https://live.paloaltonetworks.com/t5/general-topics/inconsistent-documentation-on-zone-protection/m-p/26243#M19160 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://live.paloaltonetworks.com/u1/29784">rvandegrift</A></P><P></P><P>With regards to Zone protection, statement number 2 is accurate. That is, it is applied to specific zones regardless of number of interfaces associated with it. And for this purpose, there is only single counter. </P><P></P><P>Separate counter mentioned in statement 1 is for Reconnaissance Protection, which will maintain counter for all different attempts made to sniff the traffic. Hope this helps. Thank you.</P></BODY></HTML> Tue, 04 Nov 2014 16:32:04 GMT ssharma 2014-11-04T16:32:04Z https://live.paloaltonetworks.com/t5/general-topics/inconsistent-documentation-on-zone-protection/m-p/26242#M19159 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>Palo Alto's documentation is inconsistent on the behavior of flood protection when it is applied by a zone protection policy.</P><P></P><P>1) "Threat Prevention Deployment Tech Note - Version 2.0 RevA", page 44 says that the zone protection based flood protection applies per source-destination-port tuple:</P><P>"Configure Flood Protection settings based on the number of packets you want to allow to each service behind the firewall. Settings apply to all traffic that enters the network through any interface in the zone on which the Zone Protection Profile is active, but a separate counter is maintained for each source IP/destination IP/destination port tuple."</P><P></P><P>2) "Threat Prevention Deployment Tech Note - Version 2.0 RevA", page 45 directly contradicts this:</P><P>"Flood Protection enabled under Zone Protection is applied to the aggregate traffic seen on a specific zone. It will maintain a single counter for all traffic, regardless of source IP/destination IP/destination port."</P><P></P><P>Which is correct?</P><P></P><P>Thanks,</P><P>Ross</P></BODY></HTML> Tue, 04 Nov 2014 16:16:19 GMT https://live.paloaltonetworks.com/t5/general-topics/inconsistent-documentation-on-zone-protection/m-p/26242#M19159 rvandegrift 2014-11-04T16:16:19Z https://live.paloaltonetworks.com/t5/general-topics/inconsistent-documentation-on-zone-protection/m-p/26243#M19160 <HTML><HEAD></HEAD><BODY><P>Hi <A href="https://live.paloaltonetworks.com/u1/29784">rvandegrift</A></P><P></P><P>With regards to Zone protection, statement number 2 is accurate. That is, it is applied to specific zones regardless of number of interfaces associated with it. And for this purpose, there is only single counter. </P><P></P><P>Separate counter mentioned in statement 1 is for Reconnaissance Protection, which will maintain counter for all different attempts made to sniff the traffic. Hope this helps. Thank you.</P></BODY></HTML> Tue, 04 Nov 2014 16:32:04 GMT https://live.paloaltonetworks.com/t5/general-topics/inconsistent-documentation-on-zone-protection/m-p/26243#M19160 ssharma 2014-11-04T16:32:04Z https://live.paloaltonetworks.com/t5/general-topics/inconsistent-documentation-on-zone-protection/m-p/26244#M19161 <HTML><HEAD></HEAD><BODY><P>What makes you think that the first comment applies to reconnaissance protection?&nbsp; The quote above is from the flood protection section.</P></BODY></HTML> Tue, 04 Nov 2014 16:34:36 GMT https://live.paloaltonetworks.com/t5/general-topics/inconsistent-documentation-on-zone-protection/m-p/26244#M19161 rvandegrift 2014-11-04T16:34:36Z https://live.paloaltonetworks.com/t5/general-topics/inconsistent-documentation-on-zone-protection/m-p/26245#M19162 <HTML><HEAD></HEAD><BODY><P>Yes, the comment is from Flood Protection, but the statement "separate counter is maintained for each source IP/destination IP/destination port tuple", makes sense with reconnaissance protection as attacker will try to sniffs various ports on same destination or different ports on different destinations. Where as in flood, attacker will flood the network mostly to a known or single ip rendering it useless to process other legitimate request. </P></BODY></HTML> Tue, 04 Nov 2014 16:40:45 GMT https://live.paloaltonetworks.com/t5/general-topics/inconsistent-documentation-on-zone-protection/m-p/26245#M19162 ssharma 2014-11-04T16:40:45Z