https://live.paloaltonetworks.com/t5/general-topics/apply-zone-protection-to-which-zone/m-p/36113#M26541 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am wondering where and how zone protection profiles are applied to. I figure if I attach a zone protection profile to a zone, all resources behind that zone are under protection. But let's take the following example:</P><P></P><P>* one interface connected to internet (zone: untrust)</P><P>* one interface connected to internal LAN (zone: trust)</P><P>* several interfaces for different DMZs (zone: dmz)</P><P></P><P>Now if I want to protect my DMZ, do I apply the zone protection to the DMZ zone or to the untrust zone? There are actually no resources connected directly to the untrust zone, but I would believe that protecting the untrust zone would automatically protect all zones behind the untrust zone, including DMZ and trust. Am I right with this assumption?</P><P></P><P>In this scenario, why would I still apply different zone protection profiles to DMZ and trust? </P><P></P><P>How does traffic flow relate to zone protection?</P><P></P><P>Thanks</P><P>zone</P></BODY></HTML> Sun, 26 May 2013 22:20:03 GMT cryptochrome 2013-05-26T22:20:03Z https://live.paloaltonetworks.com/t5/general-topics/apply-zone-protection-to-which-zone/m-p/36113#M26541 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>I am wondering where and how zone protection profiles are applied to. I figure if I attach a zone protection profile to a zone, all resources behind that zone are under protection. But let's take the following example:</P><P></P><P>* one interface connected to internet (zone: untrust)</P><P>* one interface connected to internal LAN (zone: trust)</P><P>* several interfaces for different DMZs (zone: dmz)</P><P></P><P>Now if I want to protect my DMZ, do I apply the zone protection to the DMZ zone or to the untrust zone? There are actually no resources connected directly to the untrust zone, but I would believe that protecting the untrust zone would automatically protect all zones behind the untrust zone, including DMZ and trust. Am I right with this assumption?</P><P></P><P>In this scenario, why would I still apply different zone protection profiles to DMZ and trust? </P><P></P><P>How does traffic flow relate to zone protection?</P><P></P><P>Thanks</P><P>zone</P></BODY></HTML> Sun, 26 May 2013 22:20:03 GMT https://live.paloaltonetworks.com/t5/general-topics/apply-zone-protection-to-which-zone/m-p/36113#M26541 cryptochrome 2013-05-26T22:20:03Z https://live.paloaltonetworks.com/t5/general-topics/apply-zone-protection-to-which-zone/m-p/36114#M26542 <HTML><HEAD></HEAD><BODY><P>As I understand the zone protection is for incoming traffic.</P><P></P><P>That is if you want to protect DMZ then you should apply your zone-protection on the Untrust zone (facing Internet) and the Trust zone (facing your LAN - if you wish to protect from inside threats aswell (for example an overtaken client is being used to DDoS/DoS your DMZ devices)).</P></BODY></HTML> Mon, 27 May 2013 06:48:08 GMT https://live.paloaltonetworks.com/t5/general-topics/apply-zone-protection-to-which-zone/m-p/36114#M26542 mikand 2013-05-27T06:48:08Z https://live.paloaltonetworks.com/t5/general-topics/apply-zone-protection-to-which-zone/m-p/36115#M26543 <HTML><HEAD></HEAD><BODY><P>Explanation from Understanding DoS Protection</P><P></P><P>These settings apply to the ingress zone (i.e. the zone where traffic enters the firewall). Zone protection settings apply to all interfaces within the zone for which the profile is configured.</P><P>Note: Zone protection is only enforced when there is no session match for the packet. If the packet matches an existing</P><P>session, it will bypass the zone protection setting.</P><P></P><P>Refer:</P><UL><LI><A href="https://live.paloaltonetworks.com/docs/DOC-3094">Threat Prevention Deployment Tech Note</A></LI><LI><A __default_attr="5078" __jive_macro_name="document" class="jive_macro jive_macro_document" href="https://live.paloaltonetworks.com/"></A></LI></UL></BODY></HTML> Tue, 28 May 2013 05:02:57 GMT https://live.paloaltonetworks.com/t5/general-topics/apply-zone-protection-to-which-zone/m-p/36115#M26543 UhMayYeah 2013-05-28T05:02:57Z https://live.paloaltonetworks.com/t5/general-topics/apply-zone-protection-to-which-zone/m-p/36116#M26544 <HTML><HEAD></HEAD><BODY><P>Thanks <A __default_attr="11199" __jive_macro_name="user" class="jive_macro jive_macro_user" data-objecttype="3" href="https://live.paloaltonetworks.com/"></A>, that helps. So in other words:</P><P></P><P>Attaching a zone protection profile to my Untrust zone will *npt* protect my DMZ zone because it's a different zone and has different interfaces. Did I get that right? So an untrust protection would only really protect the firewall itself and separate profiles should be attached to DMZ and other zones.</P><P></P><P>Also, good point about protection only being applied to new sessions, not existing ones. It seems it makes more sense to use DOS protection.</P></BODY></HTML> Tue, 28 May 2013 07:05:14 GMT https://live.paloaltonetworks.com/t5/general-topics/apply-zone-protection-to-which-zone/m-p/36116#M26544 cryptochrome 2013-05-28T07:05:14Z https://live.paloaltonetworks.com/t5/general-topics/apply-zone-protection-to-which-zone/m-p/36117#M26545 <HTML><HEAD></HEAD><BODY><P>ZP is applied on the ingress zone,so if the traffic for destination&nbsp; DMZ zone enters from Untrust zone,apply ZP on the Untrust zone, hence adding ZP to Untrust zone would definitely help DMZ&nbsp; and Trust both as most of the malicious traffic generally originates from the Internet.</P><P>As <A __default_attr="3245" __jive_macro_name="user" class="jive_macro jive_macro_user" href="https://live.paloaltonetworks.com/"></A> said,you can additionally apply the ZP to the Trust interface to protect DMZ from the bad traffic initiated from Trust zone.</P></BODY></HTML> Tue, 28 May 2013 07:25:11 GMT https://live.paloaltonetworks.com/t5/general-topics/apply-zone-protection-to-which-zone/m-p/36117#M26545 UhMayYeah 2013-05-28T07:25:11Z