https://live.paloaltonetworks.com/t5/general-topics/aggregate-vs-zone-protection-profiles/m-p/361952#M88249 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; I understand it can be different for classified depending server/application itself, but am I right in my understanding of aggregate vs zone protection profiles.</P> Tue, 10 Nov 2020 18:41:15 GMT raji_toor 2020-11-10T18:41:15Z https://live.paloaltonetworks.com/t5/general-topics/aggregate-vs-zone-protection-profiles/m-p/361663#M88211 <P>We have separate zone protection profiles for each zone. And the definition of aggregate says that "all <SPAN>thresholds apply to the entire group of devices specified in a DoS Protection policy rule". So if we are trying to protect servers in DMZ, unless we use smaller groups (for which our environment doesn't seem to have a usecase). Do we even need to use Aggregate DOS protection. Only using Classified seems more appropriate in this scenario,&nbsp;</SPAN></P><P>&nbsp;</P><P><SPAN>Also as i understand, I should be able club multiple DMZ servers in same DOS policy and the thresholds will apply to each server individually.</SPAN></P><P>&nbsp;</P> Mon, 09 Nov 2020 16:55:33 GMT https://live.paloaltonetworks.com/t5/general-topics/aggregate-vs-zone-protection-profiles/m-p/361663#M88211 raji_toor 2020-11-09T16:55:33Z https://live.paloaltonetworks.com/t5/general-topics/aggregate-vs-zone-protection-profiles/m-p/361782#M88224 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56221">@raji_toor</a>,</P> <P><STRONG>Also as i understand, I should be able club multiple DMZ servers in same DOS policy and the thresholds will apply to each server individually.</STRONG></P> <P>If you have everything setup under just classified profile then yes that's correct.&nbsp;</P> <P>&nbsp;</P> <P>So not knowing anything about your environment I can't tell you if you should use aggregate, but I&nbsp;<EM>can&nbsp;</EM>tell you that in the vast majority of environments you wouldn't throw all of your public services in the same DoS entry. If you're properly tuning your DoS profiles you shouldn't have the exact same values for your&nbsp;<EM>x&nbsp;</EM>website as you would have for&nbsp;<EM>y&nbsp;</EM>website or your Exchange server for instance. It's pretty rare I come across an environment where grouping them all under a sole entry is advisable.&nbsp;</P> Tue, 10 Nov 2020 02:45:29 GMT https://live.paloaltonetworks.com/t5/general-topics/aggregate-vs-zone-protection-profiles/m-p/361782#M88224 BPry 2020-11-10T02:45:29Z https://live.paloaltonetworks.com/t5/general-topics/aggregate-vs-zone-protection-profiles/m-p/361952#M88249 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/43480">@BPry</a>&nbsp; I understand it can be different for classified depending server/application itself, but am I right in my understanding of aggregate vs zone protection profiles.</P> Tue, 10 Nov 2020 18:41:15 GMT https://live.paloaltonetworks.com/t5/general-topics/aggregate-vs-zone-protection-profiles/m-p/361952#M88249 raji_toor 2020-11-10T18:41:15Z https://live.paloaltonetworks.com/t5/general-topics/aggregate-vs-zone-protection-profiles/m-p/361953#M88250 <P><a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/56221">@raji_toor</a>,</P> <P>So your understanding is that you&nbsp;<EM>shouldn't&nbsp;</EM>set an aggregate profile because you already have Zone Protection configured on the zone right? The zone protection can accomplish the same thing as an aggregate profile, but you would generally have your Zone Protection values set much higher than you ever would on a DoS profile. If you're just going to set those values high enough that your ZP would trip anyways then yes you wouldn't setup an aggregate profile.&nbsp;</P> Tue, 10 Nov 2020 18:56:55 GMT https://live.paloaltonetworks.com/t5/general-topics/aggregate-vs-zone-protection-profiles/m-p/361953#M88250 BPry 2020-11-10T18:56:55Z