Apply zone protection - to which zone?

L3 Networker

Apply zone protection - to which zone?


I am wondering where and how zone protection profiles are applied to. I figure if I attach a zone protection profile to a zone, all resources behind that zone are under protection. But let's take the following example:

* one interface connected to internet (zone: untrust)

* one interface connected to internal LAN (zone: trust)

* several interfaces for different DMZs (zone: dmz)

Now if I want to protect my DMZ, do I apply the zone protection to the DMZ zone or to the untrust zone? There are actually no resources connected directly to the untrust zone, but I would believe that protecting the untrust zone would automatically protect all zones behind the untrust zone, including DMZ and trust. Am I right with this assumption?

In this scenario, why would I still apply different zone protection profiles to DMZ and trust?

How does traffic flow relate to zone protection?



Tags (2)
L6 Presenter

Re: Apply zone protection - to which zone?

As I understand the zone protection is for incoming traffic.

That is if you want to protect DMZ then you should apply your zone-protection on the Untrust zone (facing Internet) and the Trust zone (facing your LAN - if you wish to protect from inside threats aswell (for example an overtaken client is being used to DDoS/DoS your DMZ devices)).

L5 Sessionator

Re: Apply zone protection - to which zone?

Explanation from Understanding DoS Protection

These settings apply to the ingress zone (i.e. the zone where traffic enters the firewall). Zone protection settings apply to all interfaces within the zone for which the profile is configured.

Note: Zone protection is only enforced when there is no session match for the packet. If the packet matches an existing

session, it will bypass the zone protection setting.


L3 Networker

Re: Apply zone protection - to which zone?

Thanks , that helps. So in other words:

Attaching a zone protection profile to my Untrust zone will *npt* protect my DMZ zone because it's a different zone and has different interfaces. Did I get that right? So an untrust protection would only really protect the firewall itself and separate profiles should be attached to DMZ and other zones.

Also, good point about protection only being applied to new sessions, not existing ones. It seems it makes more sense to use DOS protection.

L5 Sessionator

Re: Apply zone protection - to which zone?

ZP is applied on the ingress zone,so if the traffic for destination  DMZ zone enters from Untrust zone,apply ZP on the Untrust zone, hence adding ZP to Untrust zone would definitely help DMZ  and Trust both as most of the malicious traffic generally originates from the Internet.

As said,you can additionally apply the ZP to the Trust interface to protect DMZ from the bad traffic initiated from Trust zone.

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!