Zone Protection Recommendations

Palo Alto Networks devices running PAN-OS offer a wide array of next-generation firewall features such as App-ID and User-ID to protect users, networks, and other critical systems. In addition to these powerful technologies, PAN-OS also offers protection against malicious network and transport layer activity by using Zone Protection profiles. By applying these profiles to security zones, you can help defend against floods, reconnaissance, and other packet based attacks.

When configuring Zone Protections, it is important to understand how they are applied by the system, and at what stage of packet processing. Zone Protections are always applied on the ingress interface, so if you wish to protect against floods or scans from the Internet, you would configure and apply the profile on the zone containing the untrusted Internet interface. Security administrators wishing to harden their networks even further can apply Zone Protections to all interfaces, both internal and external, to ensure that protective measures are being applied across the entire environment. This type of zero-trust approach is being recommended more and more as mobility in the enterprise continues to increase.

Also, it is important to understand that because each network environment is different, the specific flood thresholds to apply protective actions will need to be adjusted accordingly. When any configured flood threshold is crossed, a threat log will be generated, and can be forwarded externally if desired using syslog. To determine what configuration is appropriate for your environment, start by determining your average network activity during peak hours to establish a baseline. Then, incrementally adjust the thresholds lower until you reach a point that meets your security objectives, while still allowing room for normal fluctuations in network activity. You will want to avoid setting the activate and maximum thresholds too low in order to avoid disrupting legitimate traffic, but also want to avoid setting them too high so that they will still be effective at mitigating unwanted spikes in traffic volume.

Some Packet Based Attack Protection recommendations on the other hand apply somewhat equally to all organizations. For example, “unknown” and “malformed” IP options are generally unwanted and can be dropped. Selecting the options to drop “mismatched overlapping TCP segments” and “remove TCP timestamp” can prevent certain evasive techniques from being successful through the firewall, and are also generally recommended for all customers. In addition, you can prevent address spoofing in security zones by enabling protection against “Spoofed IP addresses”.  This will ensure only traffic with source addresses that match the firewall routing table will be permitted on ingress.

By following the above recommendations, you can help to make your organization even safer.

• Threat Prevention Deployment Tech Note
• Understanding DoS Protection
• What Are The Differences Between Dos Protection and Zone Protection?
• DoS and Zone Protection Best Practices