Inconsistent documentation on zone protection





Palo Alto's documentation is inconsistent on the behavior of flood protection when it is applied by a zone protection policy.

1) "Threat Prevention Deployment Tech Note - Version 2.0 RevA", page 44 says that the zone protection based flood protection applies per source-destination-port tuple:

"Configure Flood Protection settings based on the number of packets you want to allow to each service behind the firewall. Settings apply to all traffic that enters the network through any interface in the zone on which the Zone Protection Profile is active, but a separate counter is maintained for each source IP/destination IP/destination port tuple."

2) "Threat Prevention Deployment Tech Note - Version 2.0 RevA", page 45 directly contradicts this:

"Flood Protection enabled under Zone Protection is applied to the aggregate traffic seen on a specific zone. It will maintain a single counter for all traffic, regardless of source IP/destination IP/destination port."

Which is correct?





Hi rvandegrift

With regard to Zone Protection, statement number 2 is accurate. That is, it is applied to specific zones regardless of the number of interfaces associated with them. And for this purpose, there is only a single counter.

The separate counter mentioned in statement 1 is for Reconnaissance Protection, which will maintain a counter for all the different attempts made to sniff the traffic. Hope this helps. Thank you.

What makes you think that the first comment applies to reconnaissance protection?  The quote above is from the flood protection section.

Yes, the comment is from Flood Protection, but the statement "separate counter is maintained for each source IP/destination IP/destination port tuple" makes sense with reconnaissance protection, as an attacker will try to sniff various ports on the same destination or different ports on different destinations. Whereas in a flood, the attacker will flood the network mostly to a known or single IP, rendering it useless to process other legitimate requests.
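The two counting models quoted from the tech note lead to different alarm behaviour and different threshold sizing. The following is an added example, not part of the thread and not Palo Alto Networks code: a generic Python model of both counters, run over constructed traffic. The threshold of 1000 new connections per second, the IP addresses and the function names are all assumptions for illustration, and the model does not reproduce PAN-OS internals.

```python
from collections import Counter

THRESHOLD = 1000  # assumed alarm rate in new connections per second


def peak_rates(packets):
    """packets: iterable of (second, src_ip, dst_ip, dst_port) tuples.
    Returns (peak rate on one zone-wide counter, peak rate on any one
    source IP/destination IP/destination port counter)."""
    aggregate = Counter()   # model from page 45: one counter for the zone
    per_tuple = Counter()   # model from page 44: one counter per tuple
    for sec, src, dst, dport in packets:
        aggregate[sec] += 1
        per_tuple[(sec, src, dst, dport)] += 1
    return (max(aggregate.values(), default=0),
            max(per_tuple.values(), default=0))


def evaluate(packets, threshold=THRESHOLD):
    """Report which counting model would reach the threshold."""
    agg, tup = peak_rates(packets)
    return {"aggregate": agg >= threshold, "per_tuple": tup >= threshold}


# --- constructed sample traffic, all within second 0 ---

def single_source_flood():
    # one source, one service, 1500 connections in one second
    return [(0, "198.51.100.7", "10.0.0.5", 443)] * 1500


def distributed_flood():
    # 200 sources, 10 connections each, same service: 2000 in total
    return [(0, f"203.0.113.{i % 200 + 1}", "10.0.0.5", 443)
            for i in range(2000)]


def busy_zone():
    # no flood: 40 servers, 30 distinct clients each, 1200 in total
    return [(0, f"192.0.2.{c}", f"10.0.0.{s}", 443)
            for s in range(1, 41) for c in range(1, 31)]


if __name__ == "__main__":
    for name, gen in [("single source", single_source_flood),
                      ("distributed", distributed_flood),
                      ("busy zone, no flood", busy_zone)]:
        print(f"{name:20s} peaks={peak_rates(gen())} alarms={evaluate(gen())}")
```

Under the single-counter model the threshold has to be sized for the combined legitimate connection rate of every service in the zone, which is why the answer to this question matters when choosing values.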
