11-24-2017 09:03 AM
I have a question regarding Zone Protection on zones in a shared gateway. Is it supported? When I try to configure it, it seems to be a valid configuration. However, as a shared gateway does not generate logs, where do the ZP logs go? Also, when I run the command "show zone-protection zone ?" the SG zones do not show in the list, so I can't collect stats for the zone protection.
I did try applying zone protection to the external zone which connects to the SG, but this gave a commit warning saying something about syn-cookie not being supported. Also, in my mind this would apply zone protection too late for it to be effective.
11-28-2017 01:46 AM
Just to clarify, my questions were based on a design I am putting forward, but in the end I decided to lab the functionality to be sure.
I have just tested this in the lab and have found the below:
1. As vsys_remo suggested, when you assign a zone protection profile to a zone in an SG it will log to the threat log if you change the Virtual System drop-down to "all". I have to say I didn't expect this, but it is a pleasant surprise. Obviously a Log Forwarding profile is only needed if you wish to forward those logs to an external log device like syslog.
2. The other thing I discovered regarding my point about the "show zone-protection" command: if you use "show zone-protection zone {zonename}" you will only be able to filter based on zones which belong to a VSYS, not an SG. However, if you just run the command "show zone-protection" it will list all the zone-protection states, including those from the SG zones.
Many thanks to vsys_remo for the guidance.
11-26-2017 04:55 AM
11-27-2017 03:20 AM
Thanks for the response. The link at least clears up the question of External Zone support in VSYS; however, are you able to confirm the question of whether Zone Protection profiles are supported on Layer 3 zones assigned to Shared Gateways? If so, where would you find the logs?
11-27-2017 03:43 AM
I haven't any shared gateway configured on our firewalls, but the logs should be in the threat log if you have assigned a Log Forwarding profile to the zone.
And in the Monitor tab you probably have to select all virtual systems to view these logs, as they are not assigned to a specific vsys.