Understanding Zone Protection


Understanding Zone Protection

L4 Transporter

Hello all,

I recently configured Zone Protection for the external interface (untrust) on a PAN-2020 3.1.6 in a vwire setup. Initially we configured Zone Protection to "Alert" only.

We have set the triggers for "Activate" and "Maximum" to a figure which we will never reach (screenshot ZP-1.jpg) and bound this Zone Protection Profile to the untrust zone.

After committing the change we are observing "TCP Flood" alerts in the Threat Log with "Attacker" and "Victim" being 0.0.0.0 ...!

Also the action on these events is "drop" (screenshot ZP-2.jpg).

According to our Zone Protection Profile we should not see any drops.

Can somebody explain why we see these kinds of drops and why the IP address of the "Attacker" and "Victim" is 0.0.0.0?

kind rgds

Roland

6 REPLIES

L4 Transporter

Roland,

We don’t log the IP addresses because in a DDoS attack there could be hundreds or even thousands of IPs that were associated with the syn flood attack. We can’t log all of the IPs and showing only one for source and dest could be misleading.

The zone protection profiles should be applied to the destination zone. It appears that you've applied this to the untrust zone which means that you are protecting the traffic going to untrust. It should not block unless rates have actually triggered, so please check your settings and if you still see an issue, please call support.

Thanks,

Alfred

Hi Alfred,

tnx for your reply.

Are you saying the Zone Protection Profile has to be applied to the trust zone? I have not found any reference in manuals and docs to that.

The webservers which we want to protect from DDOS are behind the trust zone, just for clarification.

kind rgds

Roland

L4 Transporter

Hello Roland

The document at Threat Prevention Deployment Tech Note covers the zone protection configuration and behavior in detail.

-jerish

L4 Transporter

Hello jerish,

I know this document; unfortunately it did not answer my questions above, and I also could not find any reference as to which zone to bind the protection profile to.

rgds

Roland

L4 Transporter

hello roland

The first paragraph of the document says it all:

Zone protection settings offer protection against the most common flood, reconnaissance attacks and other packet-based attacks. It can be used as a template configuration for applying similar settings to multiple zones. These settings apply to a destination zone.

-regards

Jerish
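As an added illustration (not from the thread or from the Tech Note), here is what the corrected setup looks like in the PAN-OS CLI: a SYN-flood profile kept in alert-only posture, bound to the trust zone because the web servers sit behind it and the profile applies to the destination zone. The profile name and rate values are constructed, and the command syntax is that of later PAN-OS releases and is assumed here; verify it against the release in use.

```text
# Constructed example, not configuration from the thread.
# alarm-rate only raises a Threat Log alert; activate-rate starts
# mitigation (RED); maximal-rate drops everything above it.
# Placing activate/maximal far above alarm keeps the profile in
# alert-only mode, which is what the original poster intended.
set network profiles zone-protection-profile ZP-Alert-Only flood tcp-syn enable yes
set network profiles zone-protection-profile ZP-Alert-Only flood tcp-syn red alarm-rate 1000
set network profiles zone-protection-profile ZP-Alert-Only flood tcp-syn red activate-rate 1000000
set network profiles zone-protection-profile ZP-Alert-Only flood tcp-syn red maximal-rate 1000000

# Bind the profile to the DESTINATION zone of the traffic to protect:
# the servers are behind trust, so it belongs on trust, not untrust.
set zone trust network zone-protection-profile ZP-Alert-Only
commit
```

Flood alerts raised by this profile will still show 0.0.0.0 for attacker and victim, for the reason Alfred gives above.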

L4 Transporter

My fault, sorry; I must have overlooked that part, or I was not clear about the definition of the term destination zone.

Roland
