12-06-2010 12:34 AM
Hello all,
I recently configured Zone Protection for the external interface (untrust) on a PAN-2020 3.1.6 in a vwire setup. Initially we configured Zone Protection to "Alert" only.
We have set the triggers for "Activate" and "Maximum" to a figure which we will never reach (screenshot ZP-1.jpg) and bound this ZoneProtection Profile to the untrust zone.
After committing the change we are observing "TCP Flood" alerts in the Threat Log with "Attacker" and "Victim" being 0.0.0.0!
Also the action on these events is "drop" (screenshot ZP-2.jpg).
According to our Zone Protection Profile we should not see any drops.
Can somebody explain why we see this kind of drop and why the IP address of the "Attacker" and "Victim" is 0.0.0.0?
kind rgds
Roland
12-06-2010 11:53 AM
Roland,
We don’t log the IP addresses because in a DDoS attack there could be hundreds or even thousands of IPs that were associated with the syn flood attack. We can’t log all of the IPs and showing only one for source and dest could be misleading.
The zone protection profiles should be applied to the destination zone. It appears that you've applied this to the untrust zone which means that you are protecting the traffic going to untrust. It should not block unless rates have actually triggered, so please check your settings and if you still see an issue, please call support.
Thanks,
Alfred
12-06-2010 12:41 PM
Hi Alfred,
Thanks for your reply.
Are you saying the Zone Protection Profile has to be applied to the trust zone? I have not found any reference in manuals and docs to that.
The webservers which we want to protect from DDOS are behind the trust zone, just for clarification.
kind rgds
Roland
12-06-2010 06:27 PM
Hello Roland
The document at Threat Prevention Deployment Tech Note covers the zone protection configuration and behavior in detail.
-jerish
12-06-2010 11:53 PM
Hello jerish,
I know this document; unfortunately it did not answer my questions above, and I also could not find any reference as to which zone to bind the protection profile to.
rgds
Roland
12-07-2010 10:38 AM
hello roland
The first paragraph of the document says it all-
Zone protection settings offer protection against the most common flood, reconnaissance and other packet-based attacks. They can be used as a template configuration for applying similar settings to multiple zones. These settings apply to a destination zone.
-regards
Jerish
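As an added illustration of the behaviour described in this thread (not code from Palo Alto Networks or from any poster), the script below audits a few constructed threat-log rows in a simplified CSV shape: flood events carry 0.0.0.0 as source and destination, the to-zone column shows which destination zone the profile actually protected, and any flood row whose action is not the expected "alert" is flagged. The column names, the sample rows and the alert-only expectation are assumptions made for the example; a real PAN-OS threat-log export carries more columns.

```python
"""Audit constructed PAN-OS-style threat-log rows for zone-protection flood events."""
import csv
import io
from collections import Counter

# Constructed sample data (not a real log export); columns are simplified.
SAMPLE_LOG = """\
receive_time,subtype,src,dst,from_zone,to_zone,action,threat_name
2010/12/06 00:10:01,flood,0.0.0.0,0.0.0.0,trust,untrust,drop,TCP Flood
2010/12/06 00:10:05,flood,0.0.0.0,0.0.0.0,trust,untrust,drop,TCP Flood
2010/12/06 00:11:30,flood,0.0.0.0,0.0.0.0,untrust,trust,alert,TCP Flood
2010/12/06 00:12:00,vulnerability,203.0.113.7,192.0.2.10,untrust,trust,alert,Example Sig
"""


def flood_events(text):
    """Yield only the rows whose subtype is 'flood' (zone-protection events)."""
    for row in csv.DictReader(io.StringIO(text)):
        if row["subtype"] == "flood":
            yield row


def audit(text, expected_action="alert"):
    """Return (counts keyed by (to_zone, action), list of anomaly strings).

    An anomaly is a flood row whose action differs from the alert-only
    expectation, or one that carries real addresses instead of 0.0.0.0
    (flood rows normally show 0.0.0.0 because individual sources are not logged).
    """
    counts = Counter()
    anomalies = []
    for row in flood_events(text):
        counts[(row["to_zone"], row["action"])] += 1
        if row["action"] != expected_action:
            anomalies.append(
                f"{row['receive_time']}: {row['threat_name']} toward zone "
                f"'{row['to_zone']}' was '{row['action']}', expected "
                f"'{expected_action}'; check which zone carries the profile")
        if row["src"] != "0.0.0.0" or row["dst"] != "0.0.0.0":
            anomalies.append(f"{row['receive_time']}: unexpected addresses in flood row")
    return counts, anomalies


if __name__ == "__main__":
    counts, anomalies = audit(SAMPLE_LOG)
    for (zone, action), n in sorted(counts.items()):
        print(f"to-zone {zone:8s} action {action:6s} count {n}")
    for line in anomalies:
        print("ANOMALY:", line)
```

Two drops toward zone untrust in the sample mean the profile was effectively protecting untrust as the destination zone, which matches the thread's explanation.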
12-07-2010 11:56 PM
My fault, sorry. I must have overlooked that part, or I was not clear about the definition of the term destination zone.
Roland