Understanding Zone Protection

L4 Transporter

Hello all,

I recently configured Zone Protection for the external interface (untrust) on a PAN-2020 3.1.6 in a vwire setup.  Initially we have configured ZoneProtection to "Alert" only.

We have set the triggers for "Activate" and "Maximum" to a figure which we will never reach (screenshot ZP-1.jpg) and bound this ZoneProtection Profile to the untrust zone.

After committing the change we are observing "TCP Flood" alerts in the Threat Log with "Attacker" and "Victim" being ...!

Also the action on these events is "drop" (screenshot ZP-2.jpg).

According to our ZoneProtection Profile we should not see any drops.

Can somebody explain why we see these kinds of drops and why the IP address of the "Attacker" and "Victim" is ?

kind rgds



L4 Transporter


We don’t log the IP addresses because in a DDoS attack there could be hundreds or even thousands of IPs that were associated with the syn flood attack. We can’t log all of the IPs and showing only one for source and dest could be misleading.

The zone protection profiles should be applied to the destination zone. It appears that you've applied this to the untrust zone which means that you are protecting the traffic going to untrust. It should not block unless rates have actually triggered, so please check your settings and if you still see an issue, please call support.



Hi Alfred,

tnx for your reply.

Are you saying the Zone Protection Profile has to be applied to the trust zone? I have not found any reference in manuals and docs to that.

The webservers which we want to protect from DDOS are behind the trust zone, just for clarification.

kind rgds


L4 Transporter

Hello Roland

The document at Threat Prevention Deployment Tech Note covers the zone protection configuration and behavior in detail.


L4 Transporter

Hello jerish,

I know this document; unfortunately it did not answer my questions above. Also, I could not find any reference as to which zone to bind the protection profile.


