Zone protection for VM series

Showing results for 
Show  only  | Search instead for 
Did you mean: 
Palo Alto Networks Approved
Palo Alto Networks Approved
Community Expert Verified
Community Expert Verified

Zone protection for VM series

L2 Linker

Hi everyone,


I was looking for PA best practices for  VM series' zone protection but only found documents that talked about physical PA.


1. Are physical and VM series zone protection the same? could you point me where the docs for these are?

2. Under zone protection profile, flood protection, and SYN, there are 2 options 'Random Early Drop' and Syn Cookies'. I chose to configure 'Random early drop' only (attachment), will 'Syn Cookies' still be in use if I don't touch it? or the SYN only works with 1 action which is either 'Random Early Drop' or 'Sync Cookies' if selected but not both?




L7 Applicator

Either Palo will start dropping random incoming new sessions if treshold is met or will start sending back specially crafted SYN-ACK packets (SYN Cookies).

Choosing random early drop will not send back cookie.


No difference in setting up VM or physical zone protection.

You need to identify tresholds based on requirements and real needs.

Can your web server handle 40k new sessions per second that your current settings allow?

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Is it recommended to choose 'Random Early Drop' over 'Syn Cookies'?


Is the web server behind the firewall that you mentioned above? if yes, yes it can.



L7 Applicator

If you are under SYN flood attack then random early drop is less resource intensive but can also drop benign traffic.

SYN cookies put some load on the firewall but does not affect traffic from real users. 

I would choose SYN cookie setup.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Last question, Does Syn Cookies drop packet  when seeing Syn flood attacks? if not what does it do exactly in terms of protecting the fw when seeing syn flood attacks?

L7 Applicator

When SYN cookies are enabled and activated then:
SYN comes into firewall.

Firewall don't pass this SYN to web server but sends back SYN-ACK itself.

After client sends final ACK firewall initiates session to web server and allows client and web server to communicate.

As SYN-ACK is returned with sequence number from range that Palo is aware then even firewall don't need to create any session inside firewall session table before last packet from 3way handshake (ACK) arrives from client.


Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Thank you!

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!