Zone Protection profiles defend the ingress zone edge against IP flood attacks, reconnaissance port scans and host sweeps, IP packet-based attacks, and non-IP protocol attacks. The ingress zone is where traffic enters the firewall in the direction of flow from the client to the server (c2s), where the client is the originator of the flow and the server is the responder. Zone Protection profiles provide a second layer of broad defense against DoS attacks, based on the aggregate traffic entering the zone, by limiting the new connections-per-second (CPS) to the zone. Zone Protection profiles don’t take individual devices (IP addresses) into account because the profiles apply to the aggregate traffic entering the zone.
Zone Protection profiles defend the network as a session is formed, before the firewall performs DoS Protection policy and Security policy rule lookups, and consume fewer CPU cycles than a DoS Protection policy or Security policy rule lookup. If a Zone Protection profile denies traffic, the firewall doesn’t spend CPU cycles on policy rule lookups.
Apply Zone Protection profiles to every zone, both internet-facing and internal.
DoS Protection profiles and policy rules defend specific individual endpoints and resources against flood attacks, especially high-value targets that users access from the internet. While a Zone Protection profile defends the zone from flood attacks, a DoS Protection policy rule with an appropriate DoS Protection profile defends critical individual systems in a zone from targeted flood attacks, providing a granular third layer of defense against DoS attacks.
Because the intent of DoS protection is to defend critical devices and because it consumes resources, DoS protection defends only the devices you specify in a DoS Protection policy rule. No other devices are protected.
DoS Protection profiles set flood protection thresholds (new CPS limits) for individual devices or groups of devices, resource protection thresholds (session limits for specified endpoints and resources), and whether the profile applies to aggregate or classified traffic.
DoS Protection policy rules specify match criteria (source, destination, service ports), the action to take when traffic matches the rule, and the aggregate and classified DoS Protection profiles associated with each rule.
Aggregate DoS Protection policy rules apply the CPS thresholds defined in an aggregate DoS Protection profile to the combined traffic of all the devices that meet the DoS Protection policy rule match criteria. For example, if you configure the aggregate DoS Protection profile to limit the CPS rate to 20,000, the 20,000 CPS limit applies to the aggregate number of connections for the entire group. In this case, one device could receive the majority of the allowed connections.
Classified DoS Protection policy rules apply the CPS thresholds defined in a classified DoS Protection profile to each individual device that matches the policy rule. For example, if you configure the classified DoS Protection profile to limit the CPS rate to 4,000, then no device in the group can accept more than 4,000 CPS. A DoS Protection policy can have one aggregate profile and one classified profile.
Classified profiles can classify connections by source IP, destination IP, or both. For internet-facing zones, classify by destination IP only because the firewall can’t scale to hold the internet routing table.
Apply DoS Protection only to critical devices, especially popular attack targets that users access from the internet, such as web servers and database servers.
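The difference between the aggregate and classified thresholds described above is easiest to see on sample traffic. The following Python simulation is an added illustration, not PAN-OS code or a description of its internals: it replays one second of constructed new-connection attempts against a rule that protects three servers, first with only the 20,000 CPS aggregate limit from the example, then with only the 4,000 CPS classified (by destination) limit, then with both, as a single policy rule can carry one profile of each kind. The server addresses, source ranges, and attempt counts are all constructed, and the simplification that only allowed connections count against the limits is this example's assumption.

```python
from collections import Counter

# Constructed sample: the servers named in the DoS Protection policy rule,
# plus one host (OTHER) that the rule does not match and so is not protected.
WEB, DB, APP, OTHER = "10.1.1.10", "10.1.1.20", "10.1.1.30", "10.1.1.99"
PROTECTED = {WEB, DB, APP}


def sample_events():
    """One second of constructed (src_ip, dst_ip) new-connection attempts.

    The web server draws a flood far above any single-host threshold, while
    the database and application servers see ordinary load.
    """
    events = []
    events += [(f"203.0.113.{i % 200}", WEB) for i in range(18_000)]
    events += [(f"198.51.100.{i % 50}", DB) for i in range(3_000)]
    events += [(f"192.0.2.{i % 10}", APP) for i in range(1_000)]
    events += [(f"198.51.100.{i % 50}", OTHER) for i in range(500)]
    return events


def limit_key(src, dst, classify_by):
    """Key that a classified profile counts connections under."""
    if classify_by == "source":
        return src
    if classify_by == "destination":
        return dst
    if classify_by == "source-and-destination":
        return (src, dst)
    raise ValueError(f"unknown classification: {classify_by}")


def enforce(events, protected, aggregate_limit=None, classified_limit=None,
            classify_by="destination"):
    """Apply aggregate and/or classified CPS limits to one second of traffic.

    Returns (allowed, dropped): Counters of connections per destination.
    Destinations the rule does not match are passed through uncounted, which
    mirrors the text: only the devices you specify are protected.
    """
    aggregate_count = 0        # one counter for the whole matched group
    classified_count = Counter()  # one counter per classification key
    allowed, dropped = Counter(), Counter()
    for src, dst in events:
        if dst not in protected:
            allowed[dst] += 1
            continue
        key = limit_key(src, dst, classify_by)
        over_aggregate = (aggregate_limit is not None
                          and aggregate_count >= aggregate_limit)
        over_classified = (classified_limit is not None
                           and classified_count[key] >= classified_limit)
        if over_aggregate or over_classified:
            dropped[dst] += 1
            continue
        aggregate_count += 1
        classified_count[key] += 1
        allowed[dst] += 1
    return allowed, dropped


if __name__ == "__main__":
    events = sample_events()
    for label, kwargs in [
        ("aggregate 20,000 only", dict(aggregate_limit=20_000)),
        ("classified 4,000 by destination only", dict(classified_limit=4_000)),
        ("both profiles", dict(aggregate_limit=20_000, classified_limit=4_000)),
    ]:
        allowed, dropped = enforce(events, PROTECTED, **kwargs)
        print(label)
        for host in (WEB, DB, APP, OTHER):
            print(f"  {host}: allowed={allowed[host]:>6} dropped={dropped[host]:>6}")
```

With only the aggregate profile the group as a whole stays at 20,000 CPS, but the flooded web server consumes 18,000 of those connections and the application server gets none, which is the "one device could receive the majority of the allowed connections" case from the text. With the classified profile each protected destination is capped at 4,000 independently, so the flood against the web server no longer starves the other two.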
Security policy rules affect both the ingress and egress flows of a session. To establish a session, incoming traffic must match an existing Security policy rule. If there is no match, the firewall discards the packet. A Security policy allows or denies traffic between zones (interzone) and within zones (intrazone) using criteria including zones, IP addresses, users, applications, services, and URL categories.
The default Security policy rules don’t permit traffic to travel between zones, so you need to configure a Security policy rule if you want to allow interzone traffic. All intrazone traffic is allowed by default. You can configure Security policy rules to match and control intrazone, interzone, or universal (intrazone and interzone) traffic.
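The rule-type semantics and default behaviour described in the two paragraphs above can be modelled in a few lines. This Python evaluator is an added example, not PAN-OS code: it walks an ordered rule list first-match, honours the intrazone, interzone and universal rule types, and falls through to the two default rules (interzone traffic denied, intrazone traffic allowed). The zone names, application names and rule names in the sample policy are constructed, and the model is reduced to zones and application only; the real policy also matches on addresses, users, services and URL categories.

```python
from dataclasses import dataclass, field

ANY = "any"


@dataclass
class Rule:
    """A reduced Security policy rule: zones, application and rule type only."""
    name: str
    rule_type: str                      # "intrazone", "interzone" or "universal"
    from_zones: set
    to_zones: set
    action: str                         # "allow" or "deny"
    applications: set = field(default_factory=lambda: {ANY})


def type_matches(rule_type, src_zone, dst_zone):
    """Does the rule type admit this zone pair at all?"""
    if rule_type == "intrazone":
        return src_zone == dst_zone
    if rule_type == "interzone":
        return src_zone != dst_zone
    if rule_type == "universal":
        return True
    raise ValueError(f"unknown rule type: {rule_type}")


def rule_matches(rule, src_zone, dst_zone, app):
    return (type_matches(rule.rule_type, src_zone, dst_zone)
            and (ANY in rule.from_zones or src_zone in rule.from_zones)
            and (ANY in rule.to_zones or dst_zone in rule.to_zones)
            and (ANY in rule.applications or app in rule.applications))


def evaluate(rules, src_zone, dst_zone, app):
    """First-match evaluation over the configured rules, then the defaults.

    Returns (rule_name, action). The default rule names are the ones PAN-OS
    uses; everything else here is constructed for the example.
    """
    for rule in rules:
        if rule_matches(rule, src_zone, dst_zone, app):
            return rule.name, rule.action
    if src_zone == dst_zone:
        return "intrazone-default", "allow"
    return "interzone-default", "deny"


# Constructed sample policy: publish web services from the DMZ and allow
# trusted users out to the internet; nothing else is explicitly permitted.
SAMPLE_RULES = [
    Rule("allow-web-in", "interzone", {"untrust"}, {"dmz"}, "allow",
         {"web-browsing", "ssl"}),
    Rule("allow-trust-out", "interzone", {"trust"}, {"untrust"}, "allow"),
]

if __name__ == "__main__":
    for flow in [("untrust", "dmz", "ssl"), ("untrust", "dmz", "ssh"),
                 ("trust", "dmz", "ssh"), ("trust", "trust", "ssh"),
                 ("trust", "untrust", "web-browsing")]:
        print(flow, "->", evaluate(SAMPLE_RULES, *flow))
```

Two points the run makes concrete: a flow from untrust to dmz over ssh matches no configured rule and is discarded by the interzone default, while ssh between two hosts in trust is allowed by the intrazone default without any rule being written; and an interzone-type rule never matches same-zone traffic even when its zone lists would, so rule type is evaluated alongside the zone criteria rather than instead of them.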
Zone Protection profiles, DoS Protection profiles and policy rules, and Security policy rules only affect dataplane traffic on the firewall. Traffic originating on the firewall management interface does not cross the dataplane, so the firewall does not match management traffic against these profiles or policy rules.