paloaltonetworks:configuration:zone_protection (revision 2021/01/07 11:59 by bstafford; current revision 2022/11/23 12:49, external edit from 127.0.0.1)
====== Zone Protection ======
Remember not to enable TCP SYN flood protection in both a Zone Protection profile and a DoS Protection policy at the same time; pick one place to do it.
===== Logging =====
To enable the additional threat logging for Zone Protection that PAN-OS 8.1.2 introduced, run this operational command:

<code>set system setting additional-threat-log on</code>
More details are [[https://live.paloaltonetworks.com/t5/blogs/pan-os-8-1-2-introduces-new-log-options/ba-p/217858|here]].
===== Troubleshooting =====
Information on troubleshooting Zone Protection Profiles can be found [[paloaltonetworks:troubleshooting:testing_panos#zone_protection|here]].
===== Problems with Zone Protection =====

  * **Strict IP Address Check** caused problems with VPN tunnel interface monitoring. I couldn't ping the other tunnel when both firewalls were Palo Alto Networks and each end had an IP in a /30. It also caused problems when doing BGP and ECMP with four ISP links after an HA failover. This also causes internal hosts to not be able to ping past the ISP router when you fail over from ISP1 to ISP2 using a PBF rule and this is enabled on the "External" zone protection profile.
  * **IP Drop > Fragmented traffic** broke the PS3 connection to the Internet.
  * **ICMP Drop > Suppress ICMP TTL Expired Error** breaks the first hop of a traceroute started from inside the network when the profile is applied to the outside zone: that hop shows as "Request timed out".
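The following is an added example, not configuration from the original page, showing how the three options listed above would be turned off in the "External" profile from PAN-OS configure-mode CLI. The option names are assumed from the zone-protection-profile schema (strict-ip-check, discard-ip-frag, suppress-icmp-timeexceeded, flood tcp-syn enable); confirm them with ''?'' completion on your PAN-OS version before committing. Lines starting with # are annotations, not CLI input.

```text
# Added example: PAN-OS configure-mode CLI, option names assumed (verify with ?).
configure

# Disable the three checks that caused the problems noted above.
set network profiles zone-protection-profile External strict-ip-check no
set network profiles zone-protection-profile External discard-ip-frag no
set network profiles zone-protection-profile External suppress-icmp-timeexceeded no

# Keep SYN flood protection here only if it is NOT also enabled in a
# DoS Protection policy that covers the same traffic.
set network profiles zone-protection-profile External flood tcp-syn enable yes

# Attach the profile to the outside zone.
set zone External network zone-protection-profile External

commit
```

After the commit, re-run the checks from the list above (ping across the tunnel /30, ping past the ISP router after a PBF failover, and a traceroute from inside) to confirm the first hop and the tunnel monitor behave again.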