Saucepan

User Tools

Site Tools

Trace: bad_session_end ipv6 dos_protection certificates firewall_resources kerberos zone_protection snmp basics panorama
paloaltonetworks:configuration:zone_protection

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
paloaltonetworks:configuration:zone_protection [2021/02/16 07:39] – [Zone Protection] bstaffordpaloaltonetworks:configuration:zone_protection [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Zone Protection ====== ====== Zone Protection ======
 +Remember, you should not have TCP-SYN enabled on both Zone Protection and DoS policies at the same time.
 ===== Logging ===== ===== Logging =====
 To enable the additional logging, run this operational command: To enable the additional logging, run this operational command:
  
 <code>set system setting additional-threat-log on</code> <code>set system setting additional-threat-log on</code>
 +More data [[https://live.paloaltonetworks.com/t5/blogs/pan-os-8-1-2-introduces-new-log-options/ba-p/217858|here]].
 ===== Troubleshooting ===== ===== Troubleshooting =====
 Information on troubleshooting Zone Protection Profiles can be found [[paloaltonetworks:troubleshooting:testing_panos#zone_protection|here]]. Information on troubleshooting Zone Protection Profiles can be found [[paloaltonetworks:troubleshooting:testing_panos#zone_protection|here]].
Line 27: Line 29:
 ===== Problems with Zone Protection ===== ===== Problems with Zone Protection =====
  
-  * **Strict IP Address Check** caused problems when doing BGP and ECMP with four ISP links after a HA failover. This also causes internal hosts to not be able to ping past the ISP router when you failover from ISP1 to ISP2 using a PBF rule and this is enabled on the "External" zone protection profile.+  * **Strict IP Address Check** caused problems with VPN tunnel interface monitoring. I couldn't ping the other tunnel when both firewall's were Palo Alto Networks and each end had an IP in a /30. It also caused problems when doing BGP and ECMP with four ISP links after a HA failover. This also causes internal hosts to not be able to ping past the ISP router when you failover from ISP1 to ISP2 using a PBF rule and this is enabled on the "External" zone protection profile.
   * **Fragmented traffic** broke the PS3 connection to the Internet.   * **Fragmented traffic** broke the PS3 connection to the Internet.
   * **ICMP Drop > Suppress ICMP TTL Expired Error** This will break the first hop of a traceroute and mark the hop as "Request timed out". This is when traceroute is starting from inside the network and the zone protection profile is on the outside zone.   * **ICMP Drop > Suppress ICMP TTL Expired Error** This will break the first hop of a traceroute and mark the hop as "Request timed out". This is when traceroute is starting from inside the network and the zone protection profile is on the outside zone.
paloaltonetworks/configuration/zone_protection.1613461171.txt.gz · Last modified: (external edit)