paloaltonetworks:configuration:zone_protection

paloaltonetworks:configuration:zone_protection [2021/02/16 07:41] – [Logging] bstafford
paloaltonetworks:configuration:zone_protection [2022/11/23 12:49] (current) – external edit 127.0.0.1
Line 1: Line 1:
 ====== Zone Protection ====== ====== Zone Protection ======
 +Remember, you should not have TCP-SYN enabled on both Zone Protection and DoS policies at the same time.
 ===== Logging ===== ===== Logging =====
 To enable the additional logging, run this operational command: To enable the additional logging, run this operational command:
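Review bot: the added line "Remember, you should not have TCP-SYN enabled on both Zone Protection and DoS policies at the same time." gives a rule without saying which SYN flood protection setting is meant or what actually goes wrong when it is enabled in both the Zone Protection profile and the DoS Protection policy; suggest naming the setting and adding one sentence on the effect, so a reader auditing an existing configuration knows what to look for and why. It would also sit better under its own heading or as a note in the relevant section than as a bare sentence between the page title and the "Logging" heading.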
Line 28: Line 29:
 ===== Problems with Zone Protection ===== ===== Problems with Zone Protection =====
  
-  * **Strict IP Address Check** caused problems when doing BGP and ECMP with four ISP links after a HA failover. This also causes internal hosts to not be able to ping past the ISP router when you failover from ISP1 to ISP2 using a PBF rule and this is enabled on the "External" zone protection profile.+  * **Strict IP Address Check** caused problems with VPN tunnel interface monitoring. I couldn't ping the other tunnel when both firewall's were Palo Alto Networks and each end had an IP in a /30. It also caused problems when doing BGP and ECMP with four ISP links after a HA failover. This also causes internal hosts to not be able to ping past the ISP router when you failover from ISP1 to ISP2 using a PBF rule and this is enabled on the "External" zone protection profile.
   * **Fragmented traffic** broke the PS3 connection to the Internet.   * **Fragmented traffic** broke the PS3 connection to the Internet.
   * **ICMP Drop > Suppress ICMP TTL Expired Error** This will break the first hop of a traceroute and mark the hop as "Request timed out". This is when traceroute is starting from inside the network and the zone protection profile is on the outside zone.   * **ICMP Drop > Suppress ICMP TTL Expired Error** This will break the first hop of a traceroute and mark the hop as "Request timed out". This is when traceroute is starting from inside the network and the zone protection profile is on the outside zone.
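Review bot: in the rewritten **Strict IP Address Check** bullet, "both firewall's were" should be "both firewalls were" (plural, no apostrophe). The bullet now chains three separate observations (tunnel interface monitoring with /30 tunnel IPs, BGP/ECMP with four ISP links after an HA failover, and PBF failover from ISP1 to ISP2) into one run-on item; suggest splitting them into sub-bullets under **Strict IP Address Check** so each symptom and its trigger stand on their own.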
paloaltonetworks/configuration/zone_protection.1613461281.txt.gz · Last modified: (external edit)