
Zone Protection

Troubleshooting

Information on troubleshooting Zone Protection Profiles can be found here.

Zone Protection Profile Logging

  • Flood Protection logs appear under the Threat Logs.
  • Reconnaissance Protection logs appear under Threat Logs.
  • Packet Based Attack Protection drops appear as global counters on the CLI.

Flood protection

( subtype eq flood ) and ( name-of-threatid eq 'UDP Flood' ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'TCP Flood' ) and ( severity eq critical )
( subtype eq flood ) and ( name-of-threatid eq 'ICMP Flood' ) and ( severity eq critical )
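The three filters above use the PAN-OS log filter syntax. As an added example (not part of the original page), the Python below parses that syntax and applies the page's flood filters to constructed threat-log records, so the same criteria can be checked against exported logs offline; the field names are the ones the filters use, the record values are made up, and `neq` support is an assumption beyond what the page shows.

```python
import re
# Constructed sample records (not real PAN-OS data); field names follow the page's filters.
SAMPLE_THREAT_LOGS = [
    {"subtype": "flood", "name-of-threatid": "UDP Flood", "severity": "critical"},
    {"subtype": "flood", "name-of-threatid": "UDP Flood", "severity": "high"},
    {"subtype": "flood", "name-of-threatid": "TCP Flood", "severity": "critical"},
    {"subtype": "flood", "name-of-threatid": "ICMP Flood", "severity": "critical"},
    {"subtype": "vulnerability", "name-of-threatid": "constructed-threat", "severity": "medium"},
]
# The three flood filters quoted on the page, keyed by threat name.
FLOOD_FILTERS = {
    "UDP Flood": "( subtype eq flood ) and ( name-of-threatid eq 'UDP Flood' ) and ( severity eq critical )",
    "TCP Flood": "( subtype eq flood ) and ( name-of-threatid eq 'TCP Flood' ) and ( severity eq critical )",
    "ICMP Flood": "( subtype eq flood ) and ( name-of-threatid eq 'ICMP Flood' ) and ( severity eq critical )",
}
# Tokens: parentheses, single-quoted values (may contain spaces), bare words.
_TOKEN = re.compile(r"\(|\)|'[^']*'|[^\s()']+")

def _parse_expr(tokens, pos):
    # expr := term (("and"|"or") term)*; no precedence, so parenthesize as the page's filters do.
    node, pos = _parse_term(tokens, pos)
    while pos < len(tokens) and tokens[pos] in ("and", "or"):
        rhs, new_pos = _parse_term(tokens, pos + 1)
        node, pos = (tokens[pos], node, rhs), new_pos
    return node, pos

def _parse_term(tokens, pos):
    # term := "(" expr ")" | field ("eq"|"neq") value
    if tokens[pos] == "(":
        node, pos = _parse_expr(tokens, pos + 1)
        if pos >= len(tokens) or tokens[pos] != ")":
            raise ValueError("unbalanced parentheses in filter")
        return node, pos + 1
    field, op, value = tokens[pos:pos + 3]
    if op not in ("eq", "neq"):
        raise ValueError(f"unsupported operator: {op}")
    return (op, field, value.strip("'")), pos + 3

def evaluate(node, record):
    op, left, right = node
    if op in ("and", "or"):
        l, r = evaluate(left, record), evaluate(right, record)
        return (l and r) if op == "and" else (l or r)
    return (record.get(left) == right) == (op == "eq")  # eq keeps matches, neq inverts

def match_logs(filter_expr, records):
    # Parse a PAN-OS style filter once and return the records it selects.
    tokens = _TOKEN.findall(filter_expr)
    tree, pos = _parse_expr(tokens, 0)
    if pos != len(tokens):
        raise ValueError("unexpected trailing tokens in filter")
    return [r for r in records if evaluate(tree, r)]
```

Against the constructed records, each of the page's three filters selects exactly one event; the second UDP Flood record is excluded because its severity is not critical.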

Problems with Zone Protection

  • Strict IP Address Check caused problems when doing BGP and ECMP with four ISP links after an HA failover.
  • Fragmented traffic broke the PS3 connection to the Internet.
  • ICMP Drop > Suppress ICMP TTL Expired Error: this breaks the first hop of a traceroute and marks it as “Request timed out”. This applies when the traceroute starts from inside the network and the zone protection profile is applied to the outside zone.
  • ICMP Drop > Discard ICMP embedded with error message: this breaks every hop of a traceroute except the first and marks each of them as “Request timed out”. This applies when the traceroute starts from inside the network and the zone protection profile is applied to the inside zone.

Best Practice

Palo Alto Networks' best practice (June 2019) is to block Spoofed IP Address as well as Unknown and Malformed under IP Option Drop. Also block TCP with SYN data and TCP with SYNACK data, and strip the TCP Timestamp option. The IPv6 drop best practice is to drop packets with routing header type 0, 1, 4 to 252 and 255.
