Zone Protection profile - Threshold Recommendation

• Alert from Strata Cloud Manager regarding missing Zone Protection profile for certain zone.
• Recommendation from Strata Cloud Manager to configure the Zone Protection profile with certain values for that zone.

• PAN-OS

1. Zone is configured without a Zone Protection profile attached to it.
2. Zone is configured with zone protection profile but based on the metrics collected the zone protection profile needs its configured values to be updated to match the new recommended values.

To address this alert in case A:

1. Check which Zone is highlighted by the Alert to be missing Zone Protection profile.
2. Create a Zone Protection profile which will be applied to that particular Zone: in Firewall UI under Network > Network Profiles > Zone Protection.
3. Use the values provided by this Alert to configure the Flood Protection Tab under this Zone Protection profile
   1. Click the check box next to the SYN section and use the TCP Protocol Recommended Alert Threshold, Activate Threshold and Maximum threshold provided by the Strata Cloud Manager Alert for this particular Zone to adjust those values under the SYN section with the Random Early Drop action.
   2. Click the check box next to the UDP section and use the UDP Protocol Recommended Alert Threshold, Activate Threshold and Maximum threshold provided by the Strata Cloud Manager Alert for this particular Zone to adjust those values under the UDP section.
   3. Click the check box next to the Other IP section and use the Other IP Protocol Recommended Alert Threshold, Activate Threshold and Maximum threshold provided by the Strata Cloud Manager Alert for this particular Zone to adjust those values under the Other IP section.
4. Attach the Zone Protection profile you created in 3 to this particular Zone: in Firewall UI under Network > Zone.

To address this alert in case B:

1. Check which zone protection profile is applied to the zone mentioned in the alert.
2. If zone protection profile is only applied to the zone mentioned in the alert then go to 3 otherwise first created a new zone protection profile under Network > Network Profiles > Zone Protection then go to 3.
3. Use the values provided by this Alert to edit or configure the Flood Protection Tab under this Zone Protection profile
   1. Click the check box next to the SYN section and use the TCP Protocol Recommended Alert Threshold, Activate Threshold and Maximum threshold provided by the Strata Cloud Manager Alert for this particular Zone to adjust those values under the SYN section with the Random Early Drop action.
   2. Click the check box next to the UDP section and use the UDP Protocol Recommended Alert Threshold, Activate Threshold and Maximum threshold provided by the Strata Cloud Manager Alert for this particular Zone to adjust those values under the UDP section.
   3. Click the check box next to the Other IP section and use the Other IP Protocol Recommended Alert Threshold, Activate Threshold and Maximum threshold provided by the Strata Cloud Manager Alert for this particular Zone to adjust those values under the Other IP section.
4. If needed to create a new zone protection profile to be only applied for the zone in the alert then attach the Zone Protection profile you created in 3 to this particular Zone: in Firewall UI under Network > Zone otherwise skip this step.

• Refer to our official documentation about Flood Protection
• In case FW is not sending telemetry data to Strata Cloud Manager instance then the manual approach to Baseline CPS Measurements for Setting Flood Thresholds can be found here.