6.17 Ensure that a Zone Protection Profile with Flood Protection settings enabled for all flood types is attached to all untrusted zones

Information

Enable all Flood Protection options in the Zone Protection Profile attached to every untrusted zone. The Alert, Activate, and Maximum thresholds for Flood Protection depend heavily on the environment and on the device model in use. Perform traffic analysis on the specific environment and firewall to determine accurate thresholds; do not assume the default values are appropriate for a given environment.
Rationale:
Without flood protection, an attacker may be able to overwhelm network resources, for example by using a botnet. Flood protection does not eliminate this risk entirely; it provides one layer of protection. Without a properly configured zone protection profile applied to untrusted interfaces, the protected (trusted) networks are susceptible to a large number of attacks. Many of these are denial-of-service attacks, but some are designed to evade IPS systems (fragmentation attacks, for instance) or to evade basic firewall protections (source routing and record route attacks).

Solution

In the GUI
Navigate to Network > Network Profiles > Zone Protection > Flood Protection.
Enable every flood type, using at least the default threshold values.
Navigate to Network > Zones, select each untrusted zone in turn, and set the Zone Protection Profile.
Or, execute the following CLI command in configure mode to configure the Zone Protection Profile:
username@hostname# set network profiles zone-protection-profile
Default Value:
Not Configured
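As an added example (not part of the benchmark text or of any vendor tool), the following Python check reads an exported PAN-OS configuration and reports each untrusted zone that has no Zone Protection Profile attached or whose profile leaves any flood type disabled. The XML layout used here is assumed from exported PAN-OS configurations, the sample configuration is constructed, and the set of untrusted zone names is supplied by the operator.

```python
import xml.etree.ElementTree as ET

FLOOD_TYPES = ("tcp-syn", "udp", "icmp", "icmpv6", "other-ip")

# Constructed sample in the (assumed) layout of an exported PAN-OS config.
# Profile zpp-untrust leaves other-ip flood protection off; zone dmz has no profile.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network><profiles><zone-protection-profile><entry name="zpp-untrust"><flood>
<tcp-syn><enable>yes</enable></tcp-syn><udp><enable>yes</enable></udp>
<icmp><enable>yes</enable></icmp><icmpv6><enable>yes</enable></icmpv6>
<other-ip><enable>no</enable></other-ip></flood></entry>
</zone-protection-profile></profiles></network><vsys><entry name="vsys1"><zone>
<entry name="untrust"><network><zone-protection-profile>zpp-untrust</zone-protection-profile></network></entry>
<entry name="dmz"><network/></entry><entry name="trust"><network/></entry>
</zone></entry></vsys></entry></devices></config>"""

def flood_profiles(root):
    """Map each zone protection profile name to the set of flood types it enables."""
    result = {}
    for prof in root.iterfind(".//network/profiles/zone-protection-profile/entry"):
        enabled = set()
        for ft in FLOOD_TYPES:
            node = prof.find(f"flood/{ft}/enable")
            if node is not None and (node.text or "").strip() == "yes":
                enabled.add(ft)
        result[prof.get("name")] = enabled
    return result

def audit_untrusted_zones(config_xml, untrusted_zones):
    """Return {zone name: problem} for every untrusted zone that fails this control."""
    root = ET.fromstring(config_xml)
    profiles = flood_profiles(root)
    findings = {}
    for zone in root.iterfind(".//vsys/entry/zone/entry"):
        name = zone.get("name")
        if name not in untrusted_zones:
            continue
        node = zone.find("network/zone-protection-profile")
        prof = (node.text or "").strip() if node is not None else ""
        if not prof:
            findings[name] = "no zone protection profile attached"
            continue
        missing = [ft for ft in FLOOD_TYPES if ft not in profiles.get(prof, set())]
        if missing:
            findings[name] = f"profile {prof} disables flood protection for: " + ", ".join(missing)
    return findings
```

Running `audit_untrusted_zones(SAMPLE_CONFIG, {"untrust", "dmz"})` flags both zones; an empty result means every listed zone passes the control, although the thresholds themselves still need to be tuned per environment.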

See Also

https://workbench.cisecurity.org/files/1780

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5

Plugin: Palo_Alto

Control ID: aa19f96b94e4c7b896b7323a54d87e49ecc72edefcaf5a444c16b42d49d8c6ed