The Zone PROTECTION profile will provide you with total protection against attacks such as floods, reconnaissance, and packet-based attacks. Flood attacks can be of several types, including SYN, ICMP, and UDP. You'll be ABLE to guard against port and host sweeps using the reconnaissance protections. The packet safeguards assist you in DEFENDING against big ICMP and ICMP FRAGMENT attacks.

It is intended to provide broad-based security at the ingress zone (the zone where traffic enters the firewall), rather than protecting a specific end host or traffic heading to a specific destination zone. A zone can have just one zone protection profile attached to it. Configure a DoS Protection policy (Policies > DoS Protection) to match on a specific zone, interface, IP address, or user to enhance zone protection capabilities on the firewall.

Because zone protection is based on new connections per second (cps), not packets per second, it is only implemented when there is no session match for the packet (pps). The zone protection option will be bypassed if the packet matches an EXISTING session.