Create a zone protection profile
POST /zone-protection-profiles
Create a new zone protection profile.
Request
- application/json
Body
- Location (one of): folder, snippet, device
- tcp_syn flood mechanism (one of): red, syn_cookies
- scan threat IDs: "8001" TCP Port Scan, "8002" Host Sweep, "8003" UDP Port Scan, "8006" Port Scan
- scan action (one of): allow, alert, block, block_ip
Strict IP address check conditions (both must be true):
- The source IP address is not the subnet broadcast IP address of the ingress interface.
- The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.
Reject non-SYN TCP values:
- global: Use system-wide setting that is assigned through the CLI.
- yes: Reject non-SYN TCP.
- no: Accept non-SYN TCP.
Asymmetric path values:
- global: Use system-wide setting that is assigned through TCP Settings or the CLI.
- drop: Drop packets that contain an asymmetric path.
- bypass: Bypass scanning on packets that contain an asymmetric path.
MPTCP values:
- no: Enable MPTCP support (do not strip the MPTCP option).
- yes: Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
- global: Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).
Protocol protection list types:
- Include List: Only the protocols on the list are allowed, in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100). All other protocols are implicitly denied (blocked).
- Exclude List: Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).
- folder: The folder in which the resource is defined. Possible values: <= 64 characters, value must match regular expression ^[a-zA-Z\d-_\. ]+$
- snippet: The snippet in which the resource is defined. Possible values: <= 64 characters, value must match regular expression ^[a-zA-Z\d-_\. ]+$
- device: The device in which the resource is defined. Possible values: <= 64 characters, value must match regular expression ^[a-zA-Z\d-_\. ]+$
- The profile name. Possible values: <= 31 characters
- The description of the profile. Possible values: <= 255 characters
flood object
tcp_syn object (one of red, syn_cookies)
red object
- When the flow exceeds the `alert_rate` threshold, an alarm is generated. Possible values: <= 2000000
- When the flow exceeds the `activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow. Possible values: <= 2000000
- When the flow exceeds the `maximal_rate` threshold, 100% of incoming SYN packets are dropped. Possible values: <= 2000000
syn_cookies object
- When the flow exceeds the `alert_rate` threshold, an alarm is generated. Possible values: <= 2000000
- When the flow exceeds the `activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow. Possible values: <= 2000000
- When the flow exceeds the `maximal_rate` threshold, 100% of incoming SYN packets are dropped. Possible values: <= 2000000
udp object
- Enable protection against UDP floods?
- red object
  - The number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm. Possible values: <= 2000000
  - The number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets. Possible values: <= 2000000
  - The maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped. Possible values: <= 2000000
sctp_init object
- Enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk?
- red object
  - The number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm. Possible values: <= 2000000
  - The number of SCTP INIT packets (not matching an existing session) that the zone receives per second before subsequent SCTP INIT packets are dropped. Possible values: <= 2000000
  - The maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped. Possible values: <= 2000000
icmp object
- Enable protection against ICMP floods?
- red object
  - The number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm. Possible values: <= 2000000
  - The number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped. Possible values: <= 2000000
  - The maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped. Possible values: <= 2000000
icmpv6 object
- Enable protection against ICMPv6 floods?
- red object
  - The number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm. Possible values: <= 2000000
  - The number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped. Possible values: <= 2000000
  - The maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped. Possible values: <= 2000000
other_ip object
- Enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods?
- red object
  - Possible values: <= 2000000
  - Possible values: <= 2000000
  - Possible values: <= 2000000
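A request-body validator, added here as an example and not part of the API or its documentation, that checks a body against the constraints above: exactly one location among folder, snippet and device, the 64-character pattern, the 2000000 ceiling on every flood rate, and the red/syn_cookies choice under tcp_syn. The alert <= activate <= maximal ordering check and the sample body are assumptions of the example, not documented rules.

```python
import re

LOCATION_KEYS = ("folder", "snippet", "device")
LOCATION_RE = re.compile(r"^[A-Za-z0-9_. -]{1,64}$")  # documented pattern, hyphen placed last
RATE_LIMIT = 2_000_000                                 # documented ceiling for every flood rate
RATE_KEYS = ("alert_rate", "activate_rate", "maximal_rate")
FLOOD_KINDS = ("tcp_syn", "udp", "sctp_init", "icmp", "icmpv6", "other_ip")

def check_location(body):
    """Exactly one of folder/snippet/device, each <= 64 chars and matching the pattern."""
    problems = []
    present = [k for k in LOCATION_KEYS if k in body]
    if len(present) != 1:
        problems.append(f"expected exactly one of {LOCATION_KEYS}, got {present}")
    for k in present:
        if not isinstance(body[k], str) or not LOCATION_RE.match(body[k]):
            problems.append(f"{k}: must be <= 64 characters matching the documented pattern")
    return problems

def check_rates(path, rates):
    """Each rate <= 2000000; the alert <= activate <= maximal ordering is an added sanity check."""
    problems = []
    for k in RATE_KEYS:
        v = rates.get(k)
        if not isinstance(v, int) or not 0 <= v <= RATE_LIMIT:
            problems.append(f"{path}.{k}: must be an integer between 0 and {RATE_LIMIT}")
    vals = [rates.get(k) for k in RATE_KEYS]
    if all(isinstance(v, int) for v in vals) and not vals[0] <= vals[1] <= vals[2]:
        problems.append(f"{path}: expected alert_rate <= activate_rate <= maximal_rate")
    return problems

def check_flood(body):
    """tcp_syn needs exactly one of red/syn_cookies; other kinds are checked when red is present."""
    problems = []
    for kind in FLOOD_KINDS:
        section = body.get("flood", {}).get(kind)
        if section is None:
            continue
        mechanisms = ("red", "syn_cookies") if kind == "tcp_syn" else ("red",)
        chosen = [m for m in mechanisms if m in section]
        if kind == "tcp_syn" and len(chosen) != 1:
            problems.append(f"flood.tcp_syn: expected exactly one of {mechanisms}")
        for m in chosen:
            problems += check_rates(f"flood.{kind}.{m}", section[m])
    return problems

def validate_profile(body):
    return check_location(body) + check_flood(body)

SAMPLE = {"folder": "Shared", "flood": {  # constructed sample body, not taken from the page
    "tcp_syn": {"syn_cookies": {"alert_rate": 10000, "activate_rate": 10000, "maximal_rate": 40000}},
    "udp": {"red": {"alert_rate": 10000, "activate_rate": 10000, "maximal_rate": 40000}}}}
```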
scan object[]
- The threat ID number. These can be found in Palo Alto Networks ThreatVault. Possible values: [8001, 8002, 8003, 8006]
- action object (one of allow, alert, block, block_ip)
  - Possible values: [source-and-destination, source]
  - Possible values: >= 1 and <= 3600
- Possible values: >= 2 and <= 65535
- Possible values: >= 2 and <= 65535
scan_white_list object[]
A descriptive name for the address to exclude.
Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
Check that both of the strict IP address check conditions listed earlier in the body are true:
Discard fragmented IP packets.
Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
Discard packets with the Timestamp IP option set.
Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
Discard packets if the security option is defined.
Discard packets if the Stream ID option is defined.
Discard packets if the class and number are unknown.
Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
Drop packets with mismatched overlapping TCP segments.
Drop packets with split handshakes.
Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake. Default value: true
Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake. Default value: true
Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet. Possible values: [global, yes, no]
Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers. Possible values: [global, drop, bypass]
Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile. Possible values: [no, yes, global]. Default value: global
Discard packets if the ICMP ping packet has an identifier value of 0.
Discard packets that consist of ICMP fragments.
Discard ICMP packets that are larger than 1024 bytes.
Discard ICMP packets that are embedded with an error message.
Stop sending ICMP TTL expired messages.
Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
ipv6 object
Drop packets with type 0 routing header.
Drop packets with type 1 routing header.
Drop packets with type 3 routing header.
Drop packets with type 4 to type 252 routing header.
Drop packets with type 253 routing header.
Drop packets with type 254 routing header.
Drop packets with type 255 routing header.
Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
filter_ext_hdr object
Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.
Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
Discard IPv6 packets that contain invalid IPv6 options in an extension header.
Discard IPv6 packets that have a header with a reserved field not set to zero.
Discard IPv6 packets that contain an anycast source address.
Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
ignore_inv_pkt object
Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.
Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
non_ip_protocol object
Specify the type of list you are creating for protocol protection. Possible values: [exclude, include]
protocol object[]
Enter the protocol name that corresponds to the Ethertype code you are adding to the list. The firewall does not verify that the protocol name matches the Ethertype code but the Ethertype code does determine the protocol filter.
Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:
Enable the Ethertype code on the list.
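An added example (not project code) of the include/exclude rules documented for protocol protection: it validates a non_ip_protocol section against the 0x-prefixed Ethertype form, the 64-entry limit and the four Ethertypes that cannot be excluded, then evaluates whether a given Ethertype would pass the list. The key names list_type, protocol, name, ether_type and enable, the sample list, and treating a missing enable as disabled are assumptions.

```python
import re

# Ethertypes the page lists as always allowed and impossible to exclude.
IMPLICIT_ALLOW = {0x0800, 0x86DD, 0x0806, 0x8100}
MAX_ENTRIES = 64                                       # documented maximum per list
ETHERTYPE_RE = re.compile(r"^0x[0-9A-Fa-f]{1,4}$")    # documented form: 0x-prefixed hex, 0x0000 to 0xFFFF

def parse_ethertype(text):
    """Return the Ethertype as an int, or None when it is not in the documented form."""
    if not isinstance(text, str) or not ETHERTYPE_RE.match(text):
        return None
    return int(text, 16)

def validate_protocol_list(section):
    """Check one non_ip_protocol section (key names list_type/protocol/name/ether_type are assumed)."""
    problems = []
    list_type = section.get("list_type")
    if list_type not in ("include", "exclude"):
        problems.append("list_type must be include or exclude")
    entries = section.get("protocol", [])
    if len(entries) > MAX_ENTRIES:
        problems.append(f"a list can have at most {MAX_ENTRIES} Ethertypes")
    for entry in entries:
        label = entry.get("name", "?")
        code = parse_ethertype(entry.get("ether_type"))
        if code is None:
            problems.append(f"{label}: Ethertype must be 0x-prefixed hex in 0x0000..0xFFFF")
        elif list_type == "exclude" and code in IMPLICIT_ALLOW:
            problems.append(f"{label}: {entry['ether_type']} cannot be placed on an exclude list")
    return problems

def is_permitted(section, ethertype):
    """Apply the documented include/exclude semantics to one Ethertype.
    Entries without a true enable flag are ignored (assumption about the default)."""
    listed = {parse_ethertype(e.get("ether_type"))
              for e in section.get("protocol", []) if e.get("enable")}
    if section.get("list_type") == "include":
        return ethertype in IMPLICIT_ALLOW or ethertype in listed
    return ethertype in IMPLICIT_ALLOW or ethertype not in listed

# Constructed sample (not from the page): include list allowing LLDP; the lab entry is disabled.
SAMPLE_LIST = {"list_type": "include", "protocol": [
    {"name": "lldp", "ether_type": "0x88CC", "enable": True},
    {"name": "lab", "ether_type": "0x9000", "enable": False}]}
```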
l2_sec_group_tag_protection object
tags object[]
Name for the list of Security Group Tags (SGTs).
The Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).
Enable this exclude list for Ethernet SGT protection.
Responses
- 201
- 400
- 401
- 403
- 409
- default
Created
Bad Request
- application/json
- Schema
- Example (from schema)
- input_format_mismatch
- output_format_mismatch
- missing_query_parameter
- invalid_query_parameter
- missing_body
- invalid_object
Schema
_errors object[]
{
"_errors": [
{
"code": "string",
"message": "string",
"details": {},
"help": "string"
}
],
"_request_id": "string"
}
{
"_errors": [
{
"code": "E003",
"message": "Input Format Mismatch: input-format=json",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E003",
"message": "Output Format Mismatch: output-format=json Accept=xml",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E003",
"message": "Missing Query Parameter: name",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E003",
"message": "Invalid Query Parameter: location=invalid",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E003",
"message": "Missing Body",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E003",
"message": "Invalid Object",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
Unauthorized
- application/json
- Schema
- Example (from schema)
- auth_not_authenticated
- invalid_credential
- key_too_long
- key_expired
- need_password_change
Schema
_errors object[]
{
"_errors": [
{
"code": "string",
"message": "string",
"details": {},
"help": "string"
}
],
"_request_id": "string"
}
{
"_errors": [
{
"code": "E016",
"message": "Not Authenticated",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E016",
"message": "Invalid Credential",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E016",
"message": "Key Too Long",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E016",
"message": "Key Expired",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E016",
"message": "The password needs to be changed.",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
Forbidden
- application/json
- Schema
- Example (from schema)
- auth_unauthorized
Schema
_errors object[]
{
"_errors": [
{
"code": "string",
"message": "string",
"details": {},
"help": "string"
}
],
"_request_id": "string"
}
{
"_errors": [
{
"code": "E007",
"message": "Unauthorized",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
Conflict
- application/json
- Schema
- Example (from schema)
- object_not_unique
- name_not_unique
- reference_not_zero
Schema
_errors object[]
{
"_errors": [
{
"code": "string",
"message": "string",
"details": {},
"help": "string"
}
],
"_request_id": "string"
}
{
"_errors": [
{
"code": "E016",
"message": "Object Not Unique",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E006",
"message": "Name Not Unique",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E009",
"message": "Reference Not Zero",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
General Errors
- application/json
- Schema
- Example (from schema)
- version_not_supported
- method_not_allowed
- action_not_supported
- bad_xpath
- invalid_command
- malformed_command
- session_timeout
Schema
_errors object[]
{
"_errors": [
{
"code": "string",
"message": "string",
"details": {},
"help": "string"
}
],
"_request_id": "string"
}
{
"_errors": [
{
"code": "E012",
"message": "Version Not Supported",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E012",
"message": "Method Not Supported",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E012",
"message": "Action Not Supported: move",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E013",
"message": "Bad XPath",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E003",
"message": "Invalid Command",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "E003",
"message": "Malformed Command",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}
{
"_errors": [
{
"code": "4",
"message": "Session Timeout",
"details": {}
}
],
"_request_id": "123e4567-e89b-12d3-a456-426655440000"
}