Day in the Life of a Packet: PAN-OS Packet Flow Sequence

This document describes the packet handling sequence inside PAN-OS, the operating system of the Palo Alto Networks next-generation firewalls. A packet is inspected at several stages between ingress and egress, and at each stage the firewall applies the configured action: a policy decision, a security check, or decryption and encryption. The stages, in order, are:

Ingress stage: receives the packet from the interface, parses it and decides whether it is subject to further inspection.
Session setup: for the first packet of a new session, performs the zone, forwarding, NAT, User-ID, DoS protection and security policy lookups and allocates the session.
Session fast path: for packets that match an existing session, performs application identification (App-ID) and content inspection (Content-ID).
Forwarding/egress stage: QoS, route lookup, fragmentation, tunnel encryption and transmission.

The ingress and forwarding/egress stages handle network functions and make forwarding decisions on a per-packet basis. The remaining stages are session-based security modules, App-ID and Content-ID. The firewall works with zones rather than interfaces: an interface does not pass traffic until it is assigned to a security zone, and once a packet enters the firewall the zone it came from and the zone it is destined for drive every policy decision. The platform is built on the Single Pass Parallel Processing (SP3) architecture, which combines two complementary components, single-pass software (each operation, such as App-ID, Content-ID and policy evaluation, is performed once per packet rather than by a chain of separate engines) and parallel-processing hardware built for that software. Figure 1 of the source document shows the stages in order.
Ingress stage: packet parsing

Parsing starts with the Layer 2 header of the frame received from the interface and works upward. At each layer the firewall discards packets that fail a sanity check, so malformed traffic never reaches a session.

Layer 2: The ingress port, the 802.1Q tag and the destination MAC address are used as the key to look up the ingress logical interface. If no interface is found, the packet is discarded. The security zone of the packet is derived from that ingress interface.

Layer 3 (IPv4): The packet is discarded if the Ethernet type does not match the IP version, the IP header is truncated, the IP protocol number is 0, the TTL is zero, the source and destination addresses are identical (land attack), the packet is a ping of death, the source is a martian (reserved or unroutable) address, or the IP header checksum is wrong. For IPv6 the equivalent checks include a mismatch between Ethernet type and IP version, a truncated IPv6 header, and a truncated packet (the IP payload buffer is shorter than the payload length field).

Layer 4: For TCP, the packet is discarded if the TCP header is truncated, the data offset field is less than 5, the checksum is wrong, a port is zero, or the combination of TCP flags is invalid. For UDP, the packet is discarded if the UDP header is truncated, the UDP payload is truncated (the packet is not an IP fragment and the UDP buffer length is less than the UDP length field), or the checksum is wrong.

Only checks that can be made on a single packet happen here; errors that need reassembly state are detected in the defragmentation step described next.
Tunnel decapsulation and defragmentation

After parsing, if the firewall determines that the packet belongs to a tunnel it terminates (IPsec, or SSL-VPN with SSL transport), it decapsulates and decrypts the packet, checks the inner packet for errors and discards it if any are found, and then feeds the inner packet back to the parser starting with the IP header. The supported tunnel types are IP-layer tunnels, so parsing of a tunnelled packet always restarts at the IP header. The zone lookup for a decrypted packet is therefore made on the tunnel interface rather than on the physical interface that carried the outer packet.

IP fragments are reassembled by the defragmentation process, after which the reassembled packet is likewise fed back to the parser at the IP header. Fragmentation errors, or exceeding the maximum number of buffered fragments (the packet threshold), cause the fragments to be discarded.

Whether a packet is inspected at all depends on the operational mode of the ingress interface and on the packet type; some combinations are forwarded, or dropped, without inspection. The source document summarises this in a table (its Section 3) that did not survive extraction here; the entries that remain concern IPv6 packets, which are forwarded (or dropped, depending on the mode) and inspected only if IPv6 firewalling is enabled, which is the default. Once a packet is determined to be eligible for inspection, the firewall proceeds to the flow lookup.
Flow lookup

A firewall session consists of two unidirectional flows, each uniquely identified by a flow key. PAN-OS identifies a flow with a 6-tuple:

Source and destination addresses: the IP addresses from the IP header.
Source and destination ports: the port numbers from the TCP/UDP header. For non-TCP/UDP packets other protocol fields take this place: for ICMP the identifier and sequence number, for IPsec terminating on the device the Security Parameter Index (SPI), and for unknown protocols a constant reserved value, so that no Layer 4 match is attempted.
Protocol: the IP protocol number from the IP header.
Security zone: derived from the ingress interface on which the packet arrived.

The client is the host that sent the first packet of the session and the server is the host it was sent to. Every session therefore has a client-to-server (C2S) flow and a server-to-client (S2C) flow; all client-to-server packets carry the same key as the C2S flow, and all server-to-client packets carry the key of the S2C flow. Active flows are stored in the flow lookup table.

When a packet is eligible for inspection, the firewall extracts the 6-tuple key and looks it up in the flow table. If a flow with that key exists, the packet belongs to an existing session and enters the session fast path. If not, the packet is treated as the first packet of a new session and enters session setup. The first packet (a TCP SYN, or for a UDP session typically a DNS query) is the only one that goes through the full setup sequence, which is why it is handled differently from the packets that follow it.
Session setup: first packet

If the first packet of a session is a TCP packet and the SYN bit is not set, the firewall discards it by default (the tcp-reject-non-syn setting). Disabling this check is not recommended, but it can be required in scenarios with asymmetric flows, where the firewall sees only one direction of a connection. If the packet is a SYN, the SYN flood threshold of the zone protection profile has been reached and the action is SYN cookies, the firewall answers the handshake itself (see the SYN flood section below) and no session is allocated until the client's ACK proves the cookie.

If a zone protection profile is attached to the ingress zone, the packet is evaluated against it according to the profile configuration.

The firewall then performs a forwarding lookup to find the egress interface and, from it, the destination zone. Packet forwarding depends on the configuration of the interface:

Tap: no forwarding is done; from a policy perspective the egress interface and zone are the same as the ingress interface and zone.
Virtual wire: the egress interface is the peer interface configured in the virtual wire.
Layer 2: the egress interface for the destination MAC address is retrieved from the MAC table. If the address is not in the table, the frame is flooded to all interfaces in the associated VLAN broadcast domain except the ingress interface.
Layer 3: the firewall uses the route lookup table to determine the next hop, or discards the packet if there is no match.

At this stage the ingress and egress zone information is available, and the firewall evaluates NAT rules against the original (pre-translation) packet, matching on source and destination zone. For destination NAT it then performs a second route lookup for the translated destination address, because the translated address, not the original one, determines the real egress interface and zone. Session setup continues with the User-ID, DoS protection and security policy lookups.
Session setup: User-ID, DoS protection and security pre-policy

User-ID: The firewall uses the source IP address of the packet to query the User-IP mapping table (maintained per virtual system). It then queries the user-group mapping table with that user and fetches the group mapping, which returns all groups the user belongs to. There is a chance that no user information is available at this point; if none is available and the packet is destined to TCP/80, the firewall performs a captive portal rule lookup to see whether the packet is subject to captive portal authentication.

DoS protection: Since PAN-OS 7.0.2 and 6.1.7 (PAN-48644), the DoS protection policy lookup is done before the security policy lookup. The firewall checks the DoS protection policy for traffic thresholds based on the DoS protection profile. If the matching policy action is Protect, the firewall compares the traffic against the configured thresholds and, if they are exceeded (a DoS attack is detected), discards the packet. If the policy action is allow or deny, that action takes precedence regardless of the threshold limits set in the profile.

Security pre-policy: The application is not yet known, so the firewall performs a security policy lookup using application any together with the source and destination zones, addresses, ports, protocol and user. Rules are evaluated in order from the top of the rule base and the first match wins. If the matching rule's action is deny, the firewall drops the packet. If no rule matches, the default rules at the bottom of the rule base apply: intra-zone traffic is permitted and inter-zone traffic is denied; both defaults can be modified in the rule base. If the action is allow, the firewall proceeds to allocate the session.

Session allocation and installation: A new session entry is allocated from the free pool. Allocation fails, and the packet is discarded, if the session maximum of the virtual system has been reached or the free pool is exhausted. After allocation the firewall fills the session with the flow keys extracted from the packet, installs the C2S and S2C flows in the flow lookup table, and sends the packet into the session fast path for security processing.
Session fast path: application identification

A packet that matches an existing session enters the fast path. If the session is in the discard state (because a policy change set its action to deny, or because threat detection marked it), the packet is discarded immediately. Otherwise the packet is subject to further processing, application identification and/or content inspection, if it carries TCP/UDP payload or is a non-TCP/UDP packet; TCP control packets without payload only update session state.

The firewall first checks whether the application of the session is already known. If not, it performs an App-ID lookup in this order:

1. Application override policy. If an application override rule matches, the application is taken from the rule, it is considered known, and content inspection is skipped for the session.
2. Application signatures. If there is no override rule, the firewall identifies the application from its signature database, using protocol decoding where the protocol is known.
3. Decoders and heuristics. If the signature lookup is non-conclusive, the content inspection module runs the known protocol decoder checks and heuristics to help identify the application.

An application can also change during a session, for example when a tunnelled application is recognised inside one that was already identified; the firewall then re-evaluates the session with the new application. As a general rule, if the firewall has seen more than 10 packets in a flow and the application is still incomplete, unknown or undecided, there is a strong possibility the traffic would benefit from an application override policy. For grouping applications in policy, Palo Alto Networks suggests application groups rather than application filters, although adding a large number of applications to a group by hand is laborious.

Once the application is identified, the firewall performs the security policy lookup again, now using the identified application together with the zones, addresses, ports, protocol, user and URL category of the session as the key. If the matching rule's action is deny, the session is moved to the discard state and the packet is dropped. If the action is allow, the firewall performs a QoS policy lookup and assigns a QoS class based on the matching policy, and access control, content inspection, traffic management and logging are set up for the session as configured in the rule and its attached security profiles.
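The setup and fast-path order described above, as an added example that is not part of the original page or of PAN-OS: a toy session table and rule base in Python. A first packet goes through the non-SYN check, a pre-policy lookup with application any, and session allocation with both flows installed; later packets hit the fast path, where an application override rule is consulted before the signature result and the policy is re-evaluated with the identified application, with the default intrazone-allow and interzone-deny behaviour at the bottom of the rule base. The rule names, zones, application names and the shape of the override table are made up for the example, and the App-ID signature result is passed in by the caller rather than computed.

```python
"""Added example, not code from the original page or from PAN-OS: a toy
session table and rule base that follows the setup and fast-path order of the
packet flow.  The identified application is supplied by the caller, standing
in for what App-ID's signatures would return for the payload."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TCP, TCP_SYN = 6, 0x02
FlowKey = Tuple[str, int, str, int, str, int]   # (zone, proto, src, sport, dst, dport)


@dataclass
class Rule:
    name: str
    src_zone: str   # "*" matches any zone
    dst_zone: str
    app: str        # "any" matches any application
    action: str     # "allow" or "deny"


@dataclass
class Session:
    c2s: FlowKey
    s2c: FlowKey
    state: str = "INIT"
    app: Optional[str] = None
    rule: Optional[str] = None
    discard: bool = False
    inspect_content: bool = True


class Firewall:
    def __init__(self, rules, overrides=None, max_sessions=4, reject_non_syn=True):
        self.rules: List[Rule] = rules
        self.overrides: Dict[Tuple[int, int], str] = overrides or {}  # (proto, dport) -> app (assumed shape)
        self.max_sessions = max_sessions
        self.reject_non_syn = reject_non_syn          # the tcp-reject-non-syn setting
        self.flows: Dict[FlowKey, Session] = {}       # flow lookup table, both directions
        self.sessions: List[Session] = []             # allocated session entries

    def policy_lookup(self, src_zone: str, dst_zone: str, app: str) -> Tuple[str, str]:
        """First-match rule base.  Looking up with app 'any' is the pre-policy
        lookup: it matches the first rule on zones alone, whatever its app."""
        for r in self.rules:
            if r.src_zone in ("*", src_zone) and r.dst_zone in ("*", dst_zone) \
                    and (app == "any" or r.app in ("any", app)):
                return r.name, r.action
        if src_zone == dst_zone:            # implicit rules at the bottom of the rule base
            return "intrazone-default", "allow"
        return "interzone-default", "deny"

    def first_packet(self, key: FlowKey, dst_zone: str, tcp_flags: int = TCP_SYN) -> str:
        """Session setup for a packet whose key is not in the flow table."""
        zone, proto, src, sport, dst, dport = key
        if proto == TCP and self.reject_non_syn and not tcp_flags & TCP_SYN:
            return "drop: first packet of TCP session without SYN"
        rule, action = self.policy_lookup(zone, dst_zone, "any")   # security pre-policy
        if action == "deny":
            return "drop: pre-policy %s" % rule
        if len(self.sessions) >= self.max_sessions:
            return "drop: session allocation failed"
        s2c = (dst_zone, proto, dst, dport, src, sport)            # server-to-client key
        sess = Session(c2s=key, s2c=s2c, state="OPENING", rule=rule)  # entry taken from the free pool
        self.flows[key] = self.flows[s2c] = sess                   # install both flows
        self.sessions.append(sess)
        sess.state = "ACTIVE"
        return "session installed"

    def fast_path(self, key: FlowKey, identified_app: Optional[str]) -> str:
        """Packet matching an existing session.  identified_app is None while
        App-ID is still undecided, otherwise the application the signatures found."""
        sess = self.flows.get(key)
        if sess is None:
            return "no session: goes to setup"
        if sess.discard:
            return "drop: session in discard state"
        app = self.overrides.get((key[1], sess.c2s[5]))   # override rule wins over signatures
        if app is not None:
            sess.inspect_content = False                  # override: content inspection skipped
        else:
            app = identified_app
        if app is None:
            return "forward: awaiting App-ID"             # still covered by the pre-policy match
        if app == sess.app:
            return "forward: %s" % sess.rule
        sess.app = app                                    # newly identified or changed application
        rule, action = self.policy_lookup(sess.c2s[0], sess.s2c[0], app)
        if action == "deny":
            sess.discard, sess.rule = True, rule
            return "drop: %s" % rule
        sess.rule = rule
        return "forward: %s" % rule
```

With a rule base that allows web-browsing and ssl from trust to untrust, a SYN on port 443 is installed under the first rule that matches on zones alone; once App-ID reports ssl the session is re-evaluated and lands on the ssl rule, and if the application later changes to something no rule allows the session drops into the discard state and every further packet is dropped without another policy lookup.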
Content inspection

Content inspection is performed after the application has been identified, never before. If the session is subject to content inspection (the matching rule has security profiles attached, or the application requires it), the content inspection module runs the protocol decoder for the identified application, identifies the content, and checks it against the security profiles. If that results in threat detection, the action configured in the corresponding security profile is taken, which may discard the packet or move the session into the discard state. Where an Application Layer Gateway (ALG) is involved, the decoder also handles protocol-specific work such as dynamically negotiated ports and addresses embedded in the payload. The decoders reassemble TCP streams and process out-of-order data while skipping TCP retransmissions.

Forwarding/egress stage

The forwarding stage receives the packet once the security modules have allowed it. The firewall performs QoS shaping as applicable to the QoS class assigned to the session. For Layer 3 interfaces the route lookup table determines the next hop, and the packet is discarded if there is no match. Based on the MTU of the egress interface and the fragment (DF) bit on the packet, the firewall carries out fragmentation if needed. If the egress interface is a tunnel interface, IPsec or SSL-VPN tunnel encryption is performed at this point. Finally the packet is transmitted out of the egress interface.
SYN flood protection: SYN cookies versus Random Early Drop

A zone protection profile sets the SYN flood action to Random Early Drop (RED), which is the default, or to SYN cookies. With RED, once the SYN rate reaches the threshold the firewall simply starts dropping SYN packets, at random and without regard to which ones are legitimate, so genuine clients are affected in the same proportion as the flood. SYN cookies are preferred when you want to let as much legitimate traffic through as possible while still being able to distinguish flood packets from real connection attempts and drop those instead.

The SYN cookie implementation functions as follows. When the threshold is reached the firewall stops allocating state for incoming SYNs. Instead it answers each SYN with a SYN-ACK whose initial sequence number is a cookie: a value derived from the addresses and ports of the connection, a slowly changing time counter and a secret, so that the firewall can verify it later without having stored anything. A client that completes the handshake returns an ACK equal to the cookie plus one; the firewall recomputes the cookie and, only if it matches, opens the connection to the server on the client's behalf. Spoofed SYNs never produce a valid ACK and cost the firewall no session memory.

Because the firewall acted as a proxy for the TCP three-way handshake, the real initial sequence number of the server differs from the cookie the client saw. A session that passed the SYN cookie check is therefore subject to TCP sequence number translation for its lifetime: the firewall adjusts sequence and acknowledgement numbers in both directions by the difference between the two initial sequence numbers.
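The two SYN flood actions and the sequence number translation above, as an added example that is not part of the original page or of PAN-OS: a Python sketch in which SYNs below the threshold pass through, RED drops SYNs at random above it, and SYN cookies answer each SYN with an HMAC-derived initial sequence number, keep no state, and accept only ACKs that prove the cookie. The cookie layout (an 8-bit time tick plus a 24-bit truncated MAC), the window in which a cookie stays valid and the RED drop probability ramp are assumptions for illustration, not PAN-OS internals; the secret and the addresses are constructed.

```python
"""Added example, not code from the original page or from PAN-OS: a sketch of
the SYN cookie and Random Early Drop actions of SYN flood protection, plus the
sequence number translation a proxied session needs afterwards.  Cookie layout
and RED drop probability are assumptions made for the example."""
import hashlib
import hmac
import random
from typing import Optional, Tuple

MOD32 = 1 << 32
Endpoint = Tuple[str, int]   # (address, port)


class SynFloodProtection:
    def __init__(self, threshold: int, action: str = "syn-cookies",
                 secret: bytes = b"constructed-secret", seed: int = 1):
        assert action in ("syn-cookies", "red")
        self.threshold, self.action, self.secret = threshold, action, secret
        self.syn_count = 0                  # SYNs seen in the current rate window
        self.rng = random.Random(seed)      # seeded so the RED branch is reproducible

    def cookie(self, client: Endpoint, server: Endpoint, tick: int) -> int:
        """32-bit ISN: top byte = time tick, low 24 bits = truncated HMAC of the
        4-tuple and the tick.  Nothing per-connection is stored."""
        msg = ("%s:%d>%s:%d@%d" % (client + server + (tick,))).encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return ((tick & 0xFF) << 24) | int.from_bytes(mac[:3], "big")

    def on_syn(self, client: Endpoint, server: Endpoint, tick: int) -> Tuple[str, Optional[int]]:
        """Returns ('forward', None), ('drop', None) or ('syn-ack', cookie_isn)."""
        self.syn_count += 1
        if self.syn_count <= self.threshold:
            return ("forward", None)             # below threshold: normal handshake with the server
        if self.action == "red":
            excess = self.syn_count - self.threshold
            p_drop = min(1.0, excess / self.threshold)   # assumed ramp; legitimate SYNs suffer equally
            return ("drop", None) if self.rng.random() < p_drop else ("forward", None)
        return ("syn-ack", self.cookie(client, server, tick))   # answer ourselves, allocate nothing

    def on_ack(self, client: Endpoint, server: Endpoint, ack_num: int, tick: int) -> bool:
        """Validate the handshake-completing ACK: the cookie is ack-1, its embedded
        tick must be the current or the previous one, and the MAC must recompute."""
        isn = (ack_num - 1) % MOD32
        for t in (tick, tick - 1):
            if (t & 0xFF) == isn >> 24 and self.cookie(client, server, t) == isn:
                return True                       # genuine client: now open the server side
        return False

    def new_window(self) -> None:
        """Start a fresh rate window (the caller drives the clock)."""
        self.syn_count = 0


def seq_translation(cookie_isn: int, server_isn: int):
    """After the proxied handshake the client believes the server ISN is the
    cookie while the server uses its own ISN.  Returns two translators: one for
    sequence numbers going to the client, one for acknowledgements going to the server."""
    delta = (server_isn - cookie_isn) % MOD32

    def to_client(seq: int) -> int:
        return (seq - delta) % MOD32

    def to_server(ack: int) -> int:
        return (ack + delta) % MOD32

    return to_client, to_server
```

Above the threshold the cookie branch never touches a session table, so a flood of spoofed SYNs costs only the SYN-ACK replies; an ACK with the wrong number, from a different source, or arriving after the cookie's tick window has passed is rejected, while a genuine client's ACK is accepted and the server-side handshake can begin. The translators then map the server's real initial sequence number onto the cookie the client saw, and the client's acknowledgements back.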
NetFlow export

The firewall can export statistics about the flows it processes as NetFlow fields to a NetFlow collector, a server used to analyse network traffic for security, administration, accounting and troubleshooting. There are two basic steps to configure it:

1. Define a NetFlow server profile. This specifies the frequency of the export along with the NetFlow servers that will receive the exported data.
2. Assign the profile to the interfaces whose traffic should be exported.

The firewall selects a template based on the type of exported data (IPv4 or IPv6 traffic, with or without NAT, and with standard or enterprise-specific PAN-OS fields); collectors use these templates to decipher the exported fields. The firewalls support only unidirectional NetFlow, not bidirectional, so the two flows of a session are exported as separate records. Exported fields include the interface index (the firewall documentation describes how interface indexes are generated) and the system uptime in milliseconds when the last packet of the flow was switched. On the PA-7000 Series and PA-5200 Series the management (MGT) interface cannot be used to send NetFlow records, so a service route must be configured; for other firewall models a service route is optional.
Summary of the sequence

At its simplest, the packet flow can be summarised as: initial packet processing (ingress parsing and flow lookup) -> security pre-policy (zone protection, forwarding and NAT lookups, User-ID, DoS protection, policy lookup with application any) -> application identification -> security policy with the identified application -> post-policy processing (content inspection, QoS, NAT, encryption, egress). In practice every packet takes a slightly different path through these stages, because the checks that apply depend on the interface mode, the packet type, whether the session already exists, and whether the application has been identified. Figure 2 of the source document depicts the full order in which packets are processed.

Source: Day in the Life of a Packet, PAN-OS Packet Flow Sequence, Revision A ©2015, Palo Alto Networks, Inc. Created On 09/25/18 19:20 PM - Last Modified 02/07/19 23:57 PM.
Session state, timeouts and TCP teardown

A session passes through three states. It is created in INIT (pre-allocation); once an entry has been allocated from the free pool and filled with the flow keys it moves to OPENING (post-allocation); and once both flows have been installed in the flow lookup table it becomes ACTIVE. Allocation fails when the session maximum of the virtual system has been reached or the free pool is exhausted, in which case the packet is discarded.

Until the application has been identified, the session timeout is set to the default value for the transport protocol (TCP, UDP or other). Once the application is known, the application's own timeout values become the effective values for the session; the global default timeouts can be changed under the device settings. Each packet that matches the session refreshes its timeout.

TCP teardown is tracked per session. When the first FIN is received the session becomes half-closed and the TCP half-closed timer is started; when the second FIN is received the TCP Time Wait timer is started; an RST closes the session. If the identified application changes during the session, for example when a tunnelled application appears inside one that was already identified, the firewall re-evaluates policy and timeouts for the new application.