Configure a Zone Service Protection Profile

Perform the following steps to create a zone service protection profile:

  1. Go to Configuration > Zone Policies / Profiles > Zone Service Protection Profiles.
  2. On the Zone Service Protection Profile page, click Create. The Create TCP Zone Service Protection Profile page appears.
  3. Enter a name for the Zone Service Protection Profile.
  4. Expand the Rate Limit Countermeasure section and enter the appropriate information.

    Table 73: Create Protocol Zone Service Protection Profile fields

    Rate Limit
      Select a configured GLID.

    Rate Limit Action
      Select one of the following actions:
      • Drop—Drops the packet. This is the default option.
      • Ignore—Ignores the traffic.
      • Blacklist-src (unsupported)—Blacklists the source.

    Max Dynamic Entry Count
      Enter the maximum number of allowable dynamic entries.

    Class List Overflow
      Select Enable Class List Overflow to allow an overflow policy to take effect if the maximum dynamic entry count is exceeded. If not selected, all traffic exceeding the maximum count is dropped.

    Deny Packets
      Select the check box to drop and blacklist the matching traffic.

    Stateful
      Select the check box to enable stateful session tracking.
      NOTE: Applicable only for the UDP and DNS-UDP protocols.

    Drop Fragmented Packets
      Select the check box to drop fragmented packets.

    Tunnel Decap
      Select the check box to decapsulate and process the inner packets.
      NOTE: Applicable only for the IP-Proto, GRE, IPv4-ENCAP and IPv6-ENCAP protocols.

    Tunnel Decap Key
      Enter a key for tunnel decapsulation.
      NOTE: Applicable only for the IP-Proto and GRE protocols.

    Tunnel Rate Limit
      Select the check box to enable DDoS protection on tunnel traffic.
      NOTE: Applicable only for the IP-Proto, GRE, IPv4 and IPv6 protocols.
  5. Expand the IP Based Countermeasure section and enter the appropriate information.

    Table 74: IP Based Countermeasure fields

    Source Based Policy
      Select an existing Source Based Policy template.
      After the source-based policy is selected, select the following:
      • Class List
      • Action
      • GLID Action
      • <Protocol> Template
      • Encap Template
        NOTE: The Encap Template field is disabled by default for the following services:
        - ICMPv4
        - ICMPv6
        - Other
        - Protocol Number
      • Log Template

      The templates required depend on the service:
      • For DNS-TCP/DNS-UDP, a DNS Template and a TCP/UDP Template are required.
      • For HTTP, an HTTP Template and a TCP Template are required.
      • For SSL-L4, an SSL-L4 Template and a TCP Template are required.
      • For SIP-TCP/SIP-UDP, a SIP Template and a TCP/UDP Template are required.
      • For Protocol Num, an IP Proto Template and an Encap Template are required.

    IP Filtering Policy
      Select an IP Filtering Policy to be associated with the zone service.
  6. Expand the Pattern Recognition (ZAPR) section and enter the appropriate information.

    Table 75: Pattern Recognition (ZAPR) fields

    Start Pattern Recognition
      Select the zone service level at which you want to run signature extraction. The signature extraction is pushed to TPS only when mitigation is started. TPS extracts the unknown attack signatures from the attack traffic and stops extraction when TPS sends a de-escalation notification to the A10 Defend Orchestrator App. The extracted attack signatures are analyzed using machine learning techniques and converted to signature rules expressed as Berkeley Packet Filter (BPF) expressions.

    Apply Extracted Filters
      Select the zone service level at which the extracted signature filters are applied to incoming traffic; packets that match the filters are dropped.

    Triggered By
      Select one of the following options:
      • Packet Rate Exceeds
      • Zone Escalation
      You can trigger pattern recognition when the packet rate exceeds the threshold of a global limit ID (GLID) or when the zone escalates. If the option is not specified, the default trigger is the packet rate exceeding a GLID threshold.
      If you select the Packet Rate Exceeds option, you must specify the rate limit.

    Capture Traffic
      Select one of the following options:
      • All
      • Dropped
      You can capture all traffic or only the dropped traffic for the purpose of extracting a ZAPR filter. If the option is not specified, only the dropped traffic is captured by default.
      To monitor the dropped packets and packet rates, go to Mitigation > Zone Mitigation Console.

    NOTE: The Triggered By and Capture Traffic options are applicable only when a TPS v5.0.2 device is used.
  7. Expand the Escalation Levels section and enter the appropriate information.

    Depending on the protocol selected, policy levels are configurable. A zone service level configuration can have up to 5 levels, numbered 0 (lowest) to 4 (highest). Click the downward arrow on the Level 0 row, if present, to expand it.

    Table 76: Policy Levels

    Source Default GLID
      Select a configured GLID for rate limits.

    GLID Action
      Select one of the following options:
      • Drop
      • Ignore
      • Blacklist-src

    TCP Template
      A protocol (TCP) template or two protocol templates may appear, depending on the protocol selected earlier for the zone. Select a configured zone protocol template.

    Encap Template
      Select a template to encapsulate the packets.

    Source Escalation Score
      Enter the source escalation score for the level. It specifies the number of score units required to move source traffic to this security level. Only source threshold violations are counted against this score.
      NOTE: Under Level 0, the default value is 10.
      If the source traffic exceeds the set score, a DDoS Source Escalation notification is generated. For more information, see Audit Logs.

    Source Violation Actions
      Select a configured violation action.

    Zone Escalation Score
      Enter the zone escalation score for the level. The number specifies the score required to escalate to the next level.
      NOTE: Under Level 0, the default value is 10.

    Zone Violation Actions
      Select a configured zone violation action.

    Close Sessions for Unauth Sources
      Select the check box to close, on level escalation, the sessions of source-zone-services that were learned without any authentication.
      The feature supports the following:
      • Service type:
        • [port | port-range] [tcp | ssl | http | dns-tcp | sip-tcp | udp (stateful) | dns-udp | quic | sip-udp]
        • port other [tcp | udp]
      • Service level:
        • Level 1 to Level 4
      For this feature to work, the zone-service must use a zone-template with any of the following authentication mechanisms configured:
      • syn-auth
      • ack-auth
      • UDP retry timeout
      NOTE: Supports TPS version 5.0.2-P3 and later.
      NOTE: For more information on Escalation Levels,
  8. Click the Plus (+) sign to add a further indicator configuration for the zone service.

    Table 77: Indicators for Zone Service

    Indicator
      Select an indicator from the drop-down list.
      NOTE: Under Level 0, the pkt-rate indicator is selected by default.
      NOTE: For more information about the threshold indicators, see Indicator Settings.

    Parameter
      Enter the parameter value for indicators that require one.

    Score
      Enter the score for this indicator at this escalation level.
      NOTE: Under Level 0, for the pkt-rate indicator, the default value is 20.

    Threshold Per Zone
      • Threshold (Total Traffic)—Enter the indicator threshold values that correspond to the total traffic of the zone service. If a detector group is associated with this zone, these values are pushed to the TPS detector when you click Save on the Edit Zone Service page and then click Save & Push on the Configuration > Protected Objects > Zones > Configure page.
      • Threshold (Per Device)—Enter the indicator threshold values per mitigator. If a mitigator group is associated with this zone, these values are pushed to the TPS mitigator when you click Save on the Edit Zone Service page and then click Save & Push on the Configuration > Protected Objects > Zones > Configure page.
      • Violation Action—Select a configured violation action from the drop-down list.

    Threshold Per Source
      • Threshold—Enter the threshold for the indicator.
      • Violation Action—Select a violation action from the drop-down list.
  9. Repeat the previous step for any additional indicators.
  10. Click Save.
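To make the interplay of indicator scores, per-zone thresholds and the Zone Escalation Score concrete, here is an added Python model (not A10's code and not the product's actual algorithm) of the Escalation Levels mechanism described in Tables 76 and 77. It assumes that at the current level each indicator whose Threshold (Total Traffic) is exceeded contributes its Score and that the zone escalates when the sum reaches that level's Zone Escalation Score; the profile and traffic samples are constructed, except for the Level 0 defaults the page states.

```python
"""Model of the Escalation Levels mechanism (Tables 76 and 77).
Assumed semantics (not spelled out on the page): at the zone's current level,
each indicator whose Threshold (Total Traffic) is exceeded adds its Score; once
the sum reaches that level's Zone Escalation Score, the zone moves up a level.
All thresholds and rates below are constructed sample values."""
from dataclasses import dataclass

MAX_LEVEL = 4  # levels run from 0 up to 4

@dataclass(frozen=True)
class Indicator:
    name: str          # e.g. "pkt-rate"
    threshold: float   # Threshold (Total Traffic) for the zone service
    score: int         # Score added when the threshold is exceeded

@dataclass(frozen=True)
class Level:
    escalation_score: int   # Zone Escalation Score needed to leave this level
    indicators: tuple       # Indicators configured under this level

# Constructed profile. Level 0 uses the page's defaults (pkt-rate score 20,
# Zone Escalation Score 10), so a single pkt-rate violation escalates to Level 1.
PROFILE = (
    Level(10, (Indicator("pkt-rate", 1_000, 20),)),
    Level(30, (Indicator("pkt-rate", 5_000, 20), Indicator("syn-rate", 2_000, 15))),
    Level(40, (Indicator("pkt-rate", 20_000, 25), Indicator("syn-rate", 8_000, 20))),
    Level(50, (Indicator("pkt-rate", 50_000, 30), Indicator("bit-rate", 1e9, 30))),
    Level(0, (Indicator("pkt-rate", 100_000, 30),)),  # Level 4 is the top level
)

def level_score(level, observed):
    """Sum the scores of indicators whose threshold the observed rates exceed."""
    return sum(i.score for i in level.indicators if observed.get(i.name, 0) > i.threshold)

def next_level(current, observed, profile=PROFILE):
    """Return the zone's level after evaluating one sample of observed rates."""
    if current >= MAX_LEVEL:
        return current
    lvl = profile[current]
    return current + 1 if level_score(lvl, observed) >= lvl.escalation_score else current

def simulate(samples, profile=PROFILE):
    """Feed successive rate samples and return the zone level after each one."""
    level, history = 0, []
    for observed in samples:
        level = next_level(level, observed, profile)
        history.append(level)
    return history
```

The model only escalates; the page describes no de-escalation rule, so none is modelled.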

Copyright © 2025 A10 Networks, Inc. All Rights Reserved.