1. Packages
  2. Strata Cloud Manager Provider
  3. API Docs
  4. ZoneProtectionProfile
Strata Cloud Manager v0.4.3 published on Saturday, Nov 8, 2025 by Pulumi
Schema (JSON)
pulumi/pulumi-scm

scm.ZoneProtectionProfile

scm logo
Strata Cloud Manager v0.4.3 published on Saturday, Nov 8, 2025 by Pulumi
Schema (JSON)
pulumi/pulumi-scm

    ZoneProtectionProfile resource

    Create ZoneProtectionProfile Resource

    Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.

    Constructor syntax

    new ZoneProtectionProfile(name: string, args?: ZoneProtectionProfileArgs, opts?: CustomResourceOptions);
    @overload
def ZoneProtectionProfile(resource_name: str,
                          args: Optional[ZoneProtectionProfileArgs] = None,
                          opts: Optional[ResourceOptions] = None)

@overload
def ZoneProtectionProfile(resource_name: str,
                          opts: Optional[ResourceOptions] = None,
                          asymmetric_path: Optional[str] = None,
                          description: Optional[str] = None,
                          device: Optional[str] = None,
                          discard_icmp_embedded_error: Optional[bool] = None,
                          flood: Optional[ZoneProtectionProfileFloodArgs] = None,
                          folder: Optional[str] = None,
                          fragmented_traffic_discard: Optional[bool] = None,
                          icmp_frag_discard: Optional[bool] = None,
                          icmp_large_packet_discard: Optional[bool] = None,
                          icmp_ping_zero_id_discard: Optional[bool] = None,
                          ipv6: Optional[ZoneProtectionProfileIpv6Args] = None,
                          l2_sec_group_tag_protection: Optional[ZoneProtectionProfileL2SecGroupTagProtectionArgs] = None,
                          loose_source_routing_discard: Optional[bool] = None,
                          malformed_option_discard: Optional[bool] = None,
                          mismatched_overlapping_tcp_segment_discard: Optional[bool] = None,
                          mptcp_option_strip: Optional[str] = None,
                          name: Optional[str] = None,
                          non_ip_protocol: Optional[ZoneProtectionProfileNonIpProtocolArgs] = None,
                          record_route_discard: Optional[bool] = None,
                          reject_non_syn_tcp: Optional[str] = None,
                          scan_white_lists: Optional[Sequence[ZoneProtectionProfileScanWhiteListArgs]] = None,
                          scans: Optional[Sequence[ZoneProtectionProfileScanArgs]] = None,
                          security_discard: Optional[bool] = None,
                          snippet: Optional[str] = None,
                          spoofed_ip_discard: Optional[bool] = None,
                          stream_id_discard: Optional[bool] = None,
                          strict_ip_check: Optional[bool] = None,
                          strict_source_routing_discard: Optional[bool] = None,
                          suppress_icmp_needfrag: Optional[bool] = None,
                          suppress_icmp_timeexceeded: Optional[bool] = None,
                          tcp_fast_open_and_data_strip: Optional[bool] = None,
                          tcp_handshake_discard: Optional[bool] = None,
                          tcp_syn_with_data_discard: Optional[bool] = None,
                          tcp_synack_with_data_discard: Optional[bool] = None,
                          tcp_timestamp_strip: Optional[bool] = None,
                          timestamp_discard: Optional[bool] = None,
                          unknown_option_discard: Optional[bool] = None)
    func NewZoneProtectionProfile(ctx *Context, name string, args *ZoneProtectionProfileArgs, opts ...ResourceOption) (*ZoneProtectionProfile, error)
    public ZoneProtectionProfile(string name, ZoneProtectionProfileArgs? args = null, CustomResourceOptions? opts = null)
    public ZoneProtectionProfile(String name, ZoneProtectionProfileArgs args)
public ZoneProtectionProfile(String name, ZoneProtectionProfileArgs args, CustomResourceOptions options)

    type: scm:ZoneProtectionProfile
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.

    Parameters

    name string
    The unique name of the resource.
    args ZoneProtectionProfileArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    resource_name str
    The unique name of the resource.
    args ZoneProtectionProfileArgs
    The arguments to resource properties.
    opts ResourceOptions
    Bag of options to control resource's behavior.
    ctx Context
    Context object for the current deployment.
    name string
    The unique name of the resource.
    args ZoneProtectionProfileArgs
    The arguments to resource properties.
    opts ResourceOption
    Bag of options to control resource's behavior.
    name string
    The unique name of the resource.
    args ZoneProtectionProfileArgs
    The arguments to resource properties.
    opts CustomResourceOptions
    Bag of options to control resource's behavior.
    name String
    The unique name of the resource.
    args ZoneProtectionProfileArgs
    The arguments to resource properties.
    options CustomResourceOptions
    Bag of options to control resource's behavior.

    Constructor example

    The following reference example uses placeholder values for all input properties.

    var zoneProtectionProfileResource = new Scm.ZoneProtectionProfile("zoneProtectionProfileResource", new()
{
    AsymmetricPath = "string",
    Description = "string",
    Device = "string",
    DiscardIcmpEmbeddedError = false,
    Flood = new Scm.Inputs.ZoneProtectionProfileFloodArgs
    {
        Icmp = new Scm.Inputs.ZoneProtectionProfileFloodIcmpArgs
        {
            Enable = false,
            Red = new Scm.Inputs.ZoneProtectionProfileFloodIcmpRedArgs
            {
                ActivateRate = 0,
                AlarmRate = 0,
                MaximalRate = 0,
            },
        },
        Icmpv6 = new Scm.Inputs.ZoneProtectionProfileFloodIcmpv6Args
        {
            Enable = false,
            Red = new Scm.Inputs.ZoneProtectionProfileFloodIcmpv6RedArgs
            {
                ActivateRate = 0,
                AlarmRate = 0,
                MaximalRate = 0,
            },
        },
        OtherIp = new Scm.Inputs.ZoneProtectionProfileFloodOtherIpArgs
        {
            Enable = false,
            Red = new Scm.Inputs.ZoneProtectionProfileFloodOtherIpRedArgs
            {
                ActivateRate = 0,
                AlarmRate = 0,
                MaximalRate = 0,
            },
        },
        SctpInit = new Scm.Inputs.ZoneProtectionProfileFloodSctpInitArgs
        {
            Enable = false,
            Red = new Scm.Inputs.ZoneProtectionProfileFloodSctpInitRedArgs
            {
                ActivateRate = 0,
                AlarmRate = 0,
                MaximalRate = 0,
            },
        },
        TcpSyn = new Scm.Inputs.ZoneProtectionProfileFloodTcpSynArgs
        {
            Enable = false,
            Red = new Scm.Inputs.ZoneProtectionProfileFloodTcpSynRedArgs
            {
                ActivateRate = 0,
                AlarmRate = 0,
                MaximalRate = 0,
            },
            SynCookies = new Scm.Inputs.ZoneProtectionProfileFloodTcpSynSynCookiesArgs
            {
                ActivateRate = 0,
                AlarmRate = 0,
                MaximalRate = 0,
            },
        },
        Udp = new Scm.Inputs.ZoneProtectionProfileFloodUdpArgs
        {
            Enable = false,
            Red = new Scm.Inputs.ZoneProtectionProfileFloodUdpRedArgs
            {
                ActivateRate = 0,
                AlarmRate = 0,
                MaximalRate = 0,
            },
        },
    },
    Folder = "string",
    FragmentedTrafficDiscard = false,
    IcmpFragDiscard = false,
    IcmpLargePacketDiscard = false,
    IcmpPingZeroIdDiscard = false,
    Ipv6 = new Scm.Inputs.ZoneProtectionProfileIpv6Args
    {
        AnycastSource = false,
        FilterExtHdr = new Scm.Inputs.ZoneProtectionProfileIpv6FilterExtHdrArgs
        {
            DestOptionHdr = false,
            HopByHopHdr = false,
            RoutingHdr = false,
        },
        Icmpv6TooBigSmallMtuDiscard = false,
        IgnoreInvPkt = new Scm.Inputs.ZoneProtectionProfileIpv6IgnoreInvPktArgs
        {
            DestUnreach = false,
            ParamProblem = false,
            PktTooBig = false,
            Redirect = false,
            TimeExceeded = false,
        },
        Ipv4CompatibleAddress = false,
        NeedlessFragmentHdr = false,
        OptionsInvalidIpv6Discard = false,
        ReservedFieldSetDiscard = false,
        RoutingHeader0 = false,
        RoutingHeader1 = false,
        RoutingHeader253 = false,
        RoutingHeader254 = false,
        RoutingHeader255 = false,
        RoutingHeader3 = false,
        RoutingHeader4252 = false,
    },
    L2SecGroupTagProtection = new Scm.Inputs.ZoneProtectionProfileL2SecGroupTagProtectionArgs
    {
        Tags = new[]
        {
            new Scm.Inputs.ZoneProtectionProfileL2SecGroupTagProtectionTagArgs
            {
                Name = "string",
                Tag = "string",
                Enable = false,
            },
        },
    },
    LooseSourceRoutingDiscard = false,
    MalformedOptionDiscard = false,
    MismatchedOverlappingTcpSegmentDiscard = false,
    MptcpOptionStrip = "string",
    Name = "string",
    NonIpProtocol = new Scm.Inputs.ZoneProtectionProfileNonIpProtocolArgs
    {
        ListType = "string",
        Protocols = new[]
        {
            new Scm.Inputs.ZoneProtectionProfileNonIpProtocolProtocolArgs
            {
                EtherType = "string",
                Name = "string",
                Enable = false,
            },
        },
    },
    RecordRouteDiscard = false,
    RejectNonSynTcp = "string",
    ScanWhiteLists = new[]
    {
        new Scm.Inputs.ZoneProtectionProfileScanWhiteListArgs
        {
            Name = "string",
            Ipv4 = "string",
            Ipv6 = "string",
        },
    },
    Scans = new[]
    {
        new Scm.Inputs.ZoneProtectionProfileScanArgs
        {
            Name = "string",
            Action = new Scm.Inputs.ZoneProtectionProfileScanActionArgs
            {
                Alert = null,
                Allow = null,
                Block = null,
                BlockIp = new Scm.Inputs.ZoneProtectionProfileScanActionBlockIpArgs
                {
                    Duration = 0,
                    TrackBy = "string",
                },
            },
            Interval = 0,
            Threshold = 0,
        },
    },
    SecurityDiscard = false,
    Snippet = "string",
    SpoofedIpDiscard = false,
    StreamIdDiscard = false,
    StrictIpCheck = false,
    StrictSourceRoutingDiscard = false,
    SuppressIcmpNeedfrag = false,
    SuppressIcmpTimeexceeded = false,
    TcpFastOpenAndDataStrip = false,
    TcpHandshakeDiscard = false,
    TcpSynWithDataDiscard = false,
    TcpSynackWithDataDiscard = false,
    TcpTimestampStrip = false,
    TimestampDiscard = false,
    UnknownOptionDiscard = false,
});

    example, err := scm.NewZoneProtectionProfile(ctx, "zoneProtectionProfileResource", &scm.ZoneProtectionProfileArgs{
	AsymmetricPath:           pulumi.String("string"),
	Description:              pulumi.String("string"),
	Device:                   pulumi.String("string"),
	DiscardIcmpEmbeddedError: pulumi.Bool(false),
	Flood: &scm.ZoneProtectionProfileFloodArgs{
		Icmp: &scm.ZoneProtectionProfileFloodIcmpArgs{
			Enable: pulumi.Bool(false),
			Red: &scm.ZoneProtectionProfileFloodIcmpRedArgs{
				ActivateRate: pulumi.Int(0),
				AlarmRate:    pulumi.Int(0),
				MaximalRate:  pulumi.Int(0),
			},
		},
		Icmpv6: &scm.ZoneProtectionProfileFloodIcmpv6Args{
			Enable: pulumi.Bool(false),
			Red: &scm.ZoneProtectionProfileFloodIcmpv6RedArgs{
				ActivateRate: pulumi.Int(0),
				AlarmRate:    pulumi.Int(0),
				MaximalRate:  pulumi.Int(0),
			},
		},
		OtherIp: &scm.ZoneProtectionProfileFloodOtherIpArgs{
			Enable: pulumi.Bool(false),
			Red: &scm.ZoneProtectionProfileFloodOtherIpRedArgs{
				ActivateRate: pulumi.Int(0),
				AlarmRate:    pulumi.Int(0),
				MaximalRate:  pulumi.Int(0),
			},
		},
		SctpInit: &scm.ZoneProtectionProfileFloodSctpInitArgs{
			Enable: pulumi.Bool(false),
			Red: &scm.ZoneProtectionProfileFloodSctpInitRedArgs{
				ActivateRate: pulumi.Int(0),
				AlarmRate:    pulumi.Int(0),
				MaximalRate:  pulumi.Int(0),
			},
		},
		TcpSyn: &scm.ZoneProtectionProfileFloodTcpSynArgs{
			Enable: pulumi.Bool(false),
			Red: &scm.ZoneProtectionProfileFloodTcpSynRedArgs{
				ActivateRate: pulumi.Int(0),
				AlarmRate:    pulumi.Int(0),
				MaximalRate:  pulumi.Int(0),
			},
			SynCookies: &scm.ZoneProtectionProfileFloodTcpSynSynCookiesArgs{
				ActivateRate: pulumi.Int(0),
				AlarmRate:    pulumi.Int(0),
				MaximalRate:  pulumi.Int(0),
			},
		},
		Udp: &scm.ZoneProtectionProfileFloodUdpArgs{
			Enable: pulumi.Bool(false),
			Red: &scm.ZoneProtectionProfileFloodUdpRedArgs{
				ActivateRate: pulumi.Int(0),
				AlarmRate:    pulumi.Int(0),
				MaximalRate:  pulumi.Int(0),
			},
		},
	},
	Folder:                   pulumi.String("string"),
	FragmentedTrafficDiscard: pulumi.Bool(false),
	IcmpFragDiscard:          pulumi.Bool(false),
	IcmpLargePacketDiscard:   pulumi.Bool(false),
	IcmpPingZeroIdDiscard:    pulumi.Bool(false),
	Ipv6: &scm.ZoneProtectionProfileIpv6Args{
		AnycastSource: pulumi.Bool(false),
		FilterExtHdr: &scm.ZoneProtectionProfileIpv6FilterExtHdrArgs{
			DestOptionHdr: pulumi.Bool(false),
			HopByHopHdr:   pulumi.Bool(false),
			RoutingHdr:    pulumi.Bool(false),
		},
		Icmpv6TooBigSmallMtuDiscard: pulumi.Bool(false),
		IgnoreInvPkt: &scm.ZoneProtectionProfileIpv6IgnoreInvPktArgs{
			DestUnreach:  pulumi.Bool(false),
			ParamProblem: pulumi.Bool(false),
			PktTooBig:    pulumi.Bool(false),
			Redirect:     pulumi.Bool(false),
			TimeExceeded: pulumi.Bool(false),
		},
		Ipv4CompatibleAddress:     pulumi.Bool(false),
		NeedlessFragmentHdr:       pulumi.Bool(false),
		OptionsInvalidIpv6Discard: pulumi.Bool(false),
		ReservedFieldSetDiscard:   pulumi.Bool(false),
		RoutingHeader0:            pulumi.Bool(false),
		RoutingHeader1:            pulumi.Bool(false),
		RoutingHeader253:          pulumi.Bool(false),
		RoutingHeader254:          pulumi.Bool(false),
		RoutingHeader255:          pulumi.Bool(false),
		RoutingHeader3:            pulumi.Bool(false),
		RoutingHeader4252:         pulumi.Bool(false),
	},
	L2SecGroupTagProtection: &scm.ZoneProtectionProfileL2SecGroupTagProtectionArgs{
		Tags: scm.ZoneProtectionProfileL2SecGroupTagProtectionTagArray{
			&scm.ZoneProtectionProfileL2SecGroupTagProtectionTagArgs{
				Name:   pulumi.String("string"),
				Tag:    pulumi.String("string"),
				Enable: pulumi.Bool(false),
			},
		},
	},
	LooseSourceRoutingDiscard:              pulumi.Bool(false),
	MalformedOptionDiscard:                 pulumi.Bool(false),
	MismatchedOverlappingTcpSegmentDiscard: pulumi.Bool(false),
	MptcpOptionStrip:                       pulumi.String("string"),
	Name:                                   pulumi.String("string"),
	NonIpProtocol: &scm.ZoneProtectionProfileNonIpProtocolArgs{
		ListType: pulumi.String("string"),
		Protocols: scm.ZoneProtectionProfileNonIpProtocolProtocolArray{
			&scm.ZoneProtectionProfileNonIpProtocolProtocolArgs{
				EtherType: pulumi.String("string"),
				Name:      pulumi.String("string"),
				Enable:    pulumi.Bool(false),
			},
		},
	},
	RecordRouteDiscard: pulumi.Bool(false),
	RejectNonSynTcp:    pulumi.String("string"),
	ScanWhiteLists: scm.ZoneProtectionProfileScanWhiteListArray{
		&scm.ZoneProtectionProfileScanWhiteListArgs{
			Name: pulumi.String("string"),
			Ipv4: pulumi.String("string"),
			Ipv6: pulumi.String("string"),
		},
	},
	Scans: scm.ZoneProtectionProfileScanArray{
		&scm.ZoneProtectionProfileScanArgs{
			Name: pulumi.String("string"),
			Action: &scm.ZoneProtectionProfileScanActionArgs{
				Alert: &scm.ZoneProtectionProfileScanActionAlertArgs{},
				Allow: &scm.ZoneProtectionProfileScanActionAllowArgs{},
				Block: &scm.ZoneProtectionProfileScanActionBlockArgs{},
				BlockIp: &scm.ZoneProtectionProfileScanActionBlockIpArgs{
					Duration: pulumi.Int(0),
					TrackBy:  pulumi.String("string"),
				},
			},
			Interval:  pulumi.Int(0),
			Threshold: pulumi.Int(0),
		},
	},
	SecurityDiscard:            pulumi.Bool(false),
	Snippet:                    pulumi.String("string"),
	SpoofedIpDiscard:           pulumi.Bool(false),
	StreamIdDiscard:            pulumi.Bool(false),
	StrictIpCheck:              pulumi.Bool(false),
	StrictSourceRoutingDiscard: pulumi.Bool(false),
	SuppressIcmpNeedfrag:       pulumi.Bool(false),
	SuppressIcmpTimeexceeded:   pulumi.Bool(false),
	TcpFastOpenAndDataStrip:    pulumi.Bool(false),
	TcpHandshakeDiscard:        pulumi.Bool(false),
	TcpSynWithDataDiscard:      pulumi.Bool(false),
	TcpSynackWithDataDiscard:   pulumi.Bool(false),
	TcpTimestampStrip:          pulumi.Bool(false),
	TimestampDiscard:           pulumi.Bool(false),
	UnknownOptionDiscard:       pulumi.Bool(false),
})

    var zoneProtectionProfileResource = new ZoneProtectionProfile("zoneProtectionProfileResource", ZoneProtectionProfileArgs.builder()
    .asymmetricPath("string")
    .description("string")
    .device("string")
    .discardIcmpEmbeddedError(false)
    .flood(ZoneProtectionProfileFloodArgs.builder()
        .icmp(ZoneProtectionProfileFloodIcmpArgs.builder()
            .enable(false)
            .red(ZoneProtectionProfileFloodIcmpRedArgs.builder()
                .activateRate(0)
                .alarmRate(0)
                .maximalRate(0)
                .build())
            .build())
        .icmpv6(ZoneProtectionProfileFloodIcmpv6Args.builder()
            .enable(false)
            .red(ZoneProtectionProfileFloodIcmpv6RedArgs.builder()
                .activateRate(0)
                .alarmRate(0)
                .maximalRate(0)
                .build())
            .build())
        .otherIp(ZoneProtectionProfileFloodOtherIpArgs.builder()
            .enable(false)
            .red(ZoneProtectionProfileFloodOtherIpRedArgs.builder()
                .activateRate(0)
                .alarmRate(0)
                .maximalRate(0)
                .build())
            .build())
        .sctpInit(ZoneProtectionProfileFloodSctpInitArgs.builder()
            .enable(false)
            .red(ZoneProtectionProfileFloodSctpInitRedArgs.builder()
                .activateRate(0)
                .alarmRate(0)
                .maximalRate(0)
                .build())
            .build())
        .tcpSyn(ZoneProtectionProfileFloodTcpSynArgs.builder()
            .enable(false)
            .red(ZoneProtectionProfileFloodTcpSynRedArgs.builder()
                .activateRate(0)
                .alarmRate(0)
                .maximalRate(0)
                .build())
            .synCookies(ZoneProtectionProfileFloodTcpSynSynCookiesArgs.builder()
                .activateRate(0)
                .alarmRate(0)
                .maximalRate(0)
                .build())
            .build())
        .udp(ZoneProtectionProfileFloodUdpArgs.builder()
            .enable(false)
            .red(ZoneProtectionProfileFloodUdpRedArgs.builder()
                .activateRate(0)
                .alarmRate(0)
                .maximalRate(0)
                .build())
            .build())
        .build())
    .folder("string")
    .fragmentedTrafficDiscard(false)
    .icmpFragDiscard(false)
    .icmpLargePacketDiscard(false)
    .icmpPingZeroIdDiscard(false)
    .ipv6(ZoneProtectionProfileIpv6Args.builder()
        .anycastSource(false)
        .filterExtHdr(ZoneProtectionProfileIpv6FilterExtHdrArgs.builder()
            .destOptionHdr(false)
            .hopByHopHdr(false)
            .routingHdr(false)
            .build())
        .icmpv6TooBigSmallMtuDiscard(false)
        .ignoreInvPkt(ZoneProtectionProfileIpv6IgnoreInvPktArgs.builder()
            .destUnreach(false)
            .paramProblem(false)
            .pktTooBig(false)
            .redirect(false)
            .timeExceeded(false)
            .build())
        .ipv4CompatibleAddress(false)
        .needlessFragmentHdr(false)
        .optionsInvalidIpv6Discard(false)
        .reservedFieldSetDiscard(false)
        .routingHeader0(false)
        .routingHeader1(false)
        .routingHeader253(false)
        .routingHeader254(false)
        .routingHeader255(false)
        .routingHeader3(false)
        .routingHeader4252(false)
        .build())
    .l2SecGroupTagProtection(ZoneProtectionProfileL2SecGroupTagProtectionArgs.builder()
        .tags(ZoneProtectionProfileL2SecGroupTagProtectionTagArgs.builder()
            .name("string")
            .tag("string")
            .enable(false)
            .build())
        .build())
    .looseSourceRoutingDiscard(false)
    .malformedOptionDiscard(false)
    .mismatchedOverlappingTcpSegmentDiscard(false)
    .mptcpOptionStrip("string")
    .name("string")
    .nonIpProtocol(ZoneProtectionProfileNonIpProtocolArgs.builder()
        .listType("string")
        .protocols(ZoneProtectionProfileNonIpProtocolProtocolArgs.builder()
            .etherType("string")
            .name("string")
            .enable(false)
            .build())
        .build())
    .recordRouteDiscard(false)
    .rejectNonSynTcp("string")
    .scanWhiteLists(ZoneProtectionProfileScanWhiteListArgs.builder()
        .name("string")
        .ipv4("string")
        .ipv6("string")
        .build())
    .scans(ZoneProtectionProfileScanArgs.builder()
        .name("string")
        .action(ZoneProtectionProfileScanActionArgs.builder()
            .alert(ZoneProtectionProfileScanActionAlertArgs.builder()
                .build())
            .allow(ZoneProtectionProfileScanActionAllowArgs.builder()
                .build())
            .block(ZoneProtectionProfileScanActionBlockArgs.builder()
                .build())
            .blockIp(ZoneProtectionProfileScanActionBlockIpArgs.builder()
                .duration(0)
                .trackBy("string")
                .build())
            .build())
        .interval(0)
        .threshold(0)
        .build())
    .securityDiscard(false)
    .snippet("string")
    .spoofedIpDiscard(false)
    .streamIdDiscard(false)
    .strictIpCheck(false)
    .strictSourceRoutingDiscard(false)
    .suppressIcmpNeedfrag(false)
    .suppressIcmpTimeexceeded(false)
    .tcpFastOpenAndDataStrip(false)
    .tcpHandshakeDiscard(false)
    .tcpSynWithDataDiscard(false)
    .tcpSynackWithDataDiscard(false)
    .tcpTimestampStrip(false)
    .timestampDiscard(false)
    .unknownOptionDiscard(false)
    .build());

    zone_protection_profile_resource = scm.ZoneProtectionProfile("zoneProtectionProfileResource",
    asymmetric_path="string",
    description="string",
    device="string",
    discard_icmp_embedded_error=False,
    flood={
        "icmp": {
            "enable": False,
            "red": {
                "activate_rate": 0,
                "alarm_rate": 0,
                "maximal_rate": 0,
            },
        },
        "icmpv6": {
            "enable": False,
            "red": {
                "activate_rate": 0,
                "alarm_rate": 0,
                "maximal_rate": 0,
            },
        },
        "other_ip": {
            "enable": False,
            "red": {
                "activate_rate": 0,
                "alarm_rate": 0,
                "maximal_rate": 0,
            },
        },
        "sctp_init": {
            "enable": False,
            "red": {
                "activate_rate": 0,
                "alarm_rate": 0,
                "maximal_rate": 0,
            },
        },
        "tcp_syn": {
            "enable": False,
            "red": {
                "activate_rate": 0,
                "alarm_rate": 0,
                "maximal_rate": 0,
            },
            "syn_cookies": {
                "activate_rate": 0,
                "alarm_rate": 0,
                "maximal_rate": 0,
            },
        },
        "udp": {
            "enable": False,
            "red": {
                "activate_rate": 0,
                "alarm_rate": 0,
                "maximal_rate": 0,
            },
        },
    },
    folder="string",
    fragmented_traffic_discard=False,
    icmp_frag_discard=False,
    icmp_large_packet_discard=False,
    icmp_ping_zero_id_discard=False,
    ipv6={
        "anycast_source": False,
        "filter_ext_hdr": {
            "dest_option_hdr": False,
            "hop_by_hop_hdr": False,
            "routing_hdr": False,
        },
        "icmpv6_too_big_small_mtu_discard": False,
        "ignore_inv_pkt": {
            "dest_unreach": False,
            "param_problem": False,
            "pkt_too_big": False,
            "redirect": False,
            "time_exceeded": False,
        },
        "ipv4_compatible_address": False,
        "needless_fragment_hdr": False,
        "options_invalid_ipv6_discard": False,
        "reserved_field_set_discard": False,
        "routing_header0": False,
        "routing_header1": False,
        "routing_header253": False,
        "routing_header254": False,
        "routing_header255": False,
        "routing_header3": False,
        "routing_header4252": False,
    },
    l2_sec_group_tag_protection={
        "tags": [{
            "name": "string",
            "tag": "string",
            "enable": False,
        }],
    },
    loose_source_routing_discard=False,
    malformed_option_discard=False,
    mismatched_overlapping_tcp_segment_discard=False,
    mptcp_option_strip="string",
    name="string",
    non_ip_protocol={
        "list_type": "string",
        "protocols": [{
            "ether_type": "string",
            "name": "string",
            "enable": False,
        }],
    },
    record_route_discard=False,
    reject_non_syn_tcp="string",
    scan_white_lists=[{
        "name": "string",
        "ipv4": "string",
        "ipv6": "string",
    }],
    scans=[{
        "name": "string",
        "action": {
            "alert": {},
            "allow": {},
            "block": {},
            "block_ip": {
                "duration": 0,
                "track_by": "string",
            },
        },
        "interval": 0,
        "threshold": 0,
    }],
    security_discard=False,
    snippet="string",
    spoofed_ip_discard=False,
    stream_id_discard=False,
    strict_ip_check=False,
    strict_source_routing_discard=False,
    suppress_icmp_needfrag=False,
    suppress_icmp_timeexceeded=False,
    tcp_fast_open_and_data_strip=False,
    tcp_handshake_discard=False,
    tcp_syn_with_data_discard=False,
    tcp_synack_with_data_discard=False,
    tcp_timestamp_strip=False,
    timestamp_discard=False,
    unknown_option_discard=False)

    const zoneProtectionProfileResource = new scm.ZoneProtectionProfile("zoneProtectionProfileResource", {
    asymmetricPath: "string",
    description: "string",
    device: "string",
    discardIcmpEmbeddedError: false,
    flood: {
        icmp: {
            enable: false,
            red: {
                activateRate: 0,
                alarmRate: 0,
                maximalRate: 0,
            },
        },
        icmpv6: {
            enable: false,
            red: {
                activateRate: 0,
                alarmRate: 0,
                maximalRate: 0,
            },
        },
        otherIp: {
            enable: false,
            red: {
                activateRate: 0,
                alarmRate: 0,
                maximalRate: 0,
            },
        },
        sctpInit: {
            enable: false,
            red: {
                activateRate: 0,
                alarmRate: 0,
                maximalRate: 0,
            },
        },
        tcpSyn: {
            enable: false,
            red: {
                activateRate: 0,
                alarmRate: 0,
                maximalRate: 0,
            },
            synCookies: {
                activateRate: 0,
                alarmRate: 0,
                maximalRate: 0,
            },
        },
        udp: {
            enable: false,
            red: {
                activateRate: 0,
                alarmRate: 0,
                maximalRate: 0,
            },
        },
    },
    folder: "string",
    fragmentedTrafficDiscard: false,
    icmpFragDiscard: false,
    icmpLargePacketDiscard: false,
    icmpPingZeroIdDiscard: false,
    ipv6: {
        anycastSource: false,
        filterExtHdr: {
            destOptionHdr: false,
            hopByHopHdr: false,
            routingHdr: false,
        },
        icmpv6TooBigSmallMtuDiscard: false,
        ignoreInvPkt: {
            destUnreach: false,
            paramProblem: false,
            pktTooBig: false,
            redirect: false,
            timeExceeded: false,
        },
        ipv4CompatibleAddress: false,
        needlessFragmentHdr: false,
        optionsInvalidIpv6Discard: false,
        reservedFieldSetDiscard: false,
        routingHeader0: false,
        routingHeader1: false,
        routingHeader253: false,
        routingHeader254: false,
        routingHeader255: false,
        routingHeader3: false,
        routingHeader4252: false,
    },
    l2SecGroupTagProtection: {
        tags: [{
            name: "string",
            tag: "string",
            enable: false,
        }],
    },
    looseSourceRoutingDiscard: false,
    malformedOptionDiscard: false,
    mismatchedOverlappingTcpSegmentDiscard: false,
    mptcpOptionStrip: "string",
    name: "string",
    nonIpProtocol: {
        listType: "string",
        protocols: [{
            etherType: "string",
            name: "string",
            enable: false,
        }],
    },
    recordRouteDiscard: false,
    rejectNonSynTcp: "string",
    scanWhiteLists: [{
        name: "string",
        ipv4: "string",
        ipv6: "string",
    }],
    scans: [{
        name: "string",
        action: {
            alert: {},
            allow: {},
            block: {},
            blockIp: {
                duration: 0,
                trackBy: "string",
            },
        },
        interval: 0,
        threshold: 0,
    }],
    securityDiscard: false,
    snippet: "string",
    spoofedIpDiscard: false,
    streamIdDiscard: false,
    strictIpCheck: false,
    strictSourceRoutingDiscard: false,
    suppressIcmpNeedfrag: false,
    suppressIcmpTimeexceeded: false,
    tcpFastOpenAndDataStrip: false,
    tcpHandshakeDiscard: false,
    tcpSynWithDataDiscard: false,
    tcpSynackWithDataDiscard: false,
    tcpTimestampStrip: false,
    timestampDiscard: false,
    unknownOptionDiscard: false,
});

    type: scm:ZoneProtectionProfile
properties:
    asymmetricPath: string
    description: string
    device: string
    discardIcmpEmbeddedError: false
    flood:
        icmp:
            enable: false
            red:
                activateRate: 0
                alarmRate: 0
                maximalRate: 0
        icmpv6:
            enable: false
            red:
                activateRate: 0
                alarmRate: 0
                maximalRate: 0
        otherIp:
            enable: false
            red:
                activateRate: 0
                alarmRate: 0
                maximalRate: 0
        sctpInit:
            enable: false
            red:
                activateRate: 0
                alarmRate: 0
                maximalRate: 0
        tcpSyn:
            enable: false
            red:
                activateRate: 0
                alarmRate: 0
                maximalRate: 0
            synCookies:
                activateRate: 0
                alarmRate: 0
                maximalRate: 0
        udp:
            enable: false
            red:
                activateRate: 0
                alarmRate: 0
                maximalRate: 0
    folder: string
    fragmentedTrafficDiscard: false
    icmpFragDiscard: false
    icmpLargePacketDiscard: false
    icmpPingZeroIdDiscard: false
    ipv6:
        anycastSource: false
        filterExtHdr:
            destOptionHdr: false
            hopByHopHdr: false
            routingHdr: false
        icmpv6TooBigSmallMtuDiscard: false
        ignoreInvPkt:
            destUnreach: false
            paramProblem: false
            pktTooBig: false
            redirect: false
            timeExceeded: false
        ipv4CompatibleAddress: false
        needlessFragmentHdr: false
        optionsInvalidIpv6Discard: false
        reservedFieldSetDiscard: false
        routingHeader0: false
        routingHeader1: false
        routingHeader3: false
        routingHeader253: false
        routingHeader254: false
        routingHeader255: false
        routingHeader4252: false
    l2SecGroupTagProtection:
        tags:
            - enable: false
              name: string
              tag: string
    looseSourceRoutingDiscard: false
    malformedOptionDiscard: false
    mismatchedOverlappingTcpSegmentDiscard: false
    mptcpOptionStrip: string
    name: string
    nonIpProtocol:
        listType: string
        protocols:
            - enable: false
              etherType: string
              name: string
    recordRouteDiscard: false
    rejectNonSynTcp: string
    scanWhiteLists:
        - ipv4: string
          ipv6: string
          name: string
    scans:
        - action:
            alert: {}
            allow: {}
            block: {}
            blockIp:
                duration: 0
                trackBy: string
          interval: 0
          name: string
          threshold: 0
    securityDiscard: false
    snippet: string
    spoofedIpDiscard: false
    streamIdDiscard: false
    strictIpCheck: false
    strictSourceRoutingDiscard: false
    suppressIcmpNeedfrag: false
    suppressIcmpTimeexceeded: false
    tcpFastOpenAndDataStrip: false
    tcpHandshakeDiscard: false
    tcpSynWithDataDiscard: false
    tcpSynackWithDataDiscard: false
    tcpTimestampStrip: false
    timestampDiscard: false
    unknownOptionDiscard: false

    ZoneProtectionProfile Resource Properties

    To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.

    Inputs

    In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.

    The ZoneProtectionProfile resource accepts the following input properties:

    AsymmetricPath string
    Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

    • global — Use system-wide setting that is assigned through TCP Settings or the CLI.
    • drop — Drop packets that contain an asymmetric path.
    • bypass — Bypass scanning on packets that contain an asymmetric path.
    Description string
    The description of the profile
    Device string
    The device in which the resource is defined
    DiscardIcmpEmbeddedError bool
    Discard ICMP packets that are embedded with an error message.
    Flood ZoneProtectionProfileFlood
    Flood
    Folder string
    The folder in which the resource is defined
    FragmentedTrafficDiscard bool
    Discard fragmented IP packets.
    IcmpFragDiscard bool
    Discard packets that consist of ICMP fragments.
    IcmpLargePacketDiscard bool
    Discard ICMP packets that are larger than 1024 bytes.
    IcmpPingZeroIdDiscard bool
    Discard packets if the ICMP ping packet has an identifier value of 0.
    Ipv6 ZoneProtectionProfileIpv6
    Ipv6
    L2SecGroupTagProtection ZoneProtectionProfileL2SecGroupTagProtection
    L2 sec group tag protection
    LooseSourceRoutingDiscard bool
    Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
    MalformedOptionDiscard bool
    Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
    MismatchedOverlappingTcpSegmentDiscard bool
    Drop packets with mismatched overlapping TCP segments.
    MptcpOptionStrip string
    MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:

    • no — Enable MPTCP support (do not strip the MPTCP option).
    • yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
    • global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).
    Name string
    The profile name
    NonIpProtocol ZoneProtectionProfileNonIpProtocol
    Non ip protocol
    RecordRouteDiscard bool
    Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
    RejectNonSynTcp string
    Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

    • global — Use system-wide setting that is assigned through the CLI.
    • yes — Reject non-SYN TCP.
    • no — Accept non-SYN TCP.
    ScanWhiteLists List<ZoneProtectionProfileScanWhiteList>
    Scan white list
    Scans List<ZoneProtectionProfileScan>
    Scan
    SecurityDiscard bool
    Discard packets if the security option is defined.
    Snippet string
    The snippet in which the resource is defined
    SpoofedIpDiscard bool
    Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
    StreamIdDiscard bool
    Discard packets if the Stream ID option is defined.
    StrictIpCheck bool
    Check that both conditions are true:

    • The source IP address is not the subnet broadcast IP address of the ingress interface.
    • The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.
    StrictSourceRoutingDiscard bool
    Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
    SuppressIcmpNeedfrag bool
    Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
    SuppressIcmpTimeexceeded bool
    Stop sending ICMP TTL expired messages.
    TcpFastOpenAndDataStrip bool
    Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
    TcpHandshakeDiscard bool
    Drop packets with split handshakes.
    TcpSynWithDataDiscard bool
    Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.
    TcpSynackWithDataDiscard bool
    Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.
    TcpTimestampStrip bool
    Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
    TimestampDiscard bool
    Discard packets with the Timestamp IP option set.
    UnknownOptionDiscard bool
    Discard packets if the class and number are unknown.
    AsymmetricPath string
    Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

    • global — Use system-wide setting that is assigned through TCP Settings or the CLI.
    • drop — Drop packets that contain an asymmetric path.
    • bypass — Bypass scanning on packets that contain an asymmetric path.
    Description string
    The description of the profile
    Device string
    The device in which the resource is defined
    DiscardIcmpEmbeddedError bool
    Discard ICMP packets that are embedded with an error message.
    Flood ZoneProtectionProfileFloodArgs
    Flood
    Folder string
    The folder in which the resource is defined
    FragmentedTrafficDiscard bool
    Discard fragmented IP packets.
    IcmpFragDiscard bool
    Discard packets that consist of ICMP fragments.
    IcmpLargePacketDiscard bool
    Discard ICMP packets that are larger than 1024 bytes.
    IcmpPingZeroIdDiscard bool
    Discard packets if the ICMP ping packet has an identifier value of 0.
    Ipv6 ZoneProtectionProfileIpv6Args
    Ipv6
    L2SecGroupTagProtection ZoneProtectionProfileL2SecGroupTagProtectionArgs
    L2 sec group tag protection
    LooseSourceRoutingDiscard bool
    Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
    MalformedOptionDiscard bool
    Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
    MismatchedOverlappingTcpSegmentDiscard bool
    Drop packets with mismatched overlapping TCP segments.
    MptcpOptionStrip string
    MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:

    • no — Enable MPTCP support (do not strip the MPTCP option).
    • yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
    • global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).
    Name string
    The profile name
    NonIpProtocol ZoneProtectionProfileNonIpProtocolArgs
    Non ip protocol
    RecordRouteDiscard bool
    Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
    RejectNonSynTcp string
    Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

    • global — Use system-wide setting that is assigned through the CLI.
    • yes — Reject non-SYN TCP.
    • no — Accept non-SYN TCP.
    ScanWhiteLists []ZoneProtectionProfileScanWhiteListArgs
    Scan white list
    Scans []ZoneProtectionProfileScanArgs
    Scan
    SecurityDiscard bool
    Discard packets if the security option is defined.
    Snippet string
    The snippet in which the resource is defined
    SpoofedIpDiscard bool
    Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
    StreamIdDiscard bool
    Discard packets if the Stream ID option is defined.
    StrictIpCheck bool
    Check that both conditions are true:

    • The source IP address is not the subnet broadcast IP address of the ingress interface.
    • The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.
    StrictSourceRoutingDiscard bool
    Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
    SuppressIcmpNeedfrag bool
    Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
    SuppressIcmpTimeexceeded bool
    Stop sending ICMP TTL expired messages.
    TcpFastOpenAndDataStrip bool
    Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
    TcpHandshakeDiscard bool
    Drop packets with split handshakes.
    TcpSynWithDataDiscard bool
    Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.
    TcpSynackWithDataDiscard bool
    Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.
    TcpTimestampStrip bool
    Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
    TimestampDiscard bool
    Discard packets with the Timestamp IP option set.
    UnknownOptionDiscard bool
    Discard packets if the class and number are unknown.
    asymmetricPath String
    Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

    • global — Use system-wide setting that is assigned through TCP Settings or the CLI.
    • drop — Drop packets that contain an asymmetric path.
    • bypass — Bypass scanning on packets that contain an asymmetric path.
    description String
    The description of the profile
    device String
    The device in which the resource is defined
    discardIcmpEmbeddedError Boolean
    Discard ICMP packets that are embedded with an error message.
    flood ZoneProtectionProfileFlood
    Flood
    folder String
    The folder in which the resource is defined
    fragmentedTrafficDiscard Boolean
    Discard fragmented IP packets.
    icmpFragDiscard Boolean
    Discard packets that consist of ICMP fragments.
    icmpLargePacketDiscard Boolean
    Discard ICMP packets that are larger than 1024 bytes.
    icmpPingZeroIdDiscard Boolean
    Discard packets if the ICMP ping packet has an identifier value of 0.
    ipv6 ZoneProtectionProfileIpv6
    Ipv6
    l2SecGroupTagProtection ZoneProtectionProfileL2SecGroupTagProtection
    L2 sec group tag protection
    looseSourceRoutingDiscard Boolean
    Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
    malformedOptionDiscard Boolean
    Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
    mismatchedOverlappingTcpSegmentDiscard Boolean
    Drop packets with mismatched overlapping TCP segments.
    mptcpOptionStrip String
    MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:

    • no — Enable MPTCP support (do not strip the MPTCP option).
    • yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
    • global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).
    name String
    The profile name
    nonIpProtocol ZoneProtectionProfileNonIpProtocol
    Non ip protocol
    recordRouteDiscard Boolean
    Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
    rejectNonSynTcp String
    Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

    • global — Use system-wide setting that is assigned through the CLI.
    • yes — Reject non-SYN TCP.
    • no — Accept non-SYN TCP.
    scanWhiteLists List<ZoneProtectionProfileScanWhiteList>
    Scan white list
    scans List<ZoneProtectionProfileScan>
    Scan
    securityDiscard Boolean
    Discard packets if the security option is defined.
    snippet String
    The snippet in which the resource is defined
    spoofedIpDiscard Boolean
    Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
    streamIdDiscard Boolean
    Discard packets if the Stream ID option is defined.
    strictIpCheck Boolean
    Check that both conditions are true:

    • The source IP address is not the subnet broadcast IP address of the ingress interface.
    • The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.
    strictSourceRoutingDiscard Boolean
    Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
    suppressIcmpNeedfrag Boolean
    Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
    suppressIcmpTimeexceeded Boolean
    Stop sending ICMP TTL expired messages.
    tcpFastOpenAndDataStrip Boolean
    Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
    tcpHandshakeDiscard Boolean
    Drop packets with split handshakes.
    tcpSynWithDataDiscard Boolean
    Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.
    tcpSynackWithDataDiscard Boolean
    Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.
    tcpTimestampStrip Boolean
    Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
    timestampDiscard Boolean
    Discard packets with the Timestamp IP option set.
    unknownOptionDiscard Boolean
    Discard packets if the class and number are unknown.
    asymmetricPath string
    Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

    • global — Use system-wide setting that is assigned through TCP Settings or the CLI.
    • drop — Drop packets that contain an asymmetric path.
    • bypass — Bypass scanning on packets that contain an asymmetric path.
    description string
    The description of the profile
    device string
    The device in which the resource is defined
    discardIcmpEmbeddedError boolean
    Discard ICMP packets that are embedded with an error message.
    flood ZoneProtectionProfileFlood
    Flood
    folder string
    The folder in which the resource is defined
    fragmentedTrafficDiscard boolean
    Discard fragmented IP packets.
    icmpFragDiscard boolean
    Discard packets that consist of ICMP fragments.
    icmpLargePacketDiscard boolean
    Discard ICMP packets that are larger than 1024 bytes.
    icmpPingZeroIdDiscard boolean
    Discard packets if the ICMP ping packet has an identifier value of 0.
    ipv6 ZoneProtectionProfileIpv6
    Ipv6
    l2SecGroupTagProtection ZoneProtectionProfileL2SecGroupTagProtection
    L2 sec group tag protection
    looseSourceRoutingDiscard boolean
    Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
    malformedOptionDiscard boolean
    Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
    mismatchedOverlappingTcpSegmentDiscard boolean
    Drop packets with mismatched overlapping TCP segments.
    mptcpOptionStrip string
    MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:

    • no — Enable MPTCP support (do not strip the MPTCP option).
    • yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
    • global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).
    name string
    The profile name
    nonIpProtocol ZoneProtectionProfileNonIpProtocol
    Non ip protocol
    recordRouteDiscard boolean
    Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
    rejectNonSynTcp string
    Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

    • global — Use system-wide setting that is assigned through the CLI.
    • yes — Reject non-SYN TCP.
    • no — Accept non-SYN TCP.
    scanWhiteLists ZoneProtectionProfileScanWhiteList[]
    Scan white list
    scans ZoneProtectionProfileScan[]
    Scan
    securityDiscard boolean
    Discard packets if the security option is defined.
    snippet string
    The snippet in which the resource is defined
    spoofedIpDiscard boolean
    Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
    streamIdDiscard boolean
    Discard packets if the Stream ID option is defined.
    strictIpCheck boolean
    Check that both conditions are true:

    • The source IP address is not the subnet broadcast IP address of the ingress interface.
    • The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.
    strictSourceRoutingDiscard boolean
    Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
    suppressIcmpNeedfrag boolean
    Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
    suppressIcmpTimeexceeded boolean
    Stop sending ICMP TTL expired messages.
    tcpFastOpenAndDataStrip boolean
    Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
    tcpHandshakeDiscard boolean
    Drop packets with split handshakes.
    tcpSynWithDataDiscard boolean
    Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.
    tcpSynackWithDataDiscard boolean
    Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.
    tcpTimestampStrip boolean
    Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
    timestampDiscard boolean
    Discard packets with the Timestamp IP option set.
    unknownOptionDiscard boolean
    Discard packets if the class and number are unknown.
    asymmetric_path str
    Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

    • global — Use system-wide setting that is assigned through TCP Settings or the CLI.
    • drop — Drop packets that contain an asymmetric path.
    • bypass — Bypass scanning on packets that contain an asymmetric path.
    description str
    The description of the profile
    device str
    The device in which the resource is defined
    discard_icmp_embedded_error bool
    Discard ICMP packets that are embedded with an error message.
    flood ZoneProtectionProfileFloodArgs
    Flood
    folder str
    The folder in which the resource is defined
    fragmented_traffic_discard bool
    Discard fragmented IP packets.
    icmp_frag_discard bool
    Discard packets that consist of ICMP fragments.
    icmp_large_packet_discard bool
    Discard ICMP packets that are larger than 1024 bytes.
    icmp_ping_zero_id_discard bool
    Discard packets if the ICMP ping packet has an identifier value of 0.
    ipv6 ZoneProtectionProfileIpv6Args
    Ipv6
    l2_sec_group_tag_protection ZoneProtectionProfileL2SecGroupTagProtectionArgs
    L2 sec group tag protection
    loose_source_routing_discard bool
    Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
    malformed_option_discard bool
    Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
    mismatched_overlapping_tcp_segment_discard bool
    Drop packets with mismatched overlapping TCP segments.
    mptcp_option_strip str
    MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:

    • no — Enable MPTCP support (do not strip the MPTCP option).
    • yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
    • global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).
    name str
    The profile name
    non_ip_protocol ZoneProtectionProfileNonIpProtocolArgs
    Non ip protocol
    record_route_discard bool
    Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
    reject_non_syn_tcp str
    Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

    • global — Use system-wide setting that is assigned through the CLI.
    • yes — Reject non-SYN TCP.
    • no — Accept non-SYN TCP.
    scan_white_lists Sequence[ZoneProtectionProfileScanWhiteListArgs]
    Scan white list
    scans Sequence[ZoneProtectionProfileScanArgs]
    Scan
    security_discard bool
    Discard packets if the security option is defined.
    snippet str
    The snippet in which the resource is defined
    spoofed_ip_discard bool
    Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
    stream_id_discard bool
    Discard packets if the Stream ID option is defined.
    strict_ip_check bool
    Check that both conditions are true:

    • The source IP address is not the subnet broadcast IP address of the ingress interface.
    • The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.
    strict_source_routing_discard bool
    Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
    suppress_icmp_needfrag bool
    Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
    suppress_icmp_timeexceeded bool
    Stop sending ICMP TTL expired messages.
    tcp_fast_open_and_data_strip bool
    Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
    tcp_handshake_discard bool
    Drop packets with split handshakes.
    tcp_syn_with_data_discard bool
    Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.
    tcp_synack_with_data_discard bool
    Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.
    tcp_timestamp_strip bool
    Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
    timestamp_discard bool
    Discard packets with the Timestamp IP option set.
    unknown_option_discard bool
    Discard packets if the class and number are unknown.
    asymmetricPath String
    Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

    • global — Use system-wide setting that is assigned through TCP Settings or the CLI.
    • drop — Drop packets that contain an asymmetric path.
    • bypass — Bypass scanning on packets that contain an asymmetric path.
    description String
    The description of the profile
    device String
    The device in which the resource is defined
    discardIcmpEmbeddedError Boolean
    Discard ICMP packets that are embedded with an error message.
    flood Property Map
    Flood
    folder String
    The folder in which the resource is defined
    fragmentedTrafficDiscard Boolean
    Discard fragmented IP packets.
    icmpFragDiscard Boolean
    Discard packets that consist of ICMP fragments.
    icmpLargePacketDiscard Boolean
    Discard ICMP packets that are larger than 1024 bytes.
    icmpPingZeroIdDiscard Boolean
    Discard packets if the ICMP ping packet has an identifier value of 0.
    ipv6 Property Map
    Ipv6
    l2SecGroupTagProtection Property Map
    L2 sec group tag protection
    looseSourceRoutingDiscard Boolean
    Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
    malformedOptionDiscard Boolean
    Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
    mismatchedOverlappingTcpSegmentDiscard Boolean
    Drop packets with mismatched overlapping TCP segments.
    mptcpOptionStrip String
    MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:

    • no — Enable MPTCP support (do not strip the MPTCP option).
    • yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
    • global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).
    name String
    The profile name
    nonIpProtocol Property Map
    Non ip protocol
    recordRouteDiscard Boolean
    Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
    rejectNonSynTcp String
    Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

    • global — Use system-wide setting that is assigned through the CLI.
    • yes — Reject non-SYN TCP.
    • no — Accept non-SYN TCP.
    scanWhiteLists List<Property Map>
    Scan white list
    scans List<Property Map>
    Scan
    securityDiscard Boolean
    Discard packets if the security option is defined.
    snippet String
    The snippet in which the resource is defined
    spoofedIpDiscard Boolean
    Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
    streamIdDiscard Boolean
    Discard packets if the Stream ID option is defined.
    strictIpCheck Boolean
    Check that both conditions are true:

    • The source IP address is not the subnet broadcast IP address of the ingress interface.
    • The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.
    strictSourceRoutingDiscard Boolean
    Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
    suppressIcmpNeedfrag Boolean
    Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
    suppressIcmpTimeexceeded Boolean
    Stop sending ICMP TTL expired messages.
    tcpFastOpenAndDataStrip Boolean
    Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
    tcpHandshakeDiscard Boolean
    Drop packets with split handshakes.
    tcpSynWithDataDiscard Boolean
    Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.
    tcpSynackWithDataDiscard Boolean
    Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.
    tcpTimestampStrip Boolean
    Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
    timestampDiscard Boolean
    Discard packets with the Timestamp IP option set.
    unknownOptionDiscard Boolean
    Discard packets if the class and number are unknown.

    Outputs

    All input properties are implicitly available as output properties. Additionally, the ZoneProtectionProfile resource produces the following output properties:

    Id string
    The provider-assigned unique ID for this managed resource.
    Tfid string
    Id string
    The provider-assigned unique ID for this managed resource.
    Tfid string
    id String
    The provider-assigned unique ID for this managed resource.
    tfid String
    id string
    The provider-assigned unique ID for this managed resource.
    tfid string
    id str
    The provider-assigned unique ID for this managed resource.
    tfid str
    id String
    The provider-assigned unique ID for this managed resource.
    tfid String

    Look up Existing ZoneProtectionProfile Resource

    Get an existing ZoneProtectionProfile resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.

    public static get(name: string, id: Input<ID>, state?: ZoneProtectionProfileState, opts?: CustomResourceOptions): ZoneProtectionProfile
    @staticmethod
def get(resource_name: str,
        id: str,
        opts: Optional[ResourceOptions] = None,
        asymmetric_path: Optional[str] = None,
        description: Optional[str] = None,
        device: Optional[str] = None,
        discard_icmp_embedded_error: Optional[bool] = None,
        flood: Optional[ZoneProtectionProfileFloodArgs] = None,
        folder: Optional[str] = None,
        fragmented_traffic_discard: Optional[bool] = None,
        icmp_frag_discard: Optional[bool] = None,
        icmp_large_packet_discard: Optional[bool] = None,
        icmp_ping_zero_id_discard: Optional[bool] = None,
        ipv6: Optional[ZoneProtectionProfileIpv6Args] = None,
        l2_sec_group_tag_protection: Optional[ZoneProtectionProfileL2SecGroupTagProtectionArgs] = None,
        loose_source_routing_discard: Optional[bool] = None,
        malformed_option_discard: Optional[bool] = None,
        mismatched_overlapping_tcp_segment_discard: Optional[bool] = None,
        mptcp_option_strip: Optional[str] = None,
        name: Optional[str] = None,
        non_ip_protocol: Optional[ZoneProtectionProfileNonIpProtocolArgs] = None,
        record_route_discard: Optional[bool] = None,
        reject_non_syn_tcp: Optional[str] = None,
        scan_white_lists: Optional[Sequence[ZoneProtectionProfileScanWhiteListArgs]] = None,
        scans: Optional[Sequence[ZoneProtectionProfileScanArgs]] = None,
        security_discard: Optional[bool] = None,
        snippet: Optional[str] = None,
        spoofed_ip_discard: Optional[bool] = None,
        stream_id_discard: Optional[bool] = None,
        strict_ip_check: Optional[bool] = None,
        strict_source_routing_discard: Optional[bool] = None,
        suppress_icmp_needfrag: Optional[bool] = None,
        suppress_icmp_timeexceeded: Optional[bool] = None,
        tcp_fast_open_and_data_strip: Optional[bool] = None,
        tcp_handshake_discard: Optional[bool] = None,
        tcp_syn_with_data_discard: Optional[bool] = None,
        tcp_synack_with_data_discard: Optional[bool] = None,
        tcp_timestamp_strip: Optional[bool] = None,
        tfid: Optional[str] = None,
        timestamp_discard: Optional[bool] = None,
        unknown_option_discard: Optional[bool] = None) -> ZoneProtectionProfile
    func GetZoneProtectionProfile(ctx *Context, name string, id IDInput, state *ZoneProtectionProfileState, opts ...ResourceOption) (*ZoneProtectionProfile, error)
    public static ZoneProtectionProfile Get(string name, Input<string> id, ZoneProtectionProfileState? state, CustomResourceOptions? opts = null)
    public static ZoneProtectionProfile get(String name, Output<String> id, ZoneProtectionProfileState state, CustomResourceOptions options)
    resources:  _:    type: scm:ZoneProtectionProfile    get:      id: ${id}
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    resource_name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    name
    The unique name of the resulting resource.
    id
    The unique provider ID of the resource to lookup.
    state
    Any extra arguments used during the lookup.
    opts
    A bag of options that control this resource's behavior.
    The following state arguments are supported:
    AsymmetricPath string
    Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

    • global — Use system-wide setting that is assigned through TCP Settings or the CLI.
    • drop — Drop packets that contain an asymmetric path.
    • bypass — Bypass scanning on packets that contain an asymmetric path.
    Description string
    The description of the profile
    Device string
    The device in which the resource is defined
    DiscardIcmpEmbeddedError bool
    Discard ICMP packets that are embedded with an error message.
    Flood ZoneProtectionProfileFlood
    Flood
    Folder string
    The folder in which the resource is defined
    FragmentedTrafficDiscard bool
    Discard fragmented IP packets.
    IcmpFragDiscard bool
    Discard packets that consist of ICMP fragments.
    IcmpLargePacketDiscard bool
    Discard ICMP packets that are larger than 1024 bytes.
    IcmpPingZeroIdDiscard bool
    Discard packets if the ICMP ping packet has an identifier value of 0.
    Ipv6 ZoneProtectionProfileIpv6
    Ipv6
    L2SecGroupTagProtection ZoneProtectionProfileL2SecGroupTagProtection
    L2 sec group tag protection
    LooseSourceRoutingDiscard bool
    Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
    MalformedOptionDiscard bool
    Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
    MismatchedOverlappingTcpSegmentDiscard bool
    Drop packets with mismatched overlapping TCP segments.
    MptcpOptionStrip string
    MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:

    • no — Enable MPTCP support (do not strip the MPTCP option).
    • yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
    • global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).
    Name string
    The profile name
    NonIpProtocol ZoneProtectionProfileNonIpProtocol
    Non ip protocol
    RecordRouteDiscard bool
    Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
    RejectNonSynTcp string
    Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

    • global — Use system-wide setting that is assigned through the CLI.
    • yes — Reject non-SYN TCP.
    • no — Accept non-SYN TCP.
    ScanWhiteLists List<ZoneProtectionProfileScanWhiteList>
    Scan white list
    Scans List<ZoneProtectionProfileScan>
    Scan
    SecurityDiscard bool
    Discard packets if the security option is defined.
    Snippet string
    The snippet in which the resource is defined
    SpoofedIpDiscard bool
    Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
    StreamIdDiscard bool
    Discard packets if the Stream ID option is defined.
    StrictIpCheck bool
    Check that both conditions are true:

    • The source IP address is not the subnet broadcast IP address of the ingress interface.
    • The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.
    StrictSourceRoutingDiscard bool
    Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
    SuppressIcmpNeedfrag bool
    Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
    SuppressIcmpTimeexceeded bool
    Stop sending ICMP TTL expired messages.
    TcpFastOpenAndDataStrip bool
    Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
    TcpHandshakeDiscard bool
    Drop packets with split handshakes.
    TcpSynWithDataDiscard bool
    Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.
    TcpSynackWithDataDiscard bool
    Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.
    TcpTimestampStrip bool
    Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
    Tfid string
    TimestampDiscard bool
    Discard packets with the Timestamp IP option set.
    UnknownOptionDiscard bool
    Discard packets if the class and number are unknown.
    AsymmetricPath string
    Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

    • global — Use system-wide setting that is assigned through TCP Settings or the CLI.
    • drop — Drop packets that contain an asymmetric path.
    • bypass — Bypass scanning on packets that contain an asymmetric path.
    Description string
    The description of the profile
    Device string
    The device in which the resource is defined
    DiscardIcmpEmbeddedError bool
    Discard ICMP packets that are embedded with an error message.
    Flood ZoneProtectionProfileFloodArgs
    Flood
    Folder string
    The folder in which the resource is defined
    FragmentedTrafficDiscard bool
    Discard fragmented IP packets.
    IcmpFragDiscard bool
    Discard packets that consist of ICMP fragments.
    IcmpLargePacketDiscard bool
    Discard ICMP packets that are larger than 1024 bytes.
    IcmpPingZeroIdDiscard bool
    Discard packets if the ICMP ping packet has an identifier value of 0.
    Ipv6 ZoneProtectionProfileIpv6Args
    Ipv6
    L2SecGroupTagProtection ZoneProtectionProfileL2SecGroupTagProtectionArgs
    L2 sec group tag protection
    LooseSourceRoutingDiscard bool
    Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
    MalformedOptionDiscard bool
    Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
    MismatchedOverlappingTcpSegmentDiscard bool
    Drop packets with mismatched overlapping TCP segments.
    MptcpOptionStrip string
    MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:

    • no — Enable MPTCP support (do not strip the MPTCP option).
    • yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
    • global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).
    Name string
    The profile name
    NonIpProtocol ZoneProtectionProfileNonIpProtocolArgs
    Non ip protocol
    RecordRouteDiscard bool
    Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
    RejectNonSynTcp string
    Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

    • global — Use system-wide setting that is assigned through the CLI.
    • yes — Reject non-SYN TCP.
    • no — Accept non-SYN TCP.
    ScanWhiteLists []ZoneProtectionProfileScanWhiteListArgs
    Scan white list
    Scans []ZoneProtectionProfileScanArgs
    Scan
    SecurityDiscard bool
    Discard packets if the security option is defined.
    Snippet string
    The snippet in which the resource is defined
    SpoofedIpDiscard bool
    Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
    StreamIdDiscard bool
    Discard packets if the Stream ID option is defined.
    StrictIpCheck bool
    Check that both conditions are true:

    • The source IP address is not the subnet broadcast IP address of the ingress interface.
    • The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.
    StrictSourceRoutingDiscard bool
    Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
    SuppressIcmpNeedfrag bool
    Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
    SuppressIcmpTimeexceeded bool
    Stop sending ICMP TTL expired messages.
    TcpFastOpenAndDataStrip bool
    Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
    TcpHandshakeDiscard bool
    Drop packets with split handshakes.
    TcpSynWithDataDiscard bool
    Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.
    TcpSynackWithDataDiscard bool
    Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.
    TcpTimestampStrip bool
    Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
    Tfid string
    TimestampDiscard bool
    Discard packets with the Timestamp IP option set.
    UnknownOptionDiscard bool
    Discard packets if the class and number are unknown.
    asymmetricPath String
    Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

    • global — Use system-wide setting that is assigned through TCP Settings or the CLI.
    • drop — Drop packets that contain an asymmetric path.
    • bypass — Bypass scanning on packets that contain an asymmetric path.
    description String
    The description of the profile
    device String
    The device in which the resource is defined
    discardIcmpEmbeddedError Boolean
    Discard ICMP packets that are embedded with an error message.
    flood ZoneProtectionProfileFlood
    Flood
    folder String
    The folder in which the resource is defined
    fragmentedTrafficDiscard Boolean
    Discard fragmented IP packets.
    icmpFragDiscard Boolean
    Discard packets that consist of ICMP fragments.
    icmpLargePacketDiscard Boolean
    Discard ICMP packets that are larger than 1024 bytes.
    icmpPingZeroIdDiscard Boolean
    Discard packets if the ICMP ping packet has an identifier value of 0.
    ipv6 ZoneProtectionProfileIpv6
    Ipv6
    l2SecGroupTagProtection ZoneProtectionProfileL2SecGroupTagProtection
    L2 sec group tag protection
    looseSourceRoutingDiscard Boolean
    Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
    malformedOptionDiscard Boolean
    Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
    mismatchedOverlappingTcpSegmentDiscard Boolean
    Drop packets with mismatched overlapping TCP segments.
    mptcpOptionStrip String
    MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:

    • no — Enable MPTCP support (do not strip the MPTCP option).
    • yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
    • global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).
    name String
    The profile name
    nonIpProtocol ZoneProtectionProfileNonIpProtocol
    Non ip protocol
    recordRouteDiscard Boolean
    Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
    rejectNonSynTcp String
    Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

    • global — Use system-wide setting that is assigned through the CLI.
    • yes — Reject non-SYN TCP.
    • no — Accept non-SYN TCP.
    scanWhiteLists List<ZoneProtectionProfileScanWhiteList>
    Scan white list
    scans List<ZoneProtectionProfileScan>
    Scan
    securityDiscard Boolean
    Discard packets if the security option is defined.
    snippet String
    The snippet in which the resource is defined
    spoofedIpDiscard Boolean
    Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
    streamIdDiscard Boolean
    Discard packets if the Stream ID option is defined.
    strictIpCheck Boolean
    Check that both conditions are true:

    • The source IP address is not the subnet broadcast IP address of the ingress interface.
    • The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.
    strictSourceRoutingDiscard Boolean
    Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
    suppressIcmpNeedfrag Boolean
    Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
    suppressIcmpTimeexceeded Boolean
    Stop sending ICMP TTL expired messages.
    tcpFastOpenAndDataStrip Boolean
    Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
    tcpHandshakeDiscard Boolean
    Drop packets with split handshakes.
    tcpSynWithDataDiscard Boolean
    Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.
    tcpSynackWithDataDiscard Boolean
    Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.
    tcpTimestampStrip Boolean
    Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
    tfid String
    timestampDiscard Boolean
    Discard packets with the Timestamp IP option set.
    unknownOptionDiscard Boolean
    Discard packets if the class and number are unknown.
    asymmetricPath string
    Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

    • global — Use system-wide setting that is assigned through TCP Settings or the CLI.
    • drop — Drop packets that contain an asymmetric path.
    • bypass — Bypass scanning on packets that contain an asymmetric path.
    description string
    The description of the profile
    device string
    The device in which the resource is defined
    discardIcmpEmbeddedError boolean
    Discard ICMP packets that are embedded with an error message.
    flood ZoneProtectionProfileFlood
    Flood
    folder string
    The folder in which the resource is defined
    fragmentedTrafficDiscard boolean
    Discard fragmented IP packets.
    icmpFragDiscard boolean
    Discard packets that consist of ICMP fragments.
    icmpLargePacketDiscard boolean
    Discard ICMP packets that are larger than 1024 bytes.
    icmpPingZeroIdDiscard boolean
    Discard packets if the ICMP ping packet has an identifier value of 0.
    ipv6 ZoneProtectionProfileIpv6
    Ipv6
    l2SecGroupTagProtection ZoneProtectionProfileL2SecGroupTagProtection
    L2 sec group tag protection
    looseSourceRoutingDiscard boolean
    Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
    malformedOptionDiscard boolean
    Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
    mismatchedOverlappingTcpSegmentDiscard boolean
    Drop packets with mismatched overlapping TCP segments.
    mptcpOptionStrip string
    MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:

    • no — Enable MPTCP support (do not strip the MPTCP option).
    • yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
    • global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).
    name string
    The profile name
    nonIpProtocol ZoneProtectionProfileNonIpProtocol
    Non ip protocol
    recordRouteDiscard boolean
    Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
    rejectNonSynTcp string
    Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

    • global — Use system-wide setting that is assigned through the CLI.
    • yes — Reject non-SYN TCP.
    • no — Accept non-SYN TCP.
    scanWhiteLists ZoneProtectionProfileScanWhiteList[]
    Scan white list
    scans ZoneProtectionProfileScan[]
    Scan
    securityDiscard boolean
    Discard packets if the security option is defined.
    snippet string
    The snippet in which the resource is defined
    spoofedIpDiscard boolean
    Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
    streamIdDiscard boolean
    Discard packets if the Stream ID option is defined.
    strictIpCheck boolean
    Check that both conditions are true:

    • The source IP address is not the subnet broadcast IP address of the ingress interface.
    • The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.
    strictSourceRoutingDiscard boolean
    Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
    suppressIcmpNeedfrag boolean
    Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
    suppressIcmpTimeexceeded boolean
    Stop sending ICMP TTL expired messages.
    tcpFastOpenAndDataStrip boolean
    Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
    tcpHandshakeDiscard boolean
    Drop packets with split handshakes.
    tcpSynWithDataDiscard boolean
    Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.
    tcpSynackWithDataDiscard boolean
    Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.
    tcpTimestampStrip boolean
    Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
    tfid string
    timestampDiscard boolean
    Discard packets with the Timestamp IP option set.
    unknownOptionDiscard boolean
    Discard packets if the class and number are unknown.
    asymmetric_path str
    Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

    • global — Use system-wide setting that is assigned through TCP Settings or the CLI.
    • drop — Drop packets that contain an asymmetric path.
    • bypass — Bypass scanning on packets that contain an asymmetric path.
    description str
    The description of the profile
    device str
    The device in which the resource is defined
    discard_icmp_embedded_error bool
    Discard ICMP packets that are embedded with an error message.
    flood ZoneProtectionProfileFloodArgs
    Flood
    folder str
    The folder in which the resource is defined
    fragmented_traffic_discard bool
    Discard fragmented IP packets.
    icmp_frag_discard bool
    Discard packets that consist of ICMP fragments.
    icmp_large_packet_discard bool
    Discard ICMP packets that are larger than 1024 bytes.
    icmp_ping_zero_id_discard bool
    Discard packets if the ICMP ping packet has an identifier value of 0.
    ipv6 ZoneProtectionProfileIpv6Args
    Ipv6
    l2_sec_group_tag_protection ZoneProtectionProfileL2SecGroupTagProtectionArgs
    L2 sec group tag protection
    loose_source_routing_discard bool
    Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
    malformed_option_discard bool
    Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
    mismatched_overlapping_tcp_segment_discard bool
    Drop packets with mismatched overlapping TCP segments.
    mptcp_option_strip str
    MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:

    • no — Enable MPTCP support (do not strip the MPTCP option).
    • yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
    • global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).
    name str
    The profile name
    non_ip_protocol ZoneProtectionProfileNonIpProtocolArgs
    Non ip protocol
    record_route_discard bool
    Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
    reject_non_syn_tcp str
    Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

    • global — Use system-wide setting that is assigned through the CLI.
    • yes — Reject non-SYN TCP.
    • no — Accept non-SYN TCP.
    scan_white_lists Sequence[ZoneProtectionProfileScanWhiteListArgs]
    Scan white list
    scans Sequence[ZoneProtectionProfileScanArgs]
    Scan
    security_discard bool
    Discard packets if the security option is defined.
    snippet str
    The snippet in which the resource is defined
    spoofed_ip_discard bool
    Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
    stream_id_discard bool
    Discard packets if the Stream ID option is defined.
    strict_ip_check bool
    Check that both conditions are true:

    • The source IP address is not the subnet broadcast IP address of the ingress interface.
    • The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.
    strict_source_routing_discard bool
    Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
    suppress_icmp_needfrag bool
    Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
    suppress_icmp_timeexceeded bool
    Stop sending ICMP TTL expired messages.
    tcp_fast_open_and_data_strip bool
    Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
    tcp_handshake_discard bool
    Drop packets with split handshakes.
    tcp_syn_with_data_discard bool
    Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.
    tcp_synack_with_data_discard bool
    Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.
    tcp_timestamp_strip bool
    Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
    tfid str
    timestamp_discard bool
    Discard packets with the Timestamp IP option set.
    unknown_option_discard bool
    Discard packets if the class and number are unknown.
    asymmetricPath String
    Determine whether to drop or bypass packets that contain out-of-sync ACKs or out-of-window sequence numbers:

    • global — Use system-wide setting that is assigned through TCP Settings or the CLI.
    • drop — Drop packets that contain an asymmetric path.
    • bypass — Bypass scanning on packets that contain an asymmetric path.
    description String
    The description of the profile
    device String
    The device in which the resource is defined
    discardIcmpEmbeddedError Boolean
    Discard ICMP packets that are embedded with an error message.
    flood Property Map
    Flood
    folder String
    The folder in which the resource is defined
    fragmentedTrafficDiscard Boolean
    Discard fragmented IP packets.
    icmpFragDiscard Boolean
    Discard packets that consist of ICMP fragments.
    icmpLargePacketDiscard Boolean
    Discard ICMP packets that are larger than 1024 bytes.
    icmpPingZeroIdDiscard Boolean
    Discard packets if the ICMP ping packet has an identifier value of 0.
    ipv6 Property Map
    Ipv6
    l2SecGroupTagProtection Property Map
    L2 sec group tag protection
    looseSourceRoutingDiscard Boolean
    Discard packets with the Loose Source Routing IP option set. Loose Source Routing is an option whereby a source of a datagram provides routing information and a gateway or host is allowed to choose any route of a number of intermediate gateways to get the datagram to the next address in the route.
    malformedOptionDiscard Boolean
    Discard packets if they have incorrect combinations of class, number, and length based on RFCs 791, 1108, 1393, and 2113.
    mismatchedOverlappingTcpSegmentDiscard Boolean
    Drop packets with mismatched overlapping TCP segments.
    mptcpOptionStrip String
    MPTCP is an extension of TCP that allows a client to maintain a connection by simultaneously using multiple paths to connect to the destination host. By default, MPTCP support is disabled, based on the global MPTCP setting. Review or adjust the MPTCP settings for the security zones associated with this profile:

    • no — Enable MPTCP support (do not strip the MPTCP option).
    • yes — Disable MPTCP support (strip the MPTCP option). With this configured, MPTCP connections are converted to standard TCP connections, as MPTCP is backwards compatible with TCP.
    • global — Support MPTCP based on the global MPTCP setting. By default, the global MPTCP setting is set to yes so that MPTCP is disabled (the MPTCP option is stripped from the packet).
    name String
    The profile name
    nonIpProtocol Property Map
    Non ip protocol
    recordRouteDiscard Boolean
    Discard packets with the Record Route IP option set. When a datagram has this option, each router that routes the datagram adds its own IP address to the header, thus providing the path to the recipient.
    rejectNonSynTcp String
    Determine whether to reject the packet if the first packet for the TCP session setup is not a SYN packet:

    • global — Use system-wide setting that is assigned through the CLI.
    • yes — Reject non-SYN TCP.
    • no — Accept non-SYN TCP.
    scanWhiteLists List<Property Map>
    Scan white list
    scans List<Property Map>
    Scan
    securityDiscard Boolean
    Discard packets if the security option is defined.
    snippet String
    The snippet in which the resource is defined
    spoofedIpDiscard Boolean
    Check that the source IP address of the ingress packet is routable and the routing interface is in the same zone as the ingress interface. If either condition is not true, discard the packet.
    streamIdDiscard Boolean
    Discard packets if the Stream ID option is defined.
    strictIpCheck Boolean
    Check that both conditions are true:

    • The source IP address is not the subnet broadcast IP address of the ingress interface.
    • The source IP address is routable over the exact ingress interface. If either condition is not true, discard the packet.
    strictSourceRoutingDiscard Boolean
    Discard packets with the Strict Source Routing IP option set. Strict Source Routing is an option whereby a source of a datagram provides routing information through which a gateway or host must send the datagram.
    suppressIcmpNeedfrag Boolean
    Stop sending ICMP fragmentation needed messages in response to packets that exceed the interface MTU and have the do not fragment (DF) bit set. This setting will interfere with the PMTUD process performed by hosts behind the firewall.
    suppressIcmpTimeexceeded Boolean
    Stop sending ICMP TTL expired messages.
    tcpFastOpenAndDataStrip Boolean
    Strip the TCP Fast Open option (and data payload, if any) from the TCP SYN or SYN-ACK packet during a TCP three-way handshake.
    tcpHandshakeDiscard Boolean
    Drop packets with split handshakes.
    tcpSynWithDataDiscard Boolean
    Prevent a TCP session from being established if the TCP SYN packet contains data during a three-way handshake.
    tcpSynackWithDataDiscard Boolean
    Prevent a TCP session from being established if the TCP SYN-ACK packet contains data during a three-way handshake.
    tcpTimestampStrip Boolean
    Determine whether the packet has a TCP timestamp in the header and, if it does, strip the timestamp from the header.
    tfid String
    timestampDiscard Boolean
    Discard packets with the Timestamp IP option set.
    unknownOptionDiscard Boolean
    Discard packets if the class and number are unknown.

    Supporting Types

    ZoneProtectionProfileFlood, ZoneProtectionProfileFloodArgs

    ZoneProtectionProfileFloodIcmp, ZoneProtectionProfileFloodIcmpArgs

    Enable bool
    Enable protection against ICMP floods?
    Red ZoneProtectionProfileFloodIcmpRed
    Red
    Enable bool
    Enable protection against ICMP floods?
    Red ZoneProtectionProfileFloodIcmpRed
    Red
    enable Boolean
    Enable protection against ICMP floods?
    red ZoneProtectionProfileFloodIcmpRed
    Red
    enable boolean
    Enable protection against ICMP floods?
    red ZoneProtectionProfileFloodIcmpRed
    Red
    enable bool
    Enable protection against ICMP floods?
    red ZoneProtectionProfileFloodIcmpRed
    Red
    enable Boolean
    Enable protection against ICMP floods?
    red Property Map
    Red

    ZoneProtectionProfileFloodIcmpRed, ZoneProtectionProfileFloodIcmpRedArgs

    ActivateRate int
    The number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped.
    AlarmRate int
    The number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
    MaximalRate int
    The maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    ActivateRate int
    The number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped.
    AlarmRate int
    The number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
    MaximalRate int
    The maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    activateRate Integer
    The number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped.
    alarmRate Integer
    The number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximalRate Integer
    The maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    activateRate number
    The number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped.
    alarmRate number
    The number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximalRate number
    The maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    activate_rate int
    The number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped.
    alarm_rate int
    The number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximal_rate int
    The maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    activateRate Number
    The number of ICMP packets (not matching an existing session) that the zone receives per second before subsequent ICMP packets are dropped.
    alarmRate Number
    The number of ICMP echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximalRate Number
    The maximum number of ICMP packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

    ZoneProtectionProfileFloodIcmpv6, ZoneProtectionProfileFloodIcmpv6Args

    Enable bool
    Enable protection against ICMPv6 floods?
    Red ZoneProtectionProfileFloodIcmpv6Red
    Red
    Enable bool
    Enable protection against ICMPv6 floods?
    Red ZoneProtectionProfileFloodIcmpv6Red
    Red
    enable Boolean
    Enable protection against ICMPv6 floods?
    red ZoneProtectionProfileFloodIcmpv6Red
    Red
    enable boolean
    Enable protection against ICMPv6 floods?
    red ZoneProtectionProfileFloodIcmpv6Red
    Red
    enable bool
    Enable protection against ICMPv6 floods?
    red ZoneProtectionProfileFloodIcmpv6Red
    Red
    enable Boolean
    Enable protection against ICMPv6 floods?
    red Property Map
    Red

    ZoneProtectionProfileFloodIcmpv6Red, ZoneProtectionProfileFloodIcmpv6RedArgs

    ActivateRate int
    The number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped.
    AlarmRate int
    The number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
    MaximalRate int
    The maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    ActivateRate int
    The number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped.
    AlarmRate int
    The number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
    MaximalRate int
    The maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    activateRate Integer
    The number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped.
    alarmRate Integer
    The number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximalRate Integer
    The maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    activateRate number
    The number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped.
    alarmRate number
    The number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximalRate number
    The maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    activate_rate int
    The number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped.
    alarm_rate int
    The number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximal_rate int
    The maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    activateRate Number
    The number of ICMPv6 packets (not matching an existing session) that the zone receives per second before subsequent ICMPv6 packets are dropped.
    alarmRate Number
    The number of ICMPv6 echo requests (pings not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximalRate Number
    The maximum number of ICMPv6 packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

    ZoneProtectionProfileFloodOtherIp, ZoneProtectionProfileFloodOtherIpArgs

    Enable bool
    Enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods?
    Red ZoneProtectionProfileFloodOtherIpRed
    Red
    Enable bool
    Enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods?
    Red ZoneProtectionProfileFloodOtherIpRed
    Red
    enable Boolean
    Enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods?
    red ZoneProtectionProfileFloodOtherIpRed
    Red
    enable boolean
    Enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods?
    red ZoneProtectionProfileFloodOtherIpRed
    Red
    enable bool
    Enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods?
    red ZoneProtectionProfileFloodOtherIpRed
    Red
    enable Boolean
    Enable protection against other IP (non-TCP, non-ICMP, non-ICMPv6, non-SCTP, and non-UDP) floods?
    red Property Map
    Red

    ZoneProtectionProfileFloodOtherIpRed, ZoneProtectionProfileFloodOtherIpRedArgs

    ActivateRate int
    Activate rate
    AlarmRate int
    Alarm rate
    MaximalRate int
    Maximal rate
    ActivateRate int
    Activate rate
    AlarmRate int
    Alarm rate
    MaximalRate int
    Maximal rate
    activateRate Integer
    Activate rate
    alarmRate Integer
    Alarm rate
    maximalRate Integer
    Maximal rate
    activateRate number
    Activate rate
    alarmRate number
    Alarm rate
    maximalRate number
    Maximal rate
    activate_rate int
    Activate rate
    alarm_rate int
    Alarm rate
    maximal_rate int
    Maximal rate
    activateRate Number
    Activate rate
    alarmRate Number
    Alarm rate
    maximalRate Number
    Maximal rate

    ZoneProtectionProfileFloodSctpInit, ZoneProtectionProfileFloodSctpInitArgs

    Enable bool
    Enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk?
    Red ZoneProtectionProfileFloodSctpInitRed
    Red
    Enable bool
    Enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk?
    Red ZoneProtectionProfileFloodSctpInitRed
    Red
    enable Boolean
    Enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk?
    red ZoneProtectionProfileFloodSctpInitRed
    Red
    enable boolean
    Enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk?
    red ZoneProtectionProfileFloodSctpInitRed
    Red
    enable bool
    Enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk?
    red ZoneProtectionProfileFloodSctpInitRed
    Red
    enable Boolean
    Enable protection against floods of Stream Control Transmission Protocol (SCTP) packets that contain an Initiation (INIT) chunk?
    red Property Map
    Red

    ZoneProtectionProfileFloodSctpInitRed, ZoneProtectionProfileFloodSctpInitRedArgs

    ActivateRate int
    The number of SCTP INIT packets (not matching an existing session) that the zone receives per second before subsequent SCTP INIT packets are dropped.
    AlarmRate int
    The number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
    MaximalRate int
    The maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    ActivateRate int
    The number of SCTP INIT packets (not matching an existing session) that the zone receives per second before subsequent SCTP INIT packets are dropped.
    AlarmRate int
    The number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
    MaximalRate int
    The maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    activateRate Integer
    The number of SCTP INIT packets (not matching an existing session) that the zone receives per second before subsequent SCTP INIT packets are dropped.
    alarmRate Integer
    The number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximalRate Integer
    The maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    activateRate number
    The number of SCTP INIT packets (not matching an existing session) that the zone receives per second before subsequent SCTP INIT packets are dropped.
    alarmRate number
    The number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximalRate number
    The maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    activate_rate int
    The number of SCTP INIT packets (not matching an existing session) that the zone receives per second before subsequent SCTP INIT packets are dropped.
    alarm_rate int
    The number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximal_rate int
    The maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.
    activateRate Number
    The number of SCTP INIT packets (not matching an existing session) that the zone receives per second before subsequent SCTP INIT packets are dropped.
    alarmRate Number
    The number of SCTP INIT packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximalRate Number
    The maximum number of SCTP INIT packets (not matching an existing session) that the zone receives per second before packets exceeding the maximum are dropped.

    ZoneProtectionProfileFloodTcpSyn, ZoneProtectionProfileFloodTcpSynArgs

    enable Boolean
    Enable protection against SYN floods?
    red Property Map
    Red
    synCookies Property Map
    Syn cookies

    ZoneProtectionProfileFloodTcpSynRed, ZoneProtectionProfileFloodTcpSynRedArgs

    ActivateRate int
    When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
    AlarmRate int
    When the flow exceeds the alert_rate` threshold, an alarm is generated.
    MaximalRate int
    When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.
    ActivateRate int
    When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
    AlarmRate int
    When the flow exceeds the alert_rate` threshold, an alarm is generated.
    MaximalRate int
    When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.
    activateRate Integer
    When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
    alarmRate Integer
    When the flow exceeds the alert_rate` threshold, an alarm is generated.
    maximalRate Integer
    When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.
    activateRate number
    When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
    alarmRate number
    When the flow exceeds the alert_rate` threshold, an alarm is generated.
    maximalRate number
    When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.
    activate_rate int
    When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
    alarm_rate int
    When the flow exceeds the alert_rate` threshold, an alarm is generated.
    maximal_rate int
    When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.
    activateRate Number
    When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
    alarmRate Number
    When the flow exceeds the alert_rate` threshold, an alarm is generated.
    maximalRate Number
    When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

    ZoneProtectionProfileFloodTcpSynSynCookies, ZoneProtectionProfileFloodTcpSynSynCookiesArgs

    ActivateRate int
    When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
    AlarmRate int
    When the flow exceeds the alert_rate` threshold, an alarm is generated.
    MaximalRate int
    When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.
    ActivateRate int
    When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
    AlarmRate int
    When the flow exceeds the alert_rate` threshold, an alarm is generated.
    MaximalRate int
    When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.
    activateRate Integer
    When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
    alarmRate Integer
    When the flow exceeds the alert_rate` threshold, an alarm is generated.
    maximalRate Integer
    When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.
    activateRate number
    When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
    alarmRate number
    When the flow exceeds the alert_rate` threshold, an alarm is generated.
    maximalRate number
    When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.
    activate_rate int
    When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
    alarm_rate int
    When the flow exceeds the alert_rate` threshold, an alarm is generated.
    maximal_rate int
    When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.
    activateRate Number
    When the flow exceeds the activate_rate` threshold, the firewall drops individual SYN packets randomly to restrict the flow.
    alarmRate Number
    When the flow exceeds the alert_rate` threshold, an alarm is generated.
    maximalRate Number
    When the flow exceeds the maximal_rate threshold, 100% of incoming SYN packets are dropped.

    ZoneProtectionProfileFloodUdp, ZoneProtectionProfileFloodUdpArgs

    Enable bool
    Enable protection against UDP floods?
    Red ZoneProtectionProfileFloodUdpRed
    Red
    Enable bool
    Enable protection against UDP floods?
    Red ZoneProtectionProfileFloodUdpRed
    Red
    enable Boolean
    Enable protection against UDP floods?
    red ZoneProtectionProfileFloodUdpRed
    Red
    enable boolean
    Enable protection against UDP floods?
    red ZoneProtectionProfileFloodUdpRed
    Red
    enable bool
    Enable protection against UDP floods?
    red ZoneProtectionProfileFloodUdpRed
    Red
    enable Boolean
    Enable protection against UDP floods?
    red Property Map
    Red

    ZoneProtectionProfileFloodUdpRed, ZoneProtectionProfileFloodUdpRedArgs

    ActivateRate int
    The number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets.
    AlarmRate int
    The number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
    MaximalRate int
    The maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.
    ActivateRate int
    The number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets.
    AlarmRate int
    The number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
    MaximalRate int
    The maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.
    activateRate Integer
    The number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets.
    alarmRate Integer
    The number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximalRate Integer
    The maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.
    activateRate number
    The number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets.
    alarmRate number
    The number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximalRate number
    The maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.
    activate_rate int
    The number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets.
    alarm_rate int
    The number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximal_rate int
    The maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.
    activateRate Number
    The number of UDP packets (not matching an existing session) that the zone receives per second that triggers random dropping of UDP packets.
    alarmRate Number
    The number of UDP packets (not matching an existing session) that the zone receives per second that triggers an attack alarm.
    maximalRate Number
    The maximum number of UDP packets (not matching an existing session) the zone receives per second before packets exceeding the maximum are dropped.

    ZoneProtectionProfileIpv6, ZoneProtectionProfileIpv6Args

    AnycastSource bool
    Discard IPv6 packets that contain an anycast source address.
    FilterExtHdr ZoneProtectionProfileIpv6FilterExtHdr
    Filter ext hdr
    Icmpv6TooBigSmallMtuDiscard bool
    Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
    IgnoreInvPkt ZoneProtectionProfileIpv6IgnoreInvPkt
    Ignore inv pkt
    Ipv4CompatibleAddress bool
    Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
    NeedlessFragmentHdr bool
    Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
    OptionsInvalidIpv6Discard bool
    Discard IPv6 packets that contain invalid IPv6 options in an extension header.
    ReservedFieldSetDiscard bool
    Discard IPv6 packets that have a header with a reserved field not set to zero.
    RoutingHeader0 bool
    Drop packets with type 0 routing header.
    RoutingHeader1 bool
    Drop packets with type 1 routing header.
    RoutingHeader253 bool
    Drop packets with type 253 routing header.
    RoutingHeader254 bool
    Drop packets with type 254 routing header.
    RoutingHeader255 bool
    Drop packets with type 255 routing header.
    RoutingHeader3 bool
    Drop packets with type 3 routing header.
    RoutingHeader4252 bool
    Drop packets with type 4 to type 252 routing header.
    AnycastSource bool
    Discard IPv6 packets that contain an anycast source address.
    FilterExtHdr ZoneProtectionProfileIpv6FilterExtHdr
    Filter ext hdr
    Icmpv6TooBigSmallMtuDiscard bool
    Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
    IgnoreInvPkt ZoneProtectionProfileIpv6IgnoreInvPkt
    Ignore inv pkt
    Ipv4CompatibleAddress bool
    Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
    NeedlessFragmentHdr bool
    Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
    OptionsInvalidIpv6Discard bool
    Discard IPv6 packets that contain invalid IPv6 options in an extension header.
    ReservedFieldSetDiscard bool
    Discard IPv6 packets that have a header with a reserved field not set to zero.
    RoutingHeader0 bool
    Drop packets with type 0 routing header.
    RoutingHeader1 bool
    Drop packets with type 1 routing header.
    RoutingHeader253 bool
    Drop packets with type 253 routing header.
    RoutingHeader254 bool
    Drop packets with type 254 routing header.
    RoutingHeader255 bool
    Drop packets with type 255 routing header.
    RoutingHeader3 bool
    Drop packets with type 3 routing header.
    RoutingHeader4252 bool
    Drop packets with type 4 to type 252 routing header.
    anycastSource Boolean
    Discard IPv6 packets that contain an anycast source address.
    filterExtHdr ZoneProtectionProfileIpv6FilterExtHdr
    Filter ext hdr
    icmpv6TooBigSmallMtuDiscard Boolean
    Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
    ignoreInvPkt ZoneProtectionProfileIpv6IgnoreInvPkt
    Ignore inv pkt
    ipv4CompatibleAddress Boolean
    Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
    needlessFragmentHdr Boolean
    Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
    optionsInvalidIpv6Discard Boolean
    Discard IPv6 packets that contain invalid IPv6 options in an extension header.
    reservedFieldSetDiscard Boolean
    Discard IPv6 packets that have a header with a reserved field not set to zero.
    routingHeader0 Boolean
    Drop packets with type 0 routing header.
    routingHeader1 Boolean
    Drop packets with type 1 routing header.
    routingHeader253 Boolean
    Drop packets with type 253 routing header.
    routingHeader254 Boolean
    Drop packets with type 254 routing header.
    routingHeader255 Boolean
    Drop packets with type 255 routing header.
    routingHeader3 Boolean
    Drop packets with type 3 routing header.
    routingHeader4252 Boolean
    Drop packets with type 4 to type 252 routing header.
    anycastSource boolean
    Discard IPv6 packets that contain an anycast source address.
    filterExtHdr ZoneProtectionProfileIpv6FilterExtHdr
    Filter ext hdr
    icmpv6TooBigSmallMtuDiscard boolean
    Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
    ignoreInvPkt ZoneProtectionProfileIpv6IgnoreInvPkt
    Ignore inv pkt
    ipv4CompatibleAddress boolean
    Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
    needlessFragmentHdr boolean
    Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
    optionsInvalidIpv6Discard boolean
    Discard IPv6 packets that contain invalid IPv6 options in an extension header.
    reservedFieldSetDiscard boolean
    Discard IPv6 packets that have a header with a reserved field not set to zero.
    routingHeader0 boolean
    Drop packets with type 0 routing header.
    routingHeader1 boolean
    Drop packets with type 1 routing header.
    routingHeader253 boolean
    Drop packets with type 253 routing header.
    routingHeader254 boolean
    Drop packets with type 254 routing header.
    routingHeader255 boolean
    Drop packets with type 255 routing header.
    routingHeader3 boolean
    Drop packets with type 3 routing header.
    routingHeader4252 boolean
    Drop packets with type 4 to type 252 routing header.
    anycast_source bool
    Discard IPv6 packets that contain an anycast source address.
    filter_ext_hdr ZoneProtectionProfileIpv6FilterExtHdr
    Filter ext hdr
    icmpv6_too_big_small_mtu_discard bool
    Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
    ignore_inv_pkt ZoneProtectionProfileIpv6IgnoreInvPkt
    Ignore inv pkt
    ipv4_compatible_address bool
    Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
    needless_fragment_hdr bool
    Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
    options_invalid_ipv6_discard bool
    Discard IPv6 packets that contain invalid IPv6 options in an extension header.
    reserved_field_set_discard bool
    Discard IPv6 packets that have a header with a reserved field not set to zero.
    routing_header0 bool
    Drop packets with type 0 routing header.
    routing_header1 bool
    Drop packets with type 1 routing header.
    routing_header253 bool
    Drop packets with type 253 routing header.
    routing_header254 bool
    Drop packets with type 254 routing header.
    routing_header255 bool
    Drop packets with type 255 routing header.
    routing_header3 bool
    Drop packets with type 3 routing header.
    routing_header4252 bool
    Drop packets with type 4 to type 252 routing header.
    anycastSource Boolean
    Discard IPv6 packets that contain an anycast source address.
    filterExtHdr Property Map
    Filter ext hdr
    icmpv6TooBigSmallMtuDiscard Boolean
    Discard IPv6 packets that contain a Packet Too Big ICMPv6 message when the maximum transmission unit (MTU) is less than 1,280 bytes.
    ignoreInvPkt Property Map
    Ignore inv pkt
    ipv4CompatibleAddress Boolean
    Discard IPv6 packets that are defined as an RFC 4291 IPv4-Compatible IPv6 address.
    needlessFragmentHdr Boolean
    Discard IPv6 packets with the last fragment flag (M=0) and offset of zero.
    optionsInvalidIpv6Discard Boolean
    Discard IPv6 packets that contain invalid IPv6 options in an extension header.
    reservedFieldSetDiscard Boolean
    Discard IPv6 packets that have a header with a reserved field not set to zero.
    routingHeader0 Boolean
    Drop packets with type 0 routing header.
    routingHeader1 Boolean
    Drop packets with type 1 routing header.
    routingHeader253 Boolean
    Drop packets with type 253 routing header.
    routingHeader254 Boolean
    Drop packets with type 254 routing header.
    routingHeader255 Boolean
    Drop packets with type 255 routing header.
    routingHeader3 Boolean
    Drop packets with type 3 routing header.
    routingHeader4252 Boolean
    Drop packets with type 4 to type 252 routing header.

    ZoneProtectionProfileIpv6FilterExtHdr, ZoneProtectionProfileIpv6FilterExtHdrArgs

    DestOptionHdr bool
    Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
    HopByHopHdr bool
    Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
    RoutingHdr bool
    Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.
    DestOptionHdr bool
    Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
    HopByHopHdr bool
    Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
    RoutingHdr bool
    Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.
    destOptionHdr Boolean
    Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
    hopByHopHdr Boolean
    Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
    routingHdr Boolean
    Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.
    destOptionHdr boolean
    Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
    hopByHopHdr boolean
    Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
    routingHdr boolean
    Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.
    dest_option_hdr bool
    Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
    hop_by_hop_hdr bool
    Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
    routing_hdr bool
    Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.
    destOptionHdr Boolean
    Discard IPv6 packets that contain the Destination Options extension, which contains options intended only for the destination of the packet.
    hopByHopHdr Boolean
    Discard IPv6 packets that contain the Hop-by-Hop Options extension header.
    routingHdr Boolean
    Discard IPv6 packets that contain the Routing extension header, which directs packets to one or more intermediate nodes on its way to its destination.

    ZoneProtectionProfileIpv6IgnoreInvPkt, ZoneProtectionProfileIpv6IgnoreInvPktArgs

    DestUnreach bool
    Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
    ParamProblem bool
    Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
    PktTooBig bool
    Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
    Redirect bool
    Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
    TimeExceeded bool
    Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.
    DestUnreach bool
    Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
    ParamProblem bool
    Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
    PktTooBig bool
    Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
    Redirect bool
    Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
    TimeExceeded bool
    Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.
    destUnreach Boolean
    Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
    paramProblem Boolean
    Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
    pktTooBig Boolean
    Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
    redirect Boolean
    Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
    timeExceeded Boolean
    Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.
    destUnreach boolean
    Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
    paramProblem boolean
    Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
    pktTooBig boolean
    Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
    redirect boolean
    Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
    timeExceeded boolean
    Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.
    dest_unreach bool
    Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
    param_problem bool
    Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
    pkt_too_big bool
    Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
    redirect bool
    Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
    time_exceeded bool
    Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.
    destUnreach Boolean
    Require an explicit Security policy match for Destination Unreachable ICMPv6 messages, even when the message is associated with an existing session.
    paramProblem Boolean
    Require an explicit Security policy match for Parameter Problem ICMPv6 messages, even when the message is associated with an existing session.
    pktTooBig Boolean
    Require an explicit Security policy match for Packet Too Big ICMPv6 messages, even when the message is associated with an existing session.
    redirect Boolean
    Require an explicit Security policy match for Redirect Message ICMPv6 messages, even when the message is associated with an existing session.
    timeExceeded Boolean
    Require an explicit Security policy match for Time Exceeded ICMPv6 messages, even when the message is associated with an existing session.

    ZoneProtectionProfileL2SecGroupTagProtection, ZoneProtectionProfileL2SecGroupTagProtectionArgs

    ZoneProtectionProfileL2SecGroupTagProtectionTag, ZoneProtectionProfileL2SecGroupTagProtectionTagArgs

    Name string
    Name for the list of Security Group Tags (SGTs).
    Tag string
    The Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).
    Enable bool
    Enable this exclude list for Ethernet SGT protection.
    Name string
    Name for the list of Security Group Tags (SGTs).
    Tag string
    The Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).
    Enable bool
    Enable this exclude list for Ethernet SGT protection.
    name String
    Name for the list of Security Group Tags (SGTs).
    tag String
    The Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).
    enable Boolean
    Enable this exclude list for Ethernet SGT protection.
    name string
    Name for the list of Security Group Tags (SGTs).
    tag string
    The Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).
    enable boolean
    Enable this exclude list for Ethernet SGT protection.
    name str
    Name for the list of Security Group Tags (SGTs).
    tag str
    The Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).
    enable bool
    Enable this exclude list for Ethernet SGT protection.
    name String
    Name for the list of Security Group Tags (SGTs).
    tag String
    The Layer 2 SGTs in headers of packets that you want to exclude (drop) when the SGT matches this list in the Zone Protection profile applied to a zone (range is 0 to 65,535).
    enable Boolean
    Enable this exclude list for Ethernet SGT protection.

    ZoneProtectionProfileNonIpProtocol, ZoneProtectionProfileNonIpProtocolArgs

    ListType string
    Specify the type of list you are creating for protocol protection:

    • Include List—Only the protocols on the list are allowed—in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100). All other protocols are implicitly denied (blocked).
    • Exclude List—Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).
    Protocols List<ZoneProtectionProfileNonIpProtocolProtocol>
    Protocol
    ListType string
    Specify the type of list you are creating for protocol protection:

    • Include List—Only the protocols on the list are allowed—in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100). All other protocols are implicitly denied (blocked).
    • Exclude List—Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).
    Protocols []ZoneProtectionProfileNonIpProtocolProtocol
    Protocol
    listType String
    Specify the type of list you are creating for protocol protection:

    • Include List—Only the protocols on the list are allowed—in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100). All other protocols are implicitly denied (blocked).
    • Exclude List—Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).
    protocols List<ZoneProtectionProfileNonIpProtocolProtocol>
    Protocol
    listType string
    Specify the type of list you are creating for protocol protection:

    • Include List—Only the protocols on the list are allowed—in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100). All other protocols are implicitly denied (blocked).
    • Exclude List—Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).
    protocols ZoneProtectionProfileNonIpProtocolProtocol[]
    Protocol
    list_type str
    Specify the type of list you are creating for protocol protection:

    • Include List—Only the protocols on the list are allowed—in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100). All other protocols are implicitly denied (blocked).
    • Exclude List—Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).
    protocols Sequence[ZoneProtectionProfileNonIpProtocolProtocol]
    Protocol
    listType String
    Specify the type of list you are creating for protocol protection:

    • Include List—Only the protocols on the list are allowed—in addition to IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), and VLAN tagged frames (0x8100). All other protocols are implicitly denied (blocked).
    • Exclude List—Only the protocols on the list are denied; all other protocols are implicitly allowed. You cannot exclude IPv4 (0x0800), IPv6 (0x86DD), ARP (0x0806), or VLAN tagged frames (0x8100).
    protocols List<Property Map>
    Protocol

    ZoneProtectionProfileNonIpProtocolProtocol, ZoneProtectionProfileNonIpProtocolProtocolArgs

    EtherType string
    Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:

    Name string
    Enter the protocol name that corresponds to the Ethertype code you are adding to the list. The firewall does not verify that the protocol name matches the Ethertype code but the Ethertype code does determine the protocol filter.
    Enable bool
    Enable the Ethertype code on the list.
    EtherType string
    Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:

    Name string
    Enter the protocol name that corresponds to the Ethertype code you are adding to the list. The firewall does not verify that the protocol name matches the Ethertype code but the Ethertype code does determine the protocol filter.
    Enable bool
    Enable the Ethertype code on the list.
    etherType String
    Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:

    name String
    Enter the protocol name that corresponds to the Ethertype code you are adding to the list. The firewall does not verify that the protocol name matches the Ethertype code but the Ethertype code does determine the protocol filter.
    enable Boolean
    Enable the Ethertype code on the list.
    etherType string
    Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:

    name string
    Enter the protocol name that corresponds to the Ethertype code you are adding to the list. The firewall does not verify that the protocol name matches the Ethertype code but the Ethertype code does determine the protocol filter.
    enable boolean
    Enable the Ethertype code on the list.
    ether_type str
    Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:

    name str
    Enter the protocol name that corresponds to the Ethertype code you are adding to the list. The firewall does not verify that the protocol name matches the Ethertype code but the Ethertype code does determine the protocol filter.
    enable bool
    Enable the Ethertype code on the list.
    etherType String
    Enter an Ethertype code (protocol) preceded by 0x to indicate hexadecimal (range is 0x0000 to 0xFFFF). A list can have a maximum of 64 Ethertypes. Some sources of Ethertype codes are:

    name String
    Enter the protocol name that corresponds to the Ethertype code you are adding to the list. The firewall does not verify that the protocol name matches the Ethertype code but the Ethertype code does determine the protocol filter.
    enable Boolean
    Enable the Ethertype code on the list.

    ZoneProtectionProfileScan, ZoneProtectionProfileScanArgs

    Name string
    The threat ID number. These can be found in Palo Alto Networks ThreatVault.

    • "8001" - TCP Port Scan
    • "8002" - Host Sweep
    • "8003" - UDP Port Scan
    • "8006" - Port Scan
    Action ZoneProtectionProfileScanAction
    Action
    Interval int
    Interval
    Threshold int
    Threshold
    Name string
    The threat ID number. These can be found in Palo Alto Networks ThreatVault.

    • "8001" - TCP Port Scan
    • "8002" - Host Sweep
    • "8003" - UDP Port Scan
    • "8006" - Port Scan
    Action ZoneProtectionProfileScanAction
    Action
    Interval int
    Interval
    Threshold int
    Threshold
    name String
    The threat ID number. These can be found in Palo Alto Networks ThreatVault.

    • "8001" - TCP Port Scan
    • "8002" - Host Sweep
    • "8003" - UDP Port Scan
    • "8006" - Port Scan
    action ZoneProtectionProfileScanAction
    Action
    interval Integer
    Interval
    threshold Integer
    Threshold
    name string
    The threat ID number. These can be found in Palo Alto Networks ThreatVault.

    • "8001" - TCP Port Scan
    • "8002" - Host Sweep
    • "8003" - UDP Port Scan
    • "8006" - Port Scan
    action ZoneProtectionProfileScanAction
    Action
    interval number
    Interval
    threshold number
    Threshold
    name str
    The threat ID number. These can be found in Palo Alto Networks ThreatVault.

    • "8001" - TCP Port Scan
    • "8002" - Host Sweep
    • "8003" - UDP Port Scan
    • "8006" - Port Scan
    action ZoneProtectionProfileScanAction
    Action
    interval int
    Interval
    threshold int
    Threshold
    name String
    The threat ID number. These can be found in Palo Alto Networks ThreatVault.

    • "8001" - TCP Port Scan
    • "8002" - Host Sweep
    • "8003" - UDP Port Scan
    • "8006" - Port Scan
    action Property Map
    Action
    interval Number
    Interval
    threshold Number
    Threshold

    ZoneProtectionProfileScanAction, ZoneProtectionProfileScanActionArgs

    ZoneProtectionProfileScanActionBlockIp, ZoneProtectionProfileScanActionBlockIpArgs

    Duration int
    Duration
    TrackBy string
    Track by
    Duration int
    Duration
    TrackBy string
    Track by
    duration Integer
    Duration
    trackBy String
    Track by
    duration number
    Duration
    trackBy string
    Track by
    duration int
    Duration
    track_by str
    Track by
    duration Number
    Duration
    trackBy String
    Track by

    ZoneProtectionProfileScanWhiteList, ZoneProtectionProfileScanWhiteListArgs

    Name string
    A descriptive name for the address to exclude.
    Ipv4 string
    Ipv4
    Ipv6 string
    Ipv6
    Name string
    A descriptive name for the address to exclude.
    Ipv4 string
    Ipv4
    Ipv6 string
    Ipv6
    name String
    A descriptive name for the address to exclude.
    ipv4 String
    Ipv4
    ipv6 String
    Ipv6
    name string
    A descriptive name for the address to exclude.
    ipv4 string
    Ipv4
    ipv6 string
    Ipv6
    name str
    A descriptive name for the address to exclude.
    ipv4 str
    Ipv4
    ipv6 str
    Ipv6
    name String
    A descriptive name for the address to exclude.
    ipv4 String
    Ipv4
    ipv6 String
    Ipv6

    Package Details

    Repository
    scm pulumi/pulumi-scm
    License
    Apache-2.0
    Notes
    This Pulumi package is based on the scm Terraform Provider.
    scm logo
    Strata Cloud Manager v0.4.3 published on Saturday, Nov 8, 2025 by Pulumi
    Schema (JSON)
    pulumi/pulumi-scm
      Meet Neo: Your AI Platform Teammate