Follow Post Deployment DoS and Zone Protection Best Practices
DoS and Zone Protection post-deployment best practices ensure that everything is functioning as expected and help you maintain the deployment.

After you deploy zone and DoS protection, ensure that everything is working as expected and take steps to ensure that it keeps working as expected as your network evolves.
Measure firewall performance to ensure it’s within acceptable norms and so you understand the effect of zone and DoS protection on firewall resources. If the levels of zone and DoS protection (combined with other resource-consuming features such as decryption) consume too many firewall resources, the best practice is to scale up the resources rather than to compromise security.
For easier management, use separate log forwarding profiles to forward DoS and zone threshold event logs separately from other Threat logs. Send DoS and zone logs directly to the relevant administrators via email and also to a log server, so notifications contain only events that are potential DoS attacks. Configure DoS event log forwarding on the DoS Protection policy rule and configure Zone event log forwarding on each zone.

Set Alarm Rate threshold event log messages to low or informational severity. Set DoS protection Activate and Maximum and zone protection Activate Rate and Max Rate threshold event log messages to critical severity. After you set the flood thresholds properly, the logs show you the potential flood attacks on the network because you only see threats and anomalous events. If you see too many false alerts, the thresholds are set too low or the firewall isn’t properly sized for the traffic it handles. The firewall takes cumulative logs every 10 seconds to keep log volume manageable, avoid overwhelming log servers, and preserve firewall resources.
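The following script is an added example, not Palo Alto Networks code, showing how a log collector could apply the routing and severity guidance above: DoS and zone threshold events are split from ordinary Threat logs, stamped with the prescribed severity, and the Alarm Rate events are counted per 10-second reporting interval so that a feed that alarms on almost every interval is flagged as probable false alerts. The key=value record format, the field names, the sample lines and the 0.5 noise limit are all constructed assumptions for this example and are not the PAN-OS log format.

```python
"""Route and triage DoS / Zone Protection threshold events.

Added example: the key=value line format, field names and values below are
constructed for illustration and are NOT the PAN-OS log format. The
severity mapping follows the guidance above: Alarm Rate -> informational,
Activate / Maximum (DoS) and Activate Rate / Max Rate (zone) -> critical.
"""
from collections import defaultdict
from datetime import datetime, timezone

SEVERITY_BY_EVENT = {
    "alarm-rate": "informational",
    "activate": "critical",       # DoS Protection profile
    "maximum": "critical",        # DoS Protection profile
    "activate-rate": "critical",  # Zone Protection profile
    "max-rate": "critical",       # Zone Protection profile
}

# Constructed sample records (not real firewall output). src=dos / src=zone
# are threshold events; src=threat is an ordinary Threat log entry.
SAMPLE_LOGS = """\
ts=2024-05-01T10:00:00Z src=dos rule=protect-web event=alarm-rate proto=syn cps=12000
ts=2024-05-01T10:00:10Z src=dos rule=protect-web event=alarm-rate proto=syn cps=12500
ts=2024-05-01T10:00:20Z src=zone zone=untrust event=activate-rate proto=udp pps=90000
ts=2024-05-01T10:00:20Z src=threat rule=allow-web event=vulnerability sev=high
ts=2024-05-01T10:00:30Z src=dos rule=protect-web event=maximum proto=syn cps=40000
ts=2024-05-01T10:00:40Z src=zone zone=untrust event=alarm-rate proto=icmp pps=5000
"""

LOG_INTERVAL_SECONDS = 10  # the firewall logs cumulatively every 10 seconds


def parse_line(line):
    """Split one key=value record into a dict with a UTC datetime in 'ts'."""
    rec = dict(token.split("=", 1) for token in line.split())
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def classify(rec):
    """Return (forwarding destination, severity) for one record.

    DoS and zone threshold events go to the dedicated DoS/zone forwarding
    path with the prescribed severity; everything else stays with the
    regular Threat logs and keeps whatever severity it already carries.
    """
    if rec["src"] in ("dos", "zone") and rec["event"] in SEVERITY_BY_EVENT:
        return "dos-zone", SEVERITY_BY_EVENT[rec["event"]]
    return "threat", rec.get("sev", "unknown")


def route(log_text):
    """Group records by destination, stamping each with its severity."""
    routed = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        dest, severity = classify(rec)
        rec["severity"] = severity
        routed[dest].append(rec)
    return routed


def alarm_interval_ratio(records, interval=LOG_INTERVAL_SECONDS):
    """Fraction of 10-second reporting intervals in the observed span that
    contain an Alarm Rate event. A ratio near 1.0 means the alarm fires on
    ordinary traffic, not only on anomalies."""
    if not records:
        return 0.0
    t0 = min(r["ts"] for r in records)
    t1 = max(r["ts"] for r in records)
    total = int((t1 - t0).total_seconds() // interval) + 1
    with_alarm = {int((r["ts"] - t0).total_seconds() // interval)
                  for r in records if r["event"] == "alarm-rate"}
    return len(with_alarm) / total


def triage(log_text, alarm_ratio_limit=0.5):
    """Summarise the DoS/zone feed. The 0.5 limit is an assumed tuning
    knob, not a vendor value: above it, alerts are mostly noise, which the
    page attributes to thresholds set too low or an undersized firewall."""
    routed = route(log_text)
    dz = routed["dos-zone"]
    ratio = alarm_interval_ratio(dz)
    if ratio > alarm_ratio_limit:
        verdict = "alarm fires in most intervals: thresholds likely too low or firewall undersized"
    else:
        verdict = "alarm volume consistent with anomalous events only"
    return {
        "dos_zone_events": len(dz),
        "other_threat_events": len(routed["threat"]),
        "critical": sum(r["severity"] == "critical" for r in dz),
        "alarm_interval_ratio": ratio,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Run as-is it routes five threshold events to the DoS/zone path (two of them critical), leaves the one vulnerability event with the Threat logs, and reports that Alarm Rate fired in three of five reporting intervals, which exceeds the assumed limit and points at thresholds that are too low or a firewall that is undersized for its traffic.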
Watch for and investigate other indicators of DoS attacks.
In addition to configuring log forwarding so administrators receive notifications when flood thresholds are crossed, check attack indicators and investigate potential DoS attacks:

Review DoS threat activity and look for patterns of abuse.

On firewall models that support it (PA-3050, PA-3060, PA-3200 Series, PA-5200 Series, and PA-7000 Series), monitor blocked IP addresses for IP addresses the firewall blocked because of a potential DoS attack. The Block Source column identifies the name of the classified DoS Protection profile that blocked the IP address.
A partial or complete traffic outage on the firewall, slow web browsing or endpoint connectivity, or new sessions failing may indicate a DoS attack. High CPU utilization, packet buffer and descriptor depletion, and a spike in the number of active sessions can also indicate a DoS attack.

Flood threshold breaches may indicate a DoS attack, but they may also indicate misconfigured CPS values, misconfiguration of another internal device, faulty NIC adapters, potential threats from insiders, or incorrect firewall sizing.
Network traffic patterns change over time, new devices are added to the network and old devices are removed, and special events can temporarily affect traffic patterns. For these reasons, periodically take new CPS measurements and revisit the zone and DoS flood threshold settings. Because networks constantly evolve, DoS and zone protection require an iterative approach.
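As an added example of the iterative review described above (not vendor code), the script below compares a fresh per-second CPS capture for one zone with the capture taken at deployment and checks it against the configured Alarm, Activate and Maximum thresholds. It reports how many seconds of ordinary traffic now sit above each threshold and whether the peak has drifted far enough that the original baseline is stale. The CPS readings, the threshold values, the 5 % alarm tolerance and the 1.5x drift factor are all constructed assumptions; the page gives no threshold formula and none is invented here.

```python
"""Re-baseline CPS measurements against configured flood thresholds.

Added example: the per-second new-connection (CPS) readings, the threshold
values and the tolerances below are constructed assumptions, not vendor
defaults. It compares a fresh capture with the capture taken at deployment
and reports whether the zone/DoS thresholds need revisiting.
"""
import math
from statistics import mean

# Constructed per-second CPS readings for one zone (12 seconds each).
BASELINE_CPS = [900, 950, 1000, 1100, 1050, 980, 1200, 1150, 1000, 970, 1020, 1180]
CURRENT_CPS = [1500, 1650, 1700, 1900, 1850, 1750, 2100, 2000, 1800, 1700, 1950, 2600]

# Assumed thresholds (CPS) currently configured for the zone.
THRESHOLDS = {"alarm": 1800, "activate": 2500, "maximum": 4000}


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100) of a non-empty list."""
    ordered = sorted(values)
    idx = max(0, math.ceil(p / 100 * len(ordered)) - 1)
    return ordered[idx]


def summarize(samples):
    """Peak, mean and 95th percentile of a CPS capture."""
    return {"peak": max(samples), "mean": round(mean(samples)), "p95": percentile(samples, 95)}


def crossings(samples, thresholds):
    """Number of seconds in which the capture exceeds each threshold."""
    return {name: sum(1 for c in samples if c > limit) for name, limit in thresholds.items()}


def review(baseline, current, thresholds, alarm_tolerance=0.05, drift_factor=1.5):
    """Compare a new capture to the deployment baseline.

    alarm_tolerance: assumed fraction of seconds that normal traffic may sit
    above Alarm Rate before alerts are judged to be noise.
    drift_factor:    assumed growth in peak CPS that marks the baseline stale.
    """
    before, after = summarize(baseline), summarize(current)
    hits = crossings(current, thresholds)
    n = len(current)
    findings = []
    if hits["alarm"] / n > alarm_tolerance:
        findings.append(f"Alarm Rate crossed in {hits['alarm']}/{n} seconds of normal traffic: "
                        "expect false alerts; re-measure CPS and raise Alarm Rate")
    if hits["activate"]:
        findings.append(f"Activate threshold crossed {hits['activate']} time(s): "
                        "flood mitigation would act on legitimate traffic")
    if hits["maximum"]:
        findings.append(f"Maximum threshold crossed {hits['maximum']} time(s): "
                        "legitimate new sessions would be dropped")
    if after["peak"] > drift_factor * before["peak"]:
        findings.append(f"peak CPS grew from {before['peak']} to {after['peak']}: baseline is stale")
    return {"baseline": before, "current": after, "crossings": hits,
            "findings": findings, "revisit": bool(findings)}


if __name__ == "__main__":
    result = review(BASELINE_CPS, CURRENT_CPS, THRESHOLDS)
    print("baseline:", result["baseline"])
    print("current: ", result["current"])
    print("crossings:", result["crossings"])
    for finding in result["findings"]:
        print("-", finding)
    print("revisit thresholds:", result["revisit"])
```

With the constructed data the current capture crosses Alarm Rate in 6 of 12 seconds and Activate once, and the peak has more than doubled, so the review recommends re-measuring and adjusting the thresholds; feeding the deployment baseline back in as the current capture produces no findings, which is the steady state you want between reviews.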