Follow Post Deployment DoS and Zone Protection Best Practices

DoS and Zone Protection post-deployment best practices ensure that everything is functioning as expected and help you maintain the deployment.
After you deploy zone and DoS protection, ensure that everything is working as expected and take steps to ensure that it keeps working as expected as you network evolves.
  1. Measure firewall performance to ensure it’s within acceptable norms and so you understand the effect of zone and DoS protection on firewall resources.
    If the levels of zone and DoS protection (combined with other resource-consuming features such as decryption) consume too many firewall resources, the best practice is to scale up the resources rather than to compromise security.
  2. For easier management, use separate log forwarding profiles to forward DoS and zone threshold event logs separately from other Threat logs. Send DoS and zone logs directly to the relevant administrators via email and also to a log server, so notifications contain only events that are potential DoS attacks. Configure DoS event log forwarding on the DoS Protection policy rule (
    Policies
    DoS Protection
    ) and configure Zone event log forwarding on each zone (
    Network
    Zones
    ).
    Set
    Alarm Rate
    threshold event log messages to low or informational severity. Set DoS protection
    Activate
    and
    Maximum
    and zone protection
    Activate Rate
    and
    Max Rate
    threshold event log messages to critical severity. After you set the flood thresholds properly, the logs show you the potential flood attacks on the network because you only see threats and anomalous events. If you see too many false alerts, the thresholds are set too low or the firewall isn’t properly sized for the traffic it handles.
    The firewall takes cumulative logs every 10 seconds to keep log volume manageable, avoid overwhelming log servers, and preserve firewall resources.
  3. Watch for and investigate other indicators of DoS attacks.
    In addition to configuring log forwarding so administrators receive notifications when flood thresholds are crossed, check attack indicators and investigate potential DoS attacks:
    • Review DoS threat activity (
      ACC
      Threat Activity
      ) and look for patterns of abuse.
    • On firewall models that support it (PA-3050, PA-3060, PA-3200 Series, PA-5000 Series, PA-5200 Series, and PA-7000 Series), monitor blocked IP addresses (
      Monitor
      Block IP List
      ) for IP addresses the firewall blocked because of a potential DoS attack. The
      Block Source
      column identifies the name of the classified DoS Protection profile that blocked the IP address.
    • A partial or complete traffic outage on the firewall, slow web browsing or endpoint connectivity, or new sessions failing may indicate a DoS attack. High CPU utilization, packet buffer and descriptor depletion, and a spike in the number of active sessions can also indicate a DoS attack.
    • Learn more about Zone and DoS Protection Event Logs and Global Counters to monitor DoS activity.
    Flood threshold breaches may indicate a DoS attack, but they may also indicate misconfigured CPS values or incorrect firewall sizing.
  4. Network traffic patterns change over time, new devices are added to the network and old device are removed, and special events can temporarily affect traffic patterns.
    For these reasons, periodically take new CPS measurements and revisit the zone and DoS flood threshold settings—because networks constantly evolve, DoS and zone protection require an iterative approach.

Related Documentation