This document is a streamlined checklist of pre-deployment, deployment, and post-deployment best practices you can follow to implement DoS and Zone Protection, including links to detailed configuration information in the PAN-OS 9.0 Admin Guide.

A Denial-of-Service (DoS) attack attempts to make a network device or resource unavailable to legitimate users by disrupting services. These attacks usually come from the internet but can come from misconfigured or compromised internal devices. The typical method is to flood the target with resource requests until the requests consume all of the target’s available resources—memory, CPU cycles, and bandwidth—and the target becomes unavailable. Typical targets are internet-facing devices users can access from outside the corporate network, such as web servers and database servers. As part of a layered approach to DoS protection, Palo Alto Networks firewalls provide three DoS attack mitigation tools.

Zone Protection Profiles—Apply only to new sessions in ingress zones and provide broad protection against flood attacks by limiting the connections-per-second (CPS) to the firewall, plus protection against reconnaissance (port scans and host sweeps), packet-based attacks, and layer 2 protocol-based attacks.

Dos Protection Profiles and Policy Rules—Provide granular protection of specific, critical devices for new sessions. Classified policies protect individual devices by limiting the CPS for a specific device or specific devices. Aggregate policies limit the total CPS for a group of devices but don’t limit the CPS for a particular device in the group to less than the total allowed for the group, so one device may still receive the majority of the connection requests.

Packet Buffer Protection—Protects against single-session DoS attacks from existing sessions that attempt to overwhelm the firewall’s packet buffer.