Follow Post Deployment DoS and Zone Protection Best Practices
DoS and Zone Protection post-deployment best practices ensure that everything is functioning as expected and help you maintain the deployment.
After you deploy zone and DoS protection, ensure that everything is working as expected and take steps to ensure that it keeps working as expected as your network evolves.
- Measure firewall performance to ensure it’s within acceptable norms and so you understand the effect of zone and DoS protection on firewall resources. If the levels of zone and DoS protection (combined with other resource-consuming features such as decryption) consume too many firewall resources, the best practice is to scale up the resources rather than to compromise security.
- Configure log forwarding. For easier management, use separate log forwarding profiles to forward DoS and zone threshold event logs separately from other Threat logs. Send DoS and zone logs directly to the relevant administrators via email and also to a log server, so notifications contain only events that are potential DoS attacks. Configure DoS event log forwarding on the DoS Protection policy rule (Policies > DoS Protection) and configure zone event log forwarding on each zone (Network > Zones). Set Alarm Rate threshold event log messages to low or informational severity. Set DoS protection Activate and Maximum and zone protection Activate Rate and Max Rate threshold event log messages to critical severity. After you set the flood thresholds properly, the logs show you the potential flood attacks on the network because you only see threats and anomalous events. If you see too many false alerts, the thresholds are set too low or the firewall isn’t properly sized for the traffic it handles. The firewall takes cumulative logs every 10 seconds to keep log volume manageable, avoid overwhelming log servers, and preserve firewall resources.
- Watch for and investigate other indicators of DoS attacks. In addition to configuring log forwarding so administrators receive notifications when flood thresholds are crossed, check attack indicators and investigate potential DoS attacks:
Flood threshold breaches may indicate a DoS attack, but they may also indicate misconfigured CPS values or incorrect firewall sizing.
- Review DoS threat activity (ACC > Threat Activity) and look for patterns of abuse.
- On firewall models that support it (PA-3050, PA-3060, PA-3200 Series, PA-5200 Series, and PA-7000 Series), monitor blocked IP addresses (Monitor > Block IP List) for IP addresses the firewall blocked because of a potential DoS attack. The Block Source column identifies the name of the classified DoS Protection profile that blocked the IP address.
- A partial or complete traffic outage on the firewall, slow web browsing or endpoint connectivity, or new sessions failing may indicate a DoS attack. High CPU utilization, packet buffer and descriptor depletion, and a spike in the number of active sessions can also indicate a DoS attack.
- Learn more about Zone and DoS Protection Event Logs and Global Counters to monitor DoS activity.
- Network traffic patterns change over time, new devices are added to the network and old devices are removed, and special events can temporarily affect traffic patterns. For these reasons, periodically take new CPS measurements and revisit the zone and DoS flood threshold settings. Because networks constantly evolve, DoS and zone protection require an iterative approach.
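As an added example (not Palo Alto Networks code or documentation), the following Python script checks fresh 10-second CPS samples for each zone against its configured Alarm Rate, Activate Rate and Max Rate and reports the two conditions the list above calls out: normal traffic crossing thresholds (false alerts, meaning the thresholds are too low or the firewall is undersized) and thresholds that have drifted far above current traffic. The zone names, samples, threshold values, the 5% alarm budget and the 15% headroom are all constructed assumptions, not vendor guidance.

```python
"""Revisit zone and DoS flood thresholds against fresh CPS measurements."""
import math
from dataclasses import dataclass
from statistics import mean

@dataclass(frozen=True)
class FloodThresholds:
    alarm_rate: int     # crossing is logged at low/informational severity
    activate_rate: int  # crossing is logged at critical severity
    max_rate: int       # crossing is logged at critical severity

def crossings(samples, limit):
    """Samples at or above limit, i.e. threshold events the firewall would log."""
    return sum(1 for cps in samples if cps >= limit)

def review_zone(samples, t, alarm_budget=0.05, headroom=1.15):
    """Check one zone's CPS samples against its configured thresholds."""
    # alarm_budget and headroom are this example's assumptions, not vendor values.
    if not samples:
        raise ValueError("need at least one CPS sample")
    peak = max(samples)
    hits = {"alarm": crossings(samples, t.alarm_rate),
            "activate": crossings(samples, t.activate_rate),
            "max": crossings(samples, t.max_rate)}
    findings = []
    # Normal traffic crossing Alarm Rate often produces false alerts: the
    # threshold is too low or the firewall is undersized for the traffic.
    if hits["alarm"] / len(samples) > alarm_budget:
        findings.append("alarm_rate_too_low_or_undersized")
    # Normal traffic reaching Activate Rate means legitimate connections drop.
    if hits["activate"]:
        findings.append("legitimate_traffic_throttled")
    # Peak far below Alarm Rate: thresholds drifted loose as the network changed.
    if peak < t.alarm_rate / 4:
        findings.append("thresholds_stale_remeasure")
    return {"avg_cps": round(mean(samples), 1), "peak_cps": peak,
            "crossings": hits, "findings": findings,
            "suggested_alarm_rate": math.ceil(peak * headroom)}  # peak + headroom

# Constructed 10-second CPS samples (matching the firewall's 10-second
# cumulative logging cadence) and constructed thresholds for two zones.
SAMPLES = {"dmz": [900, 950, 1100, 1050, 980, 1200, 1020, 970, 1010, 990],
           "user": [120, 140, 110, 130, 150, 125, 135, 115, 145, 130]}
THRESHOLDS = {"dmz": FloodThresholds(1000, 1500, 3000),
              "user": FloodThresholds(2000, 3000, 5000)}

def review_all(samples=SAMPLES, thresholds=THRESHOLDS):
    return {zone: review_zone(samples[zone], thresholds[zone]) for zone in samples}
```

Run the review after each new CPS measurement cycle; a zone with no findings and a suggested Alarm Rate close to the configured one needs no change.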