DoS and Zone Protection Best Practices

Protect against Denial-of-Service (DoS) attacks using layered defenses at the network perimeter, zone borders, and critical devices.
This checklist of pre-deployment, deployment, and post-deployment steps helps you implement Denial-of-Service (DoS) and Zone Protection best practices. Links to the PAN-OS Administrator’s Guide provide configuration details.
A DoS attack is a single source flooding a target server. A Distributed Denial-of-Service (DDoS) attack is multiple sources flooding a single target server. DDoS attacks attempt to initiate more sessions than DoS attacks and require more resources to defend against. Because firewalls are session-based, they are one part of a layered DoS/DDoS defense strategy, not the sole defense.
DoS attacks make a device or resource unavailable to legitimate users and come from the internet or misconfigured or compromised internal devices. The typical method is to flood the target with requests that consume its resources—memory, CPU cycles, and bandwidth—to make the target unavailable to legitimate users. Typical targets are internet-facing devices accessed from outside the corporate network, such as web and database servers. Palo Alto Networks firewalls provide three mitigation tools as part of a layered approach to DoS protection.
Zone Protection Profiles protect individual ingress zones based on the number of new sessions entering a zone. They limit the connections-per-second (CPS) to the firewall for broad protection against flood attacks and protect against reconnaissance (port scans and host sweeps), packet-based attacks, and layer 2 protocol-based attacks.
DoS Protection Profiles and Policy Rules protect critical devices against new session floods. Classified policies protect individual devices. Aggregate policies protect groups of devices.
A major benefit of classified DoS Protection is automatically placing source IP addresses that exceed the maximum CPS rate into the hardware block list (saves software resources on platforms that support it) or the software block list, based on the DoS Protection profile’s Max Rate. If the hardware block table fills up, the firewall uses the software block table.
DoS Protection handles most attacks that target individual servers and Zone Protection broadly protects the entire zone if DoS Protection isn’t enough. DoS Protection leverages the block tables, so it consumes fewer resources than Zone Protection.
Packet Buffer Protection protects against single-session DoS attacks from existing sessions that try to overwhelm the firewall packet buffer. Packet Buffer Protection quarantines attacking IP addresses in the hardware table if the platform supports it.
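The following is an added illustrative model, not Palo Alto Networks code, of how the two rate-based mechanisms described above interact: a zone-wide new-session limit (the Zone Protection flood threshold) and a per-source Max Rate (classified DoS Protection) that moves an offending source into a hardware block table, falling back to a software block table once the hardware table is full. The class and function names, the thresholds, the table capacity, and the source addresses are all constructed for the example; they are not PAN-OS defaults or configuration keys.

```python
from collections import defaultdict


class BlockTables:
    """Hardware block table with limited capacity, software table as overflow.
    Capacity and behaviour are constructed for illustration."""

    def __init__(self, hw_capacity):
        self.hw_capacity = hw_capacity
        self.hardware = set()
        self.software = set()

    def add(self, src):
        """Place src in the hardware table if there is room, else in software."""
        if self.is_blocked(src):
            return "already-blocked"
        if len(self.hardware) < self.hw_capacity:
            self.hardware.add(src)
            return "hardware"
        self.software.add(src)
        return "software"

    def is_blocked(self, src):
        return src in self.hardware or src in self.software


class FloodGuard:
    """Models new-session (CPS) decisions for one ingress zone.

    zone_max_cps   - aggregate new sessions per second allowed into the zone
    source_max_cps - per-source Max Rate; exceeding it blocks the source
    """

    def __init__(self, zone_max_cps, source_max_cps, hw_capacity):
        self.zone_max_cps = zone_max_cps
        self.source_max_cps = source_max_cps
        self.tables = BlockTables(hw_capacity)
        # second -> source -> number of new-session attempts seen that second
        self.per_second = defaultdict(lambda: defaultdict(int))

    def new_session(self, second, src):
        # A blocked source is dropped by a cheap table lookup before any
        # per-second accounting is done, which is why the block tables save
        # resources compared with counting every packet.
        if self.tables.is_blocked(src):
            return "drop-blocked"
        counts = self.per_second[second]
        counts[src] += 1
        # Classified DoS Protection: per-source Max Rate check first, so a
        # single flooding source is removed rather than punishing the zone.
        if counts[src] > self.source_max_cps:
            return "drop-block-" + self.tables.add(src)
        # Zone Protection: aggregate new-session limit for the whole zone.
        if sum(counts.values()) > self.zone_max_cps:
            return "drop-zone-limit"
        return "allow"


def run_demo():
    """Feed a constructed burst of new-session attempts through the guard
    and return (verdicts, guard) so the decisions can be inspected."""
    guard = FloodGuard(zone_max_cps=6, source_max_cps=3, hw_capacity=1)
    # Constructed event stream: (second, source). 10.0.0.5 and 10.0.0.6 flood;
    # 192.0.2.9 and 203.0.113.7 each make a single legitimate attempt.
    events = (
        [(0, "10.0.0.5")] * 4
        + [(0, "10.0.0.6")] * 4
        + [(0, "192.0.2.9")]
        + [(1, "10.0.0.5"), (1, "203.0.113.7")]
    )
    verdicts = [guard.new_session(sec, src) for sec, src in events]
    return verdicts, guard


if __name__ == "__main__":
    verdicts, guard = run_demo()
    for v in verdicts:
        print(v)
    print("hardware table:", sorted(guard.tables.hardware))
    print("software table:", sorted(guard.tables.software))
```

Running the demo shows the layering the text describes: the first flooding source exceeds its Max Rate and lands in the hardware table; the second exceeds it after the hardware table is full and lands in the software table; and the single attempt from 192.0.2.9 in the same second is dropped by the zone-wide limit even though that host is not attacking, which is the collateral cost of relying on Zone Protection alone. In the next second the blocked source is dropped by table lookup without touching the counters.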
The Palo Alto Networks series of best practices books offers best practices advice on subjects such as decryption, securing administrative access, and much more.