Follow Post Deployment DoS and Zone Protection Best Practices

1. Measure firewall performance to ensure it’s within acceptable norms and so you understand the effect of zone and DoS protection on firewall resources.
   If the levels of zone and DoS protection (combined with other resource-consuming features such as decryption) consume too many firewall resources, the best practice is to scale up the resources rather than to compromise security.
2. Configure log forwarding.
   For easier management, use separate log forwarding profiles to forward DoS and zone threshold event logs separately from other Threat logs. Send DoS and zone logs directly to the relevant administrators via email and also to a log server, so notifications contain only events that are potential DoS attacks. Configure DoS event log forwarding on the DoS Protection policy rule (PoliciesDoS Protection) and configure Zone event log forwarding on each zone (NetworkZones).

   Set Alarm Rate threshold event log messages to low or informational severity. Set DoS protection Activate and Maximum and zone protection Activate Rate and Max Rate threshold event log messages to critical severity. After you set the flood thresholds properly, the logs show you the potential flood attacks on the network because you only see threats and anomalous events. If you see too many false alerts, the thresholds are set too low or the firewall isn’t properly sized for the traffic it handles.

   The firewall takes cumulative logs every 10 seconds to keep log volume manageable, avoid overwhelming log servers, and preserve firewall resources.
3. Watch for and investigate other indicators of DoS attacks.
   In addition to configuring log forwarding so administrators receive notifications when flood thresholds are crossed, check attack indicators and investigate potential DoS attacks:

   • Review DoS threat activity (ACCThreat Activity) and look for patterns of abuse.
   • On firewall models that support it (PA-3050, PA-3060, PA-3200 Series, PA-5200 Series, and PA-7000 Series), monitor blocked IP addresses (MonitorBlock IP List) for IP addresses the firewall blocked because of a potential DoS attack. The Block Source column identifies the name of the classified DoS Protection profile that blocked the IP address.
   • A partial or complete traffic outage on the firewall, slow web browsing or endpoint connectivity, or new sessions failing may indicate a DoS attack. High CPU utilization, packet buffer and descriptor depletion, and a spike in the number of active sessions can also indicate a DoS attack.
   • Learn more about Zone and DoS Protection Event Logs and Global Counters to monitor DoS activity.

   Flood threshold breaches may indicate a DoS attack, but they may also indicate misconfigured CPS values, misconfiguration of another internal device, faulty NIC adapters, potential threats from insiders, or incorrect firewall sizing.
4. Network traffic patterns change over time, new devices are added to the network and old device are removed, and special events can temporarily affect traffic patterns.
   For these reasons, periodically take new CPS measurements and revisit the zone and DoS flood threshold settings—because networks constantly evolve, DoS and zone protection require an iterative approach.