>
    Security Profile: DoS Protection Profile
    Focus
    Download PDF
    Focus
    1. Home
    2. Network Security
    3. Network Security: Security Policy
    4. Security Profiles
    5. Security Profile: DoS Protection Profile
    Download PDF
    Network Security

    Security Profile: DoS Protection Profile

    Table of Contents

    Security Profile: DoS Protection Profile

    Where Can I Use This?
    What Do I Need?
    • NGFW (Cloud Managed)
    • NGFW (PAN-OS & Panorama Managed)
    • In Prisma Access, the Prisma Access infrastructure manages DoS protection, so there's nothing you need to configure.
    Check for any license or role requirements for the products you're using.
    DoS Protection profiles provide detailed control for Denial of Service (DoS) protection security rules. DoS security rules allow you to control the number of sessions between interfaces, zones, addresses, and countries based on aggregate sessions or source and/or destination IP addresses. There are two DoS protection mechanisms that Palo Alto Networks supports.
    • Flood Protection
      —Detects and prevents attacks where the network is flooded with packets resulting in too many half-open sessions and/or services being unable to respond to each request. In this case the source address of the attack is usually spoofed.
    • Resource Protection
      — Detects and prevent session exhaustion attacks. In this type of attack, a large number of hosts (bots) are used to establish as many fully established sessions as possible to consume all of a system’s resources.
    You can enable both types of protection mechanisms in a single DoS Protection profile.
    The DoS profile is used to specify the type of action to take and details on matching criteria for the DoS policy. The DoS profile defines settings for SYN, UDP, and ICMP floods, can enable resource protection and defines the maximum number of concurrent connections. After you configure the DoS Protection profile, you then attach it to a DoS policy.
    When configuring DoS protection, it's important to analyze your environment to set the correct thresholds. See DoS Protection Profiles to learn more.

    Configure a DoS Protection Profile

    Cloud Managed

    Specify the threshold rates at which new connections per second (CPS) trigger an alarm and an action (specified in the DoS Protection policy)
    DoS Protection profiles are designed for high-precision targeting and they augment Zone Protection profiles. A DoS Protection profile specifies the threshold rates at which new connections per second (CPS) trigger an alarm and an action (specified in the DoS Protection policy). The DoS Protection profile also specifies the maximum CPS rate and how long a blocked IP address remains on the Block IP list. You specify a DoS Protection profile in a DoS Protection security rule, where you specify the criteria for packets to match the rule, and the security rule determines the devices to which the profile applies.
    Create DoS Protection profiles and security rules to protect critical individual devices or small groups of devices, especially internet-facing devices such as web servers and database servers.
    You can configure Aggregate and Classified DoS Protection profiles. You can apply an Aggregate profile, a Classified profile, or one of each type to a DoS Protection security rule. If you apply both profile types to a rule, your configuration applies the Aggregate profile first and then applies the Classified profile if needed.
    • A Classified DoS Protection profile has
      Classified
       selected as the
      Type
      . When you apply a Classified DoS Protection profile to a DoS Protection rule whose action is
      Protect
      , your configuration counts connections toward the profile’s CPS thresholds if the packet meets the specified Address type: source-ip-only, destination-ip-only, or src-dest-ip-both.
    • An Aggregate DoS Protection profile has
      Aggregate
       selected as the
      Type
      . When you apply an Aggregate DoS Protection profile a DoS Protection rule whose action is
      Protect
      , your configuration counts all connections (the combined number of connections for the group of devices specified in the rule) that meet the criteria for the rule toward the profile’s CPS thresholds.
    Follow these steps to configure a DoS Protection profile.
    1. Go to
      Manage
      Configuration
      NGFW and Prisma Access
      Security Services
      DoS Protection
      .
    2. Add Profile
      .
    3. Configure the settings in this table:
      DoS Protection Profile Settings
      Name
      Enter a profile name (up to 31 characters). This name appears in the list of Log Forwarding profiles when defining security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
      Description
      Enter a description of the profile (up to 255 characters).
      Type
      Select one of the following profile types:
      • Aggregate
        —Apply the DoS thresholds configured in the profile to all connections that match the rule criteria on which this profile is applied. For example, an aggregate rule with a SYN flood
        Alarm Rate
         threshold of 10,000 CPS counts the combined connections of all the devices that match the DoS rule. When the total CPS for the group exceeds 10,000 CPS that triggers the alarm, regardless of how the CPS are spread across the devices.
      • Classified
        —Apply the DoS thresholds configured in the profile to each individual connection that matches the classification criteria (source IP address, destination IP address, or source-and-destination IP address pair). For example, a classified rule with a SYN flood
        Alarm Rate
         threshold of 10,000 CPS allows up to 10,000 CPS per device and triggers an alarm when any individual device specified in the DoS rule exceeds 10,000 CPS.
      Flood Protection Tab
      SYN Flood tab
      UDP Flood tab
      ICMP Flood tab
      ICMPv6 Flood tab
      Other IP Flood tab
      Select this option to enable the type of flood protection indicated on the tab and specify the following settings:
      • Action
        —(
        SYN Flood
         only) Action that your configuration performs if the DoS Protection policy action is
        Protect
         and if incoming CPS reach the
        Activate Rate
        . Choose one of the following:
        • Random Early Drop
          —Drop packets randomly when connections per second reach the
          Activate Rate
           threshold.
        • SYN cookies
          —Use SYN cookies to generate acknowledgments so that it's not necessary to drop connections during a SYN flood attack.
        Start with SYN Cookies, which treat legitimate traffic fairly but consumes more resources. Monitor CPU and memory utilization, and if SYN Cookies consume too many resources, switch to RED. Always use RED if you don’t have a dedicated DDoS prevention device at the network (internet) edge to protect against large-volume DoS attacks.
      • Alarm Rate
        —Specify the threshold rate (CPS) to generate a DoS alarm (range is 0 to 2,000,000 cps; default is 10,000 cps).
        For Classified profiles, the best practice is to set the threshold to 15-20% above the device’s average CPS rate to accommodate normal fluctuations and adjust the threshold if you receive too many alarms. For Aggregate profiles, the best practice is to set the threshold to 15-20% above the group’s average CPS rate. Monitor and adjust the thresholds as needed.
      • Activate Rate
        —Specify the threshold rate (cps) at which a DoS response is activated. The DoS response is configured in the
        Action
         field of the DoS Protection profile (Random Early Detection or SYN cookies). The
        Activate Rate
         range is 0 to 2,000,000 cps; default is 10,000 cps.
        If the profile
        Action
         is
        Random Early Drop
         (RED), when incoming connections per second reach the
        Activate Rate
         threshold, RED occurs. If the CPS rate increases, the RED rate increases according to an algorithm. Your configuration continues with RED until the CPS rate reaches the
        Max Rate
         threshold.
        Classified profiles apply exact CPS limits to individual devices and you base those limits on the capacity of the protected devices, so you don’t need to throttle CPS gradually and can set the
        Activate Rate
         to the same threshold as the
        Max Rate
        . Set the
        Activate Rate
         lower than the
        Max Rate
         only if you want to begin dropping traffic to an individual server before it reaches the
        Max Rate
        . For Aggregate profiles, set the threshold just above the peak CPS rate for the group. Monitor and adjust the thresholds as needed.
      • Max Rate
        —Specify the threshold rate of incoming connections per second your configuration allows. At the
        Max Rate
         threshold, your configuration drops 100% of new connections (range is 2 to 2,000,000 cps; default is 40,000 cps.)
        For Classified profiles, base the
        Max Rate
         on the capacity of the devices you’re protecting so they can’t be flooded. For Aggregate profiles, set the
        Max Rate
         to 80-90% of the group’s capacity. Monitor and adjust the thresholds as needed.
      • Block Duration
        —Specify the length of time (seconds) during which the offending IP address remains on the Block IP list and connections with the IP address are blocked. Your configuration doesn’t count packets that arrive during the block duration toward the Alarm Rate, Activate Rate, or Max Rate thresholds (range is 1 to 21,600 seconds; default is 300 seconds).
      Resources Protection Tab
      Sessions
      Select this option to enable resources protection.
      Maximum Concurrent Sessions
      Specify the maximum number of concurrent sessions.
      • For the
        Aggregate
         profile type, this limit applies to all traffic hitting the DoS Protection rule on which the DoS Protection profile is applied.
      • For the
        Classified
         profile type, this limit applies to the traffic on a classified basis (source IP, destination IP or source-and-destination IP) hitting the DoS Protection rule to which the DoS Protection profile is applied.
    4. Save
       your configuration.
      An DoS Protection profile is only active when it’s included in a profile group that a Security policy rule references. Follow the steps to activate a DoS Protection profile (and any Security profile).

    PAN-OS & Panorama

    Specify the threshold rates at which new connections per second (CPS) trigger an alarm and an action (specified in the DoS Protection policy)
    DoS Protection profiles are designed for high-precision targeting and they augment Zone Protection profiles. A DoS Protection profile specifies the threshold rates at which new connections per second (CPS) trigger an alarm and an action (specified in the DoS Protection policy). The DoS Protection profile also specifies the maximum CPS rate and how long a blocked IP address remains on the Block IP list. You specify a DoS Protection profile in a DoS Protection security rule, where you specify the criteria for packets to match the rule, and the security rule determines the devices to which the profile applies.
    Create DoS Protection profiles and security rules to protect critical individual devices or small groups of devices, especially internet-facing devices such as web servers and database servers.
    You can configure Aggregate and Classified DoS Protection profiles. You can apply an Aggregate profile, a Classified profile, or one of each type to a DoS Protection security rule. If you apply both profile types to a rule, the firewall applies the Aggregate profile first and then applies the Classified profile if needed.
    • A Classified DoS Protection profile has
      Classified
       selected as the
      Type
      . When you apply a Classified DoS Protection profile to a DoS Protection rule whose action is
      Protect
      , the firewall counts connections toward the profile’s CPS thresholds if the packet meets the specified Address type: source-ip-only, destination-ip-only, or src-dest-ip-both.
    • An Aggregate DoS Protection profile has
      Aggregate
       selected as the
      Type
      . When you apply an Aggregate DoS Protection profile a DoS Protection rule whose action is
      Protect
      , the firewall counts all connections (the combined number of connections for the group of devices specified in the rule) that meet the criteria for the rule toward the profile’s CPS thresholds.
    To apply a DoS Protection profile to a DoS Protection policy, see DoS Protection Profiles and Security Rules.
    If you have a multiple virtual system (multi-vsys) environment and have configured the following:
    • External zones to enable inter-virtual system communication and
    • Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications, then
    The following zone and DoS protection mechanisms are disabled on the external zone:
    • SYN cookies
    • IP fragmentation
    • ICMPv6
    To enable IP fragmentation and ICMPv6 protection, create a separate Zone Protection profile for the shared gateway.
    To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Detection or SYN cookies. On an external zone, only Random Early Detection is available for SYN Flood protection.
    Follow these steps to configure a DoS Protection profile.
    1. Go to
      Objects
      Security Profiles
      Dos Protection
      .
    2. Add
       a profile.
    3. Configure the settings in this table:
      DoS Protection Profile Settings
      Name
      Enter a profile name (up to 31 characters). This name appears in the list of Log Forwarding profiles when defining security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
      Description
      Enter a description of the profile (up to 255 characters).
      Shared (
      Panorama only
      )
      Select this option if you want the profile to be available to:
      • Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the
        Virtual System
         selected in the
        Objects
         tab.
      • Every device group on Panorama. If you clear this selection, the profile will be available only to the
        Device Group
         selected in the
        Objects
         tab.
      Disable override (
      Panorama only
      )
      Select this option to prevent administrators from overriding the settings of this DoS Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
      Type
      Select one of the following profile types:
      • Aggregate
        —Apply the DoS thresholds configured in the profile to all connections that match the rule criteria on which this profile is applied. For example, an aggregate rule with a SYN flood
        Alarm Rate
         threshold of 10,000 CPS counts the combined connections of all the devices that match the DoS rule. When the total CPS for the group exceeds 10,000 CPS that triggers the alarm, regardless of how the CPS are spread across the devices.
      • Classified
        —Apply the DoS thresholds configured in the profile to each individual connection that matches the classification criteria (source IP address, destination IP address, or source-and-destination IP address pair). For example, a classified rule with a SYN flood
        Alarm Rate
         threshold of 10,000 CPS allows up to 10,000 CPS per device and triggers an alarm when any individual device specified in the DoS rule exceeds 10,000 CPS.
      Flood Protection Tab
      SYN Flood tab
      UDP Flood tab
      ICMP Flood tab
      ICMPv6 Flood tab
      Other IP Flood tab
      Select this option to enable the type of flood protection indicated on the tab and specify the following settings:
      • Action
        —(
        SYN Flood
         only) Action that the firewall performs if the DoS Protection policy action is
        Protect
         and if incoming CPS reach the
        Activate Rate
        . Choose one of the following:
        • Random Early Drop
          —Drop packets randomly when connections per second reach the
          Activate Rate
           threshold.
        • SYN cookies
          —Use SYN cookies to generate acknowledgments so that it's not necessary to drop connections during a SYN flood attack.
        Start with SYN Cookies, which treat legitimate traffic fairly but consumes more firewall resources. Monitor CPU and memory utilization, and if SYN Cookies consume too many resources, switch to RED. Always use RED if you don’t have a dedicated DDoS prevention device at the network (internet) edge to protect against large-volume DoS attacks.
      • Alarm Rate
        —Specify the threshold rate (CPS) to generate a DoS alarm (range is 0 to 2,000,000 cps; default is 10,000 cps).
        For Classified profiles, the best practice is to set the threshold to 15-20% above the device’s average CPS rate to accommodate normal fluctuations and adjust the threshold if you receive too many alarms. For Aggregate profiles, the best practice is to set the threshold to 15-20% above the group’s average CPS rate. Monitor and adjust the thresholds as needed.
      • Activate Rate
        —Specify the threshold rate (cps) at which a DoS response is activated. The DoS response is configured in the
        Action
         field of the DoS Protection profile (Random Early Detection or SYN cookies). The
        Activate Rate
         range is 0 to 2,000,000 cps; the default is 10,000 cps.
        If the profile
        Action
         is
        Random Early Drop
         (RED), when incoming connections per second reach the
        Activate Rate
         threshold, RED occurs. If the CPS rate increases, the RED rate increases according to an algorithm. The firewall continues with RED until the CPS rate reaches the
        Max Rate
         threshold.
        Classified profiles apply exact CPS limits to individual devices and you base those limits on the capacity of the protected devices, so you don’t need to throttle CPS gradually and can set the
        Activate Rate
         to the same threshold as the
        Max Rate
        . Set the
        Activate Rate
         lower than the
        Max Rate
         only if you want to begin dropping traffic to an individual server before it reaches the
        Max Rate
        . For Aggregate profiles, set the threshold just above the peak CPS rate for the group. Monitor and adjust the thresholds as needed.
      • Max Rate
        —Specify the threshold rate of incoming connections per second the firewall allows. At the
        Max Rate
         threshold, the firewall drops 100% of new connections (range is 2 to 2,000,000 cps; default is 40,000 cps.)
        For Classified profiles, base the
        Max Rate
         on the capacity of the devices you’re protecting so they can’t be flooded. For Aggregate profiles, set the
        Max Rate
         to 80-90% of the group’s capacity. Monitor and adjust the thresholds as needed.
      • Block Duration
        —Specify the length of time (seconds) during which the offending IP address remains on the Block IP list and connections with the IP address are blocked. The firewall doesn’t count packets that arrive during the block duration toward the Alarm Rate, Activate Rate, or Max Rate thresholds (range is 1 to 21,600 seconds; default is 300 seconds).
      Resources Protection Tab
      Sessions
      Select this option to enable resources protection.
      Maximum Concurrent Sessions
      Specify the maximum number of concurrent sessions.
      • For the
        Aggregate
         profile type, this limit applies to all traffic hitting the DoS Protection rule on which the DoS Protection profile is applied.
      • For the
        Classified
         profile type, this limit applies to the traffic on a classified basis (source IP, destination IP or source-and-destination IP) hitting the DoS Protection rule to which the DoS Protection profile is applied.
    4. Select
      OK
       to save your configuration.

    Recommended For You

    © 2024 Palo Alto Networks, Inc. All rights reserved.