Configure a DoS Protection Profile (Strata Cloud Manager)

1. Go to ConfigurationNGFW and Prisma AccessSecurity ServicesDoS Protection.
2. Add Profile.
3. Configure the settings in this table:

   DoS Protection Profile Settings
   Name	Enter a profile name (up to 31 characters). This name appears in the list of Log Forwarding profiles when defining security rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
   Description	Enter a description of the profile (up to 255 characters).
   Type	Select one of the following profile types: Aggregate—Apply the DoS thresholds configured in the profile to all connections that match the rule criteria on which this profile is applied. For example, an aggregate rule with a SYN flood Alarm Rate threshold of 10,000 CPS counts the combined connections of all the devices that match the DoS rule. When the total CPS for the group exceeds 10,000 CPS that triggers the alarm, regardless of how the CPS are spread across the devices. Classified—Apply the DoS thresholds configured in the profile to each individual connection that matches the classification criteria (source IP address, destination IP address, or source-and-destination IP address pair). For example, a classified rule with a SYN flood Alarm Rate threshold of 10,000 CPS allows up to 10,000 CPS per device and triggers an alarm when any individual device specified in the DoS rule exceeds 10,000 CPS.
   Flood Protection Tab
   SYN Flood tab UDP Flood tab ICMP Flood tab ICMPv6 Flood tab Other IP Flood tab	Select this option to enable the type of flood protection indicated on the tab and specify the following settings: Action—(SYN Flood only) Action that your configuration performs if the DoS Protection policy action is Protect and if incoming CPS reach the Activate Rate. Choose one of the following: Random Early Drop—Drop packets randomly when connections per second reach the Activate Rate threshold. SYN cookies—Use SYN cookies to generate acknowledgments so that it's not necessary to drop connections during a SYN flood attack. Start with SYN Cookies, which treat legitimate traffic fairly but consumes more resources. Monitor CPU and memory utilization, and if SYN Cookies consume too many resources, switch to RED. Always use RED if you don’t have a dedicated DDoS prevention device at the network (internet) edge to protect against large-volume DoS attacks. Alarm Rate—Specify the threshold rate (CPS) to generate a DoS alarm (range is 0 to 2,000,000 cps; default is 10,000 cps). For Classified profiles, the best practice is to set the threshold to 15-20% above the device’s average CPS rate to accommodate normal fluctuations and adjust the threshold if you receive too many alarms. For Aggregate profiles, the best practice is to set the threshold to 15-20% above the group’s average CPS rate. Monitor and adjust the thresholds as needed. Activate Rate—Specify the threshold rate (cps) at which a DoS response is activated. The DoS response is configured in the Action field of the DoS Protection profile (Random Early Detection or SYN cookies). The Activate Rate range is 0 to 2,000,000 cps; default is 10,000 cps. If the profile Action is Random Early Drop (RED), when incoming connections per second reach the Activate Rate threshold, RED occurs. If the CPS rate increases, the RED rate increases according to an algorithm. Your configuration continues with RED until the CPS rate reaches the Max Rate threshold. Classified profiles apply exact CPS limits to individual devices and you base those limits on the capacity of the protected devices, so you don’t need to throttle CPS gradually and can set the Activate Rate to the same threshold as the Max Rate. Set the Activate Rate lower than the Max Rate only if you want to begin dropping traffic to an individual server before it reaches the Max Rate. For Aggregate profiles, set the threshold just above the peak CPS rate for the group. Monitor and adjust the thresholds as needed. Max Rate—Specify the threshold rate of incoming connections per second your configuration allows. At the Max Rate threshold, your configuration drops 100% of new connections (range is 2 to 2,000,000 cps; default is 40,000 cps.) For Classified profiles, base the Max Rate on the capacity of the devices you’re protecting so they can’t be flooded. For Aggregate profiles, set the Max Rate to 80-90% of the group’s capacity. Monitor and adjust the thresholds as needed. Block Duration—Specify the length of time (seconds) during which the offending IP address remains on the Block IP list and connections with the IP address are blocked. Your configuration doesn’t count packets that arrive during the block duration toward the Alarm Rate, Activate Rate, or Max Rate thresholds (range is 1 to 21,600 seconds; default is 300 seconds).
   Resources Protection Tab
   Sessions	Select this option to enable resources protection.
   Maximum Concurrent Sessions	Specify the maximum number of concurrent sessions. For the Aggregate profile type, this limit applies to all traffic hitting the DoS Protection rule on which the DoS Protection profile is applied. For the Classified profile type, this limit applies to the traffic on a classified basis (source IP, destination IP or source-and-destination IP) hitting the DoS Protection rule to which the DoS Protection profile is applied.

4. Save your configuration.

   An DoS Protection profile is only active when it’s included in a profile group that a Security policy rule references. Follow the steps to activate a DoS Protection profile (and any Security profile).