Next-Generation Firewall
Configure Flood Protection
Defend an entire ingress zone against flood attacks.
Contact your account team to enable Cloud Management for NGFWs using
Strata Cloud Manager.
A Zone Protection profile with flood protection
configured defends against SYN, UDP, ICMP, ICMPv6, and other IP
flood attacks. The firewall measures the aggregate amount of each
flood type entering the zone in new connections-per-second (CPS)
and compares the totals to the thresholds you configure in the Zone
Protection profile.
For each flood type, you set three thresholds for new CPS entering
the zone, and for SYN floods you can also choose the drop action.
If you know the baseline CPS rates for the zone, use these guidelines
to set the initial thresholds, and then monitor and adjust the thresholds
as necessary.
If you don’t know the baseline CPS rates for the zone, start by setting the Maximum CPS rate to
approximately 80-90% of firewall capacity and use it to derive reasonable flood
mitigation alarm and activation rates. Set the Alarm Rate and Activate Rate based on
the Maximum rate. For example, you could set the Alarm Rate to half the Maximum rate
and adjust it depending on how many alarms you receive and the firewall resources
being consumed. Be careful setting the Activate Rate since it begins to drop
connections. Because normal traffic loads experience some fluctuation, it’s best not
to drop connections too aggressively. Err on the high side and adjust the rate if
firewall resources are impacted.
The default threshold values are high so that activating a Zone Protection profile doesn’t
unexpectedly drop legitimate traffic. Adjust the thresholds to values appropriate
for your network traffic. The best method for understanding how to set reasonable
flood thresholds is to take baseline measurements of average and peak CPS for each
flood type to determine the normal traffic conditions for each zone and to
understand the capacity of the firewall, including the impact of other
resource-consuming features such as decryption. Monitor and adjust the flood
thresholds as needed and as your network evolves.
- Log in to Strata Cloud Manager.
- Select Manage > Configuration > NGFW and Prisma Access > Security Services > DoS Protection and select the Configuration Scope where you want to create the Zone Protection profile. You can select a folder or firewall from your Folders or select Snippets to configure the Zone Protection profile in a snippet.
- Navigate to the Zone Protection Profiles and Add Profile.
- Enter a descriptive Name.
- (Optional) Enter a Description.
- Select Flood.
- Select the type of flood attack that you want to defend against and Enable. A single Zone Protection profile supports defense against multiple types of flood attacks.
- (SYN flood only) Select the Action the firewall takes. SYN Flood Protection is the only type for which you set the drop Action. Start by setting the Action to SYN Cookies. SYN Cookies treats legitimate traffic fairly and only drops traffic that fails the SYN handshake, while Random Early Detection (RED) drops traffic randomly, so RED might affect legitimate traffic. However, SYN Cookies are more resource-intensive because the firewall acts as a proxy for the target server and handles the three-way handshake for the server. The tradeoff is between not dropping legitimate traffic (SYN Cookies) and preserving firewall resources (RED). Monitor the firewall, and if SYN Cookies consume too many resources, switch to RED. If you don’t have a dedicated DDoS prevention device in front of the firewall, always use RED as the drop mechanism. When SYN Cookies is activated, the firewall doesn’t honor the TCP options that the server sends because it doesn’t know these values at the time that it proxies the SYN-ACK. Therefore, values such as the TCP server’s window size and MSS can’t be negotiated during the TCP handshake, and the firewall uses its own default values. If the MSS of the path to the server is smaller than the firewall’s default MSS value, the packet must be fragmented.
- Set the Alarm Rate. This is the CPS threshold that triggers an alarm. Target setting the Alarm Rate to 15-20% above the average CPS rate for the zone so that normal fluctuations don't cause alerts.
- Set the Activate Rate. This is the CPS threshold that activates the flood protection mechanism and begins dropping new connections. For ICMP, ICMPv6, UDP, and other IP floods, the protection mechanism is RED. (SYN flood only) You can set the drop Action to SYN Cookies or RED. Target setting the Activate Rate to just above the peak CPS rate for the zone to begin mitigating potential floods.
- Set the Maximum Rate. This is the CPS rate at which the firewall drops incoming packets when RED is the protection mechanism. Target setting the Maximum Rate to approximately 80-90% of firewall capacity, taking into account other features that consume firewall resources.
- Save.
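The threshold guidance above and the Alarm, Activate and Maximum Rate steps can be worked through numerically. The following Python is an added illustration, not Palo Alto Networks code: it derives a threshold set from either measured baselines or raw firewall capacity, checks that the three values are ordered, and labels constructed per-second CPS samples. The linear RED drop ramp, the 5% margin above peak and the 75% Activate fraction are assumptions made for illustration, not documented PAN-OS behavior.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FloodThresholds:
    alarm_cps: int      # alert only, nothing dropped
    activate_cps: int   # mitigation (RED or SYN Cookies) starts
    maximum_cps: int    # RED drops every new connection

def validate(t):
    """Reject a profile whose thresholds could not fire in the intended order."""
    if not 0 < t.alarm_cps < t.activate_cps < t.maximum_cps:
        raise ValueError(f"need 0 < alarm < activate < maximum, got {t}")
    return t

def from_baseline(avg_cps, peak_cps, capacity_cps,
                  alarm_margin=0.15, peak_margin=0.05, capacity_fraction=0.85):
    """Known-baseline path: Alarm 15-20% above average, Activate just above
    peak (the 5% margin is an assumption), Maximum ~80-90% of capacity."""
    return validate(FloodThresholds(
        alarm_cps=round(avg_cps * (1 + alarm_margin)),
        activate_cps=round(peak_cps * (1 + peak_margin)),
        maximum_cps=round(capacity_cps * capacity_fraction)))

def from_capacity(capacity_cps, capacity_fraction=0.85,
                  alarm_fraction=0.5, activate_fraction=0.75):
    """Unknown-baseline path: fix Maximum first, derive the rest from it.
    Alarm at half of Maximum follows the page; Activate at 75% is an
    assumption chosen to err on the high side, as the page advises."""
    maximum = round(capacity_cps * capacity_fraction)
    return validate(FloodThresholds(
        alarm_cps=round(maximum * alarm_fraction),
        activate_cps=round(maximum * activate_fraction),
        maximum_cps=maximum))

def red_drop_probability(cps, t):
    """Simplified RED (an assumption, not PAN-OS's algorithm): nothing dropped
    below Activate, everything at Maximum, linear ramp in between."""
    if cps < t.activate_cps:
        return 0.0
    if cps >= t.maximum_cps:
        return 1.0
    return (cps - t.activate_cps) / (t.maximum_cps - t.activate_cps)

def classify(samples, t):
    """Label constructed per-second CPS readings against the thresholds."""
    bands = ((t.maximum_cps, "max"), (t.activate_cps, "red"), (t.alarm_cps, "alarm"))
    return [next((name for floor, name in bands if cps >= floor), "normal")
            for cps in samples]
```

Feeding a zone's measured average and peak CPS plus the firewall's rated capacity into `from_baseline` gives a starting profile; re-running `classify` over a week of per-second samples shows how often each band would have fired before the profile is committed.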