Focus

Next-Generation Firewall

End a Single Session DoS Attack

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Networking
Quick Start
Reference
Incidents & Alerts
Release Notes
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 11.0 (EoL)
- PAN-OS 10.2
- PAN-OS 10.1
- PAN-OS 10.0 (EoL)
- PAN-OS 9.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 8.1 (EoL)
Help
Select a Document
- PAN-OS 12.1
- PAN-OS 11.2
- PAN-OS 11.1
- PAN-OS 10.2
- PAN-OS 10.1

Configure DoS Protection Against Flooding of New Sessions

Identify Sessions That Use Too Much of the On-Chip Packet Descriptor

End a Single Session DoS Attack

Use DoS protection policy rules and Security policy rules to block single session DoS attacks.

Where Can I Use This?	What Do I Need?
NGFW (Managed by PAN-OS or Panorama)	No prerequisites needed

To mitigate a single-session DoS attack, you would still Configure DoS Protection Against Flooding of New Sessions in advance. At some point after you configure the feature, a session might be established before you realize a DoS attack (from the IP address of that session) is underway. When you see a single-session DoS attack, perform the following task to end the session, so that subsequent connection attempts from that IP address trigger the DoS protection against flooding of new sessions.

Identify the source IP address that is causing the attack.
For example, use the firewall Packet Capture feature with a destination filter to collect a sample of the traffic going to the destination IP address. Alternatively, use the ACC to filter on destination address to view the activity to the target host being attacked.
Create a DoS Protection policy rule that will block the attacker’s IP address after the attack thresholds are exceeded.
Create a Security policy rule to deny the source IP address and its attack traffic.
End any existing attacks from the attacking source IP address by executing the clear session all filter source <ip-address> operational command.
Alternatively, if you know the session ID, you can execute the clear session id <value> command to end that session only.

If you use the clear session all filter source <ip-address> command, all sessions matching the source IP address are discarded, which can include both good and bad sessions.

After you end the existing attack session, any subsequent attempts to form an attack session are blocked by the Security policy. The DoS Protection policy counts all connection attempts toward the thresholds. When the Max Rate threshold is exceeded, the source IP address is blocked for the Block Duration, as described in Multiple-Session DoS Attack.

Configure DoS Protection Against Flooding of New Sessions

Identify Sessions That Use Too Much of the On-Chip Packet Descriptor

Next-Generation Firewall Docs

End a Single Session DoS Attack

Next-Generation Firewall Docs

End a Single Session DoS Attack

Activation and Onboarding

Next-Generation Firewalls

SASE

Cloud-Delivered Security Services

Network Security

Endpoints

Visibility & Monitoring

FedRAMP

Hardware Reference

Hardware Quick Start Guides

Virtual ION Deployment

3rd Party Integrations

Best Practices

Experts Corner