Objects > Security Profiles > DoS Protection
Table of Contents
10.0 (EoL)
Expand all | Collapse all
-
- Objects > Addresses
- Objects > Address Groups
- Objects > Regions
- Objects > Dynamic User Groups
- Objects > Application Groups
- Objects > Application Filters
- Objects > Services
- Objects > Service Groups
- Objects > Devices
- Objects > External Dynamic Lists
- Objects > Custom Objects > Spyware/Vulnerability
- Objects > Custom Objects > URL Category
- Objects > Security Profiles > Antivirus
- Objects > Security Profiles > Anti-Spyware Profile
- Objects > Security Profiles > Vulnerability Protection
- Objects > Security Profiles > File Blocking
- Objects > Security Profiles > WildFire Analysis
- Objects > Security Profiles > Data Filtering
- Objects > Security Profiles > DoS Protection
- Objects > Security Profiles > Mobile Network Protection
- Objects > Security Profiles > SCTP Protection
- Objects > Security Profile Groups
- Objects > Log Forwarding
- Objects > Authentication
- Objects > Decryption > Forwarding Profile
- Objects > Schedules
-
-
- Firewall Interfaces Overview
- Common Building Blocks for Firewall Interfaces
- Common Building Blocks for PA-7000 Series Firewall Interfaces
- Tap Interface
- HA Interface
- Virtual Wire Interface
- Virtual Wire Subinterface
- PA-7000 Series Layer 2 Interface
- PA-7000 Series Layer 2 Subinterface
- PA-7000 Series Layer 3 Interface
- Layer 3 Interface
- Layer 3 Subinterface
- Log Card Interface
- Log Card Subinterface
- Decrypt Mirror Interface
- Aggregate Ethernet (AE) Interface Group
- Aggregate Ethernet (AE) Interface
- Network > Interfaces > VLAN
- Network > Interfaces > Loopback
- Network > Interfaces > Tunnel
- Network > Interfaces > SD-WAN
- Network > VLANs
- Network > Virtual Wires
-
- Network > Network Profiles > GlobalProtect IPSec Crypto
- Network > Network Profiles > IPSec Crypto
- Network > Network Profiles > IKE Crypto
- Network > Network Profiles > Monitor
- Network > Network Profiles > Interface Mgmt
- Network > Network Profiles > QoS
- Network > Network Profiles > LLDP Profile
- Network > Network Profiles > SD-WAN Interface Profile
-
-
- Device > Setup
- Device > Setup > Management
- Device > Setup > Interfaces
- Device > Setup > Telemetry
- Device > Setup > Content-ID
- Device > Setup > WildFire
- Device > Setup > DLP
- Device > Log Forwarding Card
- Device > Config Audit
- Device > Administrators
- Device > Admin Roles
- Device > Access Domain
- Device > Authentication Sequence
- Device > Device Quarantine
-
- Security Policy Match
- QoS Policy Match
- Authentication Policy Match
- Decryption/SSL Policy Match
- NAT Policy Match
- Policy Based Forwarding Policy Match
- DoS Policy Match
- Routing
- Test Wildfire
- Threat Vault
- Ping
- Trace Route
- Log Collector Connectivity
- External Dynamic List
- Update Server
- Test Cloud Logging Service Status
- Test Cloud GP Service Status
- Device > Virtual Systems
- Device > Shared Gateways
- Device > Certificate Management
- Device > Certificate Management > Certificate Profile
- Device > Certificate Management > OCSP Responder
- Device > Certificate Management > SSL/TLS Service Profile
- Device > Certificate Management > SCEP
- Device > Certificate Management > SSL Decryption Exclusion
- Device > Certificate Management > SSH Service Profile
- Device > Response Pages
- Device > Server Profiles
- Device > Server Profiles > SNMP Trap
- Device > Server Profiles > Syslog
- Device > Server Profiles > Email
- Device > Server Profiles > HTTP
- Device > Server Profiles > NetFlow
- Device > Server Profiles > RADIUS
- Device > Server Profiles > TACACS+
- Device > Server Profiles > LDAP
- Device > Server Profiles > Kerberos
- Device > Server Profiles > SAML Identity Provider
- Device > Server Profiles > DNS
- Device > Server Profiles > Multi Factor Authentication
- Device > Local User Database > Users
- Device > Local User Database > User Groups
- Device > Scheduled Log Export
- Device > Software
- Device > Dynamic Updates
- Device > Licenses
- Device > Support
- Device > Policy Recommendation
-
- Network > GlobalProtect > MDM
- Network > GlobalProtect > Clientless Apps
- Network > GlobalProtect > Clientless App Groups
- Objects > GlobalProtect > HIP Profiles
-
- Use the Panorama Web Interface
- Context Switch
- Panorama Commit Operations
- Defining Policies on Panorama
- Log Storage Partitions for a Panorama Virtual Appliance in Legacy Mode
- Panorama > Setup > Interfaces
- Panorama > High Availability
- Panorama > Administrators
- Panorama > Admin Roles
- Panorama > Access Domains
- Panorama > Device Groups
- Panorama > Plugins
- Panorama > Log Ingestion Profile
- Panorama > Log Settings
- Panorama > Server Profiles > SCP
- Panorama > Scheduled Config Export
End-of-Life (EoL)
Objects > Security Profiles > DoS Protection
DoS Protection profiles are designed for high-precision
targeting and they augment Zone Protection profiles. A DoS Protection
profile specifies the threshold rates at which new connections per
second (CPS) trigger an alarm and an action (specified in the DoS
Protection policy). The DoS Protection profile also specifies the
maximum CPS rate and how long a blocked IP address remains on the
Block IP list. You specify a DoS protection profile in a DoS protection
policy rule, where you specify the criteria for packets to match
the rule, and the policy rule determines the devices to which the
profile applies.
Create DoS Protection profiles and policies
to protect critical individual devices or small groups of devices,
especially internet-facing devices such as web servers and database
servers.
You can configure Aggregate and Classified DoS
Protection profiles. You can apply an Aggregate profile,
a Classified profile, or one of each type to a DoS Protection policy
rule. If you apply both profile types to a rule, the firewall applies
the Aggregate profile first and then applies the Classified profile
if needed.
- A Classified DoS Protection profile has Classified selected as the Type. When you apply a Classified DoS Protection profile to a DoS Protection rule whose action is Protect, the firewall counts connections toward the profile’s CPS thresholds if the packet meets the specified Address type: source-ip-only, destination-ip-only, or src-dest-ip-both.
- An Aggregate DoS Protection profile has Aggregate selected as the Type. When you apply an Aggregate DoS Protection profile a DoS Protection rule whose action is Protect, the firewall counts all connections (the combined number of connections for the group of devices specified in the rule) that meet the criteria for the rule toward the profile’s CPS thresholds.
To apply a DoS Protection profile to a DoS Protection policy,
see Policies
> DoS Protection.
If you have a multiple virtual system (multi-vsys) environment
and have configured the following:
- External zones to enable inter-virtual system communication and
- Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications, then
The
following Zone and DoS protection mechanisms are disabled on the
external zone:
- SYN cookies
- IP fragmentation
- ICMPv6
To enable IP fragmentation and ICMPv6 protection,
create a separate zone protection profile for the shared gateway.
To
protect against SYN floods on a shared gateway, you can apply a
SYN Flood protection profile with either Random Early Drop or SYN
cookies. On an external zone, only Random Early Drop is available
for SYN Flood protection.
DoS
Protection Profile Settings | |
---|---|
Name | Enter a profile name (up to 31 characters).
This name appears in the list of log forwarding profiles when defining
security policies. The name is case-sensitive and must be unique.
Use only letters, numbers, spaces, hyphens, and underscores. |
Description | Enter a description of the profile (up to
255 characters). |
Shared (Panorama only) | Select this option if you want the profile
to be available to:
|
Disable override (Panorama only) | Select this option to prevent administrators
from overriding the settings of this DoS Protection profile in device
groups that inherit the profile. This selection is cleared by default,
which means administrators can override the settings for any device
group that inherits the profile. |
Type | Select one of the following profile types:
|
Flood Protection Tab | |
SYN Flood tab UDP Flood tab ICMP
Flood tab ICMPv6 Flood tab Other IP Flood tab | Select this option to enable the type of
flood protection indicated on the tab and specify the following
settings:
|
Resources Protection Tab | |
Sessions | Select this option to enable resources protection. |
Maximum Concurrent Sessions | Specify the maximum number of concurrent
sessions.
|