DoS Protection Policy with Source and Destination IP Classification
Enhanced DoS and PBP configurations help you protect your Palo Alto Networks
firewalls from DoS attacks originating from the internet.
Destination IP address-only DoS Protection policy rules pose a risk: they either
unintentionally block safe traffic or leave your internet-facing firewalls exposed.
Enhanced DoS protection and packet buffer protection (PBP) address this security and
operational challenge.
You can now configure edge zones—those that connect directly to the internet—using
both the source and destination IP addresses. This capability enables you to block
DoS attacks more efficiently without accidentally blocking safe traffic from
reaching your network. You are now able to use the software and hardware block
tables to protect against these attacks more effectively.
We introduced the following improvements to help protect your Palo Alto Networks
firewalls from DoS attacks:
- Configure a DoS policy rule with a destination IP address-only
classification for internet-facing zones. This strengthens your firewall’s
protection from internet-originated DoS attacks by enabling it to block source
IP addresses using software and hardware ACL blocking settings.
- Set both buffer-based and latency-based activation settings simultaneously for
improved PBP. PBP monitors session latency and buffer utilization concurrently and
activates mitigation when either threshold is exceeded, protecting your firewall
resources.
- Increase or decrease the software block duration setting for software block
table entries. This improves efficiency for software-based firewalls, while the
software block table acts as additional protection alongside the hardware block
table for hardware products.
- Monitor software tags (on-chip packet descriptors), buffer utilization (as a
percentage), and firewall resources from your SNMP server, using the new SNMP
support for buffer and on-chip packet descriptor utilization.
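The following is an added model, not PAN-OS code or configuration, of the two behaviours the list describes: the difference between a destination-only and a source-and-destination classification key, and a software block table whose entries age out after a configurable block duration. The classification labels, the rate threshold and the traffic (RFC 5737 documentation addresses) are constructed for the example.

```python
from collections import defaultdict

class DosProtection:
    """Simplified model of a classified DoS rule plus a software block table.
    Constructed example, not PAN-OS code; option names here are placeholders."""

    def __init__(self, classification, max_rate, block_duration):
        self.classification = classification  # "destination-ip-only" or "src-dest-ip-both"
        self.max_rate = max_rate              # packets a key may send before it is blocked
        self.block_duration = block_duration  # seconds a block-table entry lives
        self.counts = defaultdict(int)        # key -> packets seen since last reset
        self.block_table = {}                 # key -> time the block entry expires

    def _key(self, src, dst):
        # A destination-only key lumps every source behind one counter, so one
        # attacker's flood also pushes legitimate sources over the threshold.
        if self.classification == "destination-ip-only":
            return (dst,)
        return (src, dst)

    def process(self, src, dst, now):
        """Return "block" if the packet is dropped, "allow" otherwise."""
        key = self._key(src, dst)
        expiry = self.block_table.get(key)
        if expiry is not None:
            if now < expiry:
                return "block"            # still inside block_duration
            del self.block_table[key]     # entry aged out; start counting again
            self.counts[key] = 0
        self.counts[key] += 1
        if self.counts[key] > self.max_rate:
            self.block_table[key] = now + self.block_duration
            return "block"
        return "allow"


def demo():
    """Constructed traffic: a flooding source and a legitimate source aimed at
    the same internet-facing address; returns the verdicts per classification."""
    attacker, legit, server = "203.0.113.5", "192.0.2.7", "198.51.100.10"
    results = {}
    for mode in ("destination-ip-only", "src-dest-ip-both"):
        rule = DosProtection(mode, max_rate=3, block_duration=10)
        for _ in range(4):                    # the flood crosses the threshold
            rule.process(attacker, server, now=0)
        results[mode] = {
            "legit_at_t1": rule.process(legit, server, now=1),
            "attacker_at_t5": rule.process(attacker, server, now=5),
            "attacker_at_t10": rule.process(attacker, server, now=10),
        }
    return results
```

With the destination-only key the legitimate source is collateral damage; with the source-and-destination key only the flooding source is blocked, and its entry is released once the block duration has elapsed.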