Focus

Classified Versus Aggregate DoS Protection

Table of Contents

Filter

Expand All | Collapse All

Next-Generation Firewall Docs

Getting Started
Administration
Version
- Cloud Management of NGFWs
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
- PAN-OS 9.1 (EoL)
Networking
Version
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1 & Later
Incidents & Alerts
Release Notes
Version
- Cloud Management and AIOps for NGFW
- PAN-OS 10.0 (EoL)
- PAN-OS 10.1
- PAN-OS 10.2
- PAN-OS 11.0
- PAN-OS 11.1
- PAN-OS 11.2
- PAN-OS 8.1 (EoL)
- PAN-OS 9.0 (EoL)
- PAN-OS 9.1 (EoL)

DoS Protection Profiles and Policy Rules

DoS Protection Profiles

Classified Versus Aggregate DoS Protection

Protect groups of devices with aggregate DoS protection and protect critical individual devices with classified DoS protection.

You can configure aggregate and classified DoS Protection Profiles, and apply one profile or one of each type of profile to DoS Protection Policy Rules when you configure DoS Protection.

Aggregate—Sets thresholds that apply to the entire group of devices specified in a DoS Protection policy rule instead of to each individual device, so one device could receive the majority of the allowed connection traffic. For example, a Max Rate of 20,000 CPS means the total CPS for the group is 20,000, and an individual device can receive up to 20,000 CPS if other devices don’t have connections. Aggregate DoS Protection policies provide another layer of broad protection (after your dedicated DDoS device at the internet perimeter and Zone Protection profiles) for a particular group of critical devices when you want to apply extra constraints on specific subnets, users, or services.
Classified—Sets flood thresholds that apply to each individual device specified in a DoS Protection policy rule. For example, if you set an Max Rate of 5,000 CPS, each device specified in the rule can accept up to 5,000 CPS before it drops new connections. If you apply a classified DoS Protection policy rule to more than one device, the devices governed by the rule should be similar in terms of capacity and how you want to control their CPS rates because classified thresholds apply to each individual device. Classified profiles protect individual critical resources.
When you configure a DoS Protection policy rule with a classified DoS Protection profile (Option/ProtectionClassifiedAddress), use the Address field to specify whether incoming connections count toward the profile thresholds based on matching the source-ip-only, destination-ip-only, or scr-dest-ip-both (the firewall counts both the source and the destination IP addresses matches toward the thresholds). Counters consume resources, so the way you count address matches affects firewall resource consumption. You can use classified DoS protection to:
- Protect critical individual devices, especially servers that users access from the internet and are often attack targets, such as web servers, database servers, and DNS servers. Set appropriate flood and resource protection thresholds in a classified DoS Protection profile. Create a DoS Protection policy rule that applies the profile to each server’s IP address by adding the IP addresses as the rule’s destination criteria, and set the Address to destination-ip-only.
  
  Do not use source-IP-only or src-dest-ip-both classification for internet-facing zones in classified DoS Protection policy rules because the firewall doesn’t have the capacity to store counters for every possible IP address on the internet. Increment the threshold counter for source IPs only for internal zone or same-zone rules. In perimeter zones, use destination-ip-only.
- Monitor the CPS rate for a suspect host or group of hosts (the zone that contains the hosts cannot be internet-facing). Set an appropriate alarm threshold in a classified DoS Protection profile to notify you if a host initiates an unusually large number of connections. Create a DoS Protection policy rule that applies the profile to the individual source or source address group and set the Address to source-ip-only. Investigate hosts that initiate enough new connections to set off the alarm.

How you configure the Address (source-ip-only, destination-ip-only, or src-dest-ip-both) for classified profiles depends on your DoS protection goals, what you are protecting, and whether the protected device(s) are in internet-facing zones.

The firewall uses more resources to track src-dest-ip-both as the Address than to track source-IP-only or destination-ip-only because the counters consume resources for both the source and destination IP addresses instead of just one of the two.

If you apply both an aggregate and a classified DoS Protection profile to the same DoS Protection policy rule, the firewall applies the aggregate profile first and then applies the classified profile if needed. For example, we protect a group of five web servers with both types of profiles in a DoS Protection policy rule. The aggregate profile configuration drops new connections when the combined total for the group reaches a Max Rate of 25,000 CPS. The classified profile configuration drops new connections to any individual web server in the group when it reaches a Max Rate of 6,000 CPS. There are three scenarios where new connection traffic crosses Max Rate thresholds:

The new CPS rate exceeds the aggregate Max Rate but doesn’t exceed the classified Max Rate. In this scenario, the firewall applies the aggregate profile and blocks all new connections for the configured Block Duration.
The new CPS rate doesn’t exceed the aggregate Max Rate, but the CPS to one of the web servers exceeds the classified Max Rate. In this scenario, the firewall checks the aggregate profile and finds that the rate for the group is less than 25,000 CPS, so the firewall doesn’t block new connections based on that. Next, the firewall checks the classified profile and finds that the rate for a particular server exceeds 6,000 CPS. The firewall applies the classified profile and blocks new connections to that particular server for the configured Block Duration. Because the other servers in the group are within the classified profile’s Max Rate, their traffic is not affected.
The new CPS rate exceeds the aggregate Max Rate and also exceeds the classified Max Rate for one of the web servers. In this scenario, the firewall checks the aggregate profile and finds that the rate for the group exceeds 25,000 CPS, so the firewall blocks new connections to limit the group’s total CPS. The firewall then checks the classified profile and finds that the rate for a particular server exceeds 6,000 CPS (so the aggregate profile enforced the group’s combined limit, but that wasn’t enough to protect this particular server). The firewall applies the classified profile and blocks new connections to that particular server for the configured Block Duration. Because the other servers in the group are within the classified profile’s Max Rate, their traffic is not affected.

If you want both an aggregate and a classified DoS Protection profile to apply to the same traffic, you must apply both profiles to the same DoS Protection policy rule. If you apply the aggregate profile to one rule and the classified profile to a different rule, even if they specify exactly the same traffic, the firewall can apply only one profile because when the traffic matches the first DoS Protection policy rule, the firewall executes the Action specified in that rule and doesn’t compare to the traffic to any subsequent rules, so the traffic never matches the second rule and the firewall can’t apply its action. (This is the same way that Security policy rules work.)

DoS Protection Profiles and Policy Rules

DoS Protection Profiles

Next-Generation Firewall Docs

Classified Versus Aggregate DoS Protection

Next-Generation Firewall Docs

Classified Versus Aggregate DoS Protection

Activation & Onboarding

Next-Generation Firewalls

Cloud-Delivered Security Services

Network Security

Visibility & Monitoring

Best Practices

Experts Corner