Classified Versus Aggregate DoS Protection
Protect groups of devices with aggregate DoS protection
and protect critical individual devices with classified DoS protection.
You can configure aggregate and classified DoS Protection Profiles, and apply
one profile or one of each type of profile to DoS Protection Policy Rules when you configure DoS Protection.
- Aggregate—Sets thresholds that apply to the entire group of devices specified in a DoS Protection policy rule instead of to each individual device, so one device could receive the majority of the allowed connection traffic. For example, a Max Rate of 20,000 CPS means the total CPS for the group is 20,000, and an individual device can receive up to 20,000 CPS if other devices don’t have connections. Aggregate DoS Protection policies provide another layer of broad protection (after your dedicated DDoS device at the internet perimeter and Zone Protection profiles) for a particular group of critical devices when you want to apply extra constraints on specific subnets, users, or services.
- Classified—Sets flood thresholds that apply to each individual device specified in a DoS Protection policy rule. For example, if you set a Max Rate of 5,000 CPS, each device specified in the rule can accept up to 5,000 CPS before it drops new connections. If you apply a classified DoS Protection policy rule to more than one device, the devices governed by the rule should be similar in terms of capacity and how you want to control their CPS rates, because classified thresholds apply to each individual device. Classified profiles protect individual critical resources. When you configure a DoS Protection policy rule with a classified DoS Protection profile (Option/Protection > Classified > Address), use the Address field to specify whether incoming connections count toward the profile thresholds based on matching the source-ip-only, destination-ip-only, or src-dest-ip-both (the firewall counts both the source and the destination IP address matches toward the thresholds). Counters consume resources, so the way you count address matches affects firewall resource consumption. You can use classified DoS protection to:
  - Protect critical individual devices, especially servers that users access from the internet and that are often attack targets, such as web servers, database servers, and DNS servers. Set appropriate flood and resource protection thresholds in a classified DoS Protection profile. Create a DoS Protection policy rule that applies the profile to each server’s IP address by adding the IP addresses as the rule’s destination criteria, and set the Address to destination-ip-only. Do not use source-ip-only or src-dest-ip-both classification for internet-facing zones in classified DoS Protection policy rules, because the firewall doesn’t have the capacity to store counters for every possible IP address on the internet. Increment the threshold counter for source IPs only for internal zone or same-zone rules. In perimeter zones, use destination-ip-only.
  - Monitor the CPS rate for a suspect host or group of hosts (the zone that contains the hosts cannot be internet-facing). Set an appropriate alarm threshold in a classified DoS Protection profile to notify you if a host initiates an unusually large number of connections. Create a DoS Protection policy rule that applies the profile to the individual source or source address group and set the Address to source-ip-only. Investigate hosts that initiate enough new connections to set off the alarm.
How you configure the Address (source-ip-only, destination-ip-only,
or src-dest-ip-both) for classified profiles
depends on your DoS protection goals, what you are protecting, and
whether the protected device(s) are in internet-facing zones.
The firewall uses more resources to track src-dest-ip-both as
the Address than to track source-ip-only or destination-ip-only because
the counters consume resources for both the source and destination
IP addresses instead of just one of the two.
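The following is an added illustration, not PAN-OS code, of why the Address setting matters for resources: it models how each setting picks the key a new connection is counted under, and therefore how many counters the firewall would need for the same window of traffic. The server addresses, the 200 TEST-NET-1 source addresses, and the threshold values are constructed for the example.

```python
from collections import Counter

# Added example, not PAN-OS code: model how the classified DoS profile's
# Address setting (source-ip-only, destination-ip-only, src-dest-ip-both)
# decides which key each new connection is counted under. The number of
# distinct keys is the number of counters that must be kept, which is why
# source-based counting is unsuitable for internet-facing zones.

ADDRESS_MODES = ("source-ip-only", "destination-ip-only", "src-dest-ip-both")


def counter_key(mode, src_ip, dst_ip):
    """Return the key a new connection from src_ip to dst_ip is counted under."""
    if mode == "source-ip-only":
        return (src_ip,)
    if mode == "destination-ip-only":
        return (dst_ip,)
    if mode == "src-dest-ip-both":
        return (src_ip, dst_ip)
    raise ValueError(f"unknown Address setting: {mode!r}")


def count_new_connections(mode, connections):
    """Tally new connections per counter key for one measurement window.

    connections: iterable of (src_ip, dst_ip) pairs seen in the window.
    Returns a Counter mapping key -> number of new connections.
    """
    tally = Counter()
    for src_ip, dst_ip in connections:
        tally[counter_key(mode, src_ip, dst_ip)] += 1
    return tally


def over_threshold(tally, max_rate):
    """Keys whose count in a one-second window exceeds max_rate (CPS)."""
    return sorted(key for key, count in tally.items() if count > max_rate)


# Constructed sample window: 200 distinct internet sources (TEST-NET-1
# addresses) each open 3 new connections, alternating between two protected
# web servers (constructed addresses).
PROTECTED_SERVERS = ("10.0.0.10", "10.0.0.11")
SAMPLE_WINDOW = [
    (f"192.0.2.{i}", PROTECTED_SERVERS[i % 2])
    for i in range(200)
    for _ in range(3)
]


def counters_needed(connections=SAMPLE_WINDOW):
    """Number of counters each Address setting needs for the same traffic."""
    return {mode: len(count_new_connections(mode, connections)) for mode in ADDRESS_MODES}


if __name__ == "__main__":
    for mode, n in counters_needed().items():
        print(f"{mode:>20}: {n} counters")
    # With destination-ip-only only two counters exist, one per protected
    # server, and each server sees 300 new connections in this window.
    by_dst = count_new_connections("destination-ip-only", SAMPLE_WINDOW)
    print("servers over a 250 CPS threshold:", over_threshold(by_dst, 250))
```

With 200 sources the source-based settings already need 200 counters while destination-ip-only needs two, one per protected server; scale the source set to the whole internet and the difference is the capacity problem the text describes.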
(PAN-OS 11.2.3 and later versions) When you configure a classified DoS profile
with destination-ip-only, you enable the firewall to block
offending source IP addresses using both the hardware and software block tables. This
method helps keep network connectivity up while protecting firewall resources from
overconsumption.
- Hardware ACL blocking must be supported and enabled on your firewall to use both the hardware and software block tables. The firewalls that support hardware ACL blocking are the PA-3200 Series, PA-5200 Series, PA-7000 Series, and PA-7500 firewalls.
- By default, the hardware ACL blocking duration is set to 30 seconds. Enter set system setting hardware-acl-blocking-duration <seconds> into the CLI to adjust the duration, where <seconds> is a value between 1 and 3,600.
If you apply both an aggregate and a classified DoS Protection
profile to the same DoS Protection policy rule, the firewall applies the
aggregate profile first and then applies the classified profile
if needed. For example, we protect a group of five web servers with both
types of profiles in a DoS Protection policy rule. The aggregate
profile configuration drops new connections when the combined total
for the group reaches a Max Rate of 25,000
CPS. The classified profile configuration drops new connections to
any individual web server in the group when it reaches a Max
Rate of 6,000 CPS. There are three scenarios where new
connection traffic crosses Max Rate thresholds:
- The new CPS rate exceeds the aggregate Max Rate but doesn’t exceed the classified Max Rate. In this scenario, the firewall applies the aggregate profile and blocks all new connections for the configured Block Duration.
- The new CPS rate doesn’t exceed the aggregate Max Rate, but the CPS to one of the web servers exceeds the classified Max Rate. In this scenario, the firewall checks the aggregate profile and finds that the rate for the group is less than 25,000 CPS, so the firewall doesn’t block new connections based on that. Next, the firewall checks the classified profile and finds that the rate for a particular server exceeds 6,000 CPS. The firewall applies the classified profile and blocks new connections to that particular server for the configured Block Duration. Because the other servers in the group are within the classified profile’s Max Rate, their traffic is not affected.
- The new CPS rate exceeds the aggregate Max Rate and also exceeds the classified Max Rate for one of the web servers. In this scenario, the firewall checks the aggregate profile and finds that the rate for the group exceeds 25,000 CPS, so the firewall blocks new connections to limit the group’s total CPS. The firewall then checks the classified profile and finds that the rate for a particular server exceeds 6,000 CPS (so the aggregate profile enforced the group’s combined limit, but that wasn’t enough to protect this particular server). The firewall applies the classified profile and blocks new connections to that particular server for the configured Block Duration. Because the other servers in the group are within the classified profile’s Max Rate, their traffic is not affected.
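The three scenarios above, worked through as an added example (not PAN-OS code): the rule is evaluated in the order the text describes, aggregate profile first against the group total, then classified profile per server with destination-ip-only counting. The Max Rate values are the text's example figures; the five server addresses, the source address, and the per-server rates are constructed.

```python
from collections import Counter

# Added example, not PAN-OS code: model the evaluation order for a DoS
# Protection policy rule that carries both an aggregate and a classified
# profile. The aggregate profile is checked first against the group's combined
# new-connection rate; the classified profile is then checked per server
# (destination-ip-only counting). Thresholds are the page's example values;
# server addresses and rates are constructed.

AGGREGATE_MAX_RATE = 25_000  # CPS for the whole group of five web servers
CLASSIFIED_MAX_RATE = 6_000  # CPS for any individual web server
WEB_SERVERS = tuple(f"10.0.0.{i}" for i in range(1, 6))  # constructed addresses


def cps_per_server(new_connections, servers=WEB_SERVERS):
    """Count new connections per destination in a one-second window.

    new_connections: iterable of (src_ip, dst_ip) pairs observed in the window.
    Only destinations covered by the rule are counted.
    """
    tally = Counter(dst for _, dst in new_connections if dst in servers)
    return {server: tally[server] for server in servers}


def evaluate_rule(rates, aggregate_max=AGGREGATE_MAX_RATE, classified_max=CLASSIFIED_MAX_RATE):
    """Apply the aggregate profile, then the classified profile, to per-server CPS.

    Returns the group total, whether the aggregate Max Rate was exceeded (new
    connections to the whole group are blocked for the Block Duration), and
    the servers whose own rate exceeded the classified Max Rate (new
    connections to just those servers are blocked).
    """
    group_cps = sum(rates.values())
    aggregate_blocked = group_cps > aggregate_max
    classified_blocked = sorted(ip for ip, cps in rates.items() if cps > classified_max)
    return {
        "group_cps": group_cps,
        "aggregate_blocked": aggregate_blocked,
        "classified_blocked": classified_blocked,
    }


def make_window(per_server):
    """Build a constructed one-second window of (src, dst) pairs from a dict of
    desired CPS per server; the source address does not matter for this rule."""
    return [("198.51.100.1", dst) for dst, n in per_server.items() for _ in range(n)]


# The page's three scenarios, expressed as per-server rates for one window.
SCENARIOS = {
    # 1: group total 27,500 > 25,000, but no single server above 6,000.
    "aggregate only": {s: 5_500 for s in WEB_SERVERS},
    # 2: group total 20,000 < 25,000, one server at 8,000 > 6,000.
    "classified only": {**{s: 3_000 for s in WEB_SERVERS}, WEB_SERVERS[0]: 8_000},
    # 3: group total 28,000 > 25,000 and one server at 8,000 > 6,000.
    "both": {**{s: 5_000 for s in WEB_SERVERS}, WEB_SERVERS[0]: 8_000},
}


def run_scenario(name):
    """Measure the constructed window for a scenario and evaluate the rule on it."""
    rates = cps_per_server(make_window(SCENARIOS[name]))
    return evaluate_rule(rates)


if __name__ == "__main__":
    for name in SCENARIOS:
        print(f"{name:>16}: {run_scenario(name)}")
```

In the second scenario the aggregate check passes and only 10.0.0.1 is blocked; in the third both checks fire, which matches the text's point that the aggregate limit alone was not enough to protect that one server.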
If you want both an aggregate and a classified DoS Protection
profile to apply to the same traffic, you must apply both profiles
to the same DoS Protection policy rule. If you apply the aggregate
profile to one rule and the classified profile to a different rule,
even if they specify exactly the same traffic, the firewall can
apply only one profile: when the traffic matches the first
DoS Protection policy rule, the firewall executes the Action specified
in that rule and doesn’t compare the traffic to any subsequent
rules, so the traffic never matches the second rule and the firewall
can’t apply its action. (This is the same way that Security policy
rules work.)