DoS Protection Profiles

DoS protection profiles provide detailed control for Denial of Service (DoS) protection policies. DoS policies allow you to control the number of sessions between interfaces, zones, addresses, and countries, based either on aggregate sessions or on source and/or destination IP addresses. Palo Alto Networks firewalls support two DoS protection mechanisms.
Flood Protection—Detects and prevents attacks in which the network is flooded with packets, resulting in too many half-open sessions and/or in services being unable to respond to each request. In this case the source address of the attack is usually spoofed. See DoS Protection Against Flooding of New Sessions.

Resource Protection—Detects and prevents session exhaustion attacks. In this type of attack, a large number of hosts (bots) are used to establish as many fully established sessions as possible in order to consume all of a system's resources.

You can enable both types of protection mechanism in a single DoS protection profile.
The DoS profile specifies the action to take and the details of the matching criteria for the DoS policy. The DoS profile defines settings for SYN, UDP, and ICMP floods, can enable resource protection, and defines the maximum number of concurrent connections. After you configure the DoS protection profile, you attach it to a DoS policy.
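As an added illustration (not part of this guide and not PAN-OS code), the following Python model shows how the two mechanisms above behave on constructed traffic: flood protection counts new session attempts per second, resource protection counts concurrent sessions, and either count can be kept for the aggregate or per source IP. The class and function names, thresholds, and sample addresses are assumptions made for the illustration.

```python
from collections import Counter, defaultdict
from typing import Iterable, List, NamedTuple


class Event(NamedTuple):
    second: int   # whole-second time bucket
    src: str      # source IP (constructed sample data)
    kind: str     # "syn" = new session attempt, "fin" = session closed


class DosProfile:
    """Simplified model of one DoS protection profile with both mechanisms enabled."""

    def __init__(self, syn_rate: int, max_concurrent: int, classified: bool):
        self.syn_rate = syn_rate              # flood protection: new SYNs allowed per second
        self.max_concurrent = max_concurrent  # resource protection: concurrent sessions allowed
        self.classified = classified          # True = count per source IP, False = aggregate

    def key(self, src: str) -> str:
        return src if self.classified else "aggregate"


def evaluate(events: Iterable[Event], profile: DosProfile) -> Counter:
    """Apply the profile to an event stream and return counts of each verdict."""
    syn_per_second = Counter()     # (second, key) -> SYNs seen in that second
    concurrent = defaultdict(int)  # key -> established sessions
    verdicts = Counter()
    for ev in events:
        k = profile.key(ev.src)
        if ev.kind == "fin":
            concurrent[k] = max(0, concurrent[k] - 1)
            continue
        syn_per_second[(ev.second, k)] += 1
        if syn_per_second[(ev.second, k)] > profile.syn_rate:
            verdicts["drop:flood"] += 1     # rate threshold exceeded within this second
        elif concurrent[k] >= profile.max_concurrent:
            verdicts["drop:resource"] += 1  # session budget for this key is already spent
        else:
            concurrent[k] += 1
            verdicts["allow"] += 1
    return verdicts


def sample_events() -> List[Event]:
    """Constructed traffic: 40 spoofed SYNs in second 1, then 3 hosts opening one session per second for 10 seconds."""
    burst = [Event(1, f"203.0.113.{i}", "syn") for i in range(1, 41)]
    slow = [Event(s, f"198.51.100.{h}", "syn") for s in range(2, 12) for h in range(1, 4)]
    return burst + slow
```

With an aggregate profile the spoofed burst trips the flood threshold, while a per-source (classified) profile lets the same burst through because each forged address stays under its own limit; the slow phase is the case a per-source concurrent-session limit catches.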
When configuring DoS protection, it is important to analyze your environment in order to set the correct thresholds. Because of the complexities of defining DoS protection policies, this guide does not go into detailed examples. For more information, refer to the Threat Prevention Tech Note.