DoS Protection Profiles
When you create DoS protection policy rules, you apply DoS protection profiles to the policy rules if the rules have an action of Protect (if the action is Deny or Allow, no DoS protection profile is used).
Configuring flood protection thresholds in a DoS protection profile is similar to configuring Flood Protection in a zone protection profile. The difference is where you apply flood protection. Applying flood protection with a zone protection profile protects the ingress zone, while applying flood protection with a DoS protection profile and policy rule is more granular and targeted, and can even be classified to a single IP address.
For both aggregate and classified DoS protection profiles, as with zone protection profiles, you can:
- Configure SYN, UDP, ICMP, ICMPv6, and other IP flood protection.
- Set alarm, activate, and maximum connections-per-second thresholds. When incoming connections-per-second reach the activate threshold, the firewall begins to drop packets. When the incoming connections-per-second reach the maximum threshold, the firewall drops additional incoming connections.
- Use SYN cookies instead of Random Early Drop (RED) for SYN flood packets.
The advice in zone protection profile Flood Protection about adjusting the default flood threshold values for your network’s traffic is valid for setting DoS protection profile flood protection thresholds. Take a baseline measurement of peak traffic loads over a period of time and adjust the flood thresholds to allow the expected legitimate traffic load and to throttle or drop traffic when the load indicates a flood attack. Monitor the traffic and continue to adjust the thresholds until they meet your protection objectives.
Configuring resource protection thresholds in a DoS protection profile sets the maximum number of concurrent sessions that a resource supports. When the number of concurrent sessions reaches its maximum limit, new sessions are dropped. You define the resource you are protecting in a DoS protection policy rule by the resource’s source IP address, destination IP address, or the source and destination IP address pair.
An aggregate DoS protection profile applies to all of the traffic that matches the associated DoS protection policy rule, for all sources, destinations, and services allowed for that rule. A classified DoS protection profile can enforce different session rate limits for different groups of end hosts or even for one particular end host.
Here are some examples of what you can do with a classified DoS protection profile:
- To prevent hosts on your network from starting a DoS attack, you can monitor the rate of traffic each host in a source address group initiates. To do this, set an appropriate alarm threshold in a DoS protection profile to notify you if a host initiates an unusually large amount of traffic, and create a DoS protection policy rule that applies the profile to the source address group. Investigate any hosts that initiate enough traffic to set off the alarm.
- To protect critical web or DNS servers on your network, protect the individual servers. To do this, set appropriate flooding and resource protection thresholds in a DoS protection profile, and create a DoS protection policy rule that applies the profile to each server’s IP address by adding the IP addresses as the rule’s destination criteria.
- Track the flow between a pair of endpoints by setting appropriate thresholds in the DoS protection profile and creating a DoS protection policy rule that specifies the source and destination IP addresses of the endpoints as the matching criteria.

Do not use source IP classification for internet-facing zones in classified DoS protection policy rules. The firewall does not have the capacity to store counters for every possible IP address on the internet.
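The following Python model (an added example, not PAN-OS code or Palo Alto Networks documentation) illustrates the threshold semantics described above: alarm, activate and maximum connections-per-second thresholds, resource protection as a concurrent-session cap, and the difference between one aggregate counter and per-key classified counters. The `DosProfile` fields, the constructed sample addresses and the linear RED curve are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional
import random

@dataclass
class DosProfile:
    alarm_rate: int                  # cps at which an alarm is logged
    activate_rate: int               # cps at which dropping (RED) begins
    maximal_rate: int                # cps above which every new connection is dropped
    max_sessions: Optional[int] = None   # resource protection: concurrent-session cap
    classify_by: Optional[str] = None    # None = aggregate; "src", "dst" or "pair"

def classify_key(profile, src, dst):
    """Aggregate profiles keep one counter; classified ones keep one per key."""
    if profile.classify_by is None:
        return "aggregate"
    return {"src": src, "dst": dst, "pair": (src, dst)}[profile.classify_by]

def verdict(profile, cps, rng=random.random):
    """Map an observed new-connection rate (cps) to (action, alarm_raised)."""
    alarm = cps >= profile.alarm_rate
    if cps >= profile.maximal_rate:
        return "drop", alarm
    if cps >= profile.activate_rate:
        # Assumption: RED modelled as a drop probability rising linearly from 0 at
        # activate to 1 at maximal; the firewall's real curve is not on the page.
        p = (cps - profile.activate_rate) / (profile.maximal_rate - profile.activate_rate)
        return ("drop" if rng() < p else "allow"), alarm
    return "allow", alarm

def evaluate_window(profile, attempts, rng=random.random):
    """attempts: (src, dst) new-connection attempts seen in one second."""
    counts = defaultdict(int)
    for src, dst in attempts:
        counts[classify_key(profile, src, dst)] += 1
    return {k: (n, *verdict(profile, n, rng)) for k, n in counts.items()}

def admit_session(profile, active_by_key, key):
    """Resource protection: refuse a new session once the key is at its cap."""
    if profile.max_sessions is not None and active_by_key[key] >= profile.max_sessions:
        return False
    active_by_key[key] += 1
    return True

# Constructed sample: 10 internal hosts each opening 30 new connections/s to one server.
ATTEMPTS = [(f"10.1.0.{i}", "192.0.2.10") for i in range(1, 11) for _ in range(30)]
AGG = DosProfile(alarm_rate=120, activate_rate=150, maximal_rate=250)
CLS = DosProfile(alarm_rate=120, activate_rate=150, maximal_rate=250, classify_by="src")
print(evaluate_window(AGG, ATTEMPTS), evaluate_window(CLS, ATTEMPTS))
```

With the same thresholds, the aggregate profile sees 300 cps and drops, while the source-classified profile sees 30 cps per host and allows all of them; this is the granularity difference the text describes.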