1. Home
    2. PAN-OS
    3. PAN-OS® Web Interface Reference
    4. Objects
    5. Objects > Security Profiles > DoS Protection
    End-of-Life (EoL)

    Objects > Security Profiles > DoS Protection

    DoS Protection profiles are designed for high-precision targeting and they augment Zone Protection profiles. A DoS Protection profile specifies the threshold rates at which new connections per second (cps) trigger an alarm and an action (specified in the DoS Protection policy). The DoS Protection profile also specifies the maximum rate of connections per second and how long a blocked IP address remains on the Block IP list. You apply a DoS protection profile to a DoS protection policy rule where you specify the criteria for packets to match the rule.
    A DoS Protection profile is configured to be an Aggregate or Classified type. You can apply a Classified DoS Protection profile to a Classified DoS Protection rule.
    • A Classified DoS Protection rule has
      Classified
       selected and specifies a Classified DoS Protection profile. When a DoS Protection rule action is
      Protect
      , the firewall counts connections toward the cps thresholds of the DoS Protection profile if the packet meets the specified Address type: source-ip-only, destination-ip-only, or src-dest-ip-both.
    • By comparison, a DoS Protection rule is an Aggregate rule when
      Classified
       is not selected. When a DoS Protection rule action is
      Protect
      , an Aggregate rule causes the firewall to count all connections that meet the criteria for the rule (the aggregate) toward the cps thresholds that are specified in the Aggregate DoS Protection profile identified in the rule.
    To apply a DoS Protection profile to a DoS Protection policy, see Policies > DoS Protection.
    If you have a multiple virtual system (multi-vsys) environment and have configured the following:
    • External zones to enable inter-virtual system communication and
    • Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications, then
    The following Zone and DoS protection mechanisms are disabled on the external zone:
    • SYN cookies
    • IP fragmentation
    • ICMPv6
    To enable IP fragmentation and ICMPv6 protection, create a separate zone protection profile for the shared gateway.
    To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Drop or SYN cookies. On an external zone, only Random Early Drop is available for SYN Flood protection.
    DoS Protection Profile Settings
    Name
    Enter a profile name (up to 31 characters). This name appears in the list of log forwarding profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
    Shared
    Select this option if you want the profile to be available to:
    • Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile will be available only to the
      Virtual System
       selected in the
      Objects
       tab.
    • Every device group on Panorama. If you clear this selection, the profile will be available only to the
      Device Group
       selected in the
      Objects
       tab.
    Disable override (
    Panorama only
    )
    Select this option to prevent administrators from overriding the settings of this DoS Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
    Description
    Enter a description of the profile (up to 255 characters).
    Type
    Select one of the following profile types:
    • aggregate
      —Apply the DoS thresholds configured in the profile to all connections that match the rule criteria on which this profile is applied. For example, an aggregate rule with a SYN flood threshold of 10,000 connections per second (cps) counts all connections that hit that particular DoS rule.
    • classified
      —Apply the DoS thresholds configured in the profile to the connections that match the classification criterion (source IP address, destination IP address, or source-and-destination IP address pair).
    Flood Protection Tab
    SYN Flood tab
    UDP Flood tab
    ICMP Flood tab
    ICMPv6 tab
    Other IP tab
    Select this option to enable the type of flood protection indicated on the tab and specify the following settings:
    • Action
      —(
      SYN Flood
       only) Action that the firewall performs if the DoS Protection policy action is
      Protect
       and if incoming connections per second (cps) reach the
      Activate Rate
      . Choose one of the following:
      • Random Early Drop
        —Drop packets randomly when connections per second reach the
        Activate Rate
         threshold.
      • SYN cookies
        —Use SYN cookies to generate acknowledgments so that it is not necessary to drop connections during a SYN flood attack.
    • Alarm Rate
      —Specify the threshold rate (cps) at which a DoS alarm is generated (range is 0 to 2,000,000 cps; default is 10,000 cps).
    • Activate Rate
      —Specify the threshold rate (cps) at which a DoS response is activated. The DoS response is configured in the
      Action
       field of the DoS Protection profile (Random Early Drop or SYN cookies). The
      Activate Rate
       range is 0 to 2,000,000 cps; default is 10,000 cps.
      If the profile
      Action
       is
      Random Early Drop
       (RED), when incoming connections per second reach the
      Activate Rate
       threshold, RED occurs. If the cps rate increases, the RED rate increases according to an algorithm. The firewall continues with RED until the cps rate reaches the
      Max Rate
       threshold.
    • Max Rate
      —Specify the threshold rate of incoming connections per second the firewall allows. At the
      Max Rate
       threshold, the firewall drops 100% of new connections (range is 2 to 2,000,000 cps; default is 40,000 cps.)
    • Block Duration
      —Specify the length of time (seconds) during which the offending IP address remains on the Block IP list and connections with the IP address are blocked. The firewall doesn’t count packets that arrive during the block duration toward the Alarm Rate, Activate Rate, or Max Rate thresholds (range is 1 to 21,600 seconds; default is 300 seconds).
    Resources Protection Tab
    Sessions
    Select this option to enable resources protection.
    Max Concurrent Limit
    Specify the maximum number of concurrent sessions.
    • For the
      Aggregate
       profile type, this limit applies to all traffic hitting the DoS Protection rule on which the DoS Protection profile is applied.
    • For the
      Classified
       profile type, this limit applies to the traffic on a classified basis (source IP, destination IP or source-and-destination IP) hitting the DoS Protection rule to which the DoS Protection profile is applied.

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo