Objects > Security Profiles > DoS Protection
DoS Protection profiles are designed for high-precision targeting and they augment Zone Protection profiles. A DoS Protection profile specifies the threshold rates at which new connections per second (cps) trigger an alarm and an action (specified in the DoS Protection policy). The DoS Protection profile also specifies the maximum rate of connections per second and how long a blocked IP address remains on the Block IP list. You apply a DoS protection profile to a DoS protection policy rule where you specify the criteria for packets to match the rule.
A DoS Protection profile is configured to be an Aggregate or Classified type. You can apply a Classified DoS Protection profile to a Classified DoS Protection rule.
- A Classified DoS Protection rule has Classified selected and specifies a Classified DoS Protection profile. When a DoS Protection rule action is Protect, the firewall counts connections toward the cps thresholds of the DoS Protection profile if the packet meets the specified Address type: source-ip-only, destination-ip-only, or src-dest-ip-both.
- By comparison, a DoS Protection rule is an Aggregate rule when Classified is not selected. When a DoS Protection rule action is Protect, an Aggregate rule causes the firewall to count all connections that meet the criteria for the rule (the aggregate) toward the cps thresholds that are specified in the Aggregate DoS Protection profile identified in the rule.
To apply a DoS Protection profile to a DoS Protection policy, see Policies > DoS Protection.
If you have a multiple virtual system (multi-vsys) environment and have configured the following:
- External zones to enable inter-virtual system communication and
- Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications, then
The following Zone and DoS protection mechanisms are disabled on the external zone:
- SYN cookies
- IP fragmentation
To enable IP fragmentation and ICMPv6 protection, create a separate zone protection profile for the shared gateway.
To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Drop or SYN cookies. On an external zone, only Random Early Drop is available for SYN Flood protection.
DoS Protection Profile Settings
Enter a profile name (up to 31 characters). This name appears in the list of log forwarding profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Select this option if you want the profile to be available to:
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this DoS Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
Enter a description of the profile (up to 255 characters).
Select one of the following profile types:
Flood Protection Tab
SYN Flood tab
UDP Flood tab
ICMP Flood tab
Other IP tab
Select this option to enable the type of flood protection indicated on the tab and specify the following settings:
Resources Protection Tab
Select this option to enable resources protection.
Max Concurrent Limit
Specify the maximum number of concurrent sessions.
Protect your data center web servers and the firewall from DoS attacks to prevent attackers from taking down your data center network. ...
DoS Protection Option/Protection Tab
DoS Protection Option/Protection Tab Select the Option/Protection tab to configure options for the DoS Protection policy rule, such as the type of service (http or ...
Configure DoS Protection Against Flooding of New Sessions
Configure DoS Protection Against Flooding of New Sessions Configure Security policy rules to deny traffic from the attacker’s IP address and allow other traffic based ...
DoS Protection Profiles
DoS Protection Profiles When you create DoS protection policy rules, you apply DoS protection profiles to the policy rules if the rules have an action ...
Flood Protection A zone protection profile with flood protection configured defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and other IP floods. The ...
DoS Protection Policy Rules
DoS Protection Policy Rules DoS protection policy rules provide granular matching criteria so that you have flexibility in defining what you want to protect: Source ...
DoS Protection Profiles and Policy Rules
DoS Protection Profiles and Policy Rules DoS protection profiles and DoS protection policy rules combine to protect specific areas of your network against packet flood ...
Actions in Security Profiles
Actions in Security Profiles The action specifies how the firewall responds to a threat event. Every threat or virus signature that is defined by Palo ...
DoS Protection Against Flooding of New Sessions
DoS Protection Against Flooding of New Sessions DoS protection against flooding of new sessions is beneficial against high-volume single-session and multiple-session attacks. In a single-session ...