>
    DoS and PBP Configurations Protect Firewalls from Internet-Based DoS Attacks
    Focus
    Download PDF
    Focus
    1. Home
    2. What's New in the NetSec Platform
    3. What's New in the NetSec Platform
    4. September 2024
    5. DoS and PBP Configurations Protect Firewalls from Internet-Based DoS Attacks
    Download PDF
    What's New in the NetSec Platform

    DoS and PBP Configurations Protect Firewalls from Internet-Based DoS Attacks

    Table of Contents

    DoS and PBP Configurations Protect Firewalls from Internet-Based DoS Attacks

    Enhanced DoS and PBP configurations help you protect your Palo Alto Networks firewalls from DoS attacks originating from the internet.
    Due to the large number of source IP addresses on the internet, best practice has been to configure DoS Protection policy rules using IP addresses that you classify based only on their destination IP address (destination-ip-only). This method eliminates the need to account for every source IP address that has the potential to connect to your internet-facing zones. However, this also causes your firewalls to unintentionally block traffic that isn’t a threat or, worse, it can leave your firewalls exposed.
    With enhanced DoS protection and packet buffer protection (PBP), you can now configure your edge zones (those that connect directly to the internet) using both the destination and source IP addresses (source-ip-only and src-dest-ip-both). This helps you to block DoS attacks more efficiently and without accidentally blocking safe traffic from reaching your network.
    By using the software and hardware block tables, you're now able to more effectively protect against these attacks.
    We introduced the following improvements to help protect your Palo Alto Networks firewalls from DoS attacks:
    EnhancementBenefit
    Firewalls can now block source IP addresses using your software and hardware ACL blocking settings by classifying the IP address based on only the destination IP address method.
    You can now configure a DoS policy rule with a destination IP address only classification for internet-facing zones. This method strengthens the protection of your firewall from DoS attacks that originate from the internet.
    Improved packet buffer protection, which monitors session latency and buffer utilization concurrently and activates mitigation when exceeding either the latency or buffer threshold.
    You can now configure both the buffer-based and latency-based activation settings at the same time while configuring packet buffer protection. This protects your firewall resources by activating mitigation when they exceed either latency or buffer thresholds.
    Ability to increase or decrease the software block duration setting for software block table entries.
    Increased efficiency for software-based firewalls and, for hardware products, the software block table acts as additional protection along with the hardware block table.
    SNMP support for buffer and on-chip packet descriptor utilization.
    You can now monitor software tags (on-chip descriptors), buffer utilization (in percentage), and firewall resources from your SNMP server.

    © 2025 Palo Alto Networks, Inc. All rights reserved.