DoS Protection Policy with Source and Destination IP Classification
What's New in the NetSec Platform

Enhanced DoS and PBP configurations help you protect your Palo Alto Networks firewalls from DoS attacks originating from the internet.
DoS Protection policy rules that classify traffic by destination IP address only pose a risk on internet-facing zones: because the threshold applies to all traffic sent to the protected destination, such a rule either drops legitimate sessions together with the attack or, if its thresholds are relaxed to avoid that, leaves the firewall exposed. Enhanced DoS protection and packet buffer protection (PBP) address this security and operational challenge.
For edge zones (zones that connect directly to the internet), the firewall can now use both the source and destination IP addresses: a rule classified by destination IP address identifies the attacked host, and the attacking source IP addresses are placed in the software and hardware block tables. This lets you stop a DoS attack more efficiently without blocking legitimate traffic from reaching your network.
We introduced the following improvements to help protect your Palo Alto Networks firewalls from DoS attacks:
  • Configure a DoS Protection policy rule with destination IP address-only classification on internet-facing zones and still block the attacking source IP addresses, using the software and hardware ACL blocking settings. This strengthens your firewall's protection against internet-originated DoS attacks.
  • Enable both buffer-based and latency-based activation for PBP at the same time. PBP then monitors buffer utilization and session latency concurrently and activates mitigation as soon as either threshold is exceeded, protecting your firewall resources.
  • Increase or decrease the software block duration for entries in the software block table. On software-based firewalls this improves efficiency; on hardware platforms the software block table acts as additional protection alongside the hardware block table.
  • Monitor software tags (on-chip packet descriptors), buffer utilization (as a percentage) and other firewall resources from your SNMP server, through new SNMP support for buffer and on-chip packet descriptor utilization.
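To make the difference between the two behaviours concrete, the following is a small simulation added here for illustration. It is not PAN-OS code and does not reproduce the firewall's actual algorithm: the one-second rate window, the 100 pps threshold, the "top talker" heuristic used to pick which sources to block, and the block-table expiry are all assumptions of the model. The traffic (ten attacking sources at 50 pps each plus one legitimate client at 2 pps, all aimed at one server) is constructed for the example.

```python
"""Toy model of classified DoS protection with and without source blocking.

Illustrative simulation written for this page, NOT PAN-OS code. The window
size, threshold, top-talker heuristic and block-table expiry are assumptions
chosen to show why a destination-only rule drops legitimate traffic while
per-source blocking lets that traffic through.
"""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass(order=True)
class Packet:
    t: float      # arrival time in seconds
    src: str
    dst: str


@dataclass
class DosEngine:
    threshold_pps: int        # packets/second to one destination that flags an attack
    block_duration_s: float   # how long a source stays in the (software) block table
    block_sources: bool       # False: destination-only behaviour; True: block offending sources
    # (one-second window, dst) -> {src: packets counted}  (assumed window model)
    counts: dict = field(default_factory=lambda: defaultdict(lambda: defaultdict(int)))
    block_table: dict = field(default_factory=dict)  # src -> time the entry expires

    def handle(self, pkt: Packet) -> str:
        """Return "allow" or "drop" for one packet."""
        # 1. Block table lookup: a blocked source is dropped before any counting.
        expiry = self.block_table.get(pkt.src)
        if expiry is not None:
            if pkt.t < expiry:
                return "drop"
            del self.block_table[pkt.src]  # block duration has elapsed

        # 2. Count the packet toward its destination in the current window.
        per_src = self.counts[(int(pkt.t), pkt.dst)]
        per_src[pkt.src] += 1
        total = sum(per_src.values())
        if total <= self.threshold_pps:
            return "allow"

        # 3. The destination is over threshold.
        if not self.block_sources:
            # Destination-only: the rule can only act on traffic *to* the
            # destination, so legitimate clients are dropped with the attack.
            return "drop"

        # Source blocking: only sources that are themselves heavy talkers
        # (toy heuristic: >= 10% of the threshold in this window) are blocked.
        if per_src[pkt.src] >= self.threshold_pps // 10:
            self.block_table[pkt.src] = pkt.t + self.block_duration_s
            return "drop"
        return "allow"


def build_traffic(seconds: int = 2) -> list:
    """Constructed sample traffic: 10 attacker sources at 50 pps each (500 pps)
    plus one legitimate client at 2 pps, all aimed at the same server."""
    server = "203.0.113.10"
    pkts = []
    for w in range(seconds):
        for r in range(50):
            for a in range(10):
                pkts.append(Packet(w + r * 0.02, f"198.51.100.{a + 1}", server))
        pkts.append(Packet(w + 0.25, "192.0.2.7", server))
        pkts.append(Packet(w + 0.75, "192.0.2.7", server))
    return sorted(pkts)


def run(engine: DosEngine, pkts) -> dict:
    """Feed packets through the engine; return delivered packets per source class."""
    delivered = {"legit": 0, "attack": 0}
    for p in pkts:
        if engine.handle(p) == "allow":
            delivered["legit" if p.src.startswith("192.0.2.") else "attack"] += 1
    return delivered


def compare(seconds: int = 2, block_duration_s: float = 5.0) -> dict:
    """Run the same traffic through a destination-only and a source-blocking engine."""
    pkts = build_traffic(seconds)
    dest_only = DosEngine(threshold_pps=100, block_duration_s=block_duration_s, block_sources=False)
    src_block = DosEngine(threshold_pps=100, block_duration_s=block_duration_s, block_sources=True)
    return {
        "destination_only": run(dest_only, pkts),
        "source_blocking": run(src_block, pkts),
        "blocked_sources": sorted(src_block.block_table),
    }


if __name__ == "__main__":
    for mode, result in compare().items():
        print(f"{mode}: {result}")
```

With the destination-only engine every packet of the legitimate client is dropped once the attackers push the destination over threshold, while the source-blocking engine delivers all of the client's packets and keeps the ten attacking sources in the block table for the configured duration. Shortening `block_duration_s` shows the trade-off the software block duration setting controls: a source that expires from the table is re-evaluated and, if it is still flooding, blocked again.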