Classified vs. Aggregate DoS Protection Profiles

Overview

Palo Alto Networks firewalls offer two types of DoS Protection profiles: Classified and Aggregate. A profile is attached to a DoS Protection policy rule, and the profile type decides whether the rule's thresholds are counted per IP address or across all of the traffic the rule matches. Understanding that difference is crucial for protecting network resources against Denial-of-Service (DoS) attacks effectively, and for not turning the protection itself into an outage.

Comparison Table

| Feature | Classified Profile | Aggregate Profile |
|---|---|---|
| Scope of protection | Thresholds applied per IP address (source, destination, or source/destination pair) | Thresholds applied to the combined traffic matching the policy rule |
| Use case | Protect critical individual devices (e.g., web servers, DNS servers) | Protect groups of devices or services collectively |
| Threshold application | Each tracked address has its own threshold counters | All matching traffic shares one set of threshold counters |
| Resource consumption | Higher: one set of counters per tracked address | Lower: one set of counters per rule |
| Configuration complexity | More granular and complex | Simpler to configure |
| Recommended for | Environments where specific hosts need individual protection | Environments where collective protection is sufficient |

Classified DoS Protection Profile

A Classified DoS Protection profile applies its thresholds separately to each classified IP address, so a flood against one protected host does not consume the threshold budget of another. This is particularly useful for protecting critical devices that require dedicated protection. When a Classified profile is referenced from a DoS Protection policy rule, the rule's classification criteria select the address type used as the counter key:

- source-ip-only: one set of counters per source address
- destination-ip-only: one set of counters per destination address
- src-dest-ip-both: one set of counters per source/destination pair

It is important to note that source-ip-only and src-dest-ip-both are not recommended in internet-facing zones. Every unique source address (or source/destination pair) needs its own counters, and an attacker using many or spoofed sources can force the firewall to track a very large number of entries, exhausting its resources. A flood spread across many sources that each stay under the per-source threshold also never trips it at all; destination-ip-only classification, or an Aggregate profile, measures the combined rate arriving at the target instead.

Aggregate DoS Protection Profile

An Aggregate DoS Protection profile applies its thresholds to all traffic matching the policy rule collectively. This approach is suitable for protecting groups of devices or services where individual tracking is not necessary. The thresholds are connection rates (new connections per second) for each flood type: an alarm rate that generates a log entry, an activate rate at which mitigation (for example RED or SYN cookies for SYN floods) begins, and a maximal rate above which new connections are dropped for the configured block duration. Because the counters are shared, once the maximal rate is exceeded the drop applies to all traffic matching the rule, including connections to hosts that were not the target; one noisy source can therefore cause collateral drops for every host behind the rule, so Aggregate thresholds must be sized for the group's combined legitimate peak.
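To make the difference between the Classified address types and an Aggregate profile concrete, the following toy model is added here as an illustration; it is not PAN-OS code and does not reproduce the firewall's actual implementation. It models only the maximal-rate threshold (new connections per second, counted per classification key), ignoring the alarm and activate rates, block duration and flood types. The traffic, addresses (documentation ranges) and threshold value are constructed for the example; they run the same spoofed SYN flood plus ordinary client load through each profile and report what is dropped, which hosts suffer collateral drops, and how many counters the firewall has to keep.

```python
"""Toy model of how Classified and Aggregate DoS Protection thresholds
behave against the same traffic.  Added illustration, not PAN-OS code:
it models only the maximal rate (new connections per second) and ignores
the alarm/activate rates, block duration and flood types."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, Hashable, Iterable, List

# Address types a Classified profile can be keyed on (PAN-OS names).
SOURCE_IP_ONLY = "source-ip-only"
DESTINATION_IP_ONLY = "destination-ip-only"
SRC_DEST_IP_BOTH = "src-dest-ip-both"


@dataclass(frozen=True)
class NewConnection:
    second: int  # arrival time, whole-second bucket
    src: str
    dst: str


@dataclass(frozen=True)
class DosPolicy:
    profile: str                        # "classified" or "aggregate"
    max_rate: int                       # maximal rate, new connections/second
    address: str = DESTINATION_IP_ONLY  # classification key (Classified only)


def counter_key(policy: DosPolicy, conn: NewConnection) -> Hashable:
    """Return the threshold counter a new connection is charged against."""
    if policy.profile == "aggregate":
        return "all-matching-traffic"   # one counter shared by the whole rule
    if policy.address == SOURCE_IP_ONLY:
        return conn.src
    if policy.address == DESTINATION_IP_ONLY:
        return conn.dst
    if policy.address == SRC_DEST_IP_BOTH:
        return (conn.src, conn.dst)
    raise ValueError(f"unknown address type {policy.address!r}")


def evaluate(policy: DosPolicy, conns: Iterable[NewConnection]) -> Dict[str, object]:
    """Apply the maximal-rate threshold to a stream of new connections.

    Reports allowed/dropped totals, drops per destination (to expose
    collateral damage to hosts that were not attacked) and the number of
    distinct counters the firewall had to keep, which is the resource
    cost that grows with source-based classification."""
    per_second: Dict[int, Counter] = defaultdict(Counter)  # second -> key -> count
    dropped_by_dst: Counter = Counter()
    allowed = dropped = 0
    keys = set()
    for c in conns:
        k = counter_key(policy, c)
        keys.add(k)
        per_second[c.second][k] += 1
        if per_second[c.second][k] > policy.max_rate:
            dropped += 1                # above the maximal rate: new connection dropped
            dropped_by_dst[c.dst] += 1
        else:
            allowed += 1
    return {"allowed": allowed, "dropped": dropped,
            "dropped_by_dst": dict(dropped_by_dst), "tracked_counters": len(keys)}


def sample_traffic() -> List[NewConnection]:
    """Constructed traffic, all inside one second: a spoofed SYN flood from
    200 distinct sources against the web server, followed by normal load
    (10 connections each) from 5 clients to the web server and 2 clients
    to the DNS server.  Addresses are documentation ranges, not real hosts."""
    web, dns = "10.1.1.10", "10.1.1.53"
    flood = [NewConnection(0, f"203.0.113.{i}", web) for i in range(1, 201)]
    legit_web = [NewConnection(0, f"192.0.2.{i}", web)
                 for i in range(1, 6) for _ in range(10)]
    legit_dns = [NewConnection(0, f"192.0.2.{i}", dns)
                 for i in (10, 11) for _ in range(10)]
    return flood + legit_web + legit_dns


def compare(max_rate: int = 100) -> Dict[str, Dict[str, object]]:
    """Run the same traffic through each profile type / address type."""
    traffic = sample_traffic()
    policies = {
        "aggregate": DosPolicy("aggregate", max_rate),
        "classified destination-ip-only": DosPolicy("classified", max_rate, DESTINATION_IP_ONLY),
        "classified source-ip-only": DosPolicy("classified", max_rate, SOURCE_IP_ONLY),
        "classified src-dest-ip-both": DosPolicy("classified", max_rate, SRC_DEST_IP_BOTH),
    }
    return {name: evaluate(p, traffic) for name, p in policies.items()}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:32} {result}")
```

Running it shows the three behaviours described above: the Aggregate profile drops the excess flood but also all 20 connections to the DNS server that was never attacked, because the whole rule shares one counter; destination-ip-only keeps the web server's counter separate, so DNS is untouched while the flood is still capped; source-ip-only and src-dest-ip-both allow every packet of the flood (each spoofed source stays far below the threshold) and need 207 counters instead of one or two, which is exactly why those address types are discouraged in internet-facing zones.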

Sequence Diagram: DoS Protection Workflow

```mermaid
sequenceDiagram
    participant Client
    participant Firewall
    participant Server

    Client->>Firewall: New connection (e.g. TCP SYN)
    Firewall->>Firewall: Match DoS Protection policy rule
    alt Classified Profile
        Firewall->>Firewall: Charge counter for the classified address (source, destination or pair)
        alt Per-address threshold exceeded
            Firewall--xClient: Drop new connection (DoS log)
        else Within threshold
            Firewall-->>Server: Forward connection
        end
    else Aggregate Profile
        Firewall->>Firewall: Charge the single counter shared by all matching traffic
        alt Aggregate threshold exceeded
            Firewall--xClient: Drop new connection (DoS log)
        else Within threshold
            Firewall-->>Server: Forward connection
        end
    end
```

Best Practices

- Use a Classified profile with destination-ip-only classification to protect individual critical servers (e.g., web or DNS servers); each protected host then has its own threshold and an attack on one does not cause drops for the others.
- Use an Aggregate profile where a group of devices or a service can share one threshold and per-IP tracking is not needed, and size that threshold for the group's combined legitimate peak, since drops apply to everything the rule matches.
- Do not use source-ip-only or src-dest-ip-both classification in internet-facing zones: the number of unique source addresses can exhaust firewall resources, and a flood spread across many sources stays under per-source thresholds.
- Derive thresholds from observed peak legitimate traffic before enforcing them; thresholds set too low make the protection itself a denial of service.
