DoS Protection Profiles and Policy Rules

DoS Protection profiles and DoS Protection policy rules combine to protect specific groups of critical resources and individual critical resources against session floods. Compared to Zone Protection profiles, which protect entire zones from flood attacks, DoS protection provides granular defense for specific systems, especially critical systems that users access from the internet and are often attack targets, such as web servers and database servers.

Apply both Zone Protection and DoS Protection. If you only apply a Zone Protection profile, a DoS attack targeting a particular system in the zone can succeed if the total connections-per-second (CPS) doesn’t exceed the zone’s Activate and Maximum rates.

DoS Protection is resource-intensive, so use it only for critical systems.

Similar to Zone Protection profiles, DoS Protection profiles specify flood thresholds. DoS Protection policy rules determine the devices, users, zones, and services to which DoS Profiles apply.

In addition to configuring DoS protection and zone protection, apply the best practice Vulnerability Protection profile to each Security policy rule to help defend against DoS attacks.

Classified Versus Aggregate DoS Protection

You can configure aggregate and classified DoS Protection Profiles, and apply one profile or one of each type of profile to DoS Protection Policy Rules when you configure DoS Protection.

Aggregate: Sets thresholds that apply to the entire group of devices specified in a DoS Protection policy rule. One device could receive the majority of the allowed connection traffic. For example, a Max Rate of 20,000 CPS means the total CPS for the group is 20,000. Aggregate policies provide another layer of broad protection (after dedicated DDoS devices and Zone Protection profiles) for a group of critical devices, applying extra constraints on specific subnets, users, or services.
Classified: Sets flood thresholds that apply to each individual device specified in a DoS Protection policy rule. For example, if you set a Max Rate of 5,000 CPS, each device specified can accept up to 5,000 CPS. Devices governed by the same classified rule should be similar in capacity. Classified profiles protect individual critical resources.

When you configure a DoS Protection policy rule with a classified DoS Protection profile ( Option/Protection -> Classified -> Address ), use the Address field to specify whether incoming connections count toward the profile thresholds based on matching the:

source-ip-only
destination-ip-only
scr-dest-ip-both (counts the source-destination pair match)

Counters consume resources, so the counting method affects firewall resource consumption. Use classified DoS protection to:

Protect critical individual devices (web servers, database servers, DNS servers). Create a DoS Protection policy rule applying the profile to each server’s IP address (destination criteria), and set the Address to destination-ip-only .
Monitor the CPS rate for a suspect host or group of hosts ( zone cannot be internet-facing ). Set an appropriate alarm threshold in a classified profile. Create a DoS rule applying the profile to the source IP/group and set Address to source-ip-only .

Do not use source-IP-only or src-dest-ip-both classification for internet-facing zones in classified DoS Protection policy rules. The firewall lacks the capacity to store counters for every possible IP address on the internet. Increment the threshold counter for source IPs only for internal zone or same-zone rules. In perimeter zones, use destination-ip-only .

The firewall uses more resources to track src-dest-ip-both than source-IP-only or destination-ip-only because it tracks unique pairs.

If you apply both an aggregate and a classified DoS Protection profile to the same DoS Protection policy rule, the firewall applies the aggregate profile first . If the aggregate threshold is hit, its action is taken. If the aggregate threshold is not hit, the classified profile is checked. If its threshold is hit, its action is taken against the specific matching IP(s). Both might trigger blocking if aggregate is hit first and classified later for a specific IP within the (now reduced) group traffic.

If you want both an aggregate and a classified DoS Protection profile to apply to the same traffic, you must apply both profiles to the same DoS Protection policy rule . Applying them to different rules (even with identical criteria) means only the first matching rule's profile will be applied, similar to Security policy rule processing.

DoS Protection Profiles

DoS Protection profiles set thresholds that protect against new session IP flood attacks (SYN, UDP, ICMP, ICMPv6, Other IP) and provide resource protection (maximum concurrent session limits). They protect specific devices (classified) or groups (aggregate). Configuring flood protection is similar to Zone Protection profiles, but DoS protection is more granular.

Measure and monitor firewall dataplane CPU consumption to ensure proper sizing for DoS/Zone Protection and other features like decryption. Use Panorama's Device Monitoring ( Panorama > Managed Devices > Health > All Devices ) to check CPU/memory usage and trends.

For each flood type, you set three thresholds and a block duration:

Alarm Rate: Generates a DoS alarm when CPS exceeds this. Set ~15-20% above average CPS.
Activate Rate: Firewall starts dropping new connections (using RED or SYN Cookies for SYN floods) when CPS exceeds this, until the rate drops below. Can be set equal to Max Rate to only block when the absolute max is hit, or lower to start mitigation earlier.
Max Rate: Firewall blocks (drops) all new connections from the offending IP for the Block Duration when CPS exceeds this. Base this on the capacity of the protected resource(s). For aggregate, maybe 80-90% of group capacity.
Block Duration: Time (default 300 seconds) the firewall blocks new connections from an IP after exceeding the Max Rate. During the block, incoming connections from that source are not counted towards thresholds.

For SYN Flood Protection, you set the drop Action :

SYN Cookies: Firewall acts as a proxy, handling the 3-way handshake. Treats legitimate traffic fairly, only dropping failed handshakes. More resource-intensive. Recommended unless resources are constrained or you lack a dedicated upstream DDoS device.
Random Early Drop (RED): Drops traffic randomly when the Activate rate is hit. Less resource-intensive but may impact legitimate traffic. Use if SYN Cookies consume too many resources or if the firewall is the primary DDoS mitigator.

Default threshold values are high. Monitor traffic and adjust thresholds based on baseline measurements of average and peak CPS for critical devices. Avoid overly aggressive settings.

Firewalls with multiple dataplane processors (DPs) distribute connections and generally divide CPS thresholds equally across DPs. A 20,000 CPS threshold on a 5-DP firewall means each DP triggers at 4,000 CPS.

Resource Protection

DoS Protection profiles also prevent session exhaustion attacks via the Resources Protection tab. Set the maximum number of concurrent sessions allowed for the endpoints defined in the applied DoS policy rule. When the limit is reached, new sessions are dropped.

Set this threshold based on the capacity of the protected resources (e.g., ~80% capacity), then monitor and adjust.

For aggregate profiles, the limit applies to all traffic matching the rule (source and destination combined).
For classified profiles, the limit applies based on the classification method ( source-ip-only , destination-ip-only , or src-dest-ip-both ).

DoS Protection Policy Rules

DoS Protection policy rules control which systems receive DoS protection, the action taken, and logging. Use DoS protection only for specific critical resources due to its resource consumption. Use Zone Protection for broader zone defense.

DoS Policy rules offer granular matching criteria:

Source zone, interface, IP address (including regions), user.
Destination zone, interface, IP address (including regions).
Services (by port and protocol). Protection applies only to specified services, but does *not* implicitly block other services matching source/destination.

Consider protecting unused service ports on critical servers too. Create separate DoS rules/profiles for used vs. unused ports, applying much stricter thresholds to unused ports. Be mindful of firewall capacity.

When traffic matches a DoS Protection policy rule, the firewall takes one of three Actions :

Deny: Blocks matching traffic. No DoS profile is applied.
Allow: Permits matching traffic. No DoS profile is applied.
Protect: Applies the specified DoS Protection profile(s) (one aggregate and/or one classified) to matching traffic. This is the most common action for applying DoS thresholds.

The firewall only applies DoS profiles if the Action is Protect . Allow/Deny actions create exceptions without applying DoS protection.

You can Schedule when a DoS rule is active, allowing different thresholds for different times (e.g., day vs. night) or special events.

Configure Log Forwarding to separate DoS logs. Forward threshold violations directly to admins via email and also to log servers (SNMP/syslog). Threshold breaches should be infrequent on properly sized firewalls and indicate potential attacks.

Diagrams

Aggregate vs. Classified Profile Application Flow

graph TD A[Traffic Arrives] --> B{Matches DoS Rule?} B -- No --> Z[Process via Other Policies] B -- Yes --> C{Action = Protect?} C -- No --> E{Action = Deny?} E -- Yes --> F[Block Traffic] E -- No --> G[Allow Traffic] C -- Yes --> D{Aggregate Profile Configured?} D -- Yes --> H[Apply Aggregate Thresholds] H --> I{Aggregate Threshold Exceeded?} I -- Yes --> J[Block Based on Aggregate Profile] I -- No --> K{Classified Profile Configured?} D -- No --> K K -- Yes --> L[Apply Classified Thresholds] L --> M{Classified Threshold Exceeded?} M -- Yes --> N[Block Based on Classified Profile] M -- No --> O[Allow Traffic Within Thresholds] K -- No --> O F --> Z G --> Z J --> Z N --> Z O --> Z

Illustrates the decision logic when a DoS Policy Rule with Protect action has Aggregate and/or Classified profiles applied.

SYN Flood Protection with SYN Cookies

sequenceDiagram participant C as Client participant F as Firewall (DoS Protect) participant S as Server Note over C,F: SYN Flood Activate Rate Exceeded C->>+F: SYN (Attempt 1) F->>F: Generate SYN Cookie F-->>-C: SYN-ACK (with Cookie) Note right of F: Firewall does NOT forward SYN to Server yet C->>+F: ACK (with valid Cookie) F->>F: Validate Cookie alt Cookie is Valid F->>+S: SYN (Proxying connection) S-->>-F: SYN-ACK F->>C: SYN-ACK C->>+F: ACK F-->>-S: ACK Note over C,S: Legitimate Connection Established else Cookie Invalid/No ACK received Note right of F: Firewall drops connection silently F--x C: (No response or RST potentially) end C->>+F: SYN (Attempt 2 - Malicious/Flood) F->>F: Generate SYN Cookie F-->>-C: SYN-ACK (with Cookie) Note right of C: Attacker often ignores SYN-ACK or sends invalid ACK C--x F: (No ACK or Invalid ACK) Note right of F: Firewall drops connection attempt

Sequence diagram showing how the firewall uses SYN Cookies to validate clients during a SYN flood before establishing a connection to the actual server.

DoS Protection Quiz

Test your understanding of DoS Protection Profiles and Policy Rules. Select the best answer for each question.

1. What is the primary difference in scope between Zone Protection profiles and DoS Protection policies/profiles?

Zone Protection applies to specific IP addresses, while DoS Protection applies to entire zones. Zone Protection applies broadly to ingress zones, while DoS Protection targets specific critical resources or groups. Both protect entire zones, but DoS Protection uses more advanced techniques. Zone Protection only handles SYN floods, while DoS Protection handles all IP floods.

Correct Answer: B. Zone Protection provides broad defense for all traffic entering a zone, whereas DoS Protection offers granular control over specific, often critical, destination IPs or groups, potentially spanning zones. Relevance: PCNSE/PCNSA

2. Which type of DoS Protection profile applies thresholds to each individual IP address matched by the policy rule?

Aggregate Classified Zonal Granular

Correct Answer: B. Classified profiles apply the configured CPS thresholds independently to each IP address (source, destination, or pair) that matches the rule's criteria. Aggregate profiles apply one threshold to the combined traffic of all matching IPs. Relevance: PCNSE/PCNSA

3. When configuring a Classified DoS Protection profile for web servers accessed from the internet, which 'Address' classification setting is generally recommended?

source-ip-only destination-ip-only scr-dest-ip-both Any of the above, depending on preference.

Correct Answer: B. For internet-facing resources, `destination-ip-only` is recommended because tracking individual source IPs from the entire internet (`source-ip-only` or `scr-dest-ip-both`) can overwhelm the firewall's counter capacity. Relevance: Gotcha, PCNSE/PCNSA

4. What happens if a DoS Protection policy rule includes both an Aggregate and a Classified profile, and traffic exceeds the Aggregate Max Rate but not the Classified Max Rate?

Only the Classified profile is checked and applied. Both profiles are checked, and the Classified action is taken. The Aggregate profile is checked first and its action (blocking the group) is taken. An error occurs because only one profile type can be applied.

Correct Answer: C. The Aggregate profile is evaluated first. If its threshold is exceeded, its action (e.g., blocking new connections for the group) is applied, potentially before the classified profile is checked or becomes relevant. Relevance: Gotcha, PCNSE/PCNSA

5. Which DoS Protection profile threshold triggers the generation of a log/alert but does not necessarily start dropping traffic?

Activate Rate Max Rate Block Duration Alarm Rate

Correct Answer: D. The Alarm Rate is designed specifically to generate alerts when CPS reaches a certain level, serving as an early warning before mitigation actions (Activate Rate) or hard blocking (Max Rate) occur. Relevance: Important

6. What is the primary trade-off when choosing between SYN Cookies and Random Early Drop (RED) as the SYN Flood action?

RED is faster but only works on UDP traffic. SYN Cookies protect legitimate traffic better but consume more firewall resources. RED consumes more resources but offers more granular control. SYN Cookies are less secure as they reveal server information.

Correct Answer: B. SYN Cookies validate clients before involving the server, thus protecting legitimate users, but this proxying action requires more firewall CPU/memory. RED is lighter but may randomly drop legitimate connections during a flood. Relevance: Gotcha, PCNSE/PCNSA

7. What does the 'Resource Protection' setting in a DoS Protection profile primarily defend against?

High bandwidth consumption attacks. IP fragmentation attacks. Session exhaustion attacks (limiting concurrent sessions). Malformed packet attacks.

Correct Answer: C. Resource Protection limits the total number of concurrent sessions allowed to the protected resource(s), specifically combating attacks aiming to deplete session tables. Relevance: PCNSE/PCNSA

8. Which DoS Protection policy rule 'Action' must be selected to apply the configured DoS Protection profiles to matching traffic?

Allow Deny Protect Monitor

Correct Answer: C. Only the 'Protect' action enables the application of associated Aggregate and/or Classified DoS Protection profiles. 'Allow' and 'Deny' simply permit or block traffic without applying flood thresholds. Relevance: PCNSE/PCNSA

9. Why is it generally advised to use DoS Protection policies only for critical systems?

They require a separate license per protected IP. They can conflict with Zone Protection profiles. They are resource-intensive for the firewall to process. They only work for internal traffic, not internet traffic.

Correct Answer: C. Tracking connection rates and applying thresholds, especially classified ones, consumes firewall CPU and memory. Applying it unnecessarily broadly can impact performance. Relevance: Critical, Important

10. On a multi-DP firewall, how are DoS Protection CPS thresholds typically applied?

The full threshold applies only to the primary DP. The threshold is dynamically allocated based on DP load. The threshold is generally divided equally among the DPs. Thresholds are ignored on multi-DP platforms.

Correct Answer: C. The configured threshold is usually distributed evenly across the available dataplane processors. This means a single DP can trigger its portion of the threshold even if the overall rate across all DPs hasn't hit the configured total. Relevance: Gotcha

11. What is the purpose of the 'Block Duration' setting in a DoS Protection profile?

The time allowed for a session to be established. The duration for which an alarm is active after the Alarm Rate is hit. The time period for which new connections from an offending IP are blocked after exceeding the Max Rate. The maximum lifetime of any session matched by the policy.

Correct Answer: C. When the Max Rate threshold is breached by a source IP (in applicable scenarios), the firewall blocks further new connections from that IP for the specified Block Duration (default 300s). Relevance: Important

12. Can you apply a DoS Protection profile based on the User-ID information?

Yes, User-ID is a matching criteria in DoS Protection policy rules. No, DoS Protection only works at Layer 3/4 (IP and Port). Only if the user is accessing resources via GlobalProtect. Only for Aggregate profiles, not Classified profiles.

Correct Answer: A. DoS Protection Policy Rules allow matching based on Source User, enabling user-specific DoS protection policies when User-ID is configured and available. Relevance: PCNSE/PCNSA

13. If you configure a DoS Protection policy rule to 'Protect' specific 'Services' (e.g., TCP/80, TCP/443), what happens to other traffic (e.g., UDP/53) matching the source/destination criteria?

It is automatically denied by the DoS rule. It bypasses this DoS rule and is evaluated by subsequent DoS rules or other policies. It is allowed but not subjected to the DoS profile thresholds applied by this rule. It inherits the DoS protection settings from the zone.

Correct Answer: B. Traffic must match *all* criteria of the rule, including the service. If the service doesn't match, the rule doesn't match, and the traffic moves on to the next rule or policy evaluation. Specifying services limits the rule's match; it doesn't implicitly allow or deny other services matching source/destination. Relevance: Important

14. What is a recommended first step before setting specific Activate/Max Rate thresholds in a DoS Protection profile?

Configure the highest possible values to avoid blocking legitimate traffic. Baseline the normal average and peak CPS for the protected resources. Enable SYN Cookies as it's always the safest option. Set the Alarm Rate equal to the Max Rate.

Correct Answer: B. Understanding the normal traffic patterns (average and peak connections per second) for the specific resources being protected is crucial for setting realistic and effective thresholds that mitigate attacks without impacting normal operations. Relevance: Important, Best Practice

15. Using Panorama's Device Health monitoring is useful for DoS/Zone protection configuration primarily because it helps:

Identify which users are causing DoS events. Automatically generate optimal threshold values. Ensure the firewall has sufficient CPU/memory resources for the overhead. Track the number of classified vs aggregate profiles in use.

Correct Answer: C. DoS and Zone Protection features add processing overhead. Monitoring CPU and memory utilization via Panorama helps verify that the firewall is adequately sized to handle these features without performance degradation. Relevance: Important

16. Why might you create two separate DoS Protection rules for the same critical web server, one for ports 80/443 and another for all other ports?

To apply stricter thresholds to the unused ports which should see no traffic. Because Aggregate profiles cannot cover all ports simultaneously. To force the use of SYN Cookies on ports 80/443 and RED on others. This configuration is not recommended or possible.

Correct Answer: A. Ports that are not expected to receive legitimate traffic can have much lower (stricter) DoS thresholds applied. Separating rules allows for different profiles/thresholds for expected service ports vs. unused ports on the same critical server. Relevance: Important, Use Case

17. Which protection mechanism provides the broadest level of flood defense?

Classified DoS Protection Profile Aggregate DoS Protection Profile Zone Protection Profile Vulnerability Protection Profile

Correct Answer: C. Zone Protection Profiles apply to all traffic entering a specific zone, offering the widest scope compared to DoS profiles which target specific resources defined in policies. Vulnerability Protection targets specific exploits, not general floods. Relevance: PCNSE/PCNSA

18. If you apply a Classified DoS profile using `src-dest-ip-both`, how are counters incremented?

One counter tracks the unique source-destination pair. Separate counters are maintained for the source IP and the destination IP independently. The destination IP counter is incremented, and the source IP is logged. Counters are incremented based on the source IP only, destination is ignored.

Correct Answer: A. `scr-dest-ip-both` tracks the connection rate for the specific combination (pair) of source and destination IP address against the threshold. This is why it's resource-intensive, as it creates potentially many unique counters. Relevance: PCNSE/PCNSA, Gotcha

19. Scheduling a DoS Protection policy rule allows you to:

Automatically update the profile thresholds based on traffic patterns. Apply different DoS rules/profiles during different times (e.g., business hours vs. off-hours). Temporarily disable DoS protection during maintenance windows. Both B and C.

Correct Answer: D. Scheduling allows rules (and thus their associated profiles or actions like Allow/Deny) to be active only during specific timeframes. This supports applying different protection levels at different times (B) and can also be used to effectively disable specific 'Protect' rules during maintenance (C) by scheduling an 'Allow' rule above it for that period, or scheduling the 'Protect' rule to be inactive. Relevance: Feature Capability

20. What is the recommended action regarding log forwarding for DoS protection events?

Disable logging to save resources. Log only denied events, not protected or allowed. Forward DoS threshold violation logs separately and potentially alert admins directly. Send logs only to Panorama, not external syslog/SNMP servers.

Correct Answer: C. Separating DoS logs aids analysis. Since threshold violations should be rare on a well-configured system, directly alerting administrators (e.g., via email) in addition to central logging is recommended as these events strongly indicate an attack. Relevance: Best Practice, Important

Please answer all questions before submitting.