Aggregate vs. Classified DoS Protection Profiles

Overview

Palo Alto Networks firewalls provide robust Denial-of-Service (DoS) protection capabilities configured via DoS Protection Profiles applied to DoS Protection Policy rules ( Policies > DoS Protection ). A fundamental choice when creating a DoS Protection Profile ( Objects > Security Profiles > DoS Protection ) is selecting the profile type: Aggregate or Classified .

Choosing the correct profile type is crucial because it determines the scope and granularity of protection, impacting both security effectiveness and firewall resource consumption.

Aggregate Profiles: Monitor the total traffic volume or connection rate for *all* traffic matching the DoS policy rule criteria combined.
Classified Profiles: Monitor traffic volume or connection rates on a more granular basis, tracking statistics *per source IP*, *per destination IP*, or *per source-destination IP pair* within the traffic matching the DoS policy rule.

     The primary goal of both profile types is to protect specific destination resources (servers, services) from being overwhelmed by excessive connection rates or SYN floods, but they achieve this with different levels of precision and resource overhead.
    

     Understanding the fundamental difference in scope (total traffic vs. per-IP/pair) between Aggregate and Classified DoS profiles is a critical concept for the PCNSE exam.
    

Aggregate DoS Protection Profiles

An Aggregate DoS Protection profile applies its configured thresholds (Alarm, Activate, Maximum Rates for metrics like CPS - Connections Per Second) to the total combined traffic that matches the associated DoS Protection Policy rule.

How it Works:

The firewall maintains a single set of counters for the chosen metric (e.g., SYN CPS, UDP CPS, Total Concurrent Sessions) for all sessions matching the policy rule.
When the total rate or count exceeds the configured Activate Rate threshold, the firewall initiates the configured mitigation action (e.g., SYN Cookies, rate limiting via Random Early Drop - RED) against all new incoming sessions that match the policy rule.
It does not differentiate between individual source or destination IPs contributing to the threshold breach; the action is applied collectively.

Use Cases:

Protecting a group of servers (e.g., a web farm behind a load balancer) where the primary concern is the total load hitting the service or the firewall resources handling that load, rather than identifying individual malicious sources.
Simpler scenarios where granular per-IP tracking is not required or desired.
Environments where firewall resource consumption for state tracking needs to be minimized.

Configuration:

Create a DoS Protection Profile ( Objects > Security Profiles > DoS Protection ).
Select Type: Aggregate .
Configure thresholds (Alarm, Activate, Max) for relevant Flood Protection types (e.g., TCP SYN, UDP, ICMP). These thresholds represent the total rate for all matching traffic.
Apply this profile to a DoS Protection Policy rule ( Policies > DoS Protection ) targeting the destination resource(s).

     Key takeaway for Aggregate: One set of thresholds applied to the sum of all matching traffic. Action impacts all new matching sessions once the total threshold is breached. Lower resource consumption than Classified.
    

Classified DoS Protection Profiles

A Classified DoS Protection profile provides more granular protection by monitoring traffic and applying thresholds independently for specific entities within the overall traffic flow matching the DoS policy rule.

How it Works:

The firewall maintains separate counters and state information based on the chosen classification criteria.
When configuring the profile ( Objects > Security Profiles > DoS Protection ), you select the Classified Address type:
- destination-ip-only : Tracks connection rates/counts per unique destination IP address matching the policy.
- source-ip-only : Tracks connection rates/counts per unique source IP address matching the policy.
- source-and-destination-ip (or src-dest-ip-both ): Tracks connection rates/counts per unique source-destination IP address pair matching the policy.
Each classified entity (e.g., each source IP if classified by source) has its own set of thresholds (Alarm, Activate, Max).
When a *specific* classified entity (e.g., a single attacking source IP) exceeds its individual threshold, the mitigation action (e.g., SYN Cookies, RED) is applied only to new sessions involving that specific offending entity . Legitimate traffic from other sources/to other destinations (within the same policy rule) remains unaffected unless they also exceed their thresholds independently.

Use Cases:

Protecting multiple critical servers individually when they reside within the same subnet targeted by a single DoS policy rule (using destination-ip-only ).
Identifying and mitigating attacks originating from specific abusive source IPs while allowing legitimate traffic from other sources (using source-ip-only or source-and-destination-ip ).
Scenarios requiring fine-grained control over DoS mitigation actions.

Configuration:

Create a DoS Protection Profile ( Objects > Security Profiles > DoS Protection ).
Select Type: Classified .
Choose the Classified Address criteria ( destination-ip-only , source-ip-only , source-and-destination-ip ).
Configure thresholds (Alarm, Activate, Max). These thresholds apply *per classified entity*.
Apply this profile to a DoS Protection Policy rule ( Policies > DoS Protection ).

     Using
     
      source-ip-only
     
     or
     
      source-and-destination-ip
     
     classification in DoS policies applied to internet-facing zones (like Untrust) is generally
     
      not recommended
     
     . The potentially vast number of unique external source IPs can overwhelm the firewall's resources dedicated to tracking these classified states. Use
     
      destination-ip-only
     
     for protecting specific internal servers from external attacks.

     Key takeaway for Classified: Separate thresholds per source, destination, or source-destination pair. Action impacts only the specific entity breaching its threshold. More granular but higher resource consumption. Be wary of using source-based classification on internet-facing rules.
    

Comparison Table: Aggregate vs. Classified

Feature	Classified Profile	Aggregate Profile
Scope of Protection	Applies thresholds individually based on classification (Source IP, Destination IP, or Source-Destination Pair).	Applies thresholds to the total combined traffic matching the policy rule.
Threshold Application	Each classified entity has its own independent set of counters and thresholds.	All matching traffic contributes to a single, shared set of counters and thresholds.
Mitigation Action Scope	Action (e.g., RED, SYN Cookies) applies only to new sessions involving the specific entity that exceeded its threshold.	Action applies to all new sessions matching the policy rule once the aggregate threshold is exceeded.
Primary Use Case	Protecting specific critical hosts individually; identifying/mitigating specific abusive sources.	Protecting groups of resources collectively; situations where overall load is the main concern.
Firewall Resource Consumption	Higher (due to tracking state per classified entity). Can be very high if using source-based classification on internet traffic.	Lower (only tracks aggregate state).
Configuration Complexity	Slightly more complex due to classification choice.	Simpler.
Recommended Internet-Facing Classification	`destination-ip-only` (to protect specific internal servers).	N/A (applies to aggregate).
Configuration Location	Objects > Security Profiles > DoS Protection (Profile definition) Policies > DoS Protection (Policy Rule application)

     This table summarizes the key differences frequently tested on the PCNSE exam. Focus on Scope, Threshold Application, Action Scope, and Resource Consumption differences.
    

Best Practices for DoS Protection

Understand Your Goal: Determine if you need to protect specific critical servers individually (favor Classified - destination-ip-only) or protect a group of resources from collective overload (favor Aggregate).
Baseline Traffic: Before enabling blocking actions, monitor normal connection rates (CPS) and concurrent session counts for the resources you intend to protect. Set thresholds based on these baselines plus a reasonable buffer.
Start with Alert/Monitor: Initially configure DoS profiles with high thresholds or set the DoS Policy rule action to 'Allow' but ensure logging is enabled (or use 'Protect' with high thresholds) to monitor logs for legitimate peaks versus actual attacks.
Tune Thresholds Gradually: Lower thresholds cautiously based on observed traffic and log analysis. Avoid setting thresholds too low, which could block legitimate users during normal peak times.
Use destination-ip-only for Internet-Facing Classified: As highlighted before, avoid source-ip-only or source-and-destination-ip classification in Classified profiles applied to rules matching internet traffic to prevent excessive resource consumption on the firewall.
Combine Profiles (Advanced): A single DoS Protection Policy rule can reference *both* an Aggregate profile and a Classified profile. This allows for layered protection: the Aggregate profile protects against massive overall floods, while the Classified profile can target specific abusive sources or protect individual destinations within the group once the overall traffic level is acceptable.
Leverage SYN Cookies: For protecting TCP-based services (like web servers) against SYN floods, ensure SYN Flood protection is enabled in the DoS Profile and use the 'SYN Cookies' action in the DoS Policy rule.
Regularly Review Logs: Monitor the Threat logs for DoS protection events to understand attack patterns and refine thresholds.
Consider Zone Protection First: Implement Zone Protection Profiles on ingress zones as a first line of defense against broad floods and reconnaissance before relying solely on DoS policies for specific resource protection.

     Effective DoS protection requires understanding traffic patterns, choosing the right profile type (Aggregate vs. Classified), careful threshold tuning, and ongoing monitoring.
    

Diagrams: DoS Protection Concepts

Sequence Diagram: DoS Policy Processing

Sequence diagram illustrating how Aggregate and Classified DoS profiles are checked within a DoS Policy rule.

Flowchart: Aggregate vs. Classified Logic

Flowchart comparing the logic flow for Aggregate vs. Classified DoS protection.

Graph: Relationship between Components

Graph showing the relationships between DoS Policy Rules, DoS Profiles, thresholds, traffic, and logging.

State Diagram: DoS Protection State (Simplified CPS Threshold)

Simplified state diagram based on Connections Per Second (CPS) thresholds in a DoS profile (applies conceptually to Aggregate total or individual Classified entity).

PCNSE Exam Focus Points

Key concepts regarding Aggregate vs. Classified DoS Protection for the PCNSE exam:

Primary Distinction: Understand that Aggregate applies one set of thresholds to the total matching traffic, while Classified applies thresholds independently per source IP, destination IP, or source-destination pair.
Use Cases:
- Use Aggregate to protect a group of servers collectively or when overall load is the concern.
- Use Classified (destination-ip-only) to protect specific critical servers individually within a broader policy match.
- Use Classified (source-ip-only / src-dest-ip-both) cautiously, primarily for internal zones, to mitigate specific abusive sources.
Configuration Locations:
- Profiles created under: Objects > Security Profiles > DoS Protection .
- Profiles applied via policy rules under: Policies > DoS Protection .
Classified Types: Know the three classification types: destination-ip-only , source-ip-only , source-and-destination-ip .
Resource Consumption Warning: Be aware of the high resource usage potential of source-based Classified profiles, especially on internet-facing interfaces, and why destination-ip-only is generally preferred there.
Policy Actions: Understand the main DoS Policy rule actions: Protect (enforces profile settings), SYN Cookies (enforces SYN flood settings from profile), Allow , Deny .
Thresholds: Recognize that thresholds (Alarm, Activate, Max) are typically based on Connections Per Second (CPS) or concurrent sessions.
Logging: DoS Protection events are logged in the Threat Log .
Relationship to Zone Protection: Understand that DoS Protection complements Zone Protection by providing targeted defense for specific destination resources, while Zone Protection defends the zone ingress.

     Expect scenario questions asking you to choose between Aggregate and Classified based on a protection goal. Know the resource implications and recommended use cases for each classification type, especially regarding source-based classification.
    

Aggregate vs. Classified DoS Quiz (PCNSE Style)

Test your understanding of DoS Protection profile types.

1. Which DoS Protection profile type applies thresholds and actions based on the total combined traffic matching a DoS policy rule?

Aggregate Classified Zone Protection Packet Buffer Protection

2. Which DoS Protection profile type maintains separate counters and applies thresholds independently for each unique source IP, destination IP, or source-destination pair?

Aggregate Classified Flood Protection Reconnaissance Protection

3. You need to protect a farm of critical web servers (10.1.1.10 - 10.1.1.20) individually, applying SYN flood protection thresholds separately to each server. Which DoS profile configuration is most appropriate?

Aggregate profile applied to a DoS rule matching destination 10.1.1.0/28. Classified profile with 'source-ip-only' classification applied to a DoS rule matching destination 10.1.1.0/28. Classified profile with 'destination-ip-only' classification applied to a DoS rule matching destination 10.1.1.0/28. Zone Protection profile applied to the servers' zone with SYN Cookies enabled.

4. Which Classified Address type is generally NOT recommended for use in DoS policy rules applied to internet-facing zones due to high resource consumption?

source-ip-only destination-ip-only Aggregate (not a Classified type) SYN Flood Protection (not a Classified type)

5. An Aggregate DoS profile is configured with an Activate Rate of 1000 CPS for SYN floods. If the total SYN rate matching the associated DoS policy rule reaches 1200 CPS, what happens?

Only SYN packets from the top contributing source IPs are dropped. All traffic matching the rule is blocked immediately. An alert is logged, but no mitigation action is taken yet. The configured mitigation action (e.g., SYN Cookies or RED) is applied to all new matching SYN packets.

6. A Classified DoS profile (destination-ip-only) protects two servers, A and B. Server A's traffic exceeds its Activate Rate threshold, but Server B's traffic is below its thresholds. What action does the firewall take?

Applies mitigation actions to new sessions for both Server A and Server B. Applies mitigation actions only to new sessions destined for Server A. Applies mitigation actions only to new sessions destined for Server B. Takes no mitigation action until the Aggregate threshold for the policy is also exceeded.

7. Where are DoS Protection Profiles created?

Policies > DoS Protection Network > Zones Objects > Security Profiles > DoS Protection Device > Setup > Session

8. Where are DoS Protection Profiles applied to control traffic?

In DoS Protection Policy rules (Policies > DoS Protection) Directly to Network Zones (Network > Zones) In Security Policy rules (Policies > Security) In Zone Protection Profiles (Network > Network Profiles)

9. Which factor generally leads to higher resource consumption on the firewall?

Using an Aggregate DoS Profile. Using a Zone Protection Profile with RED action. Using Packet Buffer Protection. Using a Classified DoS Profile (especially source-based).

10. What is the primary metric typically used for setting thresholds in DoS Protection profiles (both Aggregate and Classified)?

Packets Per Second (pps) Connections Per Second (CPS) / Concurrent Sessions Megabits Per Second (Mbps) Threat Log Severity Count

11. Can a single DoS Protection Policy rule reference both an Aggregate and a Classified DoS profile simultaneously?

No, only one profile type can be used per rule. Yes, but only if the action is 'Allow'. Yes, allowing for layered protection (overall aggregate check plus granular classified checks). Yes, but only if the Classified profile is 'destination-ip-only'.

12. When using a Classified DoS profile with 'destination-ip-only' classification, the thresholds apply to:

Each unique destination IP address individually. Each unique source IP address individually. The total traffic going to all matching destinations combined. Each unique source-destination IP pair.

13. Which DoS Protection profile type is generally simpler to configure and manage?

Classified (source-ip-only) Aggregate Classified (destination-ip-only) Classified (source-and-destination-ip)

14. If a DoS Policy rule has the action 'SYN Cookies' and an attached DoS Profile with SYN Flood thresholds, when are SYN Cookies employed?

For all TCP traffic matching the rule, regardless of rate. Only when the Aggregate CPS threshold is exceeded. Only when the Classified CPS threshold is exceeded. When the SYN Flood Activate Rate threshold defined *within the attached DoS profile* is exceeded.

15. A company wants to protect its single, critical public web server (1.1.1.1) from being overwhelmed by too many connections per second from any single source IP. Which approach is most suitable?

DoS Policy rule targeting Dest IP 1.1.1.1 with a Classified profile (source-ip-only). DoS Policy rule targeting Dest IP 1.1.1.1 with an Aggregate profile. Zone Protection profile on the external zone with SYN flood protection. DoS Policy rule targeting Dest IP 1.1.1.1 with a Classified profile (destination-ip-only).

16. DoS Protection Profiles and Policies primarily aim to protect against:

Malware and Viruses in file transfers. Reconnaissance scans like port sweeps. Resource exhaustion attacks based on connection rates or floods targeting specific destinations. Data exfiltration attempts via covert channels.

17. Where are events triggered by DoS Protection policies logged?

System Log Threat Log Traffic Log Configuration Log

18. What is a key first step in tuning DoS Protection thresholds effectively?

Establishing a baseline of normal traffic rates (CPS/sessions) for the protected resource. Setting all thresholds to the lowest possible value. Creating a Classified profile for every internal host. Disabling Zone Protection to prevent conflicts.

19. Which DoS profile type would be more suitable for protecting a DNS server where you want to limit the connection rate from any single client querying it, but allow a high total connection rate from many clients?

Aggregate Zone Protection (UDP Flood) Classified (source-ip-only) Classified (destination-ip-only)

20. In the context of DoS Protection profiles, what does CPS typically stand for?

Classified Profile Settings Content Packet Scan Critical Protection Service Connections Per Second