Configuring Zone Protection, Packet Buffer Protection, and DoS Protection
Overview
Palo Alto Networks firewalls offer multiple layers of protection to safeguard network resources against various types of attacks. These include Zone Protection, Packet Buffer Protection, and Denial-of-Service (DoS) Protection. Understanding the default settings and how to customize them is crucial for both security and performance.
Zone Protection
Zone Protection profiles provide protection against floods, reconnaissance, and other packet-based attacks at the ingress zone level.
Default Settings
- Flood Protection thresholds are set conservatively to avoid false positives.
- Reconnaissance Protection is enabled with default thresholds for scans.
- Packet-based attack protections are enabled with standard settings.
Customized Values
- Adjust thresholds based on observed traffic patterns and network behavior.
- Enable or disable specific protections depending on the zone's exposure and requirements.
- Implement stricter settings on untrusted zones and more lenient settings on trusted zones.
Packet Buffer Protection
Packet Buffer Protection helps prevent the firewall's packet buffers from being overwhelmed, which could lead to dropped packets and degraded performance.
Default Settings
- Alert Threshold: 50%
- Activate Threshold: 80%
- Block Hold Time: 60 seconds
- Block Duration: 3600 seconds
Customized Values
- Adjust thresholds based on baseline measurements of buffer utilization.
- Lower thresholds for environments with latency-sensitive applications.
- Modify Block Hold Time and Block Duration to balance responsiveness against the risk of false positives.
DoS Protection
DoS Protection profiles and policies provide granular control to protect specific hosts or services from DoS attacks.
Default Settings
- Flood Protection thresholds are set to general values suitable for typical environments.
- Resource Protection settings are configured with standard session limits.
Customized Values
- Define Classified or Aggregate profiles based on the nature of the traffic and assets.
- Set thresholds (Alarm Rate, Activate Rate, Max Rate) based on observed traffic patterns and capacity planning.
- Apply policies to specific zones, IP addresses, or services as needed.
Sequence Diagram: Packet Buffer Protection Workflow
```mermaid
sequenceDiagram
    participant Traffic
    participant Firewall
    participant Buffer
    Traffic->>Firewall: Incoming packets
    Firewall->>Buffer: Store packets
    alt Buffer utilization < Alert Threshold
        Buffer-->>Firewall: Normal operation
    else Buffer utilization >= Alert Threshold
        Buffer-->>Firewall: Log alert
        alt Buffer utilization >= Activate Threshold
            Buffer-->>Firewall: Apply mitigation (e.g., RED)
            alt Buffer utilization persists
                Buffer-->>Firewall: Block offending sessions/IPs
            end
        end
    end
```
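To make the interplay of the four Packet Buffer Protection settings concrete, here is an added Python simulation of the workflow in the diagram above. It is not Palo Alto code and does not reproduce how PAN-OS tracks buffer usage internally; the sample times, utilization values, and the source address are constructed, and attributing each sample to a single "top source" is a simplification assumed by the model.

```python
from dataclasses import dataclass, field


@dataclass
class PacketBufferProtection:
    """Constructed model of the Packet Buffer Protection workflow (not PAN-OS code)."""
    alert_threshold: int = 50      # percent; log an alert at or above this
    activate_threshold: int = 80   # percent; apply mitigation at or above this
    block_hold_time: int = 60      # seconds a source must persist above activate before a block
    block_duration: int = 3600     # seconds a blocked source stays blocked
    events: list = field(default_factory=list)
    blocked_until: dict = field(default_factory=dict)  # source -> time (s) its block expires
    over_since: dict = field(default_factory=dict)     # source -> first time (s) at/above activate

    def is_blocked(self, source, now):
        return self.blocked_until.get(source, 0) > now

    def sample(self, now, utilization, top_source):
        """Process one buffer-utilization sample (percent) taken at time `now` (seconds).

        `top_source` is the address using the most buffer space in this sample (an
        assumption of this model, not a PAN-OS API). Returns the action taken.
        """
        if utilization < self.activate_threshold:
            # Below activate: the persistence timer resets; alert only at/above alert threshold
            self.over_since.pop(top_source, None)
            if utilization < self.alert_threshold:
                return "normal"
            self.events.append((now, "alert", utilization))
            return "alert"
        # At or above activate: mitigate (RED-style drops) and track how long it persists
        self.events.append((now, "mitigate", utilization))
        first_seen = self.over_since.setdefault(top_source, now)
        if now - first_seen >= self.block_hold_time and not self.is_blocked(top_source, now):
            self.blocked_until[top_source] = now + self.block_duration
            self.events.append((now, "block", top_source))
            return "block"
        return "mitigate"


def run_constructed_scenario():
    """Feed constructed samples through the default thresholds; return the actions taken."""
    pbp = PacketBufferProtection()
    src = "203.0.113.7"  # constructed example address from the TEST-NET-3 range
    samples = [(0, 30), (10, 55), (20, 85), (40, 90), (80, 85), (100, 85)]
    actions = [pbp.sample(t, util, src) for t, util in samples]
    # Blocked shortly after the block, no longer blocked once Block Duration has elapsed
    return actions, pbp.is_blocked(src, 120), pbp.is_blocked(src, 80 + 3600)
```

With the defaults, the source is blocked at t=80 because it has stayed at or above the 80% Activate Threshold since t=20 (60 seconds, the Block Hold Time), and the block expires 3600 seconds later.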