Zone Protection Profiles in Palo Alto Networks firewalls offer flood protection mechanisms to safeguard ingress zones against various types of flood attacks, such as SYN, UDP, ICMP, and other IP floods. This guide provides an in-depth explanation of flood protection, configuration thresholds, and mitigation actions like Random Early Drop (RED) and SYN Cookies.
Flood attacks aim to overwhelm network resources by sending a high volume of traffic, leading to degraded performance or service outages. Palo Alto Networks' flood protection measures monitor the rate of new connections per second (CPS) and apply thresholds to detect and mitigate such attacks.
For each flood type (SYN, UDP, ICMP, ICMPv6, and Other IP), administrators set three thresholds, expressed in new connections per second and counted across the whole ingress zone rather than per source:

- Alarm Rate: the CPS at which the firewall writes a threat log entry. No traffic is affected; this is the early-warning threshold.
- Activate Rate: the CPS at which the configured mitigation begins (Random Early Drop or SYN Cookies for SYN floods; RED for the other flood types).
- Maximum Rate: the CPS above which all further new connections of that type are dropped.

The thresholds must come from measured baseline traffic: set the Alarm rate above the observed legitimate peak so that an alarm actually indicates an anomaly, and the Activate and Maximum rates above that. Set too low, the profile throttles legitimate traffic at the busiest hour; set too high, it never engages during a real flood. Because the counter is zone-wide, a single abusive source that stays under the Activate rate is not mitigated here; per-source limits belong to a DoS Protection policy, not the zone profile.
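The following model shows how the three thresholds partition a measured CPS value into bands and how RED then costs legitimate clients connections in proportion to the drop rate. This is an added example and not Palo Alto Networks code: the Alarm / Activate / Maximum semantics follow the product behaviour described above, while the linear drop ramp between Activate and Maximum, the threshold values and the 5,000 CPS legitimate share are assumptions constructed for illustration.

```python
"""Threshold state model for a zone-protection flood profile.

Added example, not Palo Alto Networks code.  The Alarm / Activate / Maximum
semantics follow the PAN-OS documentation; the linear RED drop ramp between
Activate and Maximum is an assumption made for illustration, since the
firewall's internal curve is not published.
"""
from dataclasses import dataclass
import random


@dataclass(frozen=True)
class FloodThresholds:
    alarm: int      # CPS: threat log only, traffic untouched
    activate: int   # CPS: mitigation (RED / SYN cookies) starts
    maximum: int    # CPS: every new connection above this is dropped

    def __post_init__(self) -> None:
        if not 0 < self.alarm <= self.activate <= self.maximum:
            raise ValueError("require 0 < alarm <= activate <= maximum")

    def state(self, cps: int) -> str:
        """Which band a measured per-zone CPS value falls into."""
        if cps < self.alarm:
            return "normal"
        if cps < self.activate:
            return "alarm"
        if cps < self.maximum:
            return "mitigate"
        return "drop-all"

    def red_drop_probability(self, cps: int) -> float:
        """Assumed linear ramp: 0 at Activate, 1 at Maximum."""
        if cps < self.activate:
            return 0.0
        if cps >= self.maximum:
            return 1.0
        return (cps - self.activate) / (self.maximum - self.activate)


def simulate_red_second(th: FloodThresholds, offered_cps: int,
                        legit_cps: int, seed: int = 1) -> dict:
    """Offer one second of SYNs (the first legit_cps are legitimate, the rest
    spoofed) and apply RED at the rate-derived probability.  RED cannot tell
    the two apart, so legitimate SYNs are dropped at the same rate as spoofed."""
    rng = random.Random(seed)          # fixed seed: deterministic demo
    p = th.red_drop_probability(offered_cps)
    legit_dropped = spoof_dropped = 0
    for i in range(offered_cps):
        if rng.random() < p:
            if i < legit_cps:
                legit_dropped += 1
            else:
                spoof_dropped += 1
    return {"state": th.state(offered_cps), "drop_probability": p,
            "legit_dropped": legit_dropped, "spoof_dropped": spoof_dropped}


if __name__ == "__main__":
    # Constructed thresholds for a zone whose normal peak is about 8,000 CPS.
    th = FloodThresholds(alarm=10_000, activate=15_000, maximum=40_000)
    for cps in (8_000, 12_000, 27_500, 50_000):
        print(cps, simulate_red_second(th, cps, legit_cps=5_000))
```

Run it and note the 27,500 CPS row: the zone is in the "mitigate" band with a 50% drop rate, and roughly half of the 5,000 legitimate SYNs are lost along with half of the spoofed ones. That is the cost the table below attributes to RED, and it is why the Activate rate needs headroom above the real peak.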
For SYN flood protection, administrators choose between two mitigation actions once the Activate rate is reached (the other flood types support RED only):

| Feature | Random Early Drop (RED) | SYN Cookies |
|---|---|---|
| Mechanism | Drops a random fraction of incoming SYNs; the fraction rises with the measured rate until, at the Maximum rate, every new SYN is dropped. | The firewall answers each SYN with a SYN-ACK whose sequence number is a cryptographic cookie and keeps no per-SYN state; only when the client returns an ACK that validates against the cookie does the firewall open the connection to the server. |
| Impact on Legitimate Traffic | Cannot distinguish spoofed from legitimate SYNs, so legitimate connection attempts are dropped at the same rate as attack traffic. | Legitimate clients, which complete the handshake, are passed; spoofed SYNs never reach the server and consume no state. |
| Resource Consumption | Low: one random decision per packet. | Higher CPU: cookie generation and validation plus handshake proxying for every SYN above the Activate rate. |
| Use Case | Firewalls that are already heavily loaded, or asymmetric paths where the firewall does not see the client's returning ACK and therefore cannot validate a cookie. | The usual choice when the firewall sees both directions of the flow and has CPU to spare, since it protects the server without sacrificing legitimate sessions. |
Choosing between RED and SYN Cookies therefore comes down to two checks: whether the firewall is on the return path for the protected servers (if not, SYN Cookies cannot work and RED is the only option), and whether the platform has CPU headroom to proxy handshakes at the expected flood rate. After enabling either action, confirm behaviour by watching the threat log for the zone's alarm entries and the session table for half-open counts during a controlled SYN test, rather than waiting for a real flood.
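To make the difference between the two actions concrete, here is a constructed handshake model with both sides of the exchange: a stateful server with a small half-open backlog, and a stateless SYN-cookie server. This is an added example and not Palo Alto Networks code; the cookie construction (a truncated HMAC over the 4-tuple, client ISN and a coarse time slot), the fixed secret, the backlog size and the addresses are all assumptions made for the demonstration, and a real implementation also rotates the secret.

```python
"""SYN cookie handshake versus a stateful half-open backlog.

Added example, not Palo Alto Networks code.  Both servers are constructed
toys: the cookie is a truncated HMAC over the 4-tuple, the client ISN and a
coarse time slot (a real implementation also rotates the secret); the
half-open server is a minimal backlog that a flood of unanswered SYNs fills.
"""
import hashlib
import hmac

MASK = 0xFFFFFFFF
SECRET = b"constructed-secret-rotate-in-production"   # assumption for the demo


def syn_cookie(four_tuple, client_isn: int, t_slot: int, secret: bytes = SECRET) -> int:
    """32-bit cookie used as the server ISN; nothing about it has to be stored."""
    msg = "{}:{}:{}:{}:{}:{}".format(*four_tuple, client_isn, t_slot).encode()
    return int.from_bytes(hmac.new(secret, msg, hashlib.sha256).digest()[:4], "big")


class SynCookieServer:
    """Answers every SYN statelessly; allocates state only on a valid ACK."""

    def __init__(self, secret: bytes = SECRET):
        self.secret = secret
        self.established = []

    def on_syn(self, four_tuple, client_isn, t_slot):
        # A spoofed SYN costs one HMAC and nothing else: no table entry.
        return {"seq": syn_cookie(four_tuple, client_isn, t_slot, self.secret),
                "ack": (client_isn + 1) & MASK}

    def on_ack(self, four_tuple, seq, ack, t_slot):
        client_isn = (seq - 1) & MASK
        for slot in (t_slot, t_slot - 1):            # tolerate one slot of skew
            if (ack - 1) & MASK == syn_cookie(four_tuple, client_isn, slot, self.secret):
                self.established.append(four_tuple)  # first state for this flow
                return True
        return False


class HalfOpenServer:
    """Classic stateful handshake with a fixed half-open backlog."""

    def __init__(self, backlog: int = 4):
        self.backlog = backlog
        self.half_open = {}
        self.established = []
        self._next_isn = 0x1000

    def on_syn(self, four_tuple, client_isn, t_slot):
        if len(self.half_open) >= self.backlog:
            return None                               # backlog full: SYN dropped
        self._next_isn = (self._next_isn + 64_000) & MASK
        self.half_open[four_tuple] = self._next_isn   # state kept per half-open flow
        return {"seq": self._next_isn, "ack": (client_isn + 1) & MASK}

    def on_ack(self, four_tuple, seq, ack, t_slot):
        isn = self.half_open.pop(four_tuple, None)
        if isn is not None and (ack - 1) & MASK == isn:
            self.established.append(four_tuple)
            return True
        return False


def client_handshake(server, four_tuple, client_isn, t_slot) -> bool:
    """A well-behaved client: SYN, receive SYN-ACK, send the matching ACK."""
    synack = server.on_syn(four_tuple, client_isn, t_slot)
    if synack is None:
        return False
    return server.on_ack(four_tuple, (client_isn + 1) & MASK,
                         (synack["seq"] + 1) & MASK, t_slot)


def flood_then_legit(server, spoofed: int = 10, t_slot: int = 7) -> bool:
    """Constructed flood: `spoofed` SYNs that never ACK, then one real client."""
    for i in range(spoofed):
        server.on_syn(("203.0.113.%d" % (i + 1), "192.0.2.10", 40000 + i, 443),
                      1000 + i, t_slot)
    return client_handshake(server, ("198.51.100.5", "192.0.2.10", 51515, 443),
                            4242, t_slot)


if __name__ == "__main__":
    print("half-open backlog, legit client after flood:", flood_then_legit(HalfOpenServer()))
    print("SYN cookies, legit client after flood:     ", flood_then_legit(SynCookieServer()))
```

With the backlog server the ten unanswered SYNs fill the table and the legitimate client is refused; with the cookie server the same flood leaves no state behind and the legitimate client connects. The skew window in `on_ack` is the usual trade-off for stateless cookies: too narrow and slow clients fail, too wide and a captured cookie stays replayable longer.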