Flood Protection
Protect the entire zone against SYN, UDP, ICMP, ICMPv6,
and Other IP flood attacks.
A Zone Protection profile with flood protection configured
defends an entire ingress zone against SYN, ICMP, ICMPv6, UDP, and
other IP flood attacks. The firewall measures the aggregate amount
of each flood type entering the zone in new connections-per-second
(CPS) and compares the totals to the thresholds you configure in
the Zone Protection profile. (You protect critical individual devices
within a zone with
DoS Protection profiles and policy
rules.)
Measure and monitor firewall dataplane CPU consumption
to ensure that each firewall is properly sized to support DoS and
Zone Protection and any other features that consume CPU cycles,
such as decryption. If you use Panorama to manage your firewalls,
Device Monitoring
shows you the CPU and memory consumption of each managed firewall.
It can also show you a 90-day trend line of CPU average and peak
use to help you understand the typical available capacity of each
firewall.
For each flood type, you set three thresholds for new CPS entering
the zone, and you can set a drop Action for
SYN floods. If you know the baseline CPS rates for the zone, use
these guidelines to set the initial thresholds, and then monitor
and adjust the thresholds as necessary.
Alarm Rate—The new CPS threshold to trigger an
alarm. Target setting the Alarm Rate to 15-20% above
the average CPS rate for the zone so that normal fluctuations don’t
cause alerts.
Activate—The new CPS threshold to activate the flood
protection mechanism and begin dropping new connections. For ICMP, ICMPv6,
UDP, and other IP floods, the protection mechanism is Random Early
Drop (RED, also known as Random Early Detection). For SYN floods only,
you can set the drop Action to SYN Cookies
or RED. Target setting the Activate rate
to just above the peak CPS rate for the zone to begin mitigating
potential floods.
Maximum—The new CPS rate above which the firewall drops
incoming packets when RED is the protection mechanism. Target setting
the Maximum rate to approximately 80-90%
of firewall capacity, taking into account other features that consume
firewall resources.
If you don’t know the baseline CPS rates for the zone, start
by setting the Maximum CPS rate to approximately
80-90% of firewall capacity and use it to derive reasonable flood
mitigation alarm and activation rates. Set the Alarm
Rate and Activate rate based
on the Maximum rate. For example, you could set the Alarm
Rate to half the Maximum rate
and adjust it depending on how many alarms you receive and the firewall
resources being consumed. Be careful setting the Activate
Rate since it begins to drop connections. Because normal
traffic loads experience some fluctuation, it’s best not to drop
connections too aggressively. Err on the high side and adjust the
rate if firewall resources are impacted.
SYN Flood Protection is the only type for which you set
the drop Action. Start by setting the Action to SYN
Cookies. SYN Cookies treats legitimate traffic fairly
and only drops traffic that fails the SYN handshake, whereas
Random Early Drop drops traffic randomly, so RED may affect legitimate
traffic. However, SYN Cookies is more resource-intensive because
the firewall acts as a proxy for the target server and handles the
three-way handshake for the server. The tradeoff is not dropping
legitimate traffic (SYN Cookies) versus preserving firewall resources
(RED). Monitor the firewall, and if SYN Cookies consumes too many
resources, switch to RED. If you don’t have a dedicated DDoS prevention
device in front of the firewall, always use RED as the drop mechanism.
When SYN
Cookies is activated, the firewall does not honor the
TCP options that the server sends because it does not know these
values at the time that it proxies the SYN/ACK. Therefore, values
such as the TCP server’s window size and MSS values cannot be negotiated
during the TCP handshake and the firewall will use its own default
values. In the scenario where the MSS of the path to the server
is smaller than the firewall’s default MSS value, the packet will
need to be fragmented.
The default threshold values are high so that activating a Zone
Protection profile doesn’t unexpectedly drop legitimate traffic.
Adjust the thresholds to values appropriate for your network’s traffic.
The best method for understanding how to set reasonable flood thresholds
is to take baseline measurements of average and peak CPS for each
flood type to determine the normal traffic conditions for each zone
and to understand the capacity of the firewall, including the impact
of other resource-consuming features such as decryption. Monitor
and adjust the flood thresholds as needed and as your network evolves.
Firewalls with multiple dataplane processors (DPs) distribute
connections across DPs. In general, the firewall divides the CPS
threshold settings equally across its DPs. For example, if a firewall
has five DPs and you set the Alarm Rate to
20,000 CPS, each DP has an Alarm Rate of
4,000 CPS (20,000 / 5 = 4,000), so if the new sessions on a DP exceed
4,000, it triggers the Alarm Rate threshold
for that DP.
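The threshold guidance above (Alarm Rate 15-20% above average CPS, Activate just above peak CPS, Maximum at 80-90% of firewall capacity, Alarm at half of Maximum when no baseline exists) and the per-dataplane division in the last paragraph can be turned into a small planning and review tool. The following Python is an added example written for this page; it is not PAN-OS code and does not talk to a firewall. The exact percentages chosen inside the ranges, the "just above peak" margin, the rule that Alarm must not exceed Activate, integer division for per-DP splits, and all sample CPS readings are assumptions constructed for the example.

```python
"""Flood-threshold planner for a Zone Protection profile (added example).

Encodes the sizing guidance from the text:
  * known baseline:   Alarm = avg CPS + 15-20%, Activate = just above peak CPS,
                      Maximum = 80-90% of firewall capacity
  * unknown baseline: Maximum = 80-90% of capacity, Alarm = Maximum / 2,
                      Activate set high (conservatively) between the two
  * multi-DP boxes:   each threshold divided equally across dataplanes
Every percentage picked inside those ranges is an assumption exposed as a
parameter so it can be tuned per zone after monitoring.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodThresholds:
    """New connections-per-second (CPS) at each threshold for one flood type."""
    alarm: int
    activate: int
    maximum: int

    def __post_init__(self) -> None:
        # Assumption: a usable profile keeps the three rates ordered, so the
        # firewall alerts before it starts dropping and never has a zero rate.
        if not 0 < self.alarm <= self.activate <= self.maximum:
            raise ValueError(
                "need 0 < alarm <= activate <= maximum, got "
                f"{self.alarm} / {self.activate} / {self.maximum}")


def _ceil_div(n: int, d: int) -> int:
    """Integer ceiling division (avoids float rounding on large CPS values)."""
    return -(-n // d)


def thresholds_from_baseline(avg_cps: int, peak_cps: int, capacity_cps: int, *,
                             alarm_margin_pct: int = 20,   # assumption: top of 15-20%
                             peak_margin_pct: int = 5,     # assumption: "just above peak"
                             capacity_pct: int = 85) -> FloodThresholds:  # assumption: inside 80-90%
    """Known baseline: derive all three rates from measured average/peak CPS."""
    alarm = _ceil_div(avg_cps * (100 + alarm_margin_pct), 100)
    activate = _ceil_div(peak_cps * (100 + peak_margin_pct), 100)
    maximum = capacity_cps * capacity_pct // 100
    return FloodThresholds(alarm, activate, maximum)


def thresholds_from_capacity(capacity_cps: int, *,
                             capacity_pct: int = 85,        # assumption: inside 80-90%
                             alarm_pct_of_max: int = 50,     # page: Alarm = half of Maximum
                             activate_pct_of_max: int = 75) -> FloodThresholds:  # assumption: err high
    """Unknown baseline: start from firewall capacity and work downwards."""
    maximum = capacity_cps * capacity_pct // 100
    alarm = maximum * alarm_pct_of_max // 100
    activate = maximum * activate_pct_of_max // 100
    return FloodThresholds(alarm, activate, maximum)


def per_dataplane(zone: FloodThresholds, dp_count: int) -> FloodThresholds:
    """Split zone-wide thresholds equally across dataplane processors.
    Integer division is an assumption about how a non-divisible rate rounds."""
    return FloodThresholds(zone.alarm // dp_count,
                           zone.activate // dp_count,
                           zone.maximum // dp_count)


def classify(observed_cps: int, limits: FloodThresholds) -> str:
    """Name the highest threshold an observed new-CPS reading has crossed."""
    if observed_cps > limits.maximum:
        return "maximum"
    if observed_cps > limits.activate:
        return "activate"
    if observed_cps > limits.alarm:
        return "alarm"
    return "normal"


def review_dataplanes(readings: dict, zone: FloodThresholds) -> dict:
    """readings: {dp_id: observed new CPS on that DP}. Each DP is judged against
    its own share of the zone thresholds, as the page describes."""
    limits = per_dataplane(zone, len(readings))
    return {dp: classify(cps, limits) for dp, cps in readings.items()}


if __name__ == "__main__":
    # Constructed zone profile for a five-DP firewall and constructed counters.
    zone = FloodThresholds(alarm=20_000, activate=40_000, maximum=80_000)
    sample = {"dp0": 3_200, "dp1": 4_500, "dp2": 9_100, "dp3": 17_000, "dp4": 1_000}
    for dp, state in review_dataplanes(sample, zone).items():
        print(f"{dp}: {state}")
```

With the constructed sample, dp1 at 4,500 CPS crosses its 4,000 CPS per-DP Alarm Rate share exactly as in the page's 20,000 / 5 example, while dp2 and dp3 show the same counters crossing Activate and Maximum; feeding real per-DP counters into `review_dataplanes` is a quick way to see which threshold a zone is actually brushing against before tuning.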