DoS Protection Option/Protection Tab
End-of-Life (EoL)
Select the Option/Protection tab to configure options for the DoS Protection policy rule, such as the type of service to which the rule applies, the action to take against packets that match the rule, and whether to trigger log forwarding for matched traffic. You can also define a schedule for when the rule is active.

You can also select an aggregate DoS Protection profile and/or a classified DoS Protection profile. These profiles determine the threshold rates that, when exceeded, cause the firewall to take protective actions: trigger an alarm, activate an action such as Random Early Drop, and drop packets that exceed the maximum threshold rate.
Field | Description |
---|---|
Service | Click Add and select one or more services to which the DoS Protection policy applies. The default is Any service. For example, if the DoS policy protects web servers, specify HTTP, HTTPS, and any other appropriate service ports for the web applications. For critical servers, create separate DoS Protection rules to protect the unused service ports to help prevent targeted attacks. |
Action | Select the action the firewall performs on packets that match the DoS Protection policy rule: The object of applying DoS Protection is to protect against DoS attacks, so you should usually use Protect. Deny drops legitimate traffic along with DoS traffic, and Allow doesn’t stop DoS attacks. Use Deny and Allow only to make exceptions within a group. For example, you can deny the traffic from most of a group but allow a subset of that traffic, or allow the traffic from most of a group but deny a subset of that traffic. |
Schedule | Specify the schedule during which the DoS Protection policy rule is in effect. The default setting of None indicates no schedule; the policy is always in effect. Alternatively, select a schedule or create a new schedule to control when the DoS Protection policy rule is in effect. Enter a Name for the schedule. Select Shared to share this schedule with every virtual system on a multiple virtual system firewall. Select a Recurrence of Daily, Weekly, or Non-recurring. Add a Start Time and End Time in hours:minutes, based on a 24-hour clock. |
Log Forwarding | If you want to trigger forwarding of threat log entries for matched traffic to an external service, such as a syslog server or Panorama, select a Log Forwarding profile or click Profile to create a new one. The firewall logs and forwards only traffic that matches an action in the rule. For easier management, forward DoS logs separately from other Threat logs, both directly to administrators via email and to a log server. |
Aggregate | Aggregate DoS Protection profiles set thresholds that apply to the combined group of devices specified in the DoS Protection rule, to protect those server groups. For example, an Alarm Rate threshold of 10,000 CPS means that when the total new CPS to the entire group exceeds 10,000 CPS, the firewall triggers an alarm message. Select an Aggregate DoS Protection profile that specifies the threshold rates at which the incoming connections per second trigger an alarm, activate an action, and exceed a maximum rate. All incoming connections (the aggregate) count toward the thresholds specified in an Aggregate DoS Protection profile. An Aggregate profile setting of None means there are no threshold settings in place for the aggregate traffic. See Objects > Security Profiles > DoS Protection. |
Classified | Classified DoS Protection profiles set thresholds that apply to each individual device specified in the DoS Protection rule, to protect individual or small groups of critical servers. For example, an Alarm Rate threshold of 10,000 CPS means that when the total new CPS to any individual server specified in the rule exceeds 10,000 CPS, the firewall triggers an alarm message. Select this option and specify the following: If you specify a Classified DoS Protection profile, only the incoming connections that match a source IP address, destination IP address, or source and destination IP address pair count toward the thresholds specified in the profile. For example, you can specify a Classified DoS Protection profile with a Max Rate of 100 cps and specify an Address setting of source-ip-only in the rule. The result would be a limit of 100 connections per second for that particular source IP address. Don’t use source-ip-only or src-dest-ip-both for internet-facing zones, because the firewall can’t store counters for all possible internet IP addresses. Use destination-ip-only in perimeter zones. Use destination-ip-only to protect individual critical devices. Use source-ip-only and the Alarm threshold to monitor suspect hosts in non-internet-facing zones. |
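As an added illustration (not PAN-OS code, and a simplified model with constructed thresholds and constructed traffic), the script below counts new connections in one second the way an aggregate profile does (one shared counter for the whole rule) and the way a classified profile does for each Address setting, then reports which threshold each counter crosses. The number of counters it ends up with for source-ip-only and src-dest-ip-both is the reason those settings are unsuitable for internet-facing zones.

```python
from collections import Counter

# Constructed thresholds (new connections per second), standing in for the
# Alarm Rate / Activate Rate / Max Rate of a DoS Protection profile.
THRESHOLDS = {"alarm": 3, "activate": 5, "max": 8}

# Constructed sample: 9 distinct sources each opening one connection to a web
# server, plus one source opening 4 connections to a second server.
CONNS = (
    [(f"203.0.113.{i}", "10.0.0.5") for i in range(1, 10)]
    + [("198.51.100.7", "10.0.0.6")] * 4
)

def counter_key(conn, address):
    """Map a (src, dst) connection to the counter a classified profile uses
    for the given Address setting; None models an aggregate profile."""
    src, dst = conn
    if address is None:
        return "aggregate"          # one counter for the whole rule
    if address == "source-ip-only":
        return src
    if address == "destination-ip-only":
        return dst
    if address == "src-dest-ip-both":
        return (src, dst)
    raise ValueError(f"unknown Address setting: {address}")

def level_for(cps):
    """Highest threshold the observed rate exceeds."""
    if cps > THRESHOLDS["max"]:
        return "drop"        # above Max Rate: new connections are dropped
    if cps > THRESHOLDS["activate"]:
        return "activate"    # e.g. Random Early Drop kicks in
    if cps > THRESHOLDS["alarm"]:
        return "alarm"       # alarm logged, no enforcement yet
    return "ok"

def evaluate(conns, address=None):
    """Return {counter_key: (cps, level)} for one second of new connections."""
    counts = Counter(counter_key(c, address) for c in conns)
    return {key: (cps, level_for(cps)) for key, cps in counts.items()}

if __name__ == "__main__":
    for setting in (None, "destination-ip-only", "source-ip-only", "src-dest-ip-both"):
        result = evaluate(CONNS, setting)
        print(f"{setting or 'aggregate'}: {len(result)} counter(s) -> {result}")
```

With these inputs the aggregate counter and the destination-ip-only counter for 10.0.0.5 both cross Max Rate, while source-ip-only spreads the same traffic over ten per-source counters and only flags 198.51.100.7 at the alarm level.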