Configure Flood Protection

Defend an entire ingress zone against flood attacks.
Contact your account team to enable Cloud Management for NGFWs using Strata Cloud Manager.
Where Can I Use This?
  • NGFW (Managed by Strata Cloud Manager)
  • VM-Series, funded with Software NGFW Credits
What Do I Need?
  • AIOps for NGFW Premium license (use the Strata Cloud Manager app)
A Zone Protection profile with flood protection configured defends against SYN, UDP, ICMP, ICMPv6, and other IP flood attacks. The firewall measures the aggregate amount of each flood type entering the zone in new connections-per-second (CPS) and compares the totals to the thresholds you configure in the Zone Protection profile.
For each flood type, you set three thresholds for new CPS entering the zone, and for SYN floods you can also set a drop action. If you know the baseline CPS rates for the zone, use these guidelines to set the initial thresholds, and then monitor and adjust the thresholds as necessary.
If you don’t know the baseline CPS rates for the zone, start by setting the Maximum CPS rate to approximately 80-90% of firewall capacity and use it to derive reasonable flood mitigation alarm and activation rates. Set the Alarm Rate and Activate Rate based on the Maximum rate. For example, you could set the Alarm Rate to half the Maximum rate and adjust it depending on how many alarms you receive and the firewall resources being consumed. Be careful setting the Activate Rate since it begins to drop connections. Because normal traffic loads experience some fluctuation, it’s best not to drop connections too aggressively. Err on the high side and adjust the rate if firewall resources are impacted.
The default threshold values are high so that activating a Zone Protection profile doesn’t unexpectedly drop legitimate traffic. Adjust the thresholds to values appropriate for your network traffic. The best method for understanding how to set reasonable flood thresholds is to take baseline measurements of average and peak CPS for each flood type to determine the normal traffic conditions for each zone and to understand the capacity of the firewall, including the impact of other resource-consuming features such as decryption. Monitor and adjust the flood thresholds as needed and as your network evolves.
  1. Log in to Strata Cloud Manager.
  2. Select Manage > Configuration > NGFW and Prisma Access > Security Services > DoS Protection and select the Configuration Scope where you want to create the Zone Protection profile.
    You can select a folder or firewall from your Folders or select Snippets to configure the Zone Protection profile in a snippet.
  3. Navigate to Zone Protection Profiles and Add Profile.
  4. Enter a descriptive Name.
  5. (Optional) Enter a Description.
  6. Select Flood.
  7. Select the type of flood attack that you want to defend against and Enable.
    A single Zone Protection profile supports defense against multiple types of flood attacks.
    1. (SYN flood only) Select the Action the firewall takes.
      SYN Flood Protection is the only type for which you set the drop Action. Start by setting the Action to SYN Cookies. SYN Cookies treat legitimate traffic fairly and only drop traffic that fails the SYN handshake, whereas Random Early Detection (RED) drops traffic randomly, so RED might affect legitimate traffic. However, SYN Cookies are more resource-intensive because the firewall acts as a proxy for the target server and handles the three-way handshake on the server's behalf. The tradeoff is between not dropping legitimate traffic (SYN Cookies) and preserving firewall resources (RED). Monitor the firewall, and if SYN Cookies consume too many resources, switch to RED. If you don’t have a dedicated DDoS prevention device in front of the firewall, always use RED as the drop mechanism.
      When SYN Cookies is activated, the firewall doesn’t honor the TCP options that the server sends because it doesn’t know these values at the time that it proxies the SYN-ACK. Therefore, values such as the TCP server’s window size and MSS values can’t be negotiated during the TCP handshake and the firewall will use its own default values. In the scenario where the MSS of the path to the server is smaller than the firewall’s default MSS value, the packet will need to be fragmented.
    2. Set the Alarm Rate.
      This is the CPS threshold that triggers an alarm. Aim to set the Alarm Rate 15-20% above the average CPS rate for the zone so that normal fluctuations don't cause alerts.
    3. Set the Activation Rate.
      This is the CPS threshold to activate the flood protection mechanism and begin dropping new connections. For ICMP, ICMPv6, UDP, and other IP floods, the protection mechanism is RED.
      (SYN flood only) You can set the drop Action to SYN Cookies or RED. Aim to set the Activate Rate just above the peak CPS rate for the zone so that mitigation begins only when a potential flood exceeds normal peaks.
    4. Set the Maximum Rate.
      This is the CPS threshold at which the firewall drops incoming packets when RED is the protection mechanism. Aim to set the Maximum Rate to approximately 80-90% of firewall capacity, taking into account other features that consume firewall resources.
  8. Save.
  9. Create a Zone.
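The threshold guidance above (Alarm Rate 15-20% above average CPS, Activate Rate just above peak CPS, Maximum Rate at 80-90% of firewall capacity, or Alarm Rate at half the Maximum when no baseline exists) can be turned into a small calculator that also rejects orderings the firewall would handle badly. This is an added illustration, not Palo Alto Networks code; the baseline numbers, the 100,000 CPS capacity used in the tests, the 1% margin above peak, and the 75% activate fraction for the no-baseline case are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed baseline measurements (new connections per second) for one ingress zone.
BASELINE_CPS = {
    "syn":    {"average": 4000, "peak": 9000},
    "udp":    {"average": 1500, "peak": 3200},
    "icmp":   {"average": 200,  "peak": 600},
    "icmpv6": {"average": 50,   "peak": 150},
    "other":  {"average": 300,  "peak": 800},
}

@dataclass(frozen=True)
class FloodThresholds:
    alarm: int      # CPS that raises an alarm; nothing is dropped yet
    activate: int   # CPS that turns on SYN Cookies (SYN) or RED (all other floods)
    maximum: int    # CPS at which RED drops incoming packets

def validate(t, capacity_cps):
    """Alarm before activation, activation before maximum, maximum within capacity."""
    if not (0 < t.alarm < t.activate < t.maximum <= capacity_cps):
        raise ValueError(f"invalid threshold ordering: {t}")
    return t

def thresholds_from_baseline(average, peak, capacity_cps,
                             alarm_margin_pct=20, capacity_pct=85):
    """Known baseline: alarm 15-20% above average CPS, activate just above peak CPS
    (the 1% margin is an assumed value), maximum at 80-90% of firewall capacity."""
    alarm = average * (100 + alarm_margin_pct) // 100   # integer math keeps it exact
    activate = max(peak * 101 // 100 + 1, alarm + 1)    # never at or below the alarm
    maximum = capacity_cps * capacity_pct // 100
    return validate(FloodThresholds(alarm, activate, maximum), capacity_cps)

def thresholds_without_baseline(capacity_cps, capacity_pct=85, activate_pct=75):
    """Unknown baseline: maximum at 80-90% of capacity, alarm at half the maximum
    (the page's example), activate between them (75% of maximum is assumed)."""
    maximum = capacity_cps * capacity_pct // 100
    alarm = maximum // 2
    activate = maximum * activate_pct // 100
    return validate(FloodThresholds(alarm, activate, maximum), capacity_cps)

def flood_state(t, observed_cps):
    """Stage a current CPS reading for one flood type falls into."""
    if observed_cps >= t.maximum:
        return "maximum"   # RED drops incoming packets of this flood type
    if observed_cps >= t.activate:
        return "active"    # mitigation is dropping new connections
    if observed_cps >= t.alarm:
        return "alarm"     # alert only
    return "normal"
```

A ValueError from validate is the useful signal: it means the measured peak already sits above 80-90% of firewall capacity, so the zone needs a capacity review rather than a threshold tweak.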