Preventing DoS Attacks from Internet with Enhanced DoS and PBP Configurations
Protect your Palo Alto Networks firewalls against DoS attacks originating from the internet by using the enhanced DoS and PBP configurations.
For internet-facing zones, the current recommendation when configuring a DoS Protection policy rule is to classify traffic using the destination IP address only method. We recommend this method because it is difficult to track all the source IP addresses on the internet that reach the firewall.
Compared to the destination-ip-only method, both the source-ip-only and src-dest-ip-both methods use the software and hardware block tables to block attacks more efficiently and effectively. Because the destination-ip-only method does not use the software and hardware block tables, it can leave the firewall exposed to attacks.
Such sudden attacks lead to overconsumption of the firewall's resources, causing unstable connectivity and network outages.
We have now introduced the following improvements to protect Palo Alto Networks firewalls from DoS attacks:
New enhancements and their benefits:

Enhancement: The firewall can now block the offending source IP address using the software and hardware ACL blocking settings while classifying traffic by the destination IP address only method.
Benefit: With the DoS enhancement, you can now configure a DoS policy with destination-IP-address-only classification for internet-facing zones; this method strengthens the firewall's blocking efficacy against DoS attacks that originate from the internet and therefore protects the firewall's resources.

Enhancement: Packet buffer protection now monitors session latency and buffer utilization concurrently, and activates mitigation when either the latency or the buffer threshold is exceeded.
Benefit: With the PBP enhancement, you can now enable both buffer-based and latency-based activation at the same time when configuring packet buffer protection. This configuration protects the firewall's resources by activating mitigation when either the latency or the buffer threshold is exceeded.

Enhancement: Increase or decrease the software block duration for software block table entries.
Benefit: Configuring the software block duration in the software block table is most effective on software-based platforms; on hardware platforms, the software block table acts as additional protection alongside the hardware block table.

Enhancement: Extended SNMP support for buffer and on-chip packet descriptor utilization.
Benefit: With the SNMP enhancement, you can now monitor software tags/on-chip descriptors, buffer utilization (as a percentage), and firewall resources from the SNMP server.
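The following is an added illustrative model of the DoS and PBP enhancements described above; it is not PAN-OS code, and the threshold names, rates and durations are assumptions chosen for the example. It shows packet buffer protection activating when either latency or buffer utilization crosses its threshold, and a destination-IP-only DoS policy that still places the offending source in a software block table whose entries expire after a configurable block duration.

```python
"""Illustrative model (not PAN-OS code) of the two enhancements on this page.
All thresholds, rates and durations below are assumed values for the example."""
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class PbpConfig:
    buffer_activate_pct: float = 80.0   # assumed buffer-utilization activation threshold
    latency_activate_ms: float = 200.0  # assumed session-latency activation threshold


def pbp_should_activate(cfg: PbpConfig, buffer_pct: float, latency_ms: float) -> bool:
    """Both monitors run concurrently; either one crossing its threshold activates mitigation."""
    return buffer_pct >= cfg.buffer_activate_pct or latency_ms >= cfg.latency_activate_ms


@dataclass
class DosDestOnlyPolicy:
    """Rate is tracked per destination IP; the block is applied to the source that tipped it."""
    activate_rate: int = 1000           # assumed packets/second toward one destination
    block_duration_s: int = 300         # software block table entry lifetime (configurable)
    dst_counts: dict = field(default_factory=lambda: defaultdict(int))
    window_start: float = 0.0
    block_table: dict = field(default_factory=dict)   # source IP -> expiry timestamp

    def is_blocked(self, src_ip: str, now: float) -> bool:
        expiry = self.block_table.get(src_ip)
        if expiry is not None and now < expiry:
            return True
        self.block_table.pop(src_ip, None)   # entry absent or aged out of the block table
        return False

    def observe(self, src_ip: str, dst_ip: str, now: float) -> str:
        """Process one packet; returns 'blocked', 'block-added' or 'allowed'."""
        if self.is_blocked(src_ip, now):
            return "blocked"
        if now - self.window_start >= 1.0:   # start a new one-second rate window
            self.window_start = now
            self.dst_counts.clear()
        self.dst_counts[dst_ip] += 1
        if self.dst_counts[dst_ip] > self.activate_rate:
            # Destination-only classification, yet the offending source is what gets blocked.
            self.block_table[src_ip] = now + self.block_duration_s
            return "block-added"
        return "allowed"
```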