PAN-OS 8.0: DoS Firewall Protection

Created On 09/25/18 18:55 PM - Last Modified 07/18/19 20:11 PM


Resolution


This article highlights a new capability introduced in PAN-OS 8.0. To learn more about this feature, or about PAN-OS 8.0 in general, see the Technical Documentation.

 

DoS Firewall Protection adds the ability to track the sessions that consume the most firewall packet buffer, and lets the administrator set a global packet buffer utilization threshold at which the most abusive sessions are mitigated.

 

The feature also lets the administrator whitelist IP addresses, reducing the chance that a false positive impacts a critical service while the firewall protects itself.

 

The feature also provides SNMP MIB tracking of connections per second (CPS), which helps administrators tune their existing Zone Protection and DoS Protection policies.

 

 

Platform Support

  • Supported on all platforms (both hardware and VM-Series)
  • Supported on both FPGA and non-FPGA platforms
    For non-FPGA platforms, mitigation will take place in software

 

Performance

  • Enabling this feature does not adversely affect throughput performance of traffic that has not reached the packet buffer activate threshold.
  • When mitigation is activated, sessions that are not being mitigated should not see performance penalties if the packet buffers are not maxed out.
  • If packet buffers are maxed out, all sessions may be impacted, whether or not they are being mitigated.

 

Feature Interactions

 

High Availability

  • Device settings for Packet Buffer Protection and Zone configuration will synchronize between A/P and A/A HA members.
  • Session state for A/P (RED, discard) will synchronize between HA members.

Panorama

  • Feature configuration will be supported from Panorama templates.
  • When pushing out to devices that do not support this feature, the feature's configuration will be pruned.

 

Prior to PAN-OS 8.0, DoS and Zone Protection expressed the SYN, UDP and Other IP flood thresholds in packets per second (pps), which was a less accurate measure of flood activity.

7.1 dos profile.png

 

In PAN-OS 8.0, packet rate has been modified to correctly reflect (connections/sec) in the Zone and DoS profile configuration pages for SYN, UDP, Other IP flood attacks.

dos-profile-8.png

PAN-OS 7.1 and prior:

# set profiles dos-protection TEST flood tcp-syn enable yes red
+ activate-rate   Packet rate (pps) to start RED
+ alarm-rate      Packet rate (pps) to generate alarm
+ maximal-rate    Maximal packet rate (pps) allowed
> block           Parameters for blocking
  <Enter>         Finish input

PAN-OS 8.0:

# set profiles dos-protection TEST flood tcp-syn enable yes red
+ activate-rate   Connection rate (cps) to start RED
+ alarm-rate      Connection rate (cps) to generate alarm
+ maximal-rate    Maximal connection rate (cps) allowed
> block           Parameters for blocking
  <Enter>         Finish input

 Note: in a multi-vsys environment the profiles are located in the shared path:

# set shared profiles ...
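The following CLI session is an added example, not part of the original article, showing a DoS Protection profile configured on PAN-OS 8.0 with its flood thresholds in connections per second. The profile name TEST matches the article; the rate values, the `type aggregate` setting, the `red block duration` parameter and the prompt are illustrative and should be confirmed with `?` in your own CLI.

```console
# Added example (not from the original article). Values are illustrative.
admin@PA-VM> configure

# Aggregate profile: the thresholds apply to the total traffic matched by the
# DoS policy rule that references this profile.
admin@PA-VM# set profiles dos-protection TEST type aggregate

# SYN flood: rates are now connections/sec (cps), not packets/sec.
# alarm-rate    -> log a threat event
# activate-rate -> start Random Early Drop (RED) on new connections
# maximal-rate  -> drop everything above this rate
admin@PA-VM# set profiles dos-protection TEST flood tcp-syn enable yes red alarm-rate 10000 activate-rate 10000 maximal-rate 40000

# Assumed parameter: how long (seconds) an offending source stays blocked
# once the maximal rate is exceeded. Verify the exact path with '?'.
admin@PA-VM# set profiles dos-protection TEST flood tcp-syn red block duration 300

# The same three cps thresholds exist for UDP and Other IP floods.
admin@PA-VM# set profiles dos-protection TEST flood udp enable yes red alarm-rate 10000 activate-rate 10000 maximal-rate 40000
admin@PA-VM# set profiles dos-protection TEST flood other-ip enable yes red alarm-rate 10000 activate-rate 10000 maximal-rate 40000

# On a multi-vsys firewall the profile lives under 'shared' instead:
#   set shared profiles dos-protection TEST flood tcp-syn enable yes red ...

admin@PA-VM# commit
```

Two caveats a practitioner should keep in mind. First, the profile does nothing until a DoS Protection policy rule references it. Second, because the unit changed from pps to cps between 7.1 and 8.0, re-validate any thresholds carried over from a pre-8.0 configuration rather than assuming the old numbers still mean the same thing; for UDP and Other IP traffic in particular, many packets can belong to a single connection, so a value that was sensible in pps may be far too high in cps.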

 

Configuration

 

Packet Buffer Protection Thresholds have been added to 'Session Settings,' via Device Tab > Setup > Session. This option is disabled by default, with the following thresholds defined:

packet buffer protection.png

 

Packet Buffer Protection - checkbox that enables or disables the global setting.

  • When enabled (checked), the firewall keeps track of the top packet buffer consuming sessions on each dataplane (DP). Default is Disabled (Unchecked).

Alert (%) - threshold is expressed as a percentage of packet buffer utilization. When the alert threshold is reached, a log event will be created every 10 seconds.

  • Range: 0% - 99%. Default: 50%. 0% means to turn off alerting.

Activate (%) - threshold expressed as a percentage of packet buffer utilization. When the activate threshold is reached, the firewall begins mitigating the top abusive sessions in the zone(s) where the feature is enabled, by applying Random Early Drop (RED) to the sessions it identifies as abusive.

  • Range: 0% - 99%. Default is 50%. 0% means to turn off mitigation.

Block Hold Time - expressed in seconds. How long a session is allowed to keep abusing packet buffers after RED has been applied to it. If the session continues to drive packet buffer utilization above the Activate threshold for longer than the hold time, the session is discarded.

  • Range is 0-65535 seconds. Default is 60 seconds.

Block Duration - expressed in seconds. How long the discard/block of an offending session remains in effect.

  • Range is 1-15999999 seconds. Default is 3600 seconds.

 

Zone UI now includes an option for 'Enable Packet Buffer Protection,' beneath the Zone Protection Profile selection drop-down:

zone packet buffer protection.png
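The following CLI session is an added example, not part of the original article, that performs both configuration steps above from the CLI: the global thresholds under Device > Setup > Session, then the per-zone enable. The values are the defaults the article lists; the zone name `untrust`, the vsys name `vsys1` and the prompt are illustrative.

```console
# Added example (not from the original article). Zone/vsys names are illustrative.
admin@PA-VM> configure

# Step 1: global Packet Buffer Protection settings (Device > Setup > Session).
# Thresholds are % of packet buffer utilization; 0 disables alert/mitigation.
admin@PA-VM# set deviceconfig setting session packet-buffer-protection-enable yes
admin@PA-VM# set deviceconfig setting session packet-buffer-protection-alert 50
admin@PA-VM# set deviceconfig setting session packet-buffer-protection-activate 50
# Seconds a RED'ed session may keep driving utilization above Activate
# before it is discarded (range 0-65535).
admin@PA-VM# set deviceconfig setting session packet-buffer-protection-block-hold-time 60
# Seconds the discard/block stays in effect (range 1-15999999).
admin@PA-VM# set deviceconfig setting session packet-buffer-protection-block-duration 3600

# Step 2: enable per zone. The global setting only tracks top sessions and
# alerts; mitigation is applied only to sessions in zones where this is on.
admin@PA-VM# set zone untrust network enable-packet-buffer-protection yes

# On a multi-vsys firewall the zone is addressed under its vsys:
#   set vsys vsys1 zone untrust network enable-packet-buffer-protection yes

admin@PA-VM# commit
```

A practical way to roll this out is to commit Step 1 with Activate set to 0 first, so the firewall only alerts, watch the alert logs (one every 10 seconds while utilization stays above the Alert threshold), and only then raise Activate and enable the zones you want mitigated; that way the feature's view of "top abusers" can be compared with expected traffic before any session is RED'ed or discarded.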

 

Zone Protection Profile also includes a Source Address Exclusion Whitelist within Reconnaissance Protection.

  • Addresses/Subnets within the whitelist will be exempt from any actions defined within the Reconnaissance Protection options.
  • Any combination of IPv4 and IPv6 is supported.
  • IP Address Ranges are supported.
  • FQDN objects are currently not supported.
  • Up to 20 IP addresses/objects can be added.
  • Although exempt from any action, Traffic Logs will report Informational Alerts referencing whitelisted IPs.

reconnaissance whitelist.png
