Palo Alto Networks Knowledgebase: PAN-OS 8.0: DoS Firewall Protection

PAN-OS 8.0: DoS Firewall Protection

4217
Created On 07/18/19 19:26 PM - Last Updated 07/18/19 20:11 PM
8.0 PAN-OS
Resolution

This article highlights a new capability or feature introduced in PAN-OS 8.0. If you’d like to learn more about this topic or PAN-OS 8.0 in-general, you’ll also want to check out our world-class Technical Documentation.

 

DoS Firewall Protection will enhance the firewall with the ability to track the top firewall packet buffer abusers and allow the administrator to specify a global threshold at which mitigation will take place on the most abusive sessions.

 

The feature will also provide the ability to whitelist IP addresses to allow the administrator to further reduce chances of false positives that can impact critical services, while protecting the firewall.

 

The feature will provide SNMP MIB CPS tracking to help administrators understand how to better configure the existing Zone and DoS protection policies.

 

 

Platform Support

  • Supported on all platforms (both hardware and VM-Series)
  • Supported on both FPGA and non-FPGA platforms
    For non-FPGA platforms, mitigation will take place in software

 

Performance

  • Enabling this feature does not adversely affect throughput performance of traffic that has not reached the packet buffer activate threshold.
  • When mitigation is activated, sessions that are not being mitigated should not see performance penalties if the packet buffers are not maxed out.
  • If packet buffers are maxed out, it is understood that all sessions may be impacted.

 

Feature Interactions

 

High Availability

  • Device settings for Packet Buffer Protection and Zone configuration will synchronize between A/P and A/A HA members.
  • Session state for A/P (RED, discard) will synchronize between HA members.

Panorama

  • Feature configuration will be supported from Panorama templates.
  • When pushing out to devices that do not support this feature, the feature's configuration will be pruned.

 

Prior to PAN-OS 8.0, DoS and Zone Protection uses (packetss) for SYN, UDP, and Other IP flood protection which was less accurate.

7.1 dos profile.png

 

In PAN-OS 8.0, packet rate has been modified to correctly reflect (connections/sec) in the Zone and DoS profile configuration pages for SYN, UDP, Other IP flood attacks.

dos-profile-8.png

PAN-OS 7.1 and prior:

# set profiles dos-protection TEST flood tcp-syn enable yes red
+ activate-rate   Packet rate (pps) to start RED
+ alarm-rate      Packet rate (pps) to generate alarm
+ maximal-rate    Maximal packet rate (pps) allowed
> block           Parameters for blocking
  <Enter>         Finish input

PAN-OS 8.0:

# set profiles dos-protection TEST flood tcp-syn enable yes red
+ activate-rate   Connection rate (cps) to start RED
+ alarm-rate      Connection rate (cps) to generate alarm
+ maximal-rate    Maximal connection rate (cps) allowed
> block           Parameters for blocking
  <Enter>         Finish input

 note: in a multi-vsys environment the profiles are located in the shared path

# set shared profiles ...

 

Configuration

 

Packet Buffer Protection Thresholds have been added to 'Session Settings,' via  Device Tab > Setup > Session. This option is disabled by default, with the following thresholds defined:

packet buffer protection.png

 

Packet Buffer Protection - checkbox allows user to enable/disable the global setting. 

  • When enabled (checked), the firewall will keep track of the top sessions (per DP). Default is Disabled (Unchecked)

Alert (%) - threshold is expressed as a percentage of packet buffer utilization. When the alert threshold is reached, a log event will be created every 10 seconds.

  • Range: 0% - 99%. Default: 50%. 0% means to turn off alerting.

Activate (%) - threshold is expressed as a percentage of packet buffer utilization. When the activate threshold is reached, the firewall will begin mitigating the top abusive sessions on the firewall on the zone(s) the feature is enabled on. RED is used on abusive sessions identified.

  • Range: 0% - 99%. Default is 50%. 0% means to turn off mitigation.

Block Hold Time - expressed in seconds. The time the session continues to be abusive to packet buffers even after RED has been implemented. If the session continues to drive packet buffer use above the Activate threshold and past the hold time set, the session is discarded.

  • Range is 0-65535 seconds. Default is 60 seconds.

Block Duration - expressed in seconds. The time the discard/block is performed.

  • Range is 1-15999999 seconds. Default is 3600 seconds.

 

Zone UI now includes an option for 'Enable Packet Buffer Protection,' beneath the Zone Protection Profile selection drop-down:

zone packet buffer protection.png

 

Zone Protection Profile also includes a Source Address Exclusion Whitelist within Reconnaissance Protection.

  • Addresses/Subnets within the whitelist will be exempt from any actions defined within the Reconnaissance Protection options.
  • Any combination of IPv4 and IPv6 is supported.
  • IP Address Ranges are supported.
  • FQDN objects are currently not supported.
  • Up to 20 IP addresses/objects can be added.
  • Although exempt from any action, Traffic Logs will report Informational Alerts referencing whitelisted IPs.

reconnaissance whitelist.png



Attachments
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClRmCAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Attachments
Choose Language