How to Configure a Policy with DoS Protection to Protect Hosted Services

Created On 09/26/18 13:47 PM - Last Modified 07/18/24 12:11 PM


Resolution


Overview

The Palo Alto Networks firewall is configured to host a service. For this example, the firewall is configured to perform destination NAT towards a web server in the Trust network. A policy is now needed for protection against DoS attacks.

DOS_Protection_Topology.jpg

 

Steps

    1. Create a custom DoS Protection Profile
      1. Navigate to Objects > DoS Protection
      2. Click Add
      3. Configure the DoS Protection Profile (see example below)

        image.png

        image.png

         

    2. Create a DoS Protection Policy using the profile created in step 1.

      1. Navigate to Policies > DoS Protection

      2. Click Add to bring up a new DoS Rule dialog

      3. Associate the DoS Protection profile created earlier

      4. Set the action to Protect. The default action is Deny, which will deny all traffic matching this flow.

        image.png

        image.png

         

        Note: The example above uses lab-environment values for the thresholds. When configuring DoS or Zone Protection, it is important to measure average and peak connections-per-second (CPS) for critical servers and zones before beginning deployment. When deploying the setup in production, the values need to be set in accordance with the traffic the network is expected to handle. See How to Measure CPS.
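The note above asks for average and peak CPS per critical server before thresholds are chosen. The following is an added example, not part of the original article or any Palo Alto Networks tooling: it derives both figures per destination from a list of session start times. The log layout (`timestamp,source,destination,port`), the addresses, and the function name are constructed for illustration and are not the PAN-OS traffic log format.

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one line per new session (start time, source, destination, port).
# Assumption: you have exported session starts in this shape; adapt the parser otherwise.
SAMPLE_LOG = """\
2024-07-18T12:00:00,198.51.100.7,10.1.1.10,80
2024-07-18T12:00:00,198.51.100.8,10.1.1.10,80
2024-07-18T12:00:00,203.0.113.5,10.1.1.10,80
2024-07-18T12:00:01,198.51.100.7,10.1.1.10,80
2024-07-18T12:00:02,203.0.113.9,10.1.1.20,443
2024-07-18T12:00:03,203.0.113.9,10.1.1.20,443
2024-07-18T12:00:04,198.51.100.8,10.1.1.10,80
2024-07-18T12:00:04,203.0.113.5,10.1.1.10,80
"""


def cps_by_destination(log_text):
    """Return {(dst_ip, dst_port): (average_cps, peak_cps)}.

    The average is taken over every second between a destination's first and
    last observed session, so idle seconds count as zero instead of being
    skipped (skipping them would inflate the average).
    """
    per_second = defaultdict(Counter)
    for line in log_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, _src, dst, port = line.split(",")
        second = int(datetime.fromisoformat(ts).timestamp())
        per_second[(dst, int(port))][second] += 1

    stats = {}
    for key, counts in per_second.items():
        window = max(counts) - min(counts) + 1  # seconds, inclusive
        average = sum(counts.values()) / window
        peak = max(counts.values())
        stats[key] = (average, peak)
    return stats


if __name__ == "__main__":
    for (dst, port), (avg, peak) in sorted(cps_by_destination(SAMPLE_LOG).items()):
        print(f"{dst}:{port}  average={avg:.2f} cps  peak={peak} cps")
```

Run it over a capture that spans normal business peaks; a short or off-hours sample understates the peak and leads to thresholds that trigger on legitimate traffic.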

 

owner: sberti

 


Additional Information


How to Measure CPS
