How to mitigate an abnormal increase in "flow_dos_ag_max_sess_limit" global counter


Created On 11/29/23 00:29 AM - Last Modified 11/29/23 01:50 AM


Objective


The counter flow_dos_ag_max_sess_limit increments when the configured Maximum Concurrent Sessions limit for an Aggregate DoS Protection Profile is reached or exceeded.

Below is an example of the global counter flow_dos_ag_max_sess_limit incrementing in the firewall:
> show counter global

name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_dos_ag_max_sess_limit 1 0 drop flow dos Session limit reached for aggregate profile, drop session
Note: This excessive traffic may be an outside attacker attempting to perform a Denial-of-Service attack, or it may simply be a high rate of known traffic in the network coming through the firewall. The source and nature of the traffic must be narrowed down to determine which abnormal traffic flows caused this to occur.
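An "abnormal increase" is only visible by comparing two readings of the counter. The following script, added here as an example and not part of the original article, parses the tabular output of show counter global shown above from two snapshots taken some time apart and flags the counter when its value grew by more than a chosen threshold. The snapshot text, the second placeholder row, and the threshold are constructed for this example.

```python
"""Parse two 'show counter global' snapshots and flag an abnormal increase.

Added example; not from the original article. Sample snapshots are constructed.
"""
from dataclasses import dataclass

COUNTER = "flow_dos_ag_max_sess_limit"


@dataclass
class GlobalCounter:
    name: str
    value: int
    rate: int
    severity: str
    category: str
    aspect: str
    description: str


def parse_counters(output: str) -> dict[str, GlobalCounter]:
    """Parse the tabular output into a dict keyed by counter name.

    The prompt line, the header line and the dashed separator are skipped;
    the description is everything after the six fixed columns.
    """
    counters: dict[str, GlobalCounter] = {}
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith(">") or line.startswith("name ") or line.startswith("-"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 6:
            continue
        name, value, rate, severity, category, aspect = parts[:6]
        description = parts[6] if len(parts) > 6 else ""
        try:
            counters[name] = GlobalCounter(
                name, int(value), int(rate), severity, category, aspect, description
            )
        except ValueError:
            # A row whose value/rate columns are not integers is not a counter row
            continue
    return counters


def counter_delta(before: str, after: str, name: str = COUNTER):
    """Return the increase of `name` between two snapshots, or None if absent in either."""
    b, a = parse_counters(before), parse_counters(after)
    if name not in b or name not in a:
        return None
    return a[name].value - b[name].value


def is_abnormal(before: str, after: str, threshold: int, name: str = COUNTER) -> bool:
    """True when the counter grew by at least `threshold` between the snapshots."""
    delta = counter_delta(before, after, name)
    return delta is not None and delta >= threshold


# Constructed snapshots: the first row mirrors the article's output, the
# second row is a placeholder to show that other counters are parsed too.
SNAPSHOT_T0 = """\
> show counter global

name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_dos_ag_max_sess_limit 1 0 drop flow dos Session limit reached for aggregate profile, drop session
example_placeholder_counter 42 0 info flow placeholder Constructed placeholder row
"""

SNAPSHOT_T1 = """\
> show counter global

name value rate severity category aspect description
--------------------------------------------------------------------------------
flow_dos_ag_max_sess_limit 2501 120 drop flow dos Session limit reached for aggregate profile, drop session
example_placeholder_counter 43 0 info flow placeholder Constructed placeholder row
"""

if __name__ == "__main__":
    print("delta:", counter_delta(SNAPSHOT_T0, SNAPSHOT_T1))
    print("abnormal:", is_abnormal(SNAPSHOT_T0, SNAPSHOT_T1, threshold=100))
```

The threshold is deliberately a parameter: what counts as abnormal depends on the session rate that is normal for the network behind each DoS Protection Profile, so it should be set from a baseline rather than hard-coded.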


Environment


  • Next Generation Firewall


Procedure


  1. Identify the Source IP and Destination IP addresses/ports involved and which DoS Protection Profile/Rule reached its Maximum Concurrent Sessions limit by navigating to Monitor > Threat Logs and searching for logs with the Name 'Session Limit Event'
  2. If the traffic is known/legitimate traffic, take one or more of the following actions:
    1. Go to the device generating this traffic and shut down or stop the device from sending this traffic at its source
    2. Slow down or spread out the rate at which that device/application sends traffic
    3. Block/Deny this traffic at a device in the path of this traffic before it reaches the firewall
    4. Verify there is no routing issue/loop causing many packets to ingress the firewall repeatedly
Note: You may adjust the Maximum Concurrent Sessions to a higher value if the existing value is too low and is dropping known, legitimate traffic. See DoS Protection Profiles for suggested values.
  3. If the traffic is unknown/an attacker, take one or more of the following actions:
    1. Verify this traffic would hit a Security Policy Deny rule and create one if needed
    2. Block/Deny this traffic at a device in the path of this traffic before it reaches the firewall
    3. Ensure that Zone Protection Profiles are configured to protect against packet floods
    4. Consider using a specialized DDoS appliance or service
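Step 1 of the procedure is a triage of the 'Session Limit Event' threat logs: which sources, which destinations/ports and which DoS rule are behind the counter increase, and whether each source is known traffic (the second branch of the procedure) or unknown (the third). The script below, added here as an example and not part of the original article, does that triage over exported log lines. The column order, the sample lines and the set of known sources are all constructed for this example; the column layout is an assumption and is not the firewall's actual threat-log export format.

```python
"""Triage 'Session Limit Event' threat-log entries behind a
flow_dos_ag_max_sess_limit increase.

Added example; not from the original article. The column layout is an
assumption made for this example, and all sample data is constructed.
"""
import csv
from collections import Counter
from io import StringIO

# Assumed column order of the exported log lines (constructed for this example)
FIELDS = ["receive_time", "src", "dst", "dport", "rule", "name"]
EVENT_NAME = "Session Limit Event"

# Constructed sample log lines: two sources hit the same aggregate DoS rule,
# one unrelated threat line is present to show it is filtered out.
SAMPLE_LOG = """\
2023/11/29 00:10:01,10.1.1.50,192.0.2.10,443,dos-aggregate-web,Session Limit Event
2023/11/29 00:10:02,198.51.100.7,192.0.2.10,443,dos-aggregate-web,Session Limit Event
2023/11/29 00:10:02,198.51.100.7,192.0.2.10,443,dos-aggregate-web,Session Limit Event
2023/11/29 00:10:03,198.51.100.7,192.0.2.11,443,dos-aggregate-web,Session Limit Event
2023/11/29 00:10:04,10.1.1.50,192.0.2.10,443,dos-aggregate-web,Session Limit Event
2023/11/29 00:10:05,10.1.1.22,192.0.2.10,80,dos-aggregate-web,Some Other Threat
"""

# Sources the operator has already confirmed as legitimate (constructed)
KNOWN_SOURCES = {"10.1.1.50"}


def parse_session_limit_events(text: str) -> list[dict]:
    """Return only the rows whose Name column is 'Session Limit Event'."""
    reader = csv.DictReader(StringIO(text), fieldnames=FIELDS)
    return [row for row in reader if row["name"] == EVENT_NAME]


def summarize(events: list[dict]) -> dict:
    """Count events per source, per (destination, port) and per DoS rule."""
    return {
        "by_source": Counter(e["src"] for e in events),
        "by_destination": Counter((e["dst"], e["dport"]) for e in events),
        "by_rule": Counter(e["rule"] for e in events),
    }


def classify_sources(events: list[dict], known_sources: set) -> dict:
    """Split offending sources into known traffic and unknown/possible attacker."""
    sources = {e["src"] for e in events}
    return {
        "known": sorted(sources & known_sources),
        "unknown": sorted(sources - known_sources),
    }


if __name__ == "__main__":
    evts = parse_session_limit_events(SAMPLE_LOG)
    s = summarize(evts)
    print("top sources:", s["by_source"].most_common(3))
    print("top destinations:", s["by_destination"].most_common(3))
    print("rules:", s["by_rule"].most_common())
    print("classification:", classify_sources(evts, KNOWN_SOURCES))
```

The known-source set stands in for the operator's own knowledge of the network; the script only separates the two branches of the procedure, it does not decide by itself that an unknown source is hostile.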


Additional Information


Perform the steps in Follow Post Deployment DoS and Zone Protection Best Practices frequently to ensure the firewall configuration for Zone Protection and DoS Protection is appropriate and effective for your network traffic patterns.

Additional information:
Defending from DoS and volumetric DDoS attacks
How to Set Up DoS Protection
Understanding DoS Logs and Counters
DoS and Zone Protection Best Practices

