https://live.paloaltonetworks.com/t5/next-generation-firewall/ddos-dos-protection/m-p/563020#M1999 <P>Good Day<BR /><BR />It is possible to put a FW in front of the Internet Router, but the appliance would need to be scoped bigger to handle massive potential payloads that are unwarranted (DoS).<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SCantwell_IM_0-1698185710098.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54657i263E64FD378E2E2B/image-size/medium?v=v2&amp;px=400" role="button" title="SCantwell_IM_0-1698185710098.png" alt="SCantwell_IM_0-1698185710098.png" /></span></P> <P><BR />If given the choice, I would work with the ISP to help limit DoS attacks coming to the router, as more ISP hardware&nbsp; typically has better hardware buffer capacities to ward on a DDoS, built into their hardware.&nbsp;&nbsp;&nbsp; <BR /><BR />You may want to do some SNMP queries to determine that number of connection per sec (cps) that the router is handling at different times/peak times, to determine what PANW FW (if you choose to utilize it) for your customer.</P> <P>What other questions can we answer for you?</P> Tue, 24 Oct 2023 22:19:05 GMT S.Cantwell 2023-10-24T22:19:05Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ddos-dos-protection/m-p/561593#M1957 <P>Is there any benefit of placing an additional firewall on the OUTSIDE of the customer's internet/external router? There is already a perimeter firewall on the inside of this router.</P> <P>(Proposed additional firewall running virtual wire) &lt;---&gt; External Router (BGP and internet links) &lt;----&gt; Perimeter Firewall &lt;----&gt; Internal Router</P> <P>&nbsp;</P> <P>This external router is serving as the internet gateway for the FW as well as a BGP termination point for various of their external links. The firewall does not take part in the BGP. ALL traffic from that internet router then passes through a perimeter gateway firewall and then gets sent to wherever it needs to go to in the inside of the customer network (they have an internal router also).</P> <P>The network team wants us to put an additional PA firewall on the OUTSIDE of the internet router to provide protection for that router against DOS and other attacks. Note that inspection and security policies are already done on the firewall on the inside of the router to protect the internal resources.</P> <P>Will the PA be able to provide enough protection to make this worth while? I assume this will only for network layer attacks so only really what is available in a DOS protection profile or will vulnerability protection also help here? Or should they get a dedicated DDOS appliance for this?</P> <P>I've never had to firewall/protect the actual network infrastructure before so no idea what to&nbsp;tell&nbsp;them&nbsp;here.</P> Fri, 13 Oct 2023 07:12:32 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ddos-dos-protection/m-p/561593#M1957 ThamiDlaminiITN 2023-10-13T07:12:32Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ddos-dos-protection/m-p/563020#M1999 <P>Good Day<BR /><BR />It is possible to put a FW in front of the Internet Router, but the appliance would need to be scoped bigger to handle massive potential payloads that are unwarranted (DoS).<BR /><BR /></P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SCantwell_IM_0-1698185710098.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/54657i263E64FD378E2E2B/image-size/medium?v=v2&amp;px=400" role="button" title="SCantwell_IM_0-1698185710098.png" alt="SCantwell_IM_0-1698185710098.png" /></span></P> <P><BR />If given the choice, I would work with the ISP to help limit DoS attacks coming to the router, as more ISP hardware&nbsp; typically has better hardware buffer capacities to ward on a DDoS, built into their hardware.&nbsp;&nbsp;&nbsp; <BR /><BR />You may want to do some SNMP queries to determine that number of connection per sec (cps) that the router is handling at different times/peak times, to determine what PANW FW (if you choose to utilize it) for your customer.</P> <P>What other questions can we answer for you?</P> Tue, 24 Oct 2023 22:19:05 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ddos-dos-protection/m-p/563020#M1999 S.Cantwell 2023-10-24T22:19:05Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ddos-dos-protection/m-p/563032#M2001 <P>Hi <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/226406">@ThamiDlaminiITN</a> ,</P> <P>&nbsp;</P> <P>I have seen some sales people promote protecting the external routers, but I agree with <a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/113304">@S.Cantwell</a> .&nbsp; Most routers are built to be connected to the Internet and can be patched, hardened, and configured with some features to limit DoS.&nbsp; Most ISPs offer some DDoS protection, and some offer extra DDoS protection as an additional service.&nbsp; I would work with the ISP 1st.</P> <P>&nbsp;</P> <P>Thanks,</P> <P>&nbsp;</P> <P>Tom</P> Wed, 25 Oct 2023 01:24:53 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ddos-dos-protection/m-p/563032#M2001 TomYoung 2023-10-25T01:24:53Z https://live.paloaltonetworks.com/t5/next-generation-firewall/ddos-dos-protection/m-p/563680#M2029 <P>Thank you for the responses guys, really appreciate it. They helped.</P> Tue, 31 Oct 2023 08:59:03 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/ddos-dos-protection/m-p/563680#M2029 ThamiDlaminiITN 2023-10-31T08:59:03Z