DDoS Profiles

S_Williams901 — Fri, 19 Apr 2024 19:48:48 GMT

How does one go about getting the realistic values for your environment to plug into the DDoS profile or even the zone protection profile? How do you see how many SYNs you are getting per second/min etc?

Re: DDoS Profiles

Claw4609 — Tue, 23 Apr 2024 18:17:44 GMT

Hello,

Are you referring to the DoS protection profiles or the Zone Protection settings? For the zone protection piece you could use AI-OPs and it will provide recommendations based on traffic. If you dont have AI-OPs, for both options would recommend setting the alarm value to a somewhat low value and see what triggers the alert and move it up from there.

Here is a snippet from the Palo doc:

If you know the baseline CPS rates for the zone, use these guidelines to set the initial thresholds, and then monitor and adjust the thresholds as necessary.

Alarm Rate
—The new CPS threshold to trigger an alarm. Target setting the Alarm Rate to 15-20% above the average CPS rate for the zone so that normal fluctuations don’t cause alerts.
Activate
—The new CPS threshold to activate the flood protection mechanism and begin dropping new connections. For ICMP, ICMPv6, UDP, and other IP floods, the protection mechanism is Random Early Drop (RED, also known as Random Early Detection). For SYN floods only, you can set the drop Action to SYN Cookies or RED. Target setting the
Activate rate to just above the peak CPS rate for the zone to begin mitigating potential floods.
Maximum
—The number of connections-per-second to drop incoming packets when RED is the protection mechanism. Target setting the Maximum rate to approximately 80-90% of firewall capacity, taking into account other features that consume firewall resources.

If you don’t know the baseline CPS rates for the zone, start by setting the Maximum CPS rate to approximately 80-90% of firewall capacity and use it to derive reasonable flood mitigation alarm and activation rates. Set the Alarm Rate and Activate rate based on the Maximum rate. For example, you could set the Alarm Rate to half the Maximum rate and adjust it depending on how many alarms you receive and the firewall resources being consumed. Be careful setting the Activate Rate since it begins to drop connections. Because normal traffic loads experience some fluctuation, it’s best not to drop connections too aggressively. Err on the high side and adjust the rate if firewall resources are impacted.

Flood Protection (paloaltonetworks.com)

Re: DDoS Profiles

S_Williams901 — Wed, 01 May 2024 15:17:42 GMT

Do you need the full version of AI-OPs to achieve this?

topic Re: DDoS Profiles in Next-Generation Firewall Discussions

DDoS Profiles

Re: DDoS Profiles

Re: DDoS Profiles