topic Re: Zone protection for VM series in General Topics

Zone protection for VM series

tinhnho — Mon, 01 May 2023 16:11:18 GMT

Hi everyone,

I was looking for PA best practices for VM series' zone protection but only found documents that talked about physical PA.

1. Are physical and VM series zone protection the same? could you point me where the docs for these are?

2. Under zone protection profile, flood protection, and SYN, there are 2 options 'Random Early Drop' and Syn Cookies'. I chose to configure 'Random early drop' only (attachment), will 'Syn Cookies' still be in use if I don't touch it? or the SYN only works with 1 action which is either 'Random Early Drop' or 'Sync Cookies' if selected but not both?

Thanks

Re: Zone protection for VM series

Raido_Rattameister — Mon, 01 May 2023 16:35:38 GMT

Either Palo will start dropping random incoming new sessions if treshold is met or will start sending back specially crafted SYN-ACK packets (SYN Cookies).

Choosing random early drop will not send back cookie.

No difference in setting up VM or physical zone protection.

You need to identify tresholds based on requirements and real needs.

Can your web server handle 40k new sessions per second that your current settings allow?

Re: Zone protection for VM series

tinhnho — Mon, 01 May 2023 16:53:32 GMT

Is it recommended to choose 'Random Early Drop' over 'Syn Cookies'?

Is the web server behind the firewall that you mentioned above? if yes, yes it can.

Thanks.

Re: Zone protection for VM series

Raido_Rattameister — Mon, 01 May 2023 17:01:11 GMT

If you are under SYN flood attack then random early drop is less resource intensive but can also drop benign traffic.

SYN cookies put some load on the firewall but does not affect traffic from real users.

I would choose SYN cookie setup.

Re: Zone protection for VM series

tinhnho — Mon, 01 May 2023 18:03:50 GMT

Last question, Does Syn Cookies drop packet when seeing Syn flood attacks? if not what does it do exactly in terms of protecting the fw when seeing syn flood attacks?

Re: Zone protection for VM series

Raido_Rattameister — Mon, 01 May 2023 18:09:14 GMT

When SYN cookies are enabled and activated then:
SYN comes into firewall.

Firewall don't pass this SYN to web server but sends back SYN-ACK itself.

After client sends final ACK firewall initiates session to web server and allows client and web server to communicate.

As SYN-ACK is returned with sequence number from range that Palo is aware then even firewall don't need to create any session inside firewall session table before last packet from 3way handshake (ACK) arrives from client.

Re: Zone protection for VM series

tinhnho — Mon, 01 May 2023 18:53:53 GMT

Thank you!