https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74924#M41835 <P>Thanks everyone ,&nbsp;</P> <P>&nbsp;</P> <P>If dos attack happens &nbsp;the victim may go down depends on the attack .</P> <P>&nbsp;</P> <P>But how can we relate &nbsp;the internet link down &nbsp;and a dos attack ?</P> <P>for example an attacker doing a dos attack and the victim still &nbsp;not down but the internet link down&nbsp;</P> <P>Thanks</P> Fri, 18 Mar 2016 12:23:21 GMT sib2017 2016-03-18T12:23:21Z https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74846#M41796 <P>&nbsp;</P> <P>Hi,</P> <P>This is just to understand how palo alto understand classify the traffic and take action .</P> <P>&nbsp;</P> <P>as I pasted below from multiple &nbsp;sources &nbsp;sending packets to an inside host . &nbsp;Palo alto log shows &nbsp;around &nbsp;10&nbsp;</P> <P>&nbsp;</P> <P>times &nbsp;(in a second ) &nbsp;from the &nbsp;same souce traffic hitting to the inside host .</P> <P>&nbsp;</P> <P>Question?&nbsp;</P> <P>In the above scenario , traffic is normal &nbsp;or abnormal?&nbsp;</P> <P>How palo alto classify a dos attack&nbsp;</P> <P>&nbsp;</P> <P>source Dest &nbsp; &nbsp; pkts &nbsp; &nbsp; Bytes<BR />x.x.x.x h.h.h.h &nbsp; 471 &nbsp; 600000<BR />y.y.y.y h.h.h.h &nbsp; &nbsp;143 &nbsp; &nbsp;100000</P> <P>&nbsp;</P> <P>Thanks</P> <P>&nbsp;</P> Thu, 17 Mar 2016 03:38:52 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74846#M41796 sib2017 2016-03-17T03:38:52Z https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74857#M41801 <P>Please read this document for understanding how Dos protection works:&nbsp;<A href="https://live.paloaltonetworks.com/t5/Documentation-Articles/Understanding-DoS-Protection/ta-p/54562" target="_blank">https://live.paloaltonetworks.com/t5/Documentation-Articles/Understanding-DoS-Protection/ta-p/54562</A></P> <P>&nbsp;</P> <P>You need to look at aggregate profiles and classified profiles for understanding how will firewall classify dos attack in case of DDOS.</P> Thu, 17 Mar 2016 06:03:22 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74857#M41801 abjain 2016-03-17T06:03:22Z https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74864#M41802 <P>Also look towards zone protection.</P> <P>This will not flood the log.</P> <P>And use dos protection for specific servers that need lower threshold than your whole zone has set in zone protection.</P> Thu, 17 Mar 2016 08:53:44 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74864#M41802 Raido_Rattameister 2016-03-17T08:53:44Z https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74869#M41806 <P>Hi,</P> <P><SPAN>" use dos protection for specific servers that need lower threshold than your whole zone has set in zone protection."</SPAN></P> <P><SPAN>How can i do this&nbsp;</SPAN></P> <P><SPAN>lets say zone is trust &nbsp;and the profile is applied there and in the same zone if &nbsp;there are systems which required lower threshold &nbsp;,How can i apply that&nbsp;</SPAN></P> <P><SPAN>Thanks</SPAN></P> <P>&nbsp;</P> Thu, 17 Mar 2016 10:35:23 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74869#M41806 sib2017 2016-03-17T10:35:23Z https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74872#M41808 <P>please ake a look at this video:</P> <P><A href="https://live.paloaltonetworks.com/t5/Featured-Articles/Video-Tutorial-DoS-protection/ta-p/71164" target="_blank">Video Tutorial: DoS protection </A></P> <P>&nbsp;</P> <P>and these articles:</P> <P><A href="https://live.paloaltonetworks.com/t5/Learning-Articles/Differences-between-DoS-Protection-and-Zone-Protection/ta-p/57761" target="_blank">Differences between DoS Protection and Zone Protection </A></P> <P><A href="https://live.paloaltonetworks.com/t5/Documentation-Articles/Understanding-DoS-Protection/ta-p/54562" target="_blank">Understanding DoS Protection </A></P> <P><A href="https://live.paloaltonetworks.com/t5/Management-Articles/How-to-Configure-a-Policy-with-DoS-Protection-to-Protect-Hosted/ta-p/56507" target="_blank">How to Configure a Policy with DoS Protection to Protect Hosted Services This article contains posts that haven't been read by a moderator</A></P> Thu, 17 Mar 2016 12:07:17 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74872#M41808 reaper 2016-03-17T12:07:17Z https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74924#M41835 <P>Thanks everyone ,&nbsp;</P> <P>&nbsp;</P> <P>If dos attack happens &nbsp;the victim may go down depends on the attack .</P> <P>&nbsp;</P> <P>But how can we relate &nbsp;the internet link down &nbsp;and a dos attack ?</P> <P>for example an attacker doing a dos attack and the victim still &nbsp;not down but the internet link down&nbsp;</P> <P>Thanks</P> Fri, 18 Mar 2016 12:23:21 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74924#M41835 sib2017 2016-03-18T12:23:21Z https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74927#M41837 <P>You could dig into firewall logs or install Chrome plugin that will show you current physical/virtual interface bandwidth (and a lot more).</P> <P>Search for&nbsp;<SPAN>Pan(w)achrome</SPAN></P> Fri, 18 Mar 2016 15:00:21 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/74927#M41837 Raido_Rattameister 2016-03-18T15:00:21Z https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/76641#M42387 <P>Hi</P> <P>&nbsp;</P> <P>if i have&nbsp;Zone-Based Protection&nbsp;&nbsp;profile in &nbsp;untrust &nbsp;zone &nbsp;, for more granularity</P> <DIV>i can add &nbsp;protection DoS Rule base and Profiles . If yes what is the best practice</DIV> <DIV>&nbsp;</DIV> <DIV>Thanks</DIV> Tue, 19 Apr 2016 05:50:29 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/76641#M42387 sib2017 2016-04-19T05:50:29Z https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/76646#M42390 <P>For Zone protection and DoS protection, you would first need to find your network's baseline to determine best practice</P> <P>&nbsp;</P> <P>if you're receiving on average 1.000 packets&nbsp;per second and peaks up to 4.000, you should tone zone protection down to fall within that spectrum. If you're seeing peaks of 1.500.000, you should scale up</P> <P>&nbsp;</P> <P>DoS protection works at a smaller scale where you can limit resources to a single host (or farm), so you'd need to set a baseline there as well: what is a desirable amount of resources available for a single source or what is the maximum amount we can allow towards the server (farm) before it runs out of resources or service degrades&nbsp;</P> <P>&nbsp;</P> <P>overall I would recommend using SYN cookies whenever possible, as that puts part of the responability with the client and is less agressive than random early drop and especially for the untrust zone, enable as many of the protections as possible (after determining the baseline of what is to be expected and what falls outside of your desirable inbound traffic)</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 19 Apr 2016 07:47:13 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/76646#M42390 reaper 2016-04-19T07:47:13Z https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/76673#M42394 <P>Thank you reaper&nbsp;</P> <P>&nbsp;</P> <P><SPAN>How Dos rule action 'protect' protects the network and what is the differnence between protect and &nbsp;deny</SPAN></P> <P><SPAN>Thanks</SPAN></P> Tue, 19 Apr 2016 12:00:57 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/76673#M42394 sib2017 2016-04-19T12:00:57Z https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/76676#M42395 <P>Protect is going to enforce the profile you have created and should be the action set to most of your policies</P> <P>&nbsp;</P> <P>Allow will allow all traffic, this is a sort of bypass functionality to temporarily open up the floodgates and not enforce DoS protection (this could be useful when doing a quick scan/PEN test)</P> <P>&nbsp;</P> <P>Deny will block all traqffic, this could be used to temporarily turn off connectivity to a service when there is a DoS attack ongoing and you want to completely prevent all connections</P> Tue, 19 Apr 2016 12:55:32 GMT https://live.paloaltonetworks.com/t5/general-topics/understanding-palo-alto-classifying-traffic/m-p/76676#M42395 reaper 2016-04-19T12:55:32Z