https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/127840#M46621 <P>What is the best way to set up flood protection, separate profile one for ICMP, one for SYN cookies etc or put it all in one policie? What is the best way to determine what set your alarm rates, block rate etc? How successful is it, does good traffice get blocked very much</P> Mon, 21 Nov 2016 16:01:52 GMT jdprovine 2016-11-21T16:01:52Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/127840#M46621 <P>What is the best way to set up flood protection, separate profile one for ICMP, one for SYN cookies etc or put it all in one policie? What is the best way to determine what set your alarm rates, block rate etc? How successful is it, does good traffice get blocked very much</P> Mon, 21 Nov 2016 16:01:52 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/127840#M46621 jdprovine 2016-11-21T16:01:52Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/127900#M46625 <P>I also see that there is zone protection and it looks very similar to flood protection, so which one is better?</P> Mon, 21 Nov 2016 19:05:21 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/127900#M46625 jdprovine 2016-11-21T19:05:21Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/127977#M46627 <P>I would go with Dos Protection profile and setup Dos Security Policy. As far as denying traffic it will depend on what "action " you choose when creating Dos proection policy there are 3 options Allow,Deny, Protect.</P> Tue, 22 Nov 2016 00:09:33 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/127977#M46627 clyde.franklin 2016-11-22T00:09:33Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128041#M46631 <P>zone protection is the broad-stroke protection of an interface, regardless of the source-destination pair. it allows you to set up 'expected' flows and take action when your , for example, external interface comes under attack by enforcing syn cookies or dropping packets once a certain volume is reached</P> <P>&nbsp;</P> <P>dos protection policies are there to protect specific resources. you can limit or regulate the flow towards a specific ip address</P> <P>this comes in handy when for example your internet pipe throughput is much larger than one certain asset you want to protect, you can then finetine your protection to cater to specific servers while not limiting your overall throughput</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>hope this helps</P> Tue, 22 Nov 2016 08:21:40 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128041#M46631 reaper 2016-11-22T08:21:40Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128134#M46643 <P>I think that I want something more granular so I believe I will go with the DoS protection profile. I am currently in the process of deciding the best alarm rate, activate rate, max rate and block duration. I have some specific security policies using ICMP that I want to start with and then go from there.&nbsp; I did a calculation based on my highest session numbers the result is very close to the limitation of 2,000,000 in the profile. So are you using this and how is it working for you?</P><P>&nbsp;</P><P>11/13/2016 – 101.64M \7 days = 14.52M/day \86400 seconds in a day = 1.68M per sec</P> Tue, 22 Nov 2016 14:08:44 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128134#M46643 jdprovine 2016-11-22T14:08:44Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128163#M46653 <P>So the profile cannot just be added to a security policy, you have to create a DoS policy to put on the security policies</P> Tue, 22 Nov 2016 15:30:37 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128163#M46653 jdprovine 2016-11-22T15:30:37Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128170#M46654 <P>So you can't just apply a DoS profile to an existing security policies you have to create a DoS security policy, add a DoS protection profile and then add it to a security policies</P> Tue, 22 Nov 2016 15:32:45 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128170#M46654 jdprovine 2016-11-22T15:32:45Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128178#M46656 <P>no, the DoS protection policies are independent from security policies, much like the QoS policies</P> <P>&nbsp;</P> <P>You first create a profile and then a (DoS) policy to match an expected flow.</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 22 Nov 2016 15:41:47 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128178#M46656 reaper 2016-11-22T15:41:47Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128194#M46658 <P>So it affects everything? You can't just apply it to specific security policies?</P> Tue, 22 Nov 2016 15:51:00 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128194#M46658 jdprovine 2016-11-22T15:51:00Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128215#M46669 <P>Along the same lines, so I am going to fashion my DoS policy based on the security rule that I want to affect, I assume that will work</P> Tue, 22 Nov 2016 17:18:40 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128215#M46669 jdprovine 2016-11-22T17:18:40Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128229#M46670 <P>What log do the alarms go too? This is what profile I am going to start out with for icmp and icmpv6, I tried to base this on my current network highest session count</P><P>&nbsp;</P><P>ICMP Flood and ICMVPv6 Flood<BR />Alarm rate = 164 pps<BR />Activate rate = 185.83 pps<BR />Max rate = default (40000)<BR />Block duration = default (300)</P> Tue, 22 Nov 2016 17:34:55 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128229#M46670 jdprovine 2016-11-22T17:34:55Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128283#M46677 <P>Can you set activate to 0 so it acts like an alert for testing the rule</P> Tue, 22 Nov 2016 19:29:00 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128283#M46677 jdprovine 2016-11-22T19:29:00Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128390#M46688 <P>the logs should appear in 'threat' log</P> <P>&nbsp;</P> <P>if you set activate at 0, you will start blocking (or 'taking action' to put it better, for syn-cookies this is actually a preferred setting where random early drop would &nbsp;be better suited with a much higher activate) immediately, setting the 'alert' to&nbsp;0 will immediately start producing logs but not taking actions just yet.</P> Wed, 23 Nov 2016 08:24:18 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128390#M46688 reaper 2016-11-23T08:24:18Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128467#M46705 <P>So setting alert to 0 would be a good way to test if its working?</P> Wed, 23 Nov 2016 14:29:50 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128467#M46705 jdprovine 2016-11-23T14:29:50Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128470#M46706 <P>yes <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> <P>&nbsp;</P> <P>&nbsp;</P> Wed, 23 Nov 2016 14:33:49 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/128470#M46706 reaper 2016-11-23T14:33:49Z https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/129135#M46744 <P>this is a great thread. &nbsp;Loved reading it learning more about both of these features and their practicle implementation.&nbsp;</P> Mon, 28 Nov 2016 00:55:30 GMT https://live.paloaltonetworks.com/t5/general-topics/flood-protection/m-p/129135#M46744 Brandon_Wertz 2016-11-28T00:55:30Z