topic Re: Zone protection - alert only in General Topics

Zone protection - alert only

jdprovine — Tue, 06 Feb 2018 21:36:53 GMT

I have been investigating zone protection and DoS protection for awhile now and I think I would have already implemented it if you could configure all the settings to alert when you begin testing.

Re: Zone protection - alert only

reaper — Wed, 07 Feb 2018 10:04:28 GMT

Hi @jdprovine

you can!

if you look at zone protection there's always 3 values: alert, activate and maximum

the alert setting is what does what you would like

the maximum is the murder switch, so you'll want to stay away from that until you are confortable, and the activate is an interesting toggle, depending on your choice of action (RED or cookies)

the maximum will effectively cut off new sessions

RED (random early drop) is a legacy method of randomly discarding incoming syn packets in an attempt to stifle/slow down connectio nrates and save resources

SYN cookies are a cool method where each syn reqyest is answered with a cookie, which is a sort of mathematical little puzzle the client needs to answer. the session is not allocated in the session table until the client replies with the correct answer to the cookies

so, random early drop needs to be set at a rate as close to your maximum as possible, syn cookies can be activated at 0 as this is a friendly deterrent that should not interfere with your normal sessions and will only trip bad guys

that said:

if you set maximum and activate to the maximum value (2.000.000) they will never get triggered, you can then use your alert rate to 'gauge' where your treshold lies (use it in stead of where your 80% watermark would be for max for example).

you should set the alert rate to where you think it needs to be and then monitor it for a while. if it gets tripped a lot, increase, if it doesn't get tripped, decrease. once you have youyr 'sweet spot' you can decide to move on and set your activate and max (you'll probably want to leave your alert at that level, so you know something is up if it gets tripped, then add max at about 10-25% more connections/sec and your activate depending on your choice of RED or cookies (RED at the same rate as alert, cookies at 0 preferably or 60-70% of alert if you don'tlike cookies)

I hope this makes sense 🙂

Re: Zone protection - alert only

jdprovine — Wed, 07 Feb 2018 13:26:48 GMT

@reaper

good info as always reaper. But if I do set the maximum and activate rates to 2,000,000 where do I look to see the "alert" rates sinces they will not be listed as an alert

Re: Zone protection - alert only

jdprovine — Wed, 07 Feb 2018 13:50:04 GMT

@reaper

There is one location on zone protetion that done not have an alert setting and that is what caused my VPN to break, I am including a pick of those setting

Re: Zone protection - alert only

jdprovine — Wed, 07 Feb 2018 13:51:28 GMT

@reaper

Another section of zone protection with no alert setting

Re: Zone protection - alert only

jdprovine — Wed, 07 Feb 2018 13:54:24 GMT

@reaper

I need to retract that last one it does have an alert setting 😞 my bad LOL

Re: Zone protection - alert only

BPry — Wed, 07 Feb 2018 14:26:57 GMT

@jdprovine,

The alerts will be included within your 'Threat' logs on the firewall, specifically (subtype eq flood). These will be seen with the action as 'allow' and the severity as 'critical' if it's hitting the 'alert' value.

As far as the IP Option Drop settings there wouldn't really be an 'alert' option for this, it's either something you want to allow or not. You can find more detailed information about what all the options are actually looking for HERE.

Re: Zone protection - alert only

jdprovine — Wed, 07 Feb 2018 14:30:09 GMT

@BPry

I guess I do have the option to turn the IP option drop settings. My goal is to utillize as many features of the PA as I can to get the mose bang for my buck so to speak LOL