topic Re: Question on getting started with Reconnaissance Protection thresholds in General Topics

Question on getting started with Reconnaissance Protection thresholds

BSwientoniowski — Fri, 29 May 2020 13:52:38 GMT

I know the question about how to set Reconnaissance Protection thresholds has been asked dozens of times. The answer is always "it depends on your environment and situation". I understand that there can't be a one-size fits all best practice. It seems as though a trial-and-error approach is how you should dial in the thresholds and intervals.

But are there any unique factors that should be taken into consideration that could give you a general idea rather than taking shots in the dark? Like how many different hosts and services are accessible from that zone? Average connections per second? Frequency of any types of events in the threat logs?

Re: Question on getting started with Reconnaissance Protection thresholds

shawnhafen — Fri, 29 May 2020 16:48:15 GMT

A while back I went down this same path, it is a very loose control and does require a lot of attention because something like a shopping season, COVID stimulus checks, or other events may cause spikes in traffic that you dont want to drop.

Here are some places to look for evaluating your CPS over time:

https://github.com/zepryspet/GoPAN

https://docs.paloaltonetworks.com/pan-os/8-1/pan-os-admin/zone-protection-and-dos-protection/zone-defense/take-baseline-cps-measurements-for-setting-flood-thresholds/how-to-measure-cps.html#id2f43d329-3860-4689-a2e4-b7d19ded7966

Good luck!

Re: Question on getting started with Reconnaissance Protection thresholds

BPry — Fri, 29 May 2020 17:57:32 GMT

@BSwientoniowski,

As @shawnhafen mentioned and you've pointed out in your question, the problem with giving any sort of general criteria on how to calculate these thresholds is that they will always be different.

Outside of continually monitoring these values and reviewing logs over a period of time to generate a rough idea of what you should start at, it's always going to be little bit of trial and error involved here to make them effective.