I have been investigating zone protection and DoS protection for a while now, and I think I would have already implemented it if you could configure all the settings to alert when you begin testing.
If you look at zone protection, there are always three values: alert, activate and maximum.
The alert setting is what does what you would like.
The maximum is the murder switch, so you'll want to stay away from that until you are comfortable, and the activate is an interesting toggle, depending on your choice of action (RED or cookies).
The maximum will effectively cut off new sessions.
RED (random early drop) is a legacy method of randomly discarding incoming SYN packets in an attempt to stifle/slow down connection rates and save resources.
SYN cookies are a cool method where each SYN request is answered with a cookie, which is a sort of mathematical little puzzle the client needs to answer. The session is not allocated in the session table until the client replies with the correct answer to the cookie.
So, random early drop needs to be set at a rate as close to your maximum as possible; SYN cookies can be activated at 0, as this is a friendly deterrent that should not interfere with your normal sessions and will only trip bad guys.
If you set maximum and activate to the maximum value (2,000,000) they will never get triggered; you can then use your alert rate to 'gauge' where your threshold lies (use it instead of where your 80% watermark for max would be, for example).
You should set the alert rate to where you think it needs to be and then monitor it for a while. If it gets tripped a lot, increase it; if it doesn't get tripped, decrease it. Once you have your 'sweet spot' you can decide to move on and set your activate and max (you'll probably want to leave your alert at that level, so you know something is up if it gets tripped), then add max at about 10-25% more connections/sec, and your activate depending on your choice of RED or cookies (RED at the same rate as alert, cookies at 0 preferably, or 60-70% of alert if you don't like cookies).
I hope this makes sense :)
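The tuning procedure described in the post above (park activate and maximum at 2,000,000, move the alert rate up or down based on how often it trips, then derive activate and maximum from the settled alert rate), worked through as a simulation. This is an added example, not code from the thread and not PAN-OS code: the per-second connection-rate samples are constructed, and the "trips a lot" cut-off (more than 10% of sampled seconds), the 10% adjustment step and the 15% headroom for maximum are assumptions chosen for illustration, not values from the post.

```python
"""Simulate tuning zone-protection SYN flood thresholds (alert / activate / maximum).

Added example, not from the original thread and not PAN-OS code. It applies the
rules from the post to a constructed series of new-connection rates:
  * alert trips a lot  -> raise the alert rate
  * alert never trips  -> lower the alert rate
  * once alert settles -> maximum = alert + 10..25%, activate depends on RED vs cookies
"""
from collections import Counter
from dataclasses import dataclass

NEVER = 2_000_000  # value the post uses to park activate/maximum so they never fire

# Constructed sample: one connections-per-second reading per second, a ~1000 cps
# baseline with two bursts (4800 and 9100). Not real firewall data.
SAMPLE_CPS = [950, 1020, 880, 1100, 990, 1250, 970, 1030, 4800, 1010,
              940, 1180, 1005, 960, 9100, 1040, 990, 1120, 870, 1000]


@dataclass(frozen=True)
class FloodThresholds:
    alert: int      # log only
    activate: int   # RED or SYN cookies kick in
    maximum: int    # new sessions refused


def trips(samples, threshold):
    """Number of one-second samples at or above `threshold` (how often it would trip)."""
    return sum(1 for cps in samples if cps >= threshold)


def monitor_only(alert):
    """Monitoring phase from the post: alert set, activate and maximum parked at 2,000,000."""
    return FloodThresholds(alert, NEVER, NEVER)


def tune_alert(samples, start, too_many=0.10, rounds=20):
    """Move the alert rate until it trips rarely but not never.

    Assumptions (not from the post): 'a lot' means more than `too_many` of the
    sampled seconds, and each adjustment is 10% (integer arithmetic, no float drift).
    Stops if an adjustment would reverse direction, to avoid oscillating.
    """
    alert, last = start, None
    for _ in range(rounds):
        frac = trips(samples, alert) / len(samples)
        if frac > too_many:
            direction = "up"
        elif frac == 0:
            direction = "down"
        else:
            break                      # sweet spot: trips occasionally
        if last and direction != last:
            break                      # would oscillate; keep the current value
        alert = alert * 11 // 10 if direction == "up" else alert * 9 // 10
        last = direction
    return alert


def derive_thresholds(alert, mode, headroom_pct=15):
    """Set activate/maximum once the alert rate has settled.

    maximum: 10-25% above alert (15% assumed here).
    activate: RED at the alert rate; cookies at 0; or 60-70% of alert if cookies
    are unwanted at 0 ('cookies-late', 65% assumed).
    """
    maximum = alert + alert * headroom_pct // 100
    if mode == "red":
        activate = alert
    elif mode == "cookies":
        activate = 0
    elif mode == "cookies-late":
        activate = alert * 65 // 100
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return FloodThresholds(alert, activate, maximum)


def tiers(cps, t):
    """Every tier a one-second reading reaches under thresholds `t` (low to high)."""
    return tuple(name for name, limit in
                 (("alert", t.alert), ("activate", t.activate), ("max", t.maximum))
                 if cps >= limit)


def summarize(samples, t):
    """Count how many sampled seconds reached each tier; an empty dict means nothing fired."""
    counts = Counter()
    for cps in samples:
        counts.update(tiers(cps, t))
    return dict(counts)


if __name__ == "__main__":
    settled = tune_alert(SAMPLE_CPS, start=1000)
    print("monitoring phase:", summarize(SAMPLE_CPS, monitor_only(settled)))
    for mode in ("red", "cookies", "cookies-late"):
        print(mode, derive_thresholds(settled, mode))
```

With the constructed series, tuning from 1000 cps settles at 1331 (the two bursts, 10% of samples, still trip it) and tuning down from a far-too-high 20,000 settles at 8608; in the cookies mode every second lands in the "activate" tier because activate is 0, which is exactly the always-on behaviour the post describes.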
Good info as always, reaper. But if I do set the maximum and activate rates to 2,000,000, where do I look to see the "alert" rates, since they will not be listed as an alert?
There is one location in zone protection that does not have an alert setting, and that is what caused my VPN to break. I am including a pic of those settings.
The alerts will be included within your 'Threat' logs on the firewall, specifically (subtype eq flood). These will be seen with the action as 'allow' and the severity as 'critical' if it's hitting the 'alert' value.
As far as the IP Option Drop settings there wouldn't really be an 'alert' option for this, it's either something you want to allow or not. You can find more detailed information about what all the options are actually looking for HERE.
I guess I do have the option to turn off the IP option drop settings. My goal is to utilize as many features of the PA as I can, to get the most bang for my buck so to speak, LOL.