07-01-2020 07:46 AM
At random times all TCP connections from the Internet are blocked (all ports and all IPs) for incoming traffic only. Websites, mail servers etc are not accessible from the Internet. UDP and ICMP are not affected. What could be causing this?
07-06-2020 12:35 PM
@fhewiufhwefhwe there are no entries under Objects -> Security Profiles -> Dos Protection, not even default.
07-06-2020 12:37 PM
Do you have source address exclusions under Reconnaissance Protection? You may want to include highly trusted items on your allow list there, such as internal DNS forwarders if you have them.
07-06-2020 12:46 PM
We don't have this problem with UDP which is what DNS uses.
07-06-2020 12:54 PM
DNS does use UDP, but can also use TCP over port 53. Anyway, if you have site-to-site VPN or something similar, you may want some exclusions to DoS / Zone Protection policies.
07-06-2020 01:18 PM
Thanks @fhewiufhwefhwe, but the problem we are facing is that when the TCP outage occurs our thousands of users who are scattered across the Internet world are not able to reach our websites or mail servers. We don't want the firewall to block the whole Internet.
I should also point out if the subject is not clear that the problem is only with incoming TCP traffic. Outgoing traffic is not affected.
07-06-2020 01:28 PM
Have you tried increasing the thresholds under SYN Flood Protection then? How high is your firewall on resource utilization? I'm wondering if you might be able to use SYN Cookies instead of Random Early Drop action? Note that I have not tried this myself.
I'm also thinking that you might want to set up SNMP monitoring of the DoS counters on the firewall. I recently tried to configure this, but have not had success yet.
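To make the threshold discussion above concrete, here is a small Python model, added here and not code from Palo Alto Networks or any poster in this thread, of how a flood profile's Alarm, Activate and Maximum rates and the choice between Random Early Drop and SYN cookies affect clients that would actually complete the handshake. The linear drop ramp, the cookie behaviour and the sample traffic mix are simplifying assumptions, not PAN-OS internals.

```python
"""Simplified model of a zone-protection SYN flood profile (constructed illustration).
Rates are SYNs per second; threshold names follow the thread's terms."""
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodProfile:
    alarm_rate: int       # log an alarm at or above this rate
    activate_rate: int    # begin mitigation at or above this rate
    max_rate: int         # drop every new SYN at or above this rate


def classify(profile: FloodProfile, syn_rate: int) -> str:
    """Which threshold band a one-second SYN count falls in."""
    if syn_rate >= profile.max_rate:
        return "maximum"
    if syn_rate >= profile.activate_rate:
        return "activate"
    if syn_rate >= profile.alarm_rate:
        return "alarm"
    return "normal"


def red_drop_fraction(profile: FloodProfile, syn_rate: int) -> float:
    """Random Early Drop modelled as a linear ramp: 0 at activate_rate, 1 at max_rate.
    Assumption: the real algorithm is probabilistic; this keeps the example deterministic."""
    if syn_rate < profile.activate_rate:
        return 0.0
    if syn_rate >= profile.max_rate:
        return 1.0
    return (syn_rate - profile.activate_rate) / (profile.max_rate - profile.activate_rate)


def mitigate(profile: FloodProfile, legit: int, spoofed: int, action: str) -> tuple:
    """One second of traffic: `legit` SYNs come from clients that will finish the
    handshake, `spoofed` SYNs never will. Returns (legit_accepted, spoofed_accepted)."""
    total = legit + spoofed
    if action == "red":
        keep = 1.0 - red_drop_fraction(profile, total)   # RED cannot tell the two apart
        return round(legit * keep), round(spoofed * keep)
    if action == "syn_cookies":
        if total >= profile.max_rate:                    # assumption: Maximum still drops all
            return 0, 0
        if total < profile.activate_rate:
            return legit, spoofed
        return legit, 0   # cookies only forward handshakes a real client completes
    raise ValueError(f"unknown action {action!r}")


# Constructed samples: the defaults quoted in the thread and the poster's raised values
DEFAULT = FloodProfile(alarm_rate=10_000, activate_rate=10_000, max_rate=40_000)
RAISED = FloodProfile(alarm_rate=59_000, activate_rate=59_000, max_rate=100_000)
```

With 2,000 legitimate and 28,000 spoofed SYNs per second, the default profile under RED lets through only about a third of the real clients, while SYN cookies pass all of them and none of the spoofed ones; the raised profile never activates at that rate at all.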
07-06-2020 01:43 PM
This article might help. I've been meaning to read it myself and figure out how to set up SNMP monitoring for DoS.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOKCA0
07-06-2020 01:53 PM
I have increased the threshold from 100 to 500 under Reconnaissance per your suggestion. Will see if that makes a difference.
07-06-2020 01:58 PM
I did not mean the threshold under Reconnaissance Protection. I mean the threshold under Flood Protection. The defaults are 10,000 for Alarm Rate and Activate, and 40,000 for maximum connections/sec.
07-06-2020 02:13 PM
Those are already pretty high. Alarm and Activate rates are 59,000. Maximum connections at 100,000.