02-13-2012 08:14 AM
Hi Folks,
I tried a lot to get my head around Aggregate and Classified DoS Protection. For some reason, I haven't been able to understand the difference. Tried looking into the knowledge base, but nothing helped me. Could someone please explain in short what the difference is?
Thanks in advance.
Regards,
02-13-2012 11:35 PM
My understanding from the administrator guide for PANOS 4.1 is that Aggregate is how often (based on a total count) you want the PAN unit to take action against the presumed attacker while Classified is how to group presumed attacks (page 149).
This is also further explained later in the manual (page 162).
For example:
You wish to block all traffic as soon as you hit 10.000 requests within 1 min: use Aggregate.
You wish to block all traffic as soon as you have >10 concurrent requests: use Classified.
A real-world example would be to use Aggregate to block a portscan (since you define the time for which the counters should collect), where Classified won't work if the portscanner tests one port at a time.
But I agree, I hope PA will improve the documentation regarding this.
02-14-2012 01:22 AM
Thanks mate for the answer. It was helpful.
Regards,
03-03-2017 04:31 PM
I also agree that Palo Alto should improve the DoS document with some real-world examples on this.
03-03-2017 04:38 PM
It's actually even more straightforward than that:
Classified = count of connections per second for a source IP.
Aggregate = count of connections per second for all source IPs combined.
There's a doc here that briefly covers it:
Another one that goes into more detail specifically about DoS:
https://live.paloaltonetworks.com/t5/Featured-Articles/How-to-Set-Up-DoS-Protection/ta-p/71164
Hope that helps!
Greg
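To make the per-source versus combined counting concrete, here is an added example (not from the thread or from Palo Alto Networks) that simulates both counters over a constructed list of new-connection events. It assumes a sliding one-second window and a single threshold per profile; the real PAN-OS profile has separate alarm, activate and maximum rates, which are collapsed into one number here.

```python
from collections import defaultdict

# Constructed sample of new connections: (timestamp in seconds, source IP).
# Chosen so that one source is noisy while the combined rate stays moderate.
SAMPLE_CONNECTIONS = (
    [(0.1 * i, "10.0.0.1") for i in range(6)]          # 6 conns in under 1 s
    + [(0.3 * i, src) for src in ("10.0.0.2", "10.0.0.3", "10.0.0.4")
       for i in range(3)]                              # 3 conns each in under 1 s
)


def peak_rate(timestamps, window=1.0):
    """Largest number of events falling inside any `window`-second span."""
    times = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # drop events that fell out of the window
            start += 1
        best = max(best, end - start + 1)
    return best


def aggregate_rate(connections, window=1.0):
    """Aggregate profile: peak connection rate for ALL sources combined."""
    return peak_rate([t for t, _ in connections], window)


def classified_rates(connections, window=1.0):
    """Classified profile (by source IP): peak connection rate for EACH source."""
    per_source = defaultdict(list)
    for t, src in connections:
        per_source[src].append(t)
    return {src: peak_rate(ts, window) for src, ts in per_source.items()}


def evaluate(connections, aggregate_threshold, classified_threshold, window=1.0):
    """Report which counter would fire for the same traffic sample.

    Hypothetical simplification: a single threshold per profile, and
    exceeding it counts as a trigger.
    """
    return {
        "aggregate_triggered": aggregate_rate(connections, window) > aggregate_threshold,
        "classified_offenders": sorted(
            src for src, rate in classified_rates(connections, window).items()
            if rate > classified_threshold
        ),
    }


if __name__ == "__main__":
    print(evaluate(SAMPLE_CONNECTIONS, aggregate_threshold=20, classified_threshold=5))
```

With an aggregate threshold of 20 cps and a classified threshold of 5 cps, the combined rate of 15 cps stays under the aggregate limit, yet the classified counter singles out 10.0.0.1; lowering the aggregate threshold to 10 cps would block the whole lot regardless of which source is responsible.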