Difference between Aggregate and Classified DoS Protection

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Difference between Aggregate and Classified DoS Protection

L4 Transporter

Hi Folks,

I tried a lot to get my head around Aggregate and Classified DoS Protection.  For some reason, i haven't been able to understand the difference.  Tried looking into the knowledge base, but nothing helped me.  Could someone please explain in short what the difference is.

Thanks in advance.

Regards,

1 accepted solution

Accepted Solutions

L6 Presenter

My understanding from the administrator guide for PANOS 4.1 is that Aggregate is how often (based on a total count) you want the PAN unit to take action against the presumed attacker while Classified is how to group presumed attacks (page 149).

This is also further explained later in the manual (page 162).

For example:

You wish to block all traffic as soon as you hit 10.000 requests within 1 min: use Aggregate.

You wish to block all traffic as soon as you have >10 concurrent requests: use Classified.

A real world example would be to use Aggregate to block a portscan (since you define the time for which the counters should collect for) where Classified wont work if the portscanner test one port at a time.

But I agree, I hope PA will improve the documentation regarding this.

View solution in original post

4 REPLIES 4

L6 Presenter

My understanding from the administrator guide for PANOS 4.1 is that Aggregate is how often (based on a total count) you want the PAN unit to take action against the presumed attacker while Classified is how to group presumed attacks (page 149).

This is also further explained later in the manual (page 162).

For example:

You wish to block all traffic as soon as you hit 10.000 requests within 1 min: use Aggregate.

You wish to block all traffic as soon as you have >10 concurrent requests: use Classified.

A real world example would be to use Aggregate to block a portscan (since you define the time for which the counters should collect for) where Classified wont work if the portscanner test one port at a time.

But I agree, I hope PA will improve the documentation regarding this.

Thanks mate for the answer.  It was helpful.

Regards,

I also agree that the Palo Alto would improve the DoS document with some real world examples on this. 

It's actually even more straightforward than that:

 

Classified = count of connections per second for a source IP.

Aggregate = count of connections per second for all source IPs combined.

 

There's a doc here that briefly covers it:

https://live.paloaltonetworks.com/t5/Learning-Articles/Differences-between-DoS-Protection-and-Zone-P...

 

Another one that goes into more detail specifically about DoS:

https://live.paloaltonetworks.com/t5/Featured-Articles/How-to-Set-Up-DoS-Protection/ta-p/71164

 

Hope that helps!

Greg

  • 1 accepted solution
  • 6920 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!