cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Flood protection

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Reply
jdprovine
L4 Transporter
‎11-21-2016 08:01 AM
‎11-21-2016 08:01 AM

Flood protection

What is the best way to set up flood protection, separate profile one for ICMP, one for SYN cookies etc or put it all in one policie? What is the best way to determine what set your alarm rates, block rate etc? How successful is it, does good traffice get blocked very much

1 person had this problem.
0 Likes
Reply
jdprovine
L4 Transporter
‎11-21-2016 11:05 AM
‎11-21-2016 11:05 AM

I also see that there is zone protection and it looks very similar to flood protection, so which one is better?

0 Likes
Reply
clyde.franklin
L4 Transporter
‎11-21-2016 04:09 PM
‎11-21-2016 04:09 PM

I would go with Dos Protection profile and setup Dos Security Policy. As far as denying traffic it will depend on what "action " you choose when creating Dos proection policy there are 3 options Allow,Deny, Protect.

Reply
reaper
L7 Applicator
‎11-22-2016 12:21 AM
‎11-22-2016 12:21 AM

zone protection is the broad-stroke protection of an interface, regardless of the source-destination pair. it allows you to set up 'expected' flows and take action when your , for example, external interface comes under attack by enforcing syn cookies or dropping packets once a certain volume is reached

 

dos protection policies are there to protect specific resources. you can limit or regulate the flow towards a specific ip address

this comes in handy when for example your internet pipe throughput is much larger than one certain asset you want to protect, you can then finetine your protection to cater to specific servers while not limiting your overall throughput

 

 

hope this helps

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
Reply
jdprovine
L4 Transporter
‎11-22-2016 06:08 AM
‎11-22-2016 06:08 AM

I think that I want something more granular so I believe I will go with the DoS protection profile. I am currently in the process of deciding the best alarm rate, activate rate, max rate and block duration. I have some specific security policies using ICMP that I want to start with and then go from there.  I did a calculation based on my highest session numbers the result is very close to the limitation of 2,000,000 in the profile. So are you using this and how is it working for you?

 

11/13/2016 – 101.64M \7 days = 14.52M/day \86400 seconds in a day = 1.68M per sec

0 Likes
Reply
jdprovine
L4 Transporter
‎11-22-2016 07:30 AM
‎11-22-2016 07:30 AM

So the profile cannot just be added to a security policy, you have to create a DoS policy to put on the security policies

0 Likes
Reply
jdprovine
L4 Transporter
‎11-22-2016 07:32 AM
‎11-22-2016 07:32 AM

So you can't just apply a DoS profile to an existing security policies you have to create a DoS security policy, add a DoS protection profile and then add it to a security policies

0 Likes
Reply
reaper
L7 Applicator
‎11-22-2016 07:41 AM
‎11-22-2016 07:41 AM

no, the DoS protection policies are independent from security policies, much like the QoS policies

 

You first create a profile and then a (DoS) policy to match an expected flow.

 

 

 

Tom Piens - PANgurus.com
Like my answer? check out my book! amazon.com/dp/1789956374
0 Likes
Reply
jdprovine
L4 Transporter
‎11-22-2016 07:51 AM
‎11-22-2016 07:51 AM

So it affects everything? You can't just apply it to specific security policies?

0 Likes
Reply
jdprovine
L4 Transporter
‎11-22-2016 09:18 AM
‎11-22-2016 09:18 AM

Along the same lines, so I am going to fashion my DoS policy based on the security rule that I want to affect, I assume that will work

0 Likes
Reply
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!

Latest Blogs
Latest Posts
Privacy Policy Terms of Use
Copyright 2007 - 2021 - Palo Alto Networks