03-22-2022 03:14 PM
03-23-2022 02:25 PM - edited 03-23-2022 02:29 PM
In theory this is still possible. Most DDoS attacks Palo sees now are reflection-based amplification attacks... UDP, not ICMP. (Which sounds like these are allowed in your network).
Mirai botnet... reflected and amplified NTP on IoT devices with outbound rules. Is it harder with only outbound rules and hiding behind NAT? Yes. Impossible? No. Unless you know for certain all current inside devices are clean, and you know where they are 365 days a year, it's still possible. Slim, hence defense in depth, but possible.
Consider also that DDoS lives on loads of NAS, routers and home security kits, so in some cases reflection/amplification will still come down that IPsec tunnel, depending on what terminates it.
+1 on the above for DoS/Zone protection profiles on zones.
03-23-2022 03:13 PM
Hi @Kandarp_Desai,
Traffic from the Internet to the public IP (same zone) is allowed by the default intrazone-default rule. You could create an intrazone drop rule to block the traffic, and no DoS should be possible. Remember to create an allow rule for your IPsec tunnel first.
Thanks,
Tom
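As an added illustration of Tom's point about rule ordering (this is not code from the thread or from Palo Alto Networks), the following Python model reproduces first-match security policy evaluation with the predefined intrazone-default (allow) and interzone-default (deny) rules, and checks for shadowed rules. Zone names, rule names and the App-ID names `ike` and `ipsec-esp` are assumptions chosen for the example; the flows are constructed.

```python
from dataclasses import dataclass

# Constructed model of first-match security policy evaluation, in the style of
# PAN-OS. Zone names, rule names and the App-ID names used below are assumptions.


@dataclass(frozen=True)
class Rule:
    name: str
    from_zone: str          # "any" or a zone name
    to_zone: str            # "any" or a zone name
    applications: frozenset  # frozenset({"any"}) matches every application
    action: str             # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    from_zone: str
    to_zone: str
    application: str


# Predefined rules that sit at the bottom of every rulebase.
INTRAZONE_DEFAULT = Rule("intrazone-default", "any", "any", frozenset({"any"}), "allow")
INTERZONE_DEFAULT = Rule("interzone-default", "any", "any", frozenset({"any"}), "deny")


def matches(rule: Rule, flow: Flow) -> bool:
    """True when the flow matches this rule's zones and application."""
    if rule.from_zone not in ("any", flow.from_zone):
        return False
    if rule.to_zone not in ("any", flow.to_zone):
        return False
    if "any" not in rule.applications and flow.application not in rule.applications:
        return False
    return True


def evaluate(rulebase: list, flow: Flow) -> tuple:
    """Return (rule name, action) of the first matching rule, top to bottom,
    falling back to the predefined default for the flow's zone pairing."""
    for rule in rulebase:
        if matches(rule, flow):
            return rule.name, rule.action
    default = INTRAZONE_DEFAULT if flow.from_zone == flow.to_zone else INTERZONE_DEFAULT
    return default.name, default.action


def covers(outer: Rule, inner: Rule) -> bool:
    """True when every flow matched by `inner` is also matched by `outer`."""
    zones_ok = outer.from_zone in ("any", inner.from_zone) and outer.to_zone in ("any", inner.to_zone)
    apps_ok = "any" in outer.applications or inner.applications <= outer.applications
    return zones_ok and apps_ok


def shadowed_rules(rulebase: list) -> list:
    """Names of rules that can never match because an earlier rule covers them."""
    return [r.name for i, r in enumerate(rulebase) if any(covers(e, r) for e in rulebase[:i])]


# Assumed rules: an allow for the IPsec tunnel, then an intrazone drop on the
# Internet-facing zone (called "untrust" here), as suggested in the reply above.
ALLOW_IPSEC = Rule("allow-ipsec-tunnel", "untrust", "untrust", frozenset({"ike", "ipsec-esp"}), "allow")
DROP_UNTRUST_INTRAZONE = Rule("drop-untrust-intrazone", "untrust", "untrust", frozenset({"any"}), "deny")


def recommended_rulebase() -> list:
    """Tunnel allow first, intrazone drop second."""
    return [ALLOW_IPSEC, DROP_UNTRUST_INTRAZONE]


def misordered_rulebase() -> list:
    """Same two rules, but the drop is placed above the allow."""
    return [DROP_UNTRUST_INTRAZONE, ALLOW_IPSEC]


if __name__ == "__main__":
    esp = Flow("untrust", "untrust", "ipsec-esp")        # the site-to-site tunnel
    dns_reflect = Flow("untrust", "untrust", "dns")       # constructed reflection traffic at the public IP
    print("no custom rules, reflection traffic:", evaluate([], dns_reflect))
    print("recommended, tunnel:", evaluate(recommended_rulebase(), esp))
    print("recommended, reflection traffic:", evaluate(recommended_rulebase(), dns_reflect))
    print("misordered, tunnel:", evaluate(misordered_rulebase(), esp))
    print("misordered shadowed rules:", shadowed_rules(misordered_rulebase()))
```

With no custom rules the reflection traffic toward the public IP hits intrazone-default and is allowed, which is the situation the reply describes. With the drop placed above the allow, the tunnel rule is fully shadowed and the ESP traffic is denied, so the order Tom gives is what makes the design work.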