TCP SYN with data attack blocked by the firewall but increases the latency of data traffic

L3 Networker

Hi Support,

 

We recently noticed latency in our network. When we investigated, we found a lot of threat logs for TCP SYN with data being blocked by the firewall, as we have DDoS protection.

 

My question is below:

1. Does this attack affect the performance of the firewall resources?

2. Do we have a setting that can drop the threat without consuming firewall resources?

3. In addition, is there a best case recommendation for securing untrust zones?

 

Thank you


Cyber Elite

1. It should not in and by itself, unless you are receiving so many of these packets that it could constitute a DoS attack. In your case there doesn't seem to be an enormous amount.

2. Only if you are somehow able to isolate the source IP (or country, subnet, network, ...) and block these sources directly. In your case, it all seems to originate from one source, so go ahead and block that if you don't know who or what this source is.

3. yes, take a look here: https://docs.paloaltonetworks.com/best-practices/dos-and-zone-protection-best-practices

 

In the ICMP screenshot, what do the start and end arrows indicate? Just the start/end of the latency, or some other event?

What do your '> show running resource-monitor' and '> show session info' look like during that period?

Do you have packet buffer protection enabled on your zones?

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

Hi @Fariq_Zaidi ,

 

Just to clarify - the "TCP SYN with data" threat logs you see are not caused by the flood protection.

Those logs indicate dropped TCP SYN packets that contain data, meaning the source is trying to send some data before the TCP 3-way handshake is completed. This setting is again controlled by the Zone Protection profile, but not as flood protection; it is a TCP drop setting - https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-web-interface-help/network/network-network-profi...

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClT5CAK

Bearing in mind that this is inbound traffic (from a public source), it could be expected to see a lot of such attempts.

 

You can check the count of dropped packets per zone with following command:

> show zone-protection zone untrust 
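Added example (not code from the thread or from Palo Alto Networks): the two replies above suggest checking how many "TCP SYN with data" drops there are per zone and whether they come from one source or many. This script does that triage over constructed, simplified key=value log lines; it does not use the real PAN-OS threat-log layout, so the field names and the `SAMPLE_LOGS` content are assumptions.

```python
from collections import Counter
import re

# Constructed sample threat-log lines in a simplified key=value form (NOT the
# exact PAN-OS CSV/syslog layout). Each line records a packet dropped by a zone
# protection profile: the threat name, the ingress zone and the source IP.
SAMPLE_LOGS = """\
2024-05-01T10:00:01 type=THREAT name="TCP SYN with data" zone=untrust src=203.0.113.7 action=drop
2024-05-01T10:00:02 type=THREAT name="TCP SYN with data" zone=untrust src=203.0.113.7 action=drop
2024-05-01T10:00:02 type=THREAT name="TCP SYN with data" zone=untrust src=198.51.100.9 action=drop
2024-05-01T10:00:03 type=THREAT name="TCP SYN with data" zone=untrust src=203.0.113.7 action=drop
2024-05-01T10:00:04 type=THREAT name="SYN Flood" zone=untrust src=203.0.113.7 action=drop
2024-05-01T10:00:05 type=THREAT name="TCP SYN with data" zone=dmz src=192.0.2.4 action=drop
""".strip().splitlines()

# Shape of the constructed lines; anything that does not match is skipped.
LINE_RE = re.compile(
    r'^(?P<ts>\S+) type=THREAT name="(?P<name>[^"]+)" zone=(?P<zone>\S+) '
    r'src=(?P<src>\S+) action=(?P<action>\S+)$'
)


def parse_threat_logs(lines):
    """Return a list of dicts (ts, name, zone, src, action) for well-formed lines."""
    return [m.groupdict() for m in map(LINE_RE.match, lines) if m]


def summarize_syn_with_data(events, threat_name="TCP SYN with data"):
    """Count drops for one threat name per zone and per source, and report the
    share of drops attributable to the single busiest source."""
    hits = [e for e in events if e["name"] == threat_name and e["action"] == "drop"]
    per_zone = Counter(e["zone"] for e in hits)
    per_src = Counter(e["src"] for e in hits)
    total = len(hits)
    top_src, top_n = per_src.most_common(1)[0] if hits else (None, 0)
    return {
        "total": total,
        "per_zone": dict(per_zone),
        "per_src": dict(per_src),
        "top_src": top_src,
        "top_share": top_n / total if total else 0.0,
    }


def is_single_source(summary, threshold=0.5):
    """True when one source accounts for at least `threshold` of the drops,
    i.e. the case where blocking that source directly is worth considering."""
    return summary["top_src"] is not None and summary["top_share"] >= threshold


if __name__ == "__main__":
    summary = summarize_syn_with_data(parse_threat_logs(SAMPLE_LOGS))
    print(summary)
    print("single dominant source:", is_single_source(summary))
```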

 

Hi Reaper,

 

In the ICMP screenshot, it shows the latency during the event, and it is consistent with the logs of TCP SYN with data being dropped. That is why we are concerned that this is the cause of the latency.

 

I have attached the show running resource-monitor and show session info output (Doc log), and yes, we have enabled packet buffer protection.

 

Thank you
