03-16-2016 08:38 PM
Hi,
This is just to understand how Palo Alto classifies the traffic and takes action.
As I pasted below, multiple sources are sending packets to an inside host. The Palo Alto log shows traffic from the same source hitting the inside host around 10 times (in a second).
Questions:
In the above scenario, is the traffic normal or abnormal?
How does Palo Alto classify a DoS attack?
source    Dest      pkts  Bytes
x.x.x.x   h.h.h.h   471   600000
y.y.y.y   h.h.h.h   143   100000
Thanks
03-16-2016 11:03 PM
Please read this document for understanding how DoS protection works: https://live.paloaltonetworks.com/t5/Documentation-Articles/Understanding-DoS-Protection/ta-p/54562
You need to look at aggregate profiles and classified profiles to understand how the firewall will classify a DoS attack in case of DDoS.
03-17-2016 01:53 AM
Also look towards zone protection.
This will not flood the log.
And use DoS protection for specific servers that need a lower threshold than your whole zone has set in zone protection.
03-17-2016 03:35 AM
Hi,
"use DoS protection for specific servers that need a lower threshold than your whole zone has set in zone protection."
How can I do this?
Let's say the zone is trust and the profile is applied there, and in the same zone there are systems which require a lower threshold. How can I apply that?
Thanks
03-17-2016 05:07 AM
Please take a look at this video:
Video Tutorial: DoS protection
and these articles:
Differences between DoS Protection and Zone Protection
03-18-2016 05:23 AM
Thanks everyone,
If a DoS attack happens, the victim may go down, depending on the attack.
But how can we relate the internet link going down and a DoS attack?
For example, an attacker is doing a DoS attack and the victim is still not down, but the internet link is down.
Thanks
03-18-2016 08:00 AM
You could dig into the firewall logs or install a Chrome plugin that will show you the current physical/virtual interface bandwidth (and a lot more).
Search for Pan(w)achrome.
04-18-2016 10:50 PM
Hi
If I have a Zone-Based Protection profile in the untrust zone, for more granularity
04-19-2016 12:47 AM
For Zone protection and DoS protection, you would first need to find your network's baseline to determine best practice:
if you're receiving on average 1.000 packets per second and peaks up to 4.000, you should tone zone protection down to fall within that spectrum. If you're seeing peaks of 1.500.000, you should scale up.
DoS protection works at a smaller scale where you can limit resources to a single host (or farm), so you'd need to set a baseline there as well: what is a desirable amount of resources available for a single source, or what is the maximum amount we can allow towards the server (farm) before it runs out of resources or service degrades?
Overall I would recommend using SYN cookies whenever possible, as that puts part of the responsibility with the client and is less aggressive than random early drop, and especially for the untrust zone, enable as many of the protections as possible (after determining the baseline of what is to be expected and what falls outside of your desirable inbound traffic).
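As an added example (not from this thread or from Palo Alto Networks), the script below turns constructed per-second traffic samples into the kind of baseline described above: an aggregate average and peak for the zone, flood rates derived from it, and a per-source check in the spirit of a classified DoS profile. The alarm/activate/maximum names mirror the zone protection flood settings; the headroom multipliers and the sample addresses are assumptions for illustration only.

```python
"""Baseline-driven sizing of zone and per-source DoS thresholds (added example)."""
from collections import defaultdict
import statistics

# Constructed sample: (second, source, packets) taken from an imagined log.
# The addresses are documentation-range placeholders, not real hosts.
SAMPLES = [
    (0, "198.51.100.10", 900),  (0, "203.0.113.5", 100),
    (1, "198.51.100.10", 950),  (1, "203.0.113.5", 120),
    (2, "198.51.100.10", 1000), (2, "203.0.113.5", 90),
    (3, "198.51.100.10", 2900), (3, "203.0.113.5", 110),   # one peak second
    (4, "198.51.100.10", 880),  (4, "203.0.113.5", 100),
]

def per_second_totals(samples):
    """Aggregate packets per second across all sources (the zone view)."""
    totals = defaultdict(int)
    for sec, _src, pkts in samples:
        totals[sec] += pkts
    return [totals[s] for s in sorted(totals)]

def zone_baseline(samples):
    """Average and peak pps: the two numbers the baselining advice starts from."""
    totals = per_second_totals(samples)
    return {"avg_pps": statistics.mean(totals), "peak_pps": max(totals)}

def suggest_zone_thresholds(baseline, headroom=1.25):
    """Alarm just above the average, activate just above the observed peak,
    maximum higher still. The multipliers are an assumed starting point that
    keeps the settings inside the observed spectrum; tune them per network."""
    avg, peak = baseline["avg_pps"], baseline["peak_pps"]
    return {
        "alarm": int(avg * headroom),
        "activate": int(peak * headroom),
        "maximum": int(peak * headroom * 2),
    }

def per_source_peaks(samples):
    """Highest pps seen from each individual source (the classified view)."""
    peaks = defaultdict(int)
    for _sec, src, pkts in samples:
        peaks[src] = max(peaks[src], pkts)
    return dict(peaks)

def sources_over_classified_limit(samples, limit_pps):
    """Sources that alone exceed a per-source limit a classified profile would enforce."""
    return sorted(s for s, p in per_source_peaks(samples).items() if p > limit_pps)

if __name__ == "__main__":
    base = zone_baseline(SAMPLES)
    print(base, suggest_zone_thresholds(base), sources_over_classified_limit(SAMPLES, 2000))
```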
04-19-2016 05:00 AM
Thank you reaper
How does the DoS rule action 'protect' protect the network, and what is the difference between protect and deny?
Thanks
04-19-2016 05:55 AM
Protect is going to enforce the profile you have created and should be the action set on most of your policies.
Allow will allow all traffic; this is a sort of bypass functionality to temporarily open up the floodgates and not enforce DoS protection (this could be useful when doing a quick scan/pen test).
Deny will block all traffic; this could be used to temporarily turn off connectivity to a service when there is a DoS attack ongoing and you want to completely prevent all connections.