When to use ZoneProfile and DoS Profile


Hello All - Can I understand that the Zone Protection Profile is to protect the firewall itself, and the DoS Protection Profile is to protect the servers and hosts behind the firewall from the Internet?

Can I achieve DoS protection (for example, against a SYN flood attack) only by configuring a DoS Protection Profile, tailored with a policy rule with source and destination IP addresses?


Thanks in advance

regards/RB

My readings are below, but my question is not answered in them, IMHO.

Zone Protection Profiles — Apply only to new sessions in ingress zones and provide broad protection against flood attacks by limiting the connections per second (CPS) to the firewall, plus protection against reconnaissance (port scans and host sweeps), packet-based attacks, and layer 2 protocol-based attacks.
Zone protection defends network zones against flood attacks, reconnaissance attempts, packet-based attacks, and attacks that use non-IP protocols. Tailor a Zone Protection profile to protect each zone (you can apply the same profile to similar zones).

DoS Protection Profiles and Policy Rules — Provide granular protection of specific, critical devices for new sessions. Classified policies protect individual devices by limiting the CPS for a specific device or specific devices. Aggregate policies limit the total CPS for a group of devices but don't limit the CPS for a particular device in the group to less than the total allowed for the group, so one device may still receive the majority of the connection requests.
Denial-of-service (DoS) protection defends specific critical systems against flood attacks, especially devices that users access from the internet, such as web servers and database servers, and protects resources from session floods. Tailor DoS Protection profiles and policy rules to protect each set of critical devices.

A DoS protection policy can be used to accomplish some of the same things a Zone protection policy does, but there are a few key differences:

A major difference is that a DoS policy can be classified or aggregate. Zone protection policies can be aggregate.
A classified profile allows the creation of a threshold that applies to a single source IP.
For example, a max session rate per IP can be created for all traffic matching the policy, then that single IP address is blocked once the threshold is triggered.

An aggregate profile allows the creation of a max session rate for all packets matching the policy. The threshold applies to the new-session rate for all IPs combined. Once the threshold is triggered, it affects ALL traffic matching the policy.
Zone protection policies allow the use of flood protection and have the ability to protect against port scanning/sweeps and packet-based attacks. A few examples are IP spoofing, fragments, overlapping segments, and reject tcp-non-syn.
Zone protection profiles may have less performance impact since they are applied pre-session and don't engage the policy engine.


Hello,

So to answer your first question, kinda but not exactly. To answer your second question, yes.


Think of it this way.

Zone protection is for everything going into/out of the zone, all endpoints in that zone, and has broad coverage. That is, everything in that zone.

DoS protection has finer granularity, where you can specify a specific endpoint in that zone.


https://www.paloaltonetworks.com/documentation/80/pan-os/pan-os/zone-protection-and-dos-protection


Hope that helps.

Thank you for the response. Shall I understand that the DoS protection profile is superior to the Zone protection profile? With that said, in an environment can I go without configuring a Zone Protection Profile, but configure only a DoS Protection Profile with the settings Source Zone as Any and Destination Zone as Any?

What I am trying to ask is whether a DoS Protection profile with source and destination zone as ANY is equivalent to a Zone Protection Profile?


Thanks RB

Sorry for the late response. I wouldn't say better, only that it can be more specific. I try to use Zone protection since it's broader in scope.


Regards,

Thanks for the response, I appreciate that. In the course of the discussion, I have a question: how does Palo Alto categorize a SYN flood? Does it just count the number of SYN packets from the same source IP address and decide it is a SYN flood attack? For example, I have a situation. I have 1,000 customers behind a single firewall NATing to one public IP address and hitting my server that is behind a Palo Alto firewall.

In a situation when 1,000 of the users start hitting my server (legitimately), is this traffic considered a SYN flood by Palo Alto?


Thanks in advance

RB

@KumarRamalinga,

Depends on what you're trying to accomplish. Zone profiles are extremely broad and act sort of like an aggregate profile at all times. A DoS profile, on the other hand, limits connections to a particular host; so I could say, for instance, that my webserver should never have more than 50,000 sessions or a connection rate of more than 250/s. In that same policy, however, I could say that no one source address would be able to have more than 15/s for the connection rate or 20 sessions.

Really depends on how far you want to go and what you need to actually protect on your network. Some may want to only have a ZoneProfile because they don't host anything major; others would want to use DoS Policies to limit connections to any one particular service/host. If you have anything publicly accessible past a simple Exchange server, I highly recommend spending the time to set up DoS profiles.
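An added model (not a PAN-OS configuration and not from anyone in this thread) of how the aggregate limits (250 new sessions/s, 50,000 sessions) and the classified per-source limits (15/s, 20 sessions) quoted in the answer above behave, using the quoted documentation's rule that a classified threshold applies per single source IP. The NAT scenario is the one raised earlier in the thread; the IP addresses and traffic patterns are constructed, and the assumption that opened sessions never close is a simplification of this model, not firewall behaviour.

```python
from collections import Counter

# Limits quoted in the thread, wrapped here for the model.
AGGREGATE = {"cps": 250, "sessions": 50_000}   # all sources combined
CLASSIFIED = {"cps": 15, "sessions": 20}       # per single source IP

def evaluate(attempts, aggregate=AGGREGATE, classified=CLASSIFIED):
    """attempts: iterable of (second, source_ip), one per new-session attempt.

    Returns (aggregate_hit, classified_hits):
      aggregate_hit   -- any second above the aggregate CPS, or total open
                         sessions above the aggregate session limit
      classified_hits -- set of source IPs above the per-source CPS or
                         per-source session limit
    Model assumption: sessions stay open, so counts only grow.
    """
    per_sec_total = Counter()
    per_sec_by_ip = Counter()
    open_by_ip = Counter()
    for second, ip in attempts:
        per_sec_total[second] += 1
        per_sec_by_ip[(second, ip)] += 1
        open_by_ip[ip] += 1
    aggregate_hit = (
        any(n > aggregate["cps"] for n in per_sec_total.values())
        or sum(open_by_ip.values()) > aggregate["sessions"]
    )
    classified_hits = {
        ip for (_, ip), n in per_sec_by_ip.items() if n > classified["cps"]
    } | {ip for ip, n in open_by_ip.items() if n > classified["sessions"]}
    return aggregate_hit, classified_hits

def nat_scenario():
    """Constructed: 1,000 users behind one NAT address each open a session in
    the same second, plus 30 unrelated sources opening one session each."""
    nat_ip = "203.0.113.10"
    attempts = [(0, nat_ip)] * 1000
    attempts += [(0, f"198.51.100.{i}") for i in range(1, 31)]
    return evaluate(attempts)

def spread_scenario():
    """Constructed: 100 distinct sources at 10 new sessions/s for one second.
    1,000 in total, but no single source is above the classified rate."""
    attempts = [(0, f"198.51.100.{i}") for i in range(1, 101) for _ in range(10)]
    return evaluate(attempts)

if __name__ == "__main__":
    print("NAT scenario   :", nat_scenario())     # aggregate and the NAT IP
    print("spread scenario:", spread_scenario())  # aggregate only
```

The NAT case trips both policies, but only the classified policy singles out the shared NAT address, which is exactly the situation the earlier question is worried about; the spread case trips the aggregate policy while the classified policy sees nothing, so the two protect against different shapes of traffic.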

Thank you

@BPry Can you show an example policy for setting this up?

"50,000 sessions or a connection rate of more than 250/s. In that same policy however I could say that no one source address would be able to have more than 15/s for the connection rate or 20 sessions."
