
Zone protection - alert only

L4 Transporter

I have been investigating zone protection and DoS protection for a while now and I think I would have already implemented it if you could configure all the settings to alert when you begin testing.

7 REPLIES 7

Cyber Elite

Hi @jdprovine

you can!

if you look at zone protection there are always 3 values: alert, activate and maximum

the alert setting is what does what you would like

the maximum is the murder switch, so you'll want to stay away from that until you are comfortable, and the activate is an interesting toggle, depending on your choice of action (RED or cookies)

 

the maximum will effectively cut off new sessions

RED (random early drop) is a legacy method of randomly discarding incoming SYN packets in an attempt to stifle/slow down connection rates and save resources

SYN cookies are a cool method where each SYN request is answered with a cookie, which is a sort of mathematical little puzzle the client needs to answer. the session is not allocated in the session table until the client replies with the correct answer to the cookie

so, random early drop needs to be set at a rate as close to your maximum as possible, SYN cookies can be activated at 0 as this is a friendly deterrent that should not interfere with your normal sessions and will only trip bad guys

that said:

if you set maximum and activate to the maximum value (2,000,000) they will never get triggered, you can then use your alert rate to 'gauge' where your threshold lies (use it instead of where your 80% watermark would be for max, for example).

you should set the alert rate to where you think it needs to be and then monitor it for a while. if it gets tripped a lot, increase; if it doesn't get tripped, decrease. once you have your 'sweet spot' you can decide to move on and set your activate and max (you'll probably want to leave your alert at that level, so you know something is up if it gets tripped), then add max at about 10-25% more connections/sec and your activate depending on your choice of RED or cookies (RED at the same rate as alert, cookies at 0 preferably, or 60-70% of alert if you don't like cookies)

I hope this makes sense 🙂

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

@reaper

good info as always reaper. But if I do set the maximum and activate rates to 2,000,000, where do I look to see the "alert" rates since they will not be listed as an alert?

@reaper

There is one location in zone protection that does not have an alert setting, and that is what caused my VPN to break. I am including a pic of those settings: noalert.PNG

@reaper

Another section of zone protection with no alert setting: noalert.PNG

@reaper

I need to retract that last one it does have an alert setting 😞 my bad LOL

@jdprovine,

The alerts will be included within your 'Threat' logs on the firewall, specifically (subtype eq flood). These will be seen with the action as 'allow' and the severity as 'critical' if it's hitting the 'alert' value. 

As far as the IP Option Drop settings there wouldn't really be an 'alert' option for this, it's either something you want to allow or not. You can find more detailed information about what all the options are actually looking for HERE
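The tuning loop reaper describes (alert at a guessed rate, maximum and activate parked at 2,000,000, raise or lower alert depending on how often it trips, then derive max and activate) combined with the log filter BPry gives (subtype flood, action allow, severity critical), as an added example that is not from the thread or from Palo Alto Networks. The log column layout and the sample rows are constructed for this example, not the real PAN-OS threat-log CSV format; the "too many trips per day" cutoff and the 10% adjustment step are assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample records. The column layout is an assumption for this
# example only; real PAN-OS threat logs have a different CSV layout.
SAMPLE_LOG = """receive_time,zone,subtype,action,severity
2024/01/01 09:00:01,untrust,flood,allow,critical
2024/01/01 09:05:10,untrust,flood,allow,critical
2024/01/01 10:12:33,untrust,flood,allow,critical
2024/01/01 11:40:00,untrust,vulnerability,alert,high
2024/01/02 03:20:15,untrust,flood,allow,critical
2024/01/02 14:00:00,dmz,flood,allow,critical
"""

def flood_alerts(log_text):
    """Keep only what BPry describes: subtype flood with action allow and
    severity critical, i.e. the alert rate tripped (not activate/maximum)."""
    rows = csv.DictReader(io.StringIO(log_text))
    return [r for r in rows
            if r["subtype"] == "flood" and r["action"] == "allow"
            and r["severity"] == "critical"]

def trips_per_day(records, zone):
    """Count alert trips per day for one zone, to judge 'a lot' vs 'never'."""
    counts = Counter()
    for r in records:
        if r["zone"] == zone:
            counts[r["receive_time"].split(" ")[0]] += 1
    return counts

def tune_alert(current_alert, daily_trips, too_many=3, step=0.10):
    """Reaper's rule: tripped a lot -> raise alert; never tripped -> lower it;
    otherwise the current value is the 'sweet spot'. Cutoff/step are assumed."""
    if not daily_trips:
        return int(current_alert * (1 - step))
    if max(daily_trips.values()) >= too_many:
        return int(current_alert * (1 + step))
    return current_alert

def final_profile(alert, protection="cookies", like_cookies=True):
    """Once alert is settled: maximum 10-25% above alert (25% used here);
    activate = alert for RED, 0 for SYN cookies, or 70% of alert if you
    would rather not use cookies."""
    profile = {"alert": alert, "maximum": int(alert * 1.25)}
    if protection == "red":
        profile["activate"] = alert
    else:
        profile["activate"] = 0 if like_cookies else int(alert * 0.7)
    return profile
```

Run it over a real export by swapping SAMPLE_LOG for the file contents once the column names match your export.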

@BPry

I guess I do have the option to turn the IP option drop settings. My goal is to utilize as many features of the PA as I can to get the most bang for my buck, so to speak LOL
