05-01-2023 09:08 AM - edited 05-01-2023 09:11 AM
Hi everyone,
I was looking for PA best practices for VM series' zone protection but only found documents that talked about physical PA.
1. Are physical and VM series zone protection the same? could you point me where the docs for these are?
2. Under zone protection profile, flood protection, and SYN, there are 2 options 'Random Early Drop' and Syn Cookies'. I chose to configure 'Random early drop' only (attachment), will 'Syn Cookies' still be in use if I don't touch it? or the SYN only works with 1 action which is either 'Random Early Drop' or 'Sync Cookies' if selected but not both?
Thanks
05-01-2023 09:35 AM
Either Palo will start dropping random incoming new sessions if treshold is met or will start sending back specially crafted SYN-ACK packets (SYN Cookies).
Choosing random early drop will not send back cookie.
No difference in setting up VM or physical zone protection.
You need to identify tresholds based on requirements and real needs.
Can your web server handle 40k new sessions per second that your current settings allow?
05-01-2023 09:53 AM
Is it recommended to choose 'Random Early Drop' over 'Syn Cookies'?
Is the web server behind the firewall that you mentioned above? if yes, yes it can.
Thanks.
05-01-2023 10:00 AM - edited 05-01-2023 10:01 AM
If you are under SYN flood attack then random early drop is less resource intensive but can also drop benign traffic.
SYN cookies put some load on the firewall but does not affect traffic from real users.
I would choose SYN cookie setup.
05-01-2023 11:03 AM
Last question, Does Syn Cookies drop packet when seeing Syn flood attacks? if not what does it do exactly in terms of protecting the fw when seeing syn flood attacks?
05-01-2023 11:08 AM - edited 05-01-2023 11:09 AM
When SYN cookies are enabled and activated then:
SYN comes into firewall.
Firewall don't pass this SYN to web server but sends back SYN-ACK itself.
After client sends final ACK firewall initiates session to web server and allows client and web server to communicate.
As SYN-ACK is returned with sequence number from range that Palo is aware then even firewall don't need to create any session inside firewall session table before last packet from 3way handshake (ACK) arrives from client.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
