04-12-2019 04:51 AM
We are currently using the default "allow" on port scan (including openvas) and udp flood, since that is the default. Is there any reason not to block those threats?
04-12-2019 09:58 AM
Are you referring to DoS/Zone protection? If so, I would make sure you've considered what your thresholds (alert, activate, maximum) are set to, as these trigger based on the amount of traffic per protocol. For zone protection, this would be for the ingress zone, and for DoS protection it would apply to whatever matches your DoS policy.
Generally I like to set a relatively low alert threshold and relatively high activate/maximum thresholds, and then scale up the alert until your normal network traffic is no longer triggering an alert.
Keep in mind that whether you're using RED (random early drop) or SYN cookies, the percentage of traffic that is "actioned" scales linearly between activate and maximum. So if my activate is 10,000 and my maximum is 20,000, each increase in 100 connections per second (1% of the difference between 20,000 and 10,000) is going to cause the firewall to action 1% more traffic.
The document below is a personal favorite and goes pretty far into depth on our coverage as a whole. The section you'd be interested in for floods is near the beginning of the document.
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClOGCA0
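A small model of the threshold mechanics the reply describes, added here as an illustration (it is not Palo Alto's code, nor taken from the linked article). It assumes thresholds are in connections per second, models the activate-to-maximum scaling as linear exactly as the reply states, and feeds in a constructed series of one-second SYN-rate samples rather than a real capture.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class FloodThresholds:
    """Per-protocol flood thresholds in connections per second (cps), as in a
    zone protection or DoS protection profile (assumed units)."""
    alert: int
    activate: int
    maximum: int

    def __post_init__(self):
        if not 0 < self.alert <= self.activate <= self.maximum:
            raise ValueError("need 0 < alert <= activate <= maximum")

def action_fraction(cps: int, t: FloodThresholds) -> float:
    """Fraction of new connections actioned (RED-dropped / SYN-cookied).
    Nothing below activate, everything at or above maximum, and linear in
    between, which is the scaling the reply describes."""
    if cps < t.activate:
        return 0.0
    if cps >= t.maximum:
        return 1.0
    return (cps - t.activate) / (t.maximum - t.activate)

def classify(cps: int, t: FloodThresholds) -> str:
    """Which threshold band a one-second sample falls into."""
    if cps >= t.maximum:
        return "maximum"
    if cps >= t.activate:
        return "activate"
    if cps >= t.alert:
        return "alert"
    return "normal"

def suggest_alert(baseline_cps: list[int], headroom: float = 1.25) -> int:
    """Tuning step from the reply: raise alert until normal traffic stops
    triggering it. Here: peak of a baseline capture times a headroom factor."""
    return int(max(baseline_cps) * headroom)

# Constructed one-second SYN-rate samples (not a real capture): a quiet baseline
# followed by a burst that crosses activate and reaches maximum.
BASELINE = [800, 950, 1200, 1100, 900]
BURST = [1300, 6000, 10100, 15000, 20000]
def summarize(samples, t):
    return [(cps, classify(cps, t), round(action_fraction(cps, t), 3)) for cps in samples]

if __name__ == "__main__":
    t = FloodThresholds(alert=suggest_alert(BASELINE), activate=10_000, maximum=20_000)
    for row in summarize(BASELINE + BURST, t):
        print(row)
```

With the reply's 10,000/20,000 figures, a sample of 10,100 cps yields an action fraction of 0.01, i.e. 1% more traffic actioned per extra 100 cps.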