For the following scenario, will DoS protection block the destination IP or block the service of the destination IP?

If a DoS protection policy includes a destination IP and services to protect an internet-facing server, for example source any, destination 1.1.1.1, service UDP port 80, then action protection, address destination-ip-only, and a DoS security profile which will only check UDP Flood CPS. When there is a DoS attack on UDP port 80, and DoS protection kicks in and the max rate is exceeded, will only UDP port 80 traffic to 1.1.1.1 be dropped, or will all traffic to destination 1.1.1.1 be dropped by DoS protection? I am hoping the former is true, since the latter basically completes the goal of bringing the target IP 1.1.1.1 offline.

Does DoS protection use the block table only to check future drops, or a combination of the session table and the block table?

https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/zone-protection-and-dos-protection/zone-defense/dos-protection-profiles-and-policy-rules/dos-protection-policy-rules

In addition to protecting service ports in use on critical servers, you can also protect against DoS attacks on the unused service ports of critical servers. For critical systems, you can do this by creating one DoS Protection policy rule and profile to protect ports with services running, and a different DoS Protection policy rule and profile to protect ports with no services running. For example, you can protect a web server's normal service ports, such as 80 and 443, with one policy/profile, and protect all of the other service ports with the other policy/profile. Be aware of the firewall's capacity so that servicing the DoS counters doesn't impact performance.

Thanks,
Shiling
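The question turns on what the flood counter and block table are keyed by. The following is an added toy model, not PAN-OS code and not a statement of how PAN-OS actually classifies or blocks (the docs linked above and the vendor are the authority for that). It assumes a simple per-key new-sessions-per-second counter with a block table that expires after a fixed duration, and compares two hypothetical classification keys: destination IP alone versus destination IP plus protocol and port. The flood traffic and the 1.1.1.1 / 1.1.1.2 addresses are constructed inputs taken from the scenario in the post.

```python
from collections import defaultdict


class CpsLimiter:
    """Toy per-key new-session rate limiter with a block table.

    Constructed model for illustration only; it does not reproduce PAN-OS
    internals. key_fn chooses the classification: destination IP alone,
    or destination IP plus protocol and port.
    """

    def __init__(self, max_rate, key_fn, block_duration=10.0):
        self.max_rate = max_rate            # new sessions per second allowed per key
        self.key_fn = key_fn
        self.block_duration = block_duration
        self.counts = defaultdict(int)      # (key, whole second) -> new sessions seen
        self.block_table = {}               # key -> time at which the block expires

    def admit(self, t, dst_ip, dst_port, proto):
        """Return True if a new session at time t is allowed, False if dropped."""
        key = self.key_fn(dst_ip, dst_port, proto)
        expiry = self.block_table.get(key)
        if expiry is not None:
            if t < expiry:
                return False                # still in the block table: drop
            del self.block_table[key]       # block expired, start counting afresh
        bucket = (key, int(t))
        self.counts[bucket] += 1
        if self.counts[bucket] > self.max_rate:
            # max rate exceeded inside this second: insert the key into the block table
            self.block_table[key] = t + self.block_duration
            return False
        return True


def by_destination_ip(dst_ip, dst_port, proto):
    """Hypothetical 'destination-ip-only' classification: one counter per IP."""
    return (dst_ip,)


def by_destination_service(dst_ip, dst_port, proto):
    """Hypothetical IP + service classification: one counter per IP/proto/port."""
    return (dst_ip, proto, dst_port)


def run_scenario(key_fn, max_rate=100):
    """Flood 1.1.1.1 UDP/80 past max_rate, then probe other flows."""
    lim = CpsLimiter(max_rate, key_fn, block_duration=10.0)
    # constructed flood: 150 new UDP/80 sessions inside the first second
    for i in range(150):
        lim.admit(0.001 * i, "1.1.1.1", 80, "udp")
    return {
        "https_same_ip": lim.admit(0.5, "1.1.1.1", 443, "tcp"),
        "udp80_same_ip": lim.admit(0.6, "1.1.1.1", 80, "udp"),
        "udp80_other_ip": lim.admit(0.7, "1.1.1.2", 80, "udp"),
        "udp80_after_block": lim.admit(11.0, "1.1.1.1", 80, "udp"),
    }


if __name__ == "__main__":
    for name, fn in (("destination-ip-only", by_destination_ip),
                     ("destination IP + service", by_destination_service)):
        print(name, run_scenario(fn))
```

Under the IP-only key the HTTPS probe to the same server is dropped together with the flooded UDP/80 flow, while under the IP-plus-service key only UDP/80 is dropped and HTTPS to 1.1.1.1 still passes; in both cases the second server is unaffected and the blocked key is admitted again once the block duration has elapsed. That is exactly the distinction the post is asking about, and it is why the linked documentation suggests separate rules and profiles for in-use and unused ports: whichever key the firewall really uses, the counters and block entries are then scoped per rule.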