Objects > Security Profiles > DoS Protection
DoS Protection profiles are designed for high-precision targeting and augment Zone Protection profiles. A DoS Protection profile specifies the threshold rates of incoming packets and the action the firewall takes to protect against a DoS attack. The profile is attached to a DoS Protection policy rule, where you establish the matching criteria for packets that are subject to the Deny, Allow, or Protect action. To attach a DoS Protection profile to a DoS Protection policy rule, see Policies > DoS Protection.
If you have a multi-virtual-system environment and have enabled both of the following:
- External zones, to enable inter-virtual-system communication
- Shared gateways, to allow virtual systems to share a common interface and a single IP address for external communications
then the following Zone and DoS protection mechanisms are disabled on the external zone:
- SYN cookies
- IP fragmentation
- ICMPv6
To enable IP fragmentation and ICMPv6 protection, you must create a separate Zone Protection profile for the shared gateway. To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Drop or SYN cookies; on an external zone, only Random Early Drop is available for SYN Flood protection.
The following table describes DoS Protection profile settings.
DoS Protection Profile Setting Description
Name Enter a profile name (up to 31 characters). This name appears in the list of DoS Protection profiles when defining DoS Protection policy rules. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Shared Select this option if you want the profile to be available to:
- Every virtual system (vsys) on a multi-vsys firewall. If you clear this selection, the profile is available only to the Virtual System selected in the Objects tab.
- Every device group on Panorama. If you clear this selection, the profile is available only to the Device Group selected in the Objects tab.
Disable override (Panorama only) Select this option if you want to prevent administrators from creating local copies of the profile in descendant device groups by overriding its inherited values. This selection is cleared by default, which means overriding is enabled.
Description Enter a description of the profile (up to 255 characters).
Type Select one of the profile types:
- Aggregate: Apply the DoS thresholds configured in the profile to all packets that match the rule criteria on which this profile is applied. For example, an aggregate profile with a SYN flood threshold of 10,000 packets per second (pps) counts all packets that hit that particular DoS rule, regardless of source or destination.
- Classified: Apply the DoS thresholds configured in the profile separately to each group of packets that share the classification criterion (source IP, destination IP, or source-and-destination IP). A per-source classified profile with the same 10,000 pps threshold, for example, counts each source address against its own limit.
Flood Protection Tab
SYN Flood tab, UDP Flood tab, ICMP Flood tab, ICMPv6 tab, Other IP tab Select this option to enable the type of flood protection indicated on the tab, and specify the following settings:
- Action (SYN Flood only): The action the firewall performs if the DoS Protection policy action is Protect and the Activate Rate threshold is reached. Choose one of the following:
  - Random Early Drop: Drop packets randomly when the Activate Rate threshold is reached.
  - SYN cookies: Use SYN cookies to generate acknowledgments so that it is not necessary to drop connections during a SYN flood attack.
- Alarm Rate: The threshold rate (pps) at which a DoS alarm is generated (range is 0-2,000,000 pps; default is 10,000 pps).
- Activate Rate: The threshold rate (pps) at which a DoS response is activated (range is 0-2,000,000 pps; default is 10,000 pps). For SYN floods, the response is the one configured in the Action field of the profile (Random Early Drop or SYN cookies). If the Action is Random Early Drop (RED), RED begins when the Activate Rate threshold is reached; as the incoming packet rate increases, the RED drop rate increases according to an algorithm. The firewall continues Random Early Drop until the packet rate reaches the Max Rate threshold, at which point it drops 100% of incoming packets.
- Max Rate: The threshold rate of incoming packets per second that the firewall allows (range is 2-2,000,000 pps; default is 40,000 pps). When the threshold is exceeded, new packets that arrive are dropped.
- Block Duration: The length of time (seconds) during which the offending packets are denied (range is 1-21,600; default is 300). Packets arriving during the block duration do not count toward triggered alerts.
When defining packets-per-second (pps) threshold limits for Zone Protection and DoS Protection profiles, the threshold is based only on packets that do not match a previously established session; packets belonging to existing sessions are not counted.
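The interaction between the three thresholds, the Block Duration, and the Aggregate/Classified counting modes is easier to see in a small model than in the table. The following Python is an added example written for this page, not PAN-OS code: it replays one second of SYN traffic against a profile and reports the verdict per counting key. The page does not document the exact RED curve or what starts the block timer, so the linear RED ramp and the rule "reaching Max Rate starts the Block Duration for that key" are assumptions, marked in the comments. The sample traffic is constructed inline and uses documentation addresses.

```python
"""Model of how a DoS Protection profile's SYN flood thresholds behave.

Added example, not PAN-OS code. Alarm/Activate/Max Rate, Block Duration,
aggregate vs classified counting and the exclusion of packets that match an
existing session follow the page text; assumptions are marked below.
"""
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class FloodSettings:
    action: str = "red"          # "red" (Random Early Drop) or "syn-cookies"
    alarm_rate: int = 10_000     # pps at which an alarm is generated
    activate_rate: int = 10_000  # pps at which the Action starts
    max_rate: int = 40_000       # pps at which 100% of new packets are dropped
    block_duration: int = 300    # seconds the offender stays blocked


@dataclass
class DoSProfile:
    name: str
    kind: str = "aggregate"         # "aggregate" or "classified"
    classify_by: str = "source-ip"  # source-ip, destination-ip or src-dest-ip
    syn: FloodSettings = field(default_factory=FloodSettings)


@dataclass
class State:
    blocked_until: dict = field(default_factory=dict)  # key -> unblock time (s)


def classify_key(profile, pkt):
    """Aggregate profiles share one counter; classified ones count per key."""
    if profile.kind == "aggregate":
        return "*"
    if profile.classify_by == "source-ip":
        return pkt["src"]
    if profile.classify_by == "destination-ip":
        return pkt["dst"]
    return (pkt["src"], pkt["dst"])


def red_drop_probability(rate, s):
    """Assumption: a linear ramp from 0 at Activate Rate to 1 at Max Rate.
    The page only says the RED rate 'increases according to an algorithm'."""
    if rate < s.activate_rate:
        return 0.0
    if rate >= s.max_rate:
        return 1.0
    return (rate - s.activate_rate) / (s.max_rate - s.activate_rate)


def process_second(profile, packets, state, now):
    """Evaluate one second of SYNs hitting the DoS rule. Returns {key: verdict}."""
    s = profile.syn
    # Only packets that do not match an established session are counted.
    counts = Counter(classify_key(profile, p) for p in packets
                     if not p.get("established"))
    verdicts = {}
    for key, n in counts.items():
        until = state.blocked_until.get(key)
        if until is not None and now < until:
            # Assumption: traffic inside the Block Duration is dropped outright
            # and, per the page, does not count toward new alerts.
            verdicts[key] = {"rate": n, "alarm": False, "action": "blocked", "dropped": n}
            continue
        alarm = n >= s.alarm_rate
        if n >= s.max_rate:
            # Assumption: reaching Max Rate starts the Block Duration for this key.
            state.blocked_until[key] = now + s.block_duration
            action, dropped = "max-rate", n
        elif n >= s.activate_rate:
            if s.action == "syn-cookies":
                action, dropped = "syn-cookies", 0  # answered with cookies, nothing dropped
            else:
                action = "red"
                dropped = round(n * red_drop_probability(n, s))
        else:
            action, dropped = "allow", 0
        verdicts[key] = {"rate": n, "alarm": alarm, "action": action, "dropped": dropped}
    return verdicts


def syns(src, n, dst="10.0.0.5", established=False):
    """Constructed sample traffic: n SYNs from src (not captured data)."""
    return [{"src": src, "dst": dst, "established": established} for _ in range(n)]


def demo():
    """Same 16 SYNs, two sources: aggregate trips RED, per-source classified does not."""
    low = FloodSettings(alarm_rate=10, activate_rate=10, max_rate=40, block_duration=300)
    agg = DoSProfile("agg-syn", "aggregate", syn=low)
    cls = DoSProfile("per-src-syn", "classified", "source-ip", syn=low)
    traffic = syns("192.0.2.1", 8) + syns("192.0.2.2", 8)
    return {
        "aggregate": process_second(agg, traffic, State(), now=0),
        "classified": process_second(cls, traffic, State(), now=0),
    }


if __name__ == "__main__":
    for mode, verdict in demo().items():
        print(mode, verdict)
```

The deliberately low thresholds make the effect visible with a handful of packets; in `demo()` the aggregate profile sees 16 pps against an Activate Rate of 10 and starts dropping, while the per-source classified profile sees two keys at 8 pps each and allows both. Stepping `process_second` through successive seconds with a rising count shows allow, then RED, then the Max Rate drop and the block window that follows it.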
Resources Protection Tab
Sessions Select this option to enable Resources Protection.
Max Concurrent Limit Specify the maximum number of concurrent sessions. If the DoS Protection profile type is Aggregate, this limit applies to all traffic hitting the DoS Protection rule on which the profile is applied. If the profile type is Classified, the limit applies separately to each classification key (source IP, destination IP, or source-and-destination IP) hitting that rule.