From Palo Alto Networks IDPS Security Technical Implementation Guide
Part of SRG-NET-000362-IDPS-00196
Associated with: CCI-002385
If the network does not provide safeguards against DoS attack, network resources will be unavailable to users.
Go to Objects >> Security Profiles >> DoS Protection If there are no DoS Protection Profiles configured, this is a finding. Go to Policies >> DoS Protection If there are no DoS Protection Policies, this is a finding. There may be more than one configured DoS Protection Policy; ask the Administrator which DoS Protection Policy is intended to protect internal networks and DMZ networks from externally-originated DoS attacks. If there is no such DoS Protection Policy, this is a finding. If the DoS Protection Policy has no DoS Protection Profile, this is a finding.
Go to Objects >> Security Profiles >> DoS Protection Select "Add" to create a new profile. In the "DoS Protection Profile" window, complete the required fields. For the "Type", select "Classified". In the "Flood Protection" tab, "Syn Flood" tab, select the "Syn Flood" check box and select "SYN Cookie". In the "Flood Protection" tab, "UDP Flood" tab, select the "UDP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "ICMP Flood" tab, select the "ICMP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "ICMPv6 Flood" tab, select the "ICMPv6 Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Flood Protection" tab, "Other IP Flood" tab, select the "Other IP Flood" check box; complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. In the "Resources Protection" tab, select the "Maximum Concurrent Sessions" check box. In the "Resources Protection" tab, complete the "Max Concurrent Sessions" field. If the DoS profile type is aggregate, this limit applies to the entire traffic hitting the DoS rule on which the DoS profile is applied. If the DoS profile type is classified, this limit applies to the entire traffic on a classified basis (source IP, destination IP or source-and-destination IP) hitting the DoS rule on which the DoS profile is applied. Select "OK". Go to Policies >> DoS Protection Select "Add" to create a new policy. In the "DoS Rule" Window, complete the required fields. In the "General" tab, complete the "Name" and "Description" fields. In the "Source" tab, for "Zone", select the "Internal zone, for Source Address", select "Any". In the "Destination" tab, "Zone", select "External zone, for Destination Address", select "Any". In the "Option/Protection" tab, For "Service", select "Any". For "Action", select "Protect". Select the "Classified" check box. In the "Profile" field, select the configured DoS Protection profile for inbound traffic. In the "Address" field, select "destination-ip-only". Commit changes by selecting "Commit" in the upper-right corner of the screen. Select "OK" when the confirmation dialog appears.
Lavender hyperlinks in small type off to the right (of CSS
class id, if you view the page source) point to
globally unique URIs for each document and item. Copy the
link location and paste anywhere you need to talk
unambiguously about these things.
You can obtain data about documents and items in other
formats. Simply provide an HTTP header Accept:
text/turtle or
Accept: application/rdf+xml.
Powered by sagemincer