Information
Enable SYN Flood Protection with the SYN Cookies action for all untrusted zones. The Alert, Activate, and Maximum settings for SYN Flood Protection depend heavily on the environment and the device used. Perform traffic analysis on the specific environment and firewall to determine accurate thresholds; do not assume the default values are appropriate for an environment.
Setting these values for all interfaces is an approach that many organizations should consider, as traffic floods can also result from internal testing or malware.
As a rough ballpark for most environments, an Activate value of 50% of the firewall's maximum 'New sessions per second' (CPS) is a conservative setting. The following is a list of maximum new sessions per second for each platform:
PA-4xx series = 73,000 CPS
PA-8xx series = 13,100 CPS
PA-14xx series = 140,000 CPS
PA-32xx series = 84,000 CPS
PA-34xx series = 268,000 CPS
PA-52xx series = 500,000 CPS
PA-54xx series = 3,600,000 CPS
PA-70xx series = 6,000,000 CPS
Rationale:
Protecting resources and the firewall itself against DoS/DDoS attacks requires a layered approach. Firewalls alone cannot mitigate all DoS attacks; however, many attacks can be successfully mitigated. Utilizing SYN Cookies helps to mitigate SYN flood attacks, in which the CPU and/or memory buffers of the victim device become overwhelmed by incomplete TCP sessions. SYN Cookies are preferred over Random Early Drop, because SYN Cookies validate the handshake without holding state for half-open connections, whereas Random Early Drop discards legitimate connection attempts along with flood traffic once the threshold is reached.
Impact:
Not configuring a Network Zone Protection Profile on untrusted interfaces leaves an organization exposed to common attacks and reconnaissance from those untrusted networks. Not configuring a Zone Protection Profile for internal networks leaves an organization vulnerable to traffic floods originating from internal sources, whether caused by malware or by faulty software or hardware.
Solution
From GUI:
Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Flood Protection tab.
Check the SYN box. Set the Action dropdown to SYN Cookies. Set Alert to 20000 (or a value appropriate for the organization). Set Activate to 25000 (50% of the maximum for the firewall model). Set Maximum to 1000000 (or a value appropriate for the organization).
Navigate to Network > Zones. Open the zone facing any untrusted network; if one does not exist, create it. Set Zone Protection to the Zone Protection Profile created above.
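The following Python script is an added audit example, not part of this recommendation or of Palo Alto Networks' tooling. It parses a PAN-OS XML configuration export and reports each zone that has no Zone Protection Profile, whose profile does not use the SYN Cookies action, or whose Activate threshold exceeds 50% of the platform CPS listed above. The XML element names and paths are assumed from the PAN-OS configuration layout and the sample export is constructed; verify them against an actual export before use.

```python
import xml.etree.ElementTree as ET
# Maximum new sessions per second per platform, as listed in the recommendation.
PLATFORM_CPS = {"PA-4xx": 73_000, "PA-8xx": 13_100, "PA-14xx": 140_000, "PA-32xx": 84_000,
                "PA-34xx": 268_000, "PA-52xx": 500_000, "PA-54xx": 3_600_000, "PA-70xx": 6_000_000}

# Constructed sample export (element paths assumed, not copied from a real device): one
# compliant profile (SYN Cookies), one using Random Early Drop, one zone with no profile.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
<network><profiles><zone-protection-profile>
  <entry name="untrust-zpp"><flood><tcp-syn><enable>yes</enable>
    <syn-cookies><alert-rate>20000</alert-rate><activate-rate>25000</activate-rate>
    <maximal-rate>1000000</maximal-rate></syn-cookies></tcp-syn></flood></entry>
  <entry name="red-zpp"><flood><tcp-syn><enable>yes</enable>
    <red><alert-rate>10000</alert-rate><activate-rate>15000</activate-rate>
    <maximal-rate>100000</maximal-rate></red></tcp-syn></flood></entry>
</zone-protection-profile></profiles></network>
<vsys><entry name="vsys1"><zone>
  <entry name="untrust"><network><zone-protection-profile>untrust-zpp</zone-protection-profile></network></entry>
  <entry name="dmz"><network><zone-protection-profile>red-zpp</zone-protection-profile></network></entry>
  <entry name="guest"><network/></entry>
</zone></entry></vsys></entry></devices></config>"""

def audit_syn_flood(config_xml, max_cps):
    """Return {zone: finding} for zones that miss the recommendation; empty dict means pass."""
    root = ET.fromstring(config_xml)
    # Profile name -> its <tcp-syn> element (None when the profile has no SYN flood settings).
    profiles = {e.get("name"): e.find("flood/tcp-syn")
                for e in root.iterfind(".//network/profiles/zone-protection-profile/entry")}
    findings = {}
    for zone in root.iterfind(".//vsys/entry/zone/entry"):
        name = zone.get("name")
        ref = zone.findtext("network/zone-protection-profile")
        if not ref:
            findings[name] = "no Zone Protection Profile attached"
            continue
        syn = profiles.get(ref)  # None for an unknown profile or one without tcp-syn
        if syn is None or syn.findtext("enable") != "yes":
            findings[name] = f"profile {ref!r} does not enable SYN flood protection"
            continue
        cookies = syn.find("syn-cookies")
        if cookies is None:
            findings[name] = f"profile {ref!r} SYN action is not SYN Cookies"
            continue
        activate = int(cookies.findtext("activate-rate", "0"))
        if activate > max_cps // 2:  # benchmark ballpark: Activate at 50% of platform CPS
            findings[name] = f"Activate {activate} exceeds 50% of platform CPS {max_cps}"
    return findings
```

Running the audit against the same export with different platform CPS values shows why the thresholds must be chosen per model: a 25000 Activate value passes on a PA-4xx but is flagged on a PA-8xx.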
Default Value:
Not Configured