6.15 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones

Information

Enable the SYN Flood Action of SYN Cookies for all untrusted zones. The Alert, Activate, and Maximum settings for SYN Flood Protection depend highly on the environment and device used. Perform traffic analysis on the specific environment and firewall to determine accurate thresholds. Do not rely on default values to be appropriate for an environment.

Setting these values for all interfaces is an approach that should be considered by many organizations, as traffic floods can result from internal testing or malware as well.

As a rough ballpark for most environments, an Activate value of 50% of the firewall's maximum 'New sessions per second'/CPS is a conservative setting. The following is a list of maximum new sessions per second for each platform:

PA-4xx series = 73,000 CPS
PA-8xx series = 13,100 CPS
PA-14xx series = 140,000 CPS
PA-32xx series = 84,000 CPS
PA-34xx series = 268,000 CPS
PA-52xx series = 500,000 CPS
PA-54xx series = 3,600,000 CPS
PA-70xx series = 6,000,000 CPS

Rationale:

Protecting resources and the firewall itself against DoS/DDoS attacks requires a layered approach. Firewalls alone cannot mitigate all DoS attacks; however, many attacks can be successfully mitigated. Utilizing SYN Cookies helps to mitigate SYN flood attacks, in which the CPU and/or memory buffers of the victim device become overwhelmed by incomplete TCP sessions. SYN Cookies are preferred over Random Early Drop.

Impact:

Not configuring a Network Zone Protection Profile on untrusted interfaces leaves an organization exposed to common attacks and reconnaissance from those untrusted networks. Not configuring a Zone Protection Profile for internal networks leaves an organization vulnerable to traffic flooding from internal sources, whether caused by malware, software, or hardware.

Solution

From GUI:
Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Flood Protection tab.
Check the SYN box. Set the Action dropdown to SYN Cookies. Set Alert to 20000 (or appropriate for org). Set Activate to 25000 (50% of maximum for firewall model). Set Maximum to 1000000 (or appropriate for org).
Navigate to Network > Zones. Open the zone facing any untrusted network; if one does not exist, create it. Set Zone Protection to the Zone Protection Profile created.
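As an added example (not part of this benchmark item and not Palo Alto Networks' own tooling), the following Python script audits an exported PAN-OS XML configuration for this control: every zone must reference a Zone Protection Profile whose SYN flood protection is enabled with the SYN Cookies action, and it derives the 50% Activate threshold from the platform CPS table above. The element layout (`network/profiles/zone-protection-profile/entry/flood/tcp-syn/syn-cookies`, `vsys/entry/zone/entry/network/zone-protection-profile`) is an assumption based on typical exports, and the embedded configuration is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Maximum new sessions per second per platform, from the benchmark text above.
PLATFORM_CPS = {
    "PA-4xx": 73_000, "PA-8xx": 13_100, "PA-14xx": 140_000, "PA-32xx": 84_000,
    "PA-34xx": 268_000, "PA-52xx": 500_000, "PA-54xx": 3_600_000, "PA-70xx": 6_000_000,
}

def recommended_activate(platform, fraction=0.5):
    """Conservative Activate threshold: 50% of the platform's maximum CPS."""
    return int(PLATFORM_CPS[platform] * fraction)

# Constructed sample of the relevant parts of a PAN-OS XML config export.
# Element layout is an assumption, not taken from the benchmark text.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <network><profiles><zone-protection-profile>
    <entry name="untrust-zpp"><flood><tcp-syn><enable>yes</enable>
      <syn-cookies><alert>20000</alert><activate>25000</activate><maximal>1000000</maximal></syn-cookies>
    </tcp-syn></flood></entry>
    <entry name="red-zpp"><flood><tcp-syn><enable>yes</enable>
      <red><alert>20000</alert><activate>25000</activate><maximal>1000000</maximal></red>
    </tcp-syn></flood></entry>
  </zone-protection-profile></profiles></network>
  <vsys><entry name="vsys1"><zone>
    <entry name="untrust"><network><zone-protection-profile>untrust-zpp</zone-protection-profile></network></entry>
    <entry name="dmz"><network><zone-protection-profile>red-zpp</zone-protection-profile></network></entry>
    <entry name="guest"><network/></entry>
  </zone></entry></vsys>
</entry></devices></config>"""

def audit_syn_cookies(config_xml):
    """Return {zone_name: finding} for every zone that fails the control."""
    root = ET.fromstring(config_xml)
    # Profile passes only if SYN flood protection is enabled AND the action is SYN Cookies.
    profiles = {}
    for entry in root.findall(".//network/profiles/zone-protection-profile/entry"):
        syn = entry.find("flood/tcp-syn")
        profiles[entry.get("name")] = (syn is not None
                                       and syn.findtext("enable") == "yes"
                                       and syn.find("syn-cookies") is not None)
    findings = {}
    for zone in root.findall(".//vsys/entry/zone/entry"):
        name = zone.get("name")
        prof = zone.findtext("network/zone-protection-profile")
        if prof is None:
            findings[name] = "no Zone Protection Profile attached"
        elif prof not in profiles:
            findings[name] = f"referenced profile {prof!r} is not defined"
        elif not profiles[prof]:
            findings[name] = f"profile {prof!r} does not use SYN Cookies (or SYN is disabled)"
    return findings
```

Run `audit_syn_cookies` against a real export to list non-compliant zones; an empty result means every zone, not only untrusted ones, satisfies the control.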

Default Value:

Not Configured

See Also

https://workbench.cisecurity.org/benchmarks/13792

Item Details

Category: ACCESS CONTROL, AUDIT AND ACCOUNTABILITY

References: 800-53|AC-2, 800-53|AC-3, 800-53|AC-6, 800-53|AC-6(1), 800-53|AC-6(7), 800-53|AU-9(4), CSCv7|13.3

Plugin: Palo_Alto

Control ID: df93452b86c53cf0d1c16752d04b81119743cbad4cbdf66212cc4e5983053293