Information
Enable the SYN Flood Action of SYN Cookies for all untrusted zones. The Alert, Activate, and Maximum settings for SYN Flood Protection depend highly on the environment and the device used. Perform traffic analysis on the specific environment and firewall to determine accurate thresholds. Do not assume the default values are appropriate for an environment.
As a rough ballpark for most environments, an Activate value of 50% of the firewall's maximum 'New sessions per second' (CPS) is a conservative setting. The following list gives the maximum new sessions per second for each platform:
PA-200 = 1,000 CPS
PA-500 = 7,500 CPS
PA-2000 series = 15,000 CPS
PA-3000 series = 50,000 CPS
PA-5000 series = 120,000 CPS
PA-7050 = 720,000 CPS
Rationale:
Protecting resources and the firewall itself against DoS/DDoS attacks requires a layered approach. Firewalls alone cannot mitigate all DoS attacks; however, many attacks can be successfully mitigated. Utilizing SYN Cookies helps to mitigate SYN flood attacks, in which the CPU and/or memory buffers of the victim device become overwhelmed by incomplete TCP sessions. SYN Cookies are preferred over Random Early Drop.
Solution
From GUI:
Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Flood Protection tab.
Check the SYN box.
Set the Action dropdown to SYN Cookies.
Set Alert to 20000 (or a value appropriate for the organization).
Set Activate to 25000 (50% of the maximum for the firewall model).
Set Maximum to 1000000 (or a value appropriate for the organization).
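As an added audit check (not part of this benchmark and not Palo Alto tooling), the following Python script reviews exported zone protection profiles against the points above: SYN flood protection enabled, action set to SYN Cookies rather than Random Early Drop, and Activate at or below 50% of the platform's CPS maximum. The XML element names are assumed from the GUI field names, and the sample profiles are constructed.

```python
import xml.etree.ElementTree as ET

# Maximum new sessions per second (CPS) per platform, from the list above.
MAX_CPS = {
    "PA-200": 1_000, "PA-500": 7_500, "PA-2000 series": 15_000,
    "PA-3000 series": 50_000, "PA-5000 series": 120_000, "PA-7050": 720_000,
}

# Constructed sample of exported zone protection profiles. The element layout
# (flood/tcp-syn with enable and a syn-cookies or red action node holding
# alert-rate, activate-rate and maximal-rate) is an assumption; confirm it
# against your own firewall's exported configuration before relying on it.
SAMPLE_PROFILES = """<zone-protection-profile>
  <entry name="untrust-zpp"><flood><tcp-syn><enable>yes</enable>
    <syn-cookies><alert-rate>20000</alert-rate><activate-rate>25000</activate-rate>
    <maximal-rate>1000000</maximal-rate></syn-cookies></tcp-syn></flood></entry>
  <entry name="legacy-red"><flood><tcp-syn><enable>yes</enable>
    <red><alert-rate>10000</alert-rate><activate-rate>10000</activate-rate>
    <maximal-rate>40000</maximal-rate></red></tcp-syn></flood></entry>
  <entry name="no-syn"><flood><tcp-syn><enable>no</enable></tcp-syn></flood></entry>
</zone-protection-profile>"""


def audit_syn_flood(profiles_xml, model):
    """Map each profile name to a list of findings (empty list = passes).

    Checks the three points the benchmark makes: SYN flood protection is
    enabled, the action is SYN Cookies rather than Random Early Drop, and
    the Activate threshold does not exceed 50% of the platform's CPS maximum.
    """
    ceiling = MAX_CPS[model] // 2
    results = {}
    for entry in ET.fromstring(profiles_xml).findall("entry"):
        findings = []
        syn = entry.find("flood/tcp-syn")
        if syn is None or syn.findtext("enable", "no") != "yes":
            findings.append("SYN flood protection is not enabled")
        elif syn.find("syn-cookies") is None:
            findings.append("action is not SYN Cookies (Random Early Drop or no action set)")
        else:
            activate = int(syn.findtext("syn-cookies/activate-rate", "0"))
            if activate > ceiling:
                findings.append(
                    f"Activate {activate} exceeds 50% of {model} CPS ({ceiling})")
        results[entry.get("name")] = findings
    return results


if __name__ == "__main__":
    for name, findings in audit_syn_flood(SAMPLE_PROFILES, "PA-3000 series").items():
        print(name, "PASS" if not findings else "; ".join(findings))
```

Run the same profiles with a smaller model (for example "PA-2000 series") to see the Activate threshold flagged against that platform's lower CPS ceiling.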
Default Value:
Not Configured