6.16 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones

Information

Enable the SYN Flood Action of SYN Cookies for all untrusted zones. The Alert, Activate, and Maximum settings for SYN Flood Protection depend highly on the environment and device used. Perform traffic analysis on the specific environment and firewall to determine accurate thresholds. Do not rely on default values to be appropriate for an environment.
Setting these values for all interfaces is an approach that should be considered by many organizations, as traffic floods can result from internal testing or malware as well.
As a rough ballpark for most environments, an Activate value of 50% of the firewalls maximum New sessions per second/CPS is a conservative setting. The following is a list of new sessions per second maximum for each platform:
PA-200 = 1,000 CPS
PA-500 = 7,500 CPS
PA-2000 series = 15,000 CPS
PA-3000 series = 50,000 CPS
PA-5000 series = 120,000 CPS
PA-7050 = 720,000 CPS
Rationale:
Protecting resources and the firewall itself against DoS/DDoS attacks requires a layered approach. Firewalls alone cannot mitigate all DoS attacks, however, many attacks can be successfully mitigated. Utilizing SYN Cookies helps to mitigate SYN flood attacks, where the CPU and/or memory buffers of the victim device become overwhelmed by incomplete TCP sessions. SYN Cookies are preferred over Random Early Drop.

Solution

From GUI:
Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Flood Protection tab.
Check the SYN box Set the Action dropdown to SYN Cookies Set Alert to 20000(or appropriate for org) Set Activate to 25000(50% of maximum for firewall model) Set Maximum to 1000000(or appropriate for org)
Impact:
Not configuring a Network Zone Protection Profile on untrusted interfaces leaves an organization exposed to common attacks and reconnaissance from those untrusted networks. Not configuring a Zone Protection Profile for internal networks leaves an organization vulnerable to malware, software or hardware causes of traffic flooding from internal sources.
Default Value:
Not Configured

See Also

https://workbench.cisecurity.org/files/2104

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-7, CSCv7|12

Plugin: Palo_Alto

Control ID: 15c9739d89f9d9fd9e762b355a6a5b6b9c1dc216e570d47e281e1fe83be0577b