6.16 Ensure that a Zone Protection Profile with an enabled SYN Flood Action of SYN Cookies is attached to all untrusted zones

Information

Enable the SYN Flood Action of SYN Cookies for all untrusted zones. The Alert, Activate, and Maximum settings for SYN Flood Protection depend highly on the environment and device used. Perform traffic analysis on the specific environment and firewall to determine accurate thresholds. Do not rely on default values to be appropriate for an environment.

Setting these values for all interfaces is an approach that should be considered by many organizations, as traffic floods can result from internal testing or malware as well.

As a rough ballpark for most environments, an Activate value of 50% of the firewall's maximum 'New sessions per second' (CPS) is a conservative setting. The following lists the maximum new sessions per second for each platform:

PA-200 = 1,000 CPS

PA-500 = 7,500 CPS

PA-2000 series = 15,000 CPS

PA-3000 series = 50,000 CPS

PA-5000 series = 120,000 CPS

PA-7050 = 720,000 CPS

Rationale:

Protecting resources and the firewall itself against DoS/DDoS attacks requires a layered approach. Firewalls alone cannot mitigate all DoS attacks; however, many attacks can be successfully mitigated. Utilizing SYN Cookies helps to mitigate SYN flood attacks, where the CPU and/or memory buffers of the victim device become overwhelmed by incomplete TCP sessions. SYN Cookies are preferred over Random Early Drop.

Solution

From GUI:
Navigate to Network > Network Profiles > Zone Protection > Zone Protection Profile > Flood Protection tab.
Check the SYN box. Set the Action dropdown to SYN Cookies. Set Alert to 20000 (or a value appropriate for the organization). Set Activate to 25000 (50% of the maximum for the firewall model). Set Maximum to 1000000 (or a value appropriate for the organization).
Navigate to Network > Zones. Open the zone facing any untrusted network; if one does not exist, create it. Set Zone Protection Profile to the Zone Protection Profile created above.
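The GUI steps above configure the profile; the audit side is checking, across every zone, that the profile is actually attached and that its SYN action is SYN Cookies rather than Random Early Drop. The following Python script is an added example, not part of the CIS benchmark or of Palo Alto Networks' tooling. It parses a PAN-OS XML configuration export and reports each untrusted zone that fails the recommendation, and it also flags an Activate rate above 50% of the platform's CPS figure from the table above. The XML layout (profiles under network/profiles/zone-protection-profile with a flood/tcp-syn branch holding either a syn-cookies or a red element; zones under vsys/entry/zone with network/zone-protection-profile naming the attached profile) is assumed from typical PAN-OS config exports, and the embedded configuration and zone names are constructed for the example; verify the paths against a real export from your own device before relying on the check.

```python
"""Audit helper for CIS 6.16: untrusted zones must reference a Zone Protection
Profile with SYN flood protection enabled and the action set to SYN Cookies.

Added example, not benchmark or vendor code. ASSUMED: the PAN-OS XML config
layout used in the XPath expressions below. SAMPLE_CONFIG is constructed.
"""
import xml.etree.ElementTree as ET

# Maximum new sessions per second per platform, taken from the benchmark text.
PLATFORM_CPS = {
    "PA-200": 1_000, "PA-500": 7_500, "PA-2000": 15_000,
    "PA-3000": 50_000, "PA-5000": 120_000, "PA-7050": 720_000,
}

# Constructed sample export: one compliant profile (SYN Cookies), one using
# Random Early Drop, and zones with and without a profile attached.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain">
  <network><profiles><zone-protection-profile>
    <entry name="untrust-zpp"><flood><tcp-syn><enable>yes</enable>
      <syn-cookies><alarm-rate>20000</alarm-rate><activate-rate>25000</activate-rate>
      <maximal-rate>1000000</maximal-rate></syn-cookies></tcp-syn></flood></entry>
    <entry name="red-zpp"><flood><tcp-syn><enable>yes</enable>
      <red><alarm-rate>20000</alarm-rate><activate-rate>25000</activate-rate>
      <maximal-rate>1000000</maximal-rate></red></tcp-syn></flood></entry>
  </zone-protection-profile></profiles></network>
  <vsys><entry name="vsys1"><zone>
    <entry name="untrust"><network><zone-protection-profile>untrust-zpp</zone-protection-profile></network></entry>
    <entry name="dmz"><network><zone-protection-profile>red-zpp</zone-protection-profile></network></entry>
    <entry name="guest-wifi"><network/></entry>
    <entry name="trust"><network/></entry>
  </zone></entry></vsys>
</entry></devices></config>"""


def recommended_activate(platform: str) -> int:
    """Activate threshold the benchmark calls conservative: 50% of platform CPS."""
    return PLATFORM_CPS[platform] // 2


def parse_profiles(root):
    """Map profile name -> {'enabled', 'action', 'activate'} from the tcp-syn branch.
    ASSUMED layout: flood/tcp-syn/enable plus a syn-cookies or red child."""
    profiles = {}
    path = "./devices/entry/network/profiles/zone-protection-profile/entry"
    for entry in root.iterfind(path):
        info = {"enabled": False, "action": None, "activate": None}
        syn = entry.find("flood/tcp-syn")
        if syn is not None:
            info["enabled"] = syn.findtext("enable") == "yes"
            for action in ("syn-cookies", "red"):
                node = syn.find(action)
                if node is not None:
                    info["action"] = action
                    rate = node.findtext("activate-rate")
                    info["activate"] = int(rate) if rate else None
        profiles[entry.get("name")] = info
    return profiles


def zone_profile_map(root):
    """Map zone name -> attached profile name (None when nothing is attached).
    ASSUMED layout: vsys/entry/zone/entry/network/zone-protection-profile."""
    return {
        z.get("name"): z.findtext("network/zone-protection-profile")
        for z in root.iterfind("./devices/entry/vsys/entry/zone/entry")
    }


def check_untrusted_zones(config_xml, untrusted_zones, platform):
    """Return [(zone, finding), ...]; an empty list means every listed zone complies."""
    root = ET.fromstring(config_xml)
    profiles, zones = parse_profiles(root), zone_profile_map(root)
    target = recommended_activate(platform)
    findings = []
    for zone in untrusted_zones:
        if zone not in zones:
            findings.append((zone, "zone not found in config"))
            continue
        name = zones[zone]
        if not name:
            findings.append((zone, "no Zone Protection Profile attached"))
            continue
        prof = profiles.get(name)
        if prof is None:
            findings.append((zone, f"profile '{name}' referenced but not defined"))
        elif not prof["enabled"]:
            findings.append((zone, f"profile '{name}' has SYN flood protection disabled"))
        elif prof["action"] != "syn-cookies":
            findings.append((zone, f"profile '{name}' uses {prof['action']} rather than SYN Cookies"))
        elif prof["activate"] is not None and prof["activate"] > target:
            findings.append((zone, f"profile '{name}' Activate {prof['activate']} exceeds 50% of {platform} CPS ({target})"))
    return findings


if __name__ == "__main__":
    # Which zones count as untrusted is an organisational decision; constructed here.
    for zone, why in check_untrusted_zones(SAMPLE_CONFIG, ["untrust", "dmz", "guest-wifi"], "PA-3000"):
        print(f"FAIL {zone}: {why}")
```

Run against the sample, the untrust zone passes, dmz is reported for using Random Early Drop, and guest-wifi for having no profile attached. The 50% comparison is deliberately a warning on the conservative side of the benchmark's guidance, since the text is explicit that real thresholds come from traffic analysis of the specific environment, not from the table alone.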

Impact:

Not configuring a Zone Protection Profile on untrusted interfaces leaves an organization exposed to common attacks and reconnaissance from those untrusted networks. Not configuring a Zone Protection Profile for internal networks leaves an organization vulnerable to traffic flooding from internal sources, whether caused by malware or by software or hardware faults.

Default Value:

Not Configured

References:

'Understanding DoS Protection' - https://live.paloaltonetworks.com/docs/DOC-5078

'Syn Cookie Operation' - https://live.paloaltonetworks.com/docs/DOC-1542

'How to Determine if Configured DoS Classify TCP SYN Cookie Alarm, Activate and Maximal Rate is Triggered' - https://live.paloaltonetworks.com/docs/DOC-6801

'Threat Prevention Deployment Tech Note' - https://live.paloaltonetworks.com/docs/DOC-3094

'What are the Differences between DoS Protection and Zone Protection?' - https://live.paloaltonetworks.com/docs/DOC-4501

'Application DDoS Mitigation' - https://live.paloaltonetworks.com/docs/DOC-7158

PAN-OS 9.0 Admin Guide - Zone Protection > Flood Protection: https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-web-interface-help/network/network-network-profiles/network-network-profiles-zone-protection/flood-protection.html

See Also

https://workbench.cisecurity.org/files/2692