PANW-IP-000041 - The Palo Alto Networks security platform must protect against or limit the effects of known and unknown types of denial-of-service (DoS) attacks by employing rate-based attack prevention behavior analysis (traffic thresholds) - DoS Protection Policy

Information

If the network does not provide safeguards against DoS attack, network resources will be unavailable to users.

Installation of IDPS detection and prevention components (i.e., sensors) at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type.

Detection components that use rate-based behavior analysis can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks which are new attacks for which vendors have not yet developed signatures. Rate-based behavior analysis can detect sophisticated, Distributed DoS (DDoS) attacks by correlating traffic information from multiple network segments or components.

This requirement applies to the communications traffic functionality of the IDPS as it pertains to handling communications traffic, rather than to the IDPS device itself.

Solution

Go to Objects >> Security Profiles >> DoS Protection.
Select 'Add' to create a new profile.
In the 'DoS Protection Profile' window, complete the required fields.
For the 'Type', select 'Classified'.
In the 'Flood Protection' tab, 'Syn Flood' tab, select the 'Syn Flood' check box and select 'SYN Cookie'.
In the 'Flood Protection' tab, 'UDP Flood' tab, select the 'UDP Flood' check box; complete the 'Alarm Rate', 'Activate Rate', 'Max Rate', and 'Block Duration' fields.
In the 'Flood Protection' tab, 'ICMP Flood' tab, select the 'ICMP Flood' check box; complete the 'Alarm Rate', 'Activate Rate', 'Max Rate', and 'Block Duration' fields.
In the 'Flood Protection' tab, 'ICMPv6 Flood' tab, select the 'ICMPv6 Flood' check box; complete the 'Alarm Rate', 'Activate Rate', 'Max Rate', and 'Block Duration' fields.
In the 'Flood Protection' tab, 'Other IP Flood' tab, select the 'Other IP Flood' check box; complete the 'Alarm Rate', 'Activate Rate', 'Max Rate', and 'Block Duration' fields.
In the 'Resources Protection' tab, select the 'Maximum Concurrent Sessions' check box.
In the 'Resources Protection' tab, complete the 'Max Concurrent Sessions' field. If the DoS profile type is aggregate, this limit applies to the entire traffic hitting the DoS rule on which the DoS profile is applied. If the DoS profile type is classified, this limit applies to the entire traffic on a classified basis (source IP, destination IP or source-and-destination IP) hitting the DoS rule on which the DoS profile is applied.
Select 'OK'.

Go to Policies >> DoS Protection.
Select 'Add' to create a new policy.
In the 'DoS Rule' Window, complete the required fields.
In the 'General' tab, complete the 'Name' and 'Description' fields.
In the 'Source' tab, for 'Zone', select the 'External zone, for Source Address', select 'Any'.
In the 'Destination' tab, 'Zone', select 'Internal zone, for Destination Address', select 'Any'.
In the 'Option/Protection' tab,
For 'Service', select 'Any'.
For 'Action', select 'Protect'.
Select the 'Classified' check box.
In the 'Profile' field, select the configured DoS Protection profile for inbound traffic.
In the 'Address' field, select 'destination-ip-only'.
Commit changes by selecting 'Commit' in the upper-right corner of the screen. Select 'OK' when the confirmation dialog appears.

See Also

https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_PAN_Y24M07_STIG.zip

Item Details

Category: SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|SC-5, CAT|II, CCI|CCI-002385, CCI|CCI-004866, Rule-ID|SV-207703r997613_rule, STIG-ID|PANW-IP-000041, STIG-Legacy|SV-77167, STIG-Legacy|V-62677, Vuln-ID|V-207703

Plugin: Palo_Alto

Control ID: 5d236e86c9834278f86c88b30ac91cf6c58ce8dceb2572dc94ed6d9c1e31410c