The Palo Alto Networks security platform must protect against denial-of-service (DoS) attacks from external sources.

Severity	Group ID	Group Title	Version	Rule ID	Date	STIG Version
high	V-228860	SRG-NET-000362-ALG-000112	PANW-AG-000102	SV-228860r1084264_rule	2025-03-12	3

Description
If the network does not provide safeguards against DoS attacks, network resources may be unavailable to users. Installation of content filtering gateways and application-layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type. Detection components that use rate-based behavior analysis can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks that are new attacks for which vendors have not yet developed signatures. Rate-based behavior analysis can detect sophisticated, Distributed DoS (DDoS) attacks by correlating traffic information from multiple network segments or components. PAN-OS can use either Zone-Based Protection or End Host Protection to mitigate DoS attacks. Zone-Based Protection protects against most common floods, reconnaissance attacks, and other packet-based attacks and is applied to any zone. End Host Protection is specific to defined end hosts. Zone Protections are always applied on the ingress interface, so to protect against floods or scans from the internet, apply the profile on the zone containing the untrusted internet interface. Security administrators wishing to harden their networks even further can apply Zone Protections to both internal and external interfaces to ensure that protective measures are being applied across the entire environment. It is important to set the Flood Protection parameters that are suitable for the enclave or system. The administrator should perform a traffic baseline to tune these parameters. Refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVkCAK.

Description

If the network does not provide safeguards against DoS attacks, network resources may be unavailable to users. Installation of content filtering gateways and application-layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type. Detection components that use rate-based behavior analysis can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks that are new attacks for which vendors have not yet developed signatures. Rate-based behavior analysis can detect sophisticated, Distributed DoS (DDoS) attacks by correlating traffic information from multiple network segments or components. PAN-OS can use either Zone-Based Protection or End Host Protection to mitigate DoS attacks. Zone-Based Protection protects against most common floods, reconnaissance attacks, and other packet-based attacks and is applied to any zone. End Host Protection is specific to defined end hosts. Zone Protections are always applied on the ingress interface, so to protect against floods or scans from the internet, apply the profile on the zone containing the untrusted internet interface. Security administrators wishing to harden their networks even further can apply Zone Protections to both internal and external interfaces to ensure that protective measures are being applied across the entire environment. It is important to set the Flood Protection parameters that are suitable for the enclave or system. The administrator should perform a traffic baseline to tune these parameters. Refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVkCAK.

ℹ️ Check
View the site's Security Protection Plan (SSP). Verify if Zone-based protection, DoS protection, or both are required by the SSP. There may be more than one configured inbound policy. If the SSP requires one or more Zone protection policies: 1. Navigate to Network >> Network Profiles >> Zone Protection. 2. Navigate to Network >> Zones and view the "Zone Protection Profile", which should not be blank. 3. If a Zone Protection Profile is not configured, has a blank "Zone Protection Profile" column, or is incorrectly identified, this is a finding. If the SSP requires one or more DoS protection policies: 1. Navigate to Objects >> Security Profiles >> DoS Protection. 2. Navigate to Policies >> DoS Protection. If neither a Zone Protection Profile nor a DoS Protection policy is configured to protect each ingress interface, this is a finding.

ℹ️ Check

View the site's Security Protection Plan (SSP). Verify if Zone-based protection, DoS protection, or both are required by the SSP. There may be more than one configured inbound policy. If the SSP requires one or more Zone protection policies: 1. Navigate to Network >> Network Profiles >> Zone Protection. 2. Navigate to Network >> Zones and view the "Zone Protection Profile", which should not be blank. 3. If a Zone Protection Profile is not configured, has a blank "Zone Protection Profile" column, or is incorrectly identified, this is a finding. If the SSP requires one or more DoS protection policies: 1. Navigate to Objects >> Security Profiles >> DoS Protection. 2. Navigate to Policies >> DoS Protection. If neither a Zone Protection Profile nor a DoS Protection policy is configured to protect each ingress interface, this is a finding.

✔️ Fix
Configure either a Zone-Based protection policy or a DoS protection policy. Zone protections are, at a minimum, applied on each ingress interface. To configure a Zone-Based protection policy, perform the following: 1. Navigate to Network >> Network Profiles >> Zone Protection and select "Add". 2. In the "Zone Protection Profile" window, complete the required fields. 3. In the "General" tab, complete the "Name" and "Description" fields. 4. Configure Flood Protection: a. In the "Flood Protection" tab, select the "Syn" check box, in the "Action" field, select either "Random Early Drop" (preferred in this case) or "SYN Cookie"; complete the "Alert", "Activate", and "Maximum" fields. b. In the "Flood Protection" tab, select the "ICMP" check box; complete the "Alert", "Activate", and "Maximum" fields. c. In the "Flood Protection" tab, select the "ICMPv6" check box; complete the "Alert", "Activate", and "Maximum" fields. d. In the "Flood Protection" tab, select the "Other IP" check box; complete the "Alert", "Activate", and "Maximum" fields. e. In the "Flood Protection" tab, select the "UDP" check box; complete the "Alert", "Activate", and "Maximum" fields. f. For each of the "Alert", "Activate", and "Maximum" fields, the appropriate values depends on the expected traffic of the system. 5. Configure Reconnaissance Protection: a. In the "Reconnaissance Protection" tab, select the "TCP Port Scan", "Host Sweep", and "UDP Port Scan" rows. b. Select the action of Block IP. c. The Interval and Threshold values can either remain as the default values or they can be changed based on the specific traffic conditions of the network. 6. Configure Packet Based Attack Protection settings: a. Select the "Packet Based Attack Protection" tab and select the following at a minimum. b. IP Drop tab: Select the "Spoofed IP address", "Strict Source Routing", "Loose Source Routing", "Unknown", and "Malformed". c. TCP Drop tab: Select "Mismatched overlapping TCP segment" and "TCP Timestamp", and for the "Reject Non-SYN TCP" field, select "yes". For the "Asymmetric Path" field, select "bypass". d. ICMP Drop tab: Select the "ICMP Ping ID 0, ICMP Fragment", and "ICMP Large Packet(>1024)" check-boxes. The "Suppress ICMP TTL Expired Error" and "Suppress ICMP Frag Needed" check-boxes can remain unchecked unless this profile will be applied to an internal or DMZ. e. IPv6 Drop tab: Select the "Type 0 Routing Header", "IPv4 compatible address", "Anycast source address", "Needless fragment header", "MTU in ICMPv6 'Packet Too Big' less than 1280 bytes", "Hop-by-Hop extension", "Routing extension", "Destination extension", "Invalid IPv6 options in extension header", and "Non-zero reserved field" check-boxes. f. In the "ICMPv6" tab, select the "ICMPv6 destination unreachable", "ICMPv6 packet too big", "ICMPv6 time exceeded", "ICMPv6 parameter problem", and "ICMPv6 redirect" check-boxes. g. Click "OK". 7. Apply the Zone Protection Profile to any zone that includes ingress interfaces to external networks: a. Select Network >> Zones and select the ingress zone. b. In the "Zone" window, in the "Zone Protection Profile" window, select the configured Zone Protection Profile. c. Click "OK". d. Select Network >> Zones and select the DMZ zone. e. In the "Zone" window, in the "Zone Protection Profile" window, select the configured Zone Protection Profile. f. Click "OK". 8. Commit the changes. To configure a DoS Protection policy: 1. Navigate to Objects >> Security Profiles >> DoS Protection. 2. Select "Add" to create a new profile. 3. In the "DoS Protection Profile" window, complete the required fields. For the "Type", select "Classified". 4. Configure Flood Protection by enabling each type of flood protection and configuring the following at a minimum: a. SYN Flood tab: Select "SYN Cookie" as the action. b. UDP Flood tab: Select "UDP Flood and complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. c. ICMP Flood tab: Select "ICMP Flood" and complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. d. ICMPv6 Flood tab: Select "ICMPv6 Flood" and complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. e. Other IP Flood tab: Select "Other IP Flood" check box and complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. 5. Configure Resources Protection in the Resources Protection tab with the following settings: a. Select "Maximum Concurrent Sessions". b. Complete the "Max Concurrent Sessions" field. If the DoS profile type is aggregate, this limit applies to the entire traffic hitting the DoS rule on which the DoS profile is applied. c. Click "OK", and then click "Commit". 6. Create a DoS protection policy. a. Navigate to Policies >> DoS Protection and select "Add" to create a new policy. b. In the "DoS Rule" Window, complete the required fields. c. In the "General" tab, complete the "Name" and "Description" fields. d. In the "Source" tab, for "Zone", select the "External zone", and for "Source Address", select "Any". e. In the "Destination" tab, "Zone", select "Internal zone", and for "Destination Address", select "Any". f. In the "Option/Protection" tab, for "Service", select "Any", and for "Action", select "Protect". g. Select the "Classified" check-box. h. In the "Profile" field, select the configured DoS Protection profile for the inbound traffic. i. In the "Address" field, select destination-ip-only. j. Click "OK", and then click "Commit".

✔️ Fix

Configure either a Zone-Based protection policy or a DoS protection policy. Zone protections are, at a minimum, applied on each ingress interface. To configure a Zone-Based protection policy, perform the following: 1. Navigate to Network >> Network Profiles >> Zone Protection and select "Add". 2. In the "Zone Protection Profile" window, complete the required fields. 3. In the "General" tab, complete the "Name" and "Description" fields. 4. Configure Flood Protection: a. In the "Flood Protection" tab, select the "Syn" check box, in the "Action" field, select either "Random Early Drop" (preferred in this case) or "SYN Cookie"; complete the "Alert", "Activate", and "Maximum" fields. b. In the "Flood Protection" tab, select the "ICMP" check box; complete the "Alert", "Activate", and "Maximum" fields. c. In the "Flood Protection" tab, select the "ICMPv6" check box; complete the "Alert", "Activate", and "Maximum" fields. d. In the "Flood Protection" tab, select the "Other IP" check box; complete the "Alert", "Activate", and "Maximum" fields. e. In the "Flood Protection" tab, select the "UDP" check box; complete the "Alert", "Activate", and "Maximum" fields. f. For each of the "Alert", "Activate", and "Maximum" fields, the appropriate values depends on the expected traffic of the system. 5. Configure Reconnaissance Protection: a. In the "Reconnaissance Protection" tab, select the "TCP Port Scan", "Host Sweep", and "UDP Port Scan" rows. b. Select the action of Block IP. c. The Interval and Threshold values can either remain as the default values or they can be changed based on the specific traffic conditions of the network. 6. Configure Packet Based Attack Protection settings: a. Select the "Packet Based Attack Protection" tab and select the following at a minimum. b. IP Drop tab: Select the "Spoofed IP address", "Strict Source Routing", "Loose Source Routing", "Unknown", and "Malformed". c. TCP Drop tab: Select "Mismatched overlapping TCP segment" and "TCP Timestamp", and for the "Reject Non-SYN TCP" field, select "yes". For the "Asymmetric Path" field, select "bypass". d. ICMP Drop tab: Select the "ICMP Ping ID 0, ICMP Fragment", and "ICMP Large Packet(>1024)" check-boxes. The "Suppress ICMP TTL Expired Error" and "Suppress ICMP Frag Needed" check-boxes can remain unchecked unless this profile will be applied to an internal or DMZ. e. IPv6 Drop tab: Select the "Type 0 Routing Header", "IPv4 compatible address", "Anycast source address", "Needless fragment header", "MTU in ICMPv6 'Packet Too Big' less than 1280 bytes", "Hop-by-Hop extension", "Routing extension", "Destination extension", "Invalid IPv6 options in extension header", and "Non-zero reserved field" check-boxes. f. In the "ICMPv6" tab, select the "ICMPv6 destination unreachable", "ICMPv6 packet too big", "ICMPv6 time exceeded", "ICMPv6 parameter problem", and "ICMPv6 redirect" check-boxes. g. Click "OK". 7. Apply the Zone Protection Profile to any zone that includes ingress interfaces to external networks: a. Select Network >> Zones and select the ingress zone. b. In the "Zone" window, in the "Zone Protection Profile" window, select the configured Zone Protection Profile. c. Click "OK". d. Select Network >> Zones and select the DMZ zone. e. In the "Zone" window, in the "Zone Protection Profile" window, select the configured Zone Protection Profile. f. Click "OK". 8. Commit the changes. To configure a DoS Protection policy: 1. Navigate to Objects >> Security Profiles >> DoS Protection. 2. Select "Add" to create a new profile. 3. In the "DoS Protection Profile" window, complete the required fields. For the "Type", select "Classified". 4. Configure Flood Protection by enabling each type of flood protection and configuring the following at a minimum: a. SYN Flood tab: Select "SYN Cookie" as the action. b. UDP Flood tab: Select "UDP Flood and complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. c. ICMP Flood tab: Select "ICMP Flood" and complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. d. ICMPv6 Flood tab: Select "ICMPv6 Flood" and complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. e. Other IP Flood tab: Select "Other IP Flood" check box and complete the "Alarm Rate", "Activate Rate", "Max Rate", and "Block Duration" fields. 5. Configure Resources Protection in the Resources Protection tab with the following settings: a. Select "Maximum Concurrent Sessions". b. Complete the "Max Concurrent Sessions" field. If the DoS profile type is aggregate, this limit applies to the entire traffic hitting the DoS rule on which the DoS profile is applied. c. Click "OK", and then click "Commit". 6. Create a DoS protection policy. a. Navigate to Policies >> DoS Protection and select "Add" to create a new policy. b. In the "DoS Rule" Window, complete the required fields. c. In the "General" tab, complete the "Name" and "Description" fields. d. In the "Source" tab, for "Zone", select the "External zone", and for "Source Address", select "Any". e. In the "Destination" tab, "Zone", select "Internal zone", and for "Destination Address", select "Any". f. In the "Option/Protection" tab, for "Service", select "Any", and for "Action", select "Protect". g. Select the "Classified" check-box. h. In the "Profile" field, select the configured DoS Protection profile for the inbound traffic. i. In the "Address" field, select destination-ip-only. j. Click "OK", and then click "Commit".