Firewall Protection Profiles
Configuration > Overlays & Security > Security > Firewall Protection Profiles
Use the Firewall Protection Profiles tab to add or modify a protection profile on any appliance with a firewall, and to manage DoS thresholds and corresponding response actions on designated appliances, segments, and zones.
Create a Firewall Protection Profile
- Select an appliance or group of appliances from the list on the right-side menu.
- Navigate to Configuration > Overlays & Security > Security > Firewall Protection Profiles.
- Click the edit icon next to the appliance you want to configure a profile for.
  The Firewall Protection Profiles - <Appliance Name> dialog box opens.
- Under the Firewall Protection Profiles header, click Add.
  The Firewall Protection Profile dialog box opens.
- Enter a name for the profile.
- Select or clear any of the Security Settings check boxes.
  NOTE: When asymmetric routing is configured, strict three-way TCP enforcement and deep packet inspection (DPI) validation cannot be performed. To enable these settings, turn off asymmetric routing.
- In the DoS Thresholds field, select a preset threshold (Lenient, Moderate, or Strict). To further edit a preset threshold, click the edit icon next to the classification you want to edit.
  Alternatively, click Add custom threshold to define specific threshold values. For more information, see Set Firewall Protection Profile Thresholds.
- (Optional) Add exceptions to the following fields:
  Allowlist: Enter an existing Address Group. Any IP address contained within the Address Group is exempt from DoS threshold analysis. The Allowlist does not exempt flows from the options shown in the Security Settings section.
  Blocklist: Enter an existing Address Group to explicitly block any IP address contained within the configured Address Group.
- (Optional) Click Show advanced settings and set the following fields:
  Rapid aging: Set a threshold value (in seconds) to enforce tearing down TCP connections whose period of inactivity reaches the configured value (for example, 30s).
  Block duration: Enforce dynamic blocking of flows originating from a source for a specified duration (for example, 300s).
  Embryonic timeout: Set this value so that the firewall can tear down half-open TCP connections when the timeout value is reached (for example, 30s). While a TCP connection goes through the three-way handshake (SYN, ACK, SYN-ACK), an embryonic connection is a half-open connection that produces (for example) a SYN without the other two parts of the handshake. This is a popular form of denial of service (DoS) attack.
- Click OK.
Set Firewall Protection Profile Thresholds
To view the threshold settings on an existing firewall protection profile, click the link in the Thresholds Count column of the Firewall Protection Profiles table.
To change the threshold settings:
- Click the edit icon next to the appliance you want to configure.
  The Firewall Protection Profiles - <Appliance Name> dialog box opens.
- Click the edit icon next to the profile name whose threshold you want to edit.
  The Firewall Protection Profile dialog box opens.
- Either select a preset threshold from the DoS Thresholds drop-down list, or click Add custom threshold.
  The DoS Threshold dialog box opens.
- Set the following parameters:
  Classification: Classify flows in one of two ways:
    Zone level: Flows originating from multiple endpoints that are part of a single firewall zone.
    Source level: All flows originating from a single endpoint or source device.
  Metric: DoS thresholds can be configured with any or all of the three metrics available in a firewall protection profile:
    Flows per second: Rate of flow (fps). A single flow is a unidirectional set of packets containing common attributes (source and destination IP, ports, protocols).
    Concurrent flows: Number of flows that are active at a given point in time.
    Embryonic flows: A half-open connection. While a TCP connection goes through the three-way handshake (SYN, ACK, SYN-ACK), an embryonic connection is a half-open connection that produces (for example) a SYN without the other two parts of the handshake.
  IP Protocol: Select an IP protocol (TCP, UDP, ICMP, Others, or All) for use in threshold settings.
  Min value: Minimum threshold value as a percentage of target appliance flow capacity. When this value is breached, the protection profile takes the corresponding minimum action.
  Min action: Action to take when the min value is breached (Log, Rapid aging, Drop excess, or Block source). Because this corresponds to the min value, it is the less intensive action.
  Max value: Maximum threshold value as a percentage of target appliance flow capacity. When this value is breached, the protection profile takes the corresponding maximum action.
  Max action: Action to take when the max value is breached (Log, Rapid aging, Drop excess, or Block source). Because this corresponds to the max value, it is the more intensive action.
- Click OK.
Add Profile Mappings
After you create a profile, you can map it to a segment and zone of your firewall to achieve the expected behavior.
To map a profile to a segment:
- Click Add under the Profile Mappings header.
- Click the box under the Segment field, start typing the name of the segment you want to map to your profile, and then click the segment.
- Click the box under the Zone field, start typing the name of the zone you want to assign to your profile, and then click the zone.
- Click the box under the Profile Name field and select the profile you created earlier.
- Click Save.
Add Firewall Protection Profile to a Template Group
- On the Firewall Protection Profiles tab, click Manage Firewall Protection Profiles with Templates.
- Select a template group to add the firewall protection profile to, and then click Add/Edit.
  Firewall Protection Profile appears as a template under Active Templates > Policies.
View DoS Threshold Information
You can quickly view information about DoS thresholds from the Firewall Protection Profiles page.
- In the Firewall Protection Profiles table, click the value in the Thresholds Count column that corresponds to the appliance, segment, or zone entity you want to view.
  The DoS Thresholds - <Appliance Name> dialog box opens.
- View the following parameters:
  Classification:
    Zone level flows originate from multiple endpoints that are part of a single firewall zone.
    Source level flows originate from a single endpoint or source device.
    Both zone-level and source-level classifications are applicable for thresholds.
  Metric:
    Flows per second is the rate of flow (fps). A single flow is a unidirectional set of packets containing common attributes (source and destination IP, ports, protocols).
    Concurrent flows are the number of active flows at a given point in time.
    Embryonic flows are half-open connections that produce (for example) a SYN without the other two parts (ACK, SYN-ACK) of a three-way TCP handshake.
  IP Protocol: The IP protocol (TCP, UDP, ICMP, Others, or All) used in threshold settings.
  Min value: Minimum threshold value as a percentage of target appliance flow capacity.
  Min action: Action taken when the min value is breached (Log, Rapid aging, Drop excess, or Block source).
  Min exceed sources: If flows have exceeded the threshold value, the number of flows appears in this column; if no flows have exceeded it, the column is blank. This value applies to source-level classifications only, not to zone-level classifications.
  Min exceed time: Time since the threshold breach occurred. This data can be extracted and analyzed in firewall logs.
  Max value: Maximum threshold value as a percentage of target appliance flow capacity.
  Max action: Action taken when the max value is breached (Log, Rapid aging, Drop excess, or Block source).
  Max exceed sources: If flows have exceeded the threshold value, the number of flows appears in this column; if no flows have exceeded it, the column is blank. This value applies to source-level classifications only, not to zone-level classifications.
  NOTE: When a flow breaches both min and max threshold values, it appears in the Max exceed sources column.
  Max exceed time: Time since the threshold breach occurred. This data can be extracted and analyzed in firewall logs.
You can also view the number of min and max threshold breaches on the main table of the Firewall Protection Profiles page, in the Min Thresholds/Max Thresholds columns.
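As an added example, not part of this documentation and not the appliance's own code, the following Python models how the threshold fields described in Set Firewall Protection Profile Thresholds and in the table above fit together: classification (zone versus source), metric, IP protocol, min and max values as a percentage of flow capacity, the action each breach selects, and the exceed-sources counts. All names, the sample flow snapshot and the capacity figure are constructed for illustration.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass
class DosThreshold:
    classification: str  # "zone" or "source"
    metric: str          # "concurrent" or "embryonic", counted in a one-second snapshot
    ip_protocol: str     # "TCP", "UDP", "ICMP", "Others", or "All"
    min_value: float     # percent of appliance flow capacity
    min_action: str      # less intensive action, e.g. "Log"
    max_value: float     # percent of appliance flow capacity
    max_action: str      # more intensive action, e.g. "Block source"

def per_source_metric(threshold, flows):
    """Flows per source IP matching the threshold's protocol and metric. A flow is
    (src_ip, protocol, state); state "embryonic" means SYN seen, handshake unfinished."""
    counts = Counter()
    for src, proto, state in flows:
        if threshold.ip_protocol in ("All", proto) and (
                threshold.metric != "embryonic" or state == "embryonic"):
            counts[src] += 1
    return counts

def evaluate(threshold, flows, capacity):
    """Return (action, min_exceed_sources, max_exceed_sources). Zone level judges all
    endpoints in the zone together; source level judges each endpoint alone. A source
    over both limits counts under max only (as in the Max exceed sources column), and
    the exceed-source counts are None at zone level, where those columns do not apply."""
    counts = per_source_metric(threshold, flows)
    min_abs = capacity * threshold.min_value / 100.0
    max_abs = capacity * threshold.max_value / 100.0
    values = [sum(counts.values())] if threshold.classification == "zone" else list(counts.values())
    over_max = sum(1 for v in values if v > max_abs)
    over_min = sum(1 for v in values if min_abs < v <= max_abs)
    action = threshold.max_action if over_max else threshold.min_action if over_min else None
    if threshold.classification == "zone":
        return action, None, None
    return action, over_min, over_max

# Constructed one-second snapshot: one host holding many half-open TCP connections.
SAMPLE_FLOWS = ([("10.0.0.5", "TCP", "embryonic")] * 120
                + [("10.0.0.9", "TCP", "embryonic")] * 30
                + [("10.0.0.7", "UDP", "open")] * 40)
CAPACITY = 1000  # constructed appliance flow capacity, not a real model's figure
SOURCE_RULE = DosThreshold("source", "embryonic", "TCP", 5, "Log", 10, "Block source")
ZONE_RULE = DosThreshold("zone", "embryonic", "TCP", 5, "Log", 10, "Rapid aging")

if __name__ == "__main__":
    print(evaluate(SOURCE_RULE, SAMPLE_FLOWS, CAPACITY))  # ('Block source', 0, 1)
    print(evaluate(ZONE_RULE, SAMPLE_FLOWS, CAPACITY))    # ('Rapid aging', None, None)
```

With the same snapshot, the source-level rule blocks only the one host over the max limit, while the zone-level rule reacts to the combined count of every host in the zone, which is why the two classifications answer different questions about the same traffic.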
View DoS Threshold Alarms
To view a list of alarms triggered when a DoS threshold is breached, navigate to Monitoring > Summary > Alarms, and then search for “DoS” in the search bar. For more information, see Alarms.