Skip to content
ATO Pathways
Log In
Overview
Search
Catalogs
SCAP
OSCAL
Catalogs
Profiles
Documents
References
Knowledge Base
Platform Documentation
Compliance Dictionary
Platform Changelog
About
Catalogs
XCCDF
Palo Alto Networks ALG Security Technical Implementation Guide
SRG-NET-000362-ALG-000112
SRG-NET-000362-ALG-000112
An XCCDF Group - A logical subset of the XCCDF Benchmark
Details
Profiles
Prose
SRG-NET-000362-ALG-000112
1 Rule
<GroupDescription></GroupDescription>
The Palo Alto Networks security platform must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
High Severity
<VulnDiscussion>If the network does not provide safeguards against DoS attacks, network resources may be unavailable to users. Installation of content filtering gateways and application-layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type. Detection components that use rate-based behavior analysis can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks that are new attacks for which vendors have not yet developed signatures. Rate-based behavior analysis can detect sophisticated, Distributed DoS (DDoS) attacks by correlating traffic information from multiple network segments or components. PAN-OS can use either Zone-Based Protection or End Host Protection to mitigate DoS attacks. Zone-Based Protection protects against most common floods, reconnaissance attacks, and other packet-based attacks and is applied to any zone. End Host Protection is specific to defined end hosts. Zone Protections are always applied on the ingress interface, so to protect against floods or scans from the internet, apply the profile on the zone containing the untrusted internet interface. Security administrators wishing to harden their networks even further can apply Zone Protections to both internal and external interfaces to ensure that protective measures are being applied across the entire environment. It is important to set the Flood Protection parameters that are suitable for the enclave or system. The Administrator should perform a traffic baseline to tune these parameters. Refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVkCAK.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>