Skip to content
Catalogs
XCCDF
Palo Alto Networks ALG Security Technical Implementation Guide
SRG-NET-000362-ALG-000112
The Palo Alto Networks security platform must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
The Palo Alto Networks security platform must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints. An XCCDF Rule
The Palo Alto Networks security platform must block outbound traffic containing denial-of-service (DoS) attacks to protect against the use of internal information systems to launch any DoS attacks against other networks or endpoints.
High Severity
<VulnDiscussion>If the network does not provide safeguards against DoS attacks, network resources may be unavailable to users. Installation of content filtering gateways and application-layer firewalls at key boundaries in the architecture mitigates the risk of DoS attacks. These attacks can be detected by matching observed communications traffic with patterns of known attacks and monitoring for anomalies in traffic volume/type.
Detection components that use rate-based behavior analysis can detect attacks when signatures for the attack do not exist or are not installed. These attacks include zero-day attacks that are new attacks for which vendors have not yet developed signatures. Rate-based behavior analysis can detect sophisticated, Distributed DoS (DDoS) attacks by correlating traffic information from multiple network segments or components.
PAN-OS can use either Zone-Based Protection or End Host Protection to mitigate DoS attacks. Zone-Based Protection protects against most common floods, reconnaissance attacks, and other packet-based attacks and is applied to any zone. End Host Protection is specific to defined end hosts. Zone Protections are always applied on the ingress interface, so to protect against floods or scans from the internet, apply the profile on the zone containing the untrusted internet interface. Security administrators wishing to harden their networks even further can apply Zone Protections to both internal and external interfaces to ensure that protective measures are being applied across the entire environment.
It is important to set the Flood Protection parameters that are suitable for the enclave or system. The Administrator should perform a traffic baseline to tune these parameters. Refer to https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClVkCAK.</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>