
Firewall Protection Profiles

Configuration > Overlays & Security > Security > Firewall Protection Profiles

Use the Firewall Protection Profiles tab to add or modify a protection profile on any appliance with a firewall, to enable baseline learning, and to manage DoS thresholds and corresponding response actions on designated appliances, segments, and zones.

Baseline Learning, Auto Rate Limit, and Smart Burst

When you enable baseline learning, the system establishes a baseline for network performance during normal operations. Flow baselines are established at regular intervals by analyzing network statistics and identifying new patterns based on observed data. The default interval for baseline learning is 14 days, but you can set the interval to 7-56 days. Baseline calculations are based on a snapshot of a combination of metrics and are computed in the background.

The baselines provide a way to continuously collect and aggregate data about your network that you can use to assess network zone capacities and platform performance levels. The baselines are also used to build the graphs and charts found on Flow Baselines and Flow Baseline Trends.

You can enable baseline learning without adding any firewall protection profiles. However, if you plan to use the Auto rate limit or Smart burst DoS thresholds, you must enable baseline learning, as baseline calculations are used to calculate targets for both. Baseline learning, Auto rate limit, and Smart burst all require either an AS (Advanced Security) license or an AAS-DTD (Dynamic Threat Defense) license.

NOTE: To disable baseline learning, you must first remove any firewall protection profiles that use Auto rate limit or Smart burst. If these are not removed before you disable baseline learning, a notification appears on the screen, and you cannot proceed with disabling the feature.

Auto Rate Limit

Auto rate limit is a DoS threshold setting that uses baseline learning to compute the minimum DoS threshold. The maximum DoS threshold is configured manually, above the learned minimum. Auto rate limit helps assess network zone capacities and platform performance levels (normal versus oversubscribed). It allows significant bursts but limits a zone to a fixed percentage of appliance capacity. Because the maximum value does not track zone trends, flows that exceed the maximum value are "tail dropped" even if the zone or appliance still has spare flow capacity.

Smart Burst

Smart burst is a DoS threshold setting that uses baseline learning to compute both minimum and maximum DoS thresholds and allocates extra flow capacity. It uses a triple token bucket zone-based policer schema for burst management. Smart burst does the following:

  • Optimizes the use of appliance capacity by zones.

  • Protects baseline flow capacity for all zones.

  • Automatically calculates reserve/spare flow capacity.

  • Supports two levels of bursts to mitigate tail drops and manages spare capacity of appliances to support bursts.

    • The spare capacity is distributed among all zones and is called committed burst. Committed burst is the first level of burst capacity.

    • On a per second basis, unused committed burst in zones is made available as a second level of burst capacity that is referred to as excess burst. Unused excess burst capacity goes back to the respective committed burst periodically.
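The following Python model, added here as an illustration and not taken from the product, shows how the two burst levels fit together: reserve capacity is split among zones as committed burst (proportionally or equally), each zone's per-source limit caps what one endpoint may take, and every second the committed burst that sharing zones left unused is pooled and handed out as excess burst. The arithmetic, the zone and capacity figures, and the way "unused" is measured are assumptions for the example; they are not the appliance's policer.

```python
"""Model of the two-level (committed/excess) burst scheme described above.

Added example, not the vendor's policer code: the split of reserve capacity,
the per-second pooling and the meaning of "unused" are assumptions made for
illustration. All capacities are in flows per second (fps).
"""
from dataclasses import dataclass


@dataclass
class Zone:
    name: str
    baseline: float               # learned baseline for the zone (fps)
    share_committed: bool = True  # the "Share committed burst" profile setting
    committed: float = 0.0        # committed burst currently allotted to the zone
    excess: float = 0.0           # excess burst currently allotted to the zone


def baseline_plus(zone, headroom_pct=20.0):
    """'Baseline plus': the learned baseline plus the headroom percentage (default 20%)."""
    if not 5.0 <= headroom_pct <= 100.0:
        raise ValueError("headroom must be 5-100%")
    return zone.baseline * (1.0 + headroom_pct / 100.0)


def distribute_committed(zones, capacity, method="Proportional",
                         headroom_pct=20.0, min_reserve_pct=20.0):
    """First burst level: split the appliance's reserve flow capacity among zones.

    Reserve = appliance capacity minus the protected baseline-plus of every zone.
    If the reserve is below the minimum reserve capacity limit (a percentage of
    capacity), the previously distributed committed bursts are left as they are.
    Returns the reserve that was distributed, or 0.0 if nothing was redistributed.
    """
    protected = sum(baseline_plus(z, headroom_pct) for z in zones)
    reserve = capacity - protected
    if reserve < capacity * min_reserve_pct / 100.0:
        return 0.0
    if method == "Equal":
        for z in zones:
            z.committed = reserve / len(zones)
    elif method == "Proportional":
        total = sum(z.baseline for z in zones)
        for z in zones:
            z.committed = reserve * z.baseline / total
    else:
        raise ValueError("method must be Proportional or Equal")
    return reserve


def per_source_committed_cap(zone, per_source_pct=50.0):
    """'Per-source limit for committed burst': one source may use at most this
    fraction of its zone's committed burst (1-50%)."""
    if not 1.0 <= per_source_pct <= 50.0:
        raise ValueError("per-source limit must be 1-50%")
    return zone.committed * per_source_pct / 100.0


def tick_excess(zones, used_committed):
    """Second burst level, run once per second.

    used_committed maps zone name -> committed burst the zone consumed this
    second. Unused committed burst of zones that share it is pooled and handed
    out evenly to all zones as excess burst. Returns the pooled amount.
    """
    pool = 0.0
    for z in zones:
        unused = max(0.0, z.committed - used_committed.get(z.name, 0.0))
        if z.share_committed:
            pool += unused
    for z in zones:
        z.excess = pool / len(zones)
    return pool


def reclaim_excess(zones):
    """Excess burst credit interval expired: unused excess is withdrawn (it is
    counted again as the owning zones' committed burst on the next tick)."""
    for z in zones:
        z.excess = 0.0


def allowed_rate(zone, headroom_pct=20.0):
    """Flow rate a zone may reach before its flows are tail dropped."""
    return baseline_plus(zone, headroom_pct) + zone.committed + zone.excess
```

With three zones whose baselines are 400, 100 and 300 fps on a 2000 fps appliance, the protected baseline-plus totals 960 fps and the remaining 1040 fps is the reserve; a "critical" zone with Share committed burst turned off keeps its unused committed burst out of the excess pool, which is the behaviour the advanced setting below describes.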

Enable Baseline Learning

The following instructions describe how to enable baseline learning for one EdgeConnect appliance. To enable baseline learning for multiple EdgeConnect appliances using a template, see Firewall Protection Profiles Template.

NOTE: Baseline learning, Auto rate limit, and Smart burst all require either an AS (Advanced Security) license or an AAS-DTD (Dynamic Threat Defense) license.

  1. Click the edit icon next to the appliance you want to enable baseline learning for.

    The Firewall Protection Profiles dialog box opens.

  2. Select the Baseline Learning check box.

  3. To customize the baseline learning settings, click Baseline Settings.

    The Baseline Settings dialog box opens.

  4. Enter the following information based on your network or click Cancel to use the default settings.

    Field Description
    Data aggregation method The technique used for data aggregation. The default is percentile and there are currently no other options.
    Data aggregation limit Indicates what percentage of the sample data is used to determine baseline values. The default setting is 95%, which means the top 5% of the sample is discarded and the other 95% is considered when computing the baselines. You can enter a value between 75-100%.
    Computation interval The time that passes before the system computes new baselines. The default is 8 hours. For example, when using the default, the baselines are computed every 8 hours using the latest sample data collected during the Model training interval. This can be configured in 4-hour units (e.g., 4, 8, 12, and so on) up to 240 hours.
    Model training interval During this period, data is collected for various metrics every five minutes and is aggregated into a data file. This data is used to compute the baselines. The default is 14 days, the minimum is 7 days, and the maximum is 56 days.

    NOTE: This period should include a diverse set of data that covers various types of legitimate traffic and captures the characteristics that distinguish normal traffic from malicious traffic during an attack.
    Baseline upper limit The upper limit for the minimum baseline. An alarm is raised when this value is reached. This setting is useful if Auto rate limit is configured without Smart burst. The setting is a percentage of the maximum baseline value, which is set manually. The default is 90%. You can enter a value between 50-100%.
    TCP inactivity timeout Inactivity timeout for TCP flows created using burst support levels. An inactive flow is deleted after this timeout expires. The default is 300 seconds. You can enter a value between 30-1800 seconds.
    Headroom for baseline plus The percentage of headroom that is added to the baseline. The default is 20%. You can enter a value between 5-100%.
    Per-source limit for committed burst The committed burst for a zone is available to all sources in the zone. This determines the percentage of committed burst in a zone that one source can use. The default is 50%. You can enter a value between 1-50%.
    Reserve flow capacity distribution Spare flow capacity is distributed among all zones by Smart burst using different methods (Proportional or Equal). The default method is Proportional.
    Excess burst credit interval Each second, a zone is expected to consume part of its committed burst capacity; the committed burst capacity that zones leave unused is made available to all zones as excess burst capacity every second. After this interval, unused excess burst capacity is returned to the respective committed burst. The default is 30 seconds. Enter a value between 30-100 seconds.
    Minimum reserve capacity limit The minimum amount of reserve flow capacity that should be available before Smart burst redistributes new reserve capacity after a baseline computation interval. Smart burst continues with previously distributed capacities if the minimum reserve capacity limit is not available. The default is 20%. You can enter a value between 10-50%.
  5. Click OK.
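The Baseline Settings fields above are easier to reason about with the arithmetic written out. The following Python is an added example, not the appliance's implementation: it keeps only the most recent model training interval of 5-minute samples, applies the percentile data aggregation limit to obtain a baseline, derives the Auto rate limit min (learned) and max (custom percentage of capacity) thresholds, and raises the baseline upper limit alarm when the learned baseline reaches the configured percentage of the max. The nearest-rank percentile, the sample data and the capacity figures are assumptions for the example.

```python
"""Percentile baseline computation and Auto rate limit thresholds.

Added example illustrating the Baseline Settings fields above; it is not the
appliance's implementation. Assumptions: one sample every 5 minutes per zone,
a nearest-rank percentile, and capacities in flows per second (fps).
"""
import math

SAMPLE_INTERVAL_MIN = 5


def training_window(samples, training_days=14):
    """Model training interval: only the most recent training_days of 5-minute
    samples feed a computation (7-56 days)."""
    if not 7 <= training_days <= 56:
        raise ValueError("model training interval must be 7-56 days")
    count = training_days * 24 * 60 // SAMPLE_INTERVAL_MIN
    return samples[-count:]


def percentile_baseline(samples, aggregation_limit_pct=95.0):
    """Data aggregation limit: sort the samples, discard the top (100 - N)% and
    take the largest remaining value as the baseline (N is 75-100%)."""
    if not 75.0 <= aggregation_limit_pct <= 100.0:
        raise ValueError("data aggregation limit must be 75-100%")
    ordered = sorted(samples)
    keep = max(1, math.ceil(len(ordered) * aggregation_limit_pct / 100.0))
    return ordered[keep - 1]


def computation_interval_ok(hours):
    """Computation interval: whole 4-hour units up to 240 hours."""
    return 4 <= hours <= 240 and hours % 4 == 0


def auto_rate_limit(samples, capacity_fps, max_pct, training_days=14,
                    aggregation_limit_pct=95.0, upper_limit_pct=90.0):
    """Auto rate limit: min threshold = learned baseline (shown as 'Dynamic'),
    max threshold = a custom percentage of appliance capacity.

    Returns (min_fps, max_fps, alarm), where alarm is True when the learned
    baseline has reached the 'Baseline upper limit' (a percentage of the max).
    """
    window = training_window(samples, training_days)
    min_fps = percentile_baseline(window, aggregation_limit_pct)
    max_fps = capacity_fps * max_pct / 100.0
    alarm = min_fps >= max_fps * upper_limit_pct / 100.0
    return min_fps, max_fps, alarm


def classify(rate_fps, min_fps, max_fps):
    """Above max: flows are tail dropped even if capacity is free (max action).
    Between min and max: the less intensive min action applies."""
    if rate_fps > max_fps:
        return "max"
    if rate_fps > min_fps:
        return "min"
    return "ok"
```

The upper-limit alarm is the practical signal that the learned minimum is creeping toward a manually chosen maximum, which is the situation the Baseline upper limit field is meant to catch when Auto rate limit is used without Smart burst.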

Create a Firewall Protection Profile

  1. Select an appliance or group of appliances from the list on the right-side menu.

  2. Navigate to Configuration > Overlays & Security > Security > Firewall Protection Profiles.


  3. Click the edit icon next to the appliance you want to configure a profile for.

    The Firewall Protection Profiles - <Appliance Name> dialog box opens.


  4. Under the Firewall Protection Profiles header, click Add.

    The Firewall Protection Profile dialog box opens.


  5. Enter a name for the profile.

  6. Select or clear any of the Security Settings check boxes.

    NOTE: When asymmetric routing is configured, strict three-way TCP enforcement and deep packet inspection (DPI) validation cannot be performed. To enable these settings, turn off asymmetric routing.

  7. In the DoS Thresholds field, select a preset threshold (Lenient, Moderate, Strict, Auto rate limit, or Smart burst). To further edit a preset threshold, click the edit icon next to the classification you want to edit.

    Alternatively, click Add custom threshold to define specific threshold values. For more information, see Set Firewall Protection Profile Thresholds.

    NOTE: To use Auto rate limit or Smart burst, you must enable baseline learning first. These options only appear in the menu after baseline learning is enabled.

  8. (Optional) Add exceptions to the following fields:

    Field Description
    Allowlist Enter an existing Address Group. Any IP address contained within the Address Group will be exempt from DoS threshold analysis. The Allowlist does not exempt flows from the options shown in the Security Settings section.
    Blocklist Enter an existing Address Group to explicitly block any IP address contained within the configured Address Group.
  9. (Optional) Click Show advanced settings and set the following fields:

    Field Description
    Rapid aging Set a threshold value (in seconds) so that TCP connections are torn down once they have been inactive for the configured period (for example, 30s).
    Block duration Enforce dynamic blocking of flows originating from a source for a specified duration (for example, 300s).
    Embryonic timeout Set this value so that the firewall tears down half-open TCP connections once the timeout is reached (for example, 30s). A TCP connection is established with a three-way handshake (SYN, SYN-ACK, ACK); an embryonic connection is a half-open connection in which, for example, a SYN has been sent but the remaining two parts of the handshake never complete. Flooding a target with such half-open connections (a SYN flood) is a common form of denial of service (DoS) attack.
    Share committed burst Select this check box to enable unused committed burst to be shared with other zones. This check box is enabled by default. For critical zones, you can disable this option, which retains the committed burst capacity for the zone itself.
  10. Click OK.

Set Firewall Protection Profile Thresholds

To view the threshold settings on an existing firewall protection profile, click the link in the Thresholds Count column of the Firewall Protection Profiles table.

To change the threshold settings:

  1. Click the edit icon next to the appliance you want to configure.

    The Firewall Protection Profiles - <Appliance Name> dialog box opens.

  2. Click the edit icon next to the profile name whose threshold you want to edit.

    The Firewall Protection Profile dialog box opens.

  3. Either select a preset threshold from the DoS Thresholds drop-down list, or click Add Custom Threshold.

    The DoS Threshold dialog box opens.

  4. Set the following parameters:

    Field Description
    Classification Classify flows in two ways:

    Zone level: Flows originating from multiple endpoints that are part of a single firewall zone.

    Source level: All flows originating from a single endpoint or source device.
    Metric DoS thresholds can be configured with any or all of the three metrics available in a firewall protection profile:

    Flows per second: Flow rate in flows per second (fps). A single flow is a unidirectional set of packets that share common attributes (source and destination IP addresses, ports, and protocol).

    Concurrent Flows: Number of flows that are active at a given point in time.

    Embryonic Flows: Half-open connections. A TCP connection is established with a three-way handshake (SYN, SYN-ACK, ACK); an embryonic connection is one in which, for example, a SYN has been seen without the other two parts of the handshake.
    IP Protocol Select an IP protocol (TCP, UDP, ICMP, Others, or All) for use in threshold settings.
    Min Label Select the method used to determine the min value:

    Baseline – If selected, the min value is determined by the system using baseline learning, and the corresponding Value field shows “Dynamic”.

    Custom – If selected, you configure the min value by entering a percentage in the corresponding Value field.
    Value Minimum threshold value as a percentage of target appliance flow capacity. When this value is breached, the protection profile takes a corresponding minimum action. If Baseline is selected as the Min Label, the system determines this value, and it cannot be configured.
    Action Action to take when the min value is breached (Log, Rapid aging, Drop excess, or Block source). Because this corresponds to the min value, less intensive action can be configured.
    Max Label Select the method used to determine the max value:

    Custom – If selected, you configure the max value by entering a percentage in the corresponding Value field.

    Baseline plus – A buffer of 20% is added to the computed baseline when determining flow capacity. If selected, the max value is determined by the system using baseline learning and the corresponding Value field shows “Dynamic”.

    Committed burst – Reserve flow capacity is divided equally or proportionally among all zones configured for Smart burst. If selected, the max value is determined by the system using baseline learning and the corresponding Value field shows “Dynamic”.

    Excess burst – Continuously, on a per second basis, unused committed burst (distributed reserve flow capacity) is collected from all zones and shared as a second level of support for all zones. If selected, the max value is determined by the system using baseline learning and the corresponding Value field shows “Dynamic”.
    Value Maximum threshold value as a percentage of target appliance flow capacity. When this value is breached, the protection profile takes a corresponding maximum action. If Baseline plus, Committed burst, or Excess burst are selected as the Max Label, the system determines this value, and it cannot be configured.
    Action Action to take when the max value is breached (Log, Rapid aging, Drop excess, or Block source). Because this corresponds to the max value, more intensive action can be configured.
  5. Click OK.
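The following Python, added as an example and not taken from the appliance, shows how the threshold parameters above combine with the advanced settings (Embryonic timeout, Block duration): flows are grouped by zone or by source, filtered by IP protocol, measured for one of the three metrics, compared with the min and max percentages of appliance capacity, and mapped to the less or more intensive action. A source that breaches both min and max is reported under max only, as the View DoS Threshold Information section notes. The flow records, the one-second window used for flows per second, and the tie-break between results are constructed assumptions for the example.

```python
"""Evaluating DoS thresholds over flow records.

Added example, not the appliance's enforcement code. The flow records are
constructed here; the one-second window for flows per second, the embryonic
timeout handling and the min/max tie-break are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass

# Least to most intensive, following the min/max action guidance above.
ACTIONS = ["Log", "Rapid aging", "Drop excess", "Block source"]


@dataclass(frozen=True)
class Flow:
    src: str
    zone: str
    proto: str                   # "TCP", "UDP", "ICMP", or anything else
    start: float                 # start time in seconds
    active: bool                 # still open at evaluation time
    handshake_done: bool = True  # False: SYN seen, SYN-ACK/ACK never completed


@dataclass(frozen=True)
class Threshold:
    classification: str   # "Zone" or "Source"
    metric: str           # "fps", "concurrent" or "embryonic"
    proto: str            # "TCP", "UDP", "ICMP", "Others" or "All"
    min_pct: float        # percentage of appliance flow capacity
    min_action: str
    max_pct: float
    max_action: str


def proto_matches(threshold, flow):
    if threshold.proto == "All":
        return True
    if threshold.proto == "Others":
        return flow.proto not in ("TCP", "UDP", "ICMP")
    return threshold.proto == flow.proto


def measure(flows, now, metric, embryonic_timeout=30.0):
    """Count one metric. Half-open TCP flows older than the embryonic timeout
    are treated as already torn down and are not counted for any metric."""
    count = 0
    for f in flows:
        embryonic = f.proto == "TCP" and not f.handshake_done
        if embryonic and now - f.start > embryonic_timeout:
            continue
        if metric == "fps":
            count += int(now - 1.0 <= f.start <= now)
        elif metric == "concurrent":
            count += int(f.active)
        elif metric == "embryonic":
            count += int(embryonic and f.active)
        else:
            raise ValueError(metric)
    return count


def _more_severe(a, b):
    """Prefer a max breach over a min breach, then the more intensive action."""
    rank = lambda r: (r[0] == "max", ACTIONS.index(r[1]))
    return a if rank(a) >= rank(b) else b


def evaluate(flows, thresholds, capacity, now, embryonic_timeout=30.0):
    """Return {(classification, zone-or-source): (level, action)} for breaches.
    A key that breaches both min and max is reported under max only."""
    results = {}
    for th in thresholds:
        groups = defaultdict(list)
        for f in flows:
            if proto_matches(th, f):
                groups[f.zone if th.classification == "Zone" else f.src].append(f)
        for key, group in groups.items():
            pct = 100.0 * measure(group, now, th.metric, embryonic_timeout) / capacity
            if pct > th.max_pct:
                hit = ("max", th.max_action)
            elif pct > th.min_pct:
                hit = ("min", th.min_action)
            else:
                continue
            k = (th.classification, key)
            results[k] = _more_severe(results[k], hit) if k in results else hit
    return results


def block_list(results, now, block_duration=300.0):
    """'Block source' combined with the advanced 'Block duration': source -> unblock time."""
    return {key: now + block_duration for (cls, key), (_, action) in results.items()
            if cls == "Source" and action == "Block source"}


SAMPLE_THRESHOLDS = [  # constructed profile: log early, block only a clear SYN flood
    Threshold("Source", "embryonic", "TCP", 2.0, "Log", 5.0, "Block source"),
    Threshold("Source", "fps", "All", 5.0, "Rapid aging", 10.0, "Drop excess"),
    Threshold("Zone", "fps", "All", 5.0, "Log", 20.0, "Drop excess"),
]


def sample_flows(now):
    """Constructed sample: one SYN-flooding source and one well-behaved source."""
    flood = [Flow("10.0.0.5", "guest", "TCP", now - 0.5, True, False) for _ in range(80)]
    stale = [Flow("10.0.0.5", "guest", "TCP", now - 100.0, True, False)]  # past the timeout
    normal = [Flow("10.0.0.9", "guest", "TCP", now - 5.0, True) for _ in range(20)]
    return flood + stale + normal
```

On a 1000-flow appliance the flooding source shows 80 embryonic flows (8% of capacity), which clears the 5% max of the source-level embryonic threshold and yields Block source; its 8% flows-per-second result only breaches the min of the second threshold, so the max result wins. The zone-level threshold sees the same 80 fps and logs, and the well-behaved source is not reported at all.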

Add Profile Mappings

After you create a profile, you can map it to a segment and zone of your firewall to achieve the expected behavior.

To map a profile to a segment:

  1. Click Add under the Profile Mappings header.

  2. Click the box under the Segment field and start typing the segment you want to map to your profile, then click the segment.

  3. Click the box under the Zone field and start typing the zone you want to assign to your profile, then click the zone.

  4. Click the box under the Profile Name field and select the profile you created earlier.

  5. Click Save.

Add Firewall Protection Profile to a Template Group

  1. On the Firewall Protection Profiles tab, click Manage Firewall Protection Profiles with Templates.

  2. Select a template group to add the firewall protection profile to, and then click Add/Edit.

    Firewall Protection Profiles appears as a template under Active Templates > Policies.


View DoS Threshold Information

You can quickly view information about DoS thresholds from the Firewall Protection Profiles page.

  1. In the Firewall Protection Profiles table, click the value in the Thresholds Count column that corresponds to the appliance/segment/zone entity you want to view.

    The DoS Thresholds - <Appliance Name> dialog box opens.

  2. View the following parameters:

    Field Description
    Classification Zone level flows originate from multiple endpoints that are part of a single firewall zone.

    Source level flows originate from a single endpoint or source device.

    Both zone-level and source-level classifications are applicable for thresholds.
    Metric Flows per second is the flow rate in flows per second (fps). A single flow is a unidirectional set of packets that share common attributes (source and destination IP addresses, ports, and protocol).

    Concurrent flows are the Number of active flows at a given point in time.

    Embryonic flows are half-open connections in which, for example, a SYN has been seen without the other two parts (SYN-ACK, ACK) of the three-way TCP handshake.
    IP protocol The IP protocol (TCP, UDP, ICMP, Others, or All) used in threshold settings.
    Min label The method used to determine the min value (Baseline or Custom).
    Min value Minimum threshold value as a percentage of target appliance flow capacity.
    Min action Action taken when the min value is breached (Log, Rapid aging, Drop excess, or Block source).
    Min exceed sources If the min threshold has been exceeded, the number of sources whose flows exceeded it appears in this column. If no source has exceeded the threshold, this column is blank.

    This value applies to source-level classifications only. It does not apply to zone-level classifications.
    Min exceed time Time since the threshold breach occurred. This data can be extracted and analyzed in firewall logs.
    Max label The method used to determine the max value (Custom, Baseline plus, Committed burst, or Excess burst).
    Max value Maximum threshold value as a percentage of target appliance flow capacity.
    Max action Action taken when the max value is breached (Log, Rapid aging, Drop excess, or Block source).
    Max exceed sources If the max threshold has been exceeded, the number of sources whose flows exceeded it appears in this column. If no source has exceeded the threshold, this column is blank.

    This value applies to source-level classifications only. It does not apply to zone-level classifications.

    NOTE: When a flow breaches both min and max threshold values, it appears in the Max exceed sources column.
    Max exceed time Time since the threshold breach occurred. This data can be extracted and analyzed in firewall logs.
    Trends Click the value to open the Protection Profile Trends tab. The selected threshold filters are applied showing real-time trends data. See Protection Profile Trends.

You can also view the number of min and max threshold breaches on the main table on the Firewall Protection Profiles tab, in the Min Thresholds/Max Thresholds columns.

View DoS Threshold Alarms

To view a list of alarms triggered when a DoS threshold is breached, navigate to Monitoring > Summary > Alarms, and then search for “DoS” in the search bar. For more information, see Alarms.