Protect against downloading malware from an infected external
client, and against placing malware on an external server from an infected
data center server. Create allow rules only for the applications required
for business purposes, and create an External Dynamic List (EDL) to block bad
IP addresses. For each rule, configure the Log at Session setting and set
up Log Forwarding so that you can track and analyze rule violations.
The following example restricts the applications and destinations for internet-to-data-center
traffic, and uses the Bad IPs List EDL to block communication with the
addresses it contains. Create
similar rules for traffic from the internet to other server groups
(if allowed) and for other applications. Make each rule specific, so that it
limits access to only the required applications and servers.
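To show how the block rule, the narrow allow rule and the implicit deny interact, here is an illustrative Python model of first-match Security policy evaluation. It is an added example, not PAN-OS code or a Palo Alto Networks API; the rule names, zone names, server addresses and the contents of the "Bad IPs List" EDL are all constructed. It also shows why the EDL block rule must sit above the allow rule: with the order reversed, a listed address reaches the web tier.

```python
"""
Illustrative model (added example, not PAN-OS code) of a first-match Security
policy for internet-to-data-center traffic: an EDL-fed block rule, a narrow
allow rule for the web tier, and the implicit interzone deny.
All names, addresses and EDL entries below are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed stand-in for the "Bad IPs List" EDL (a real EDL is fetched from a URL on a schedule).
BAD_IPS_EDL = ["198.51.100.0/24", "203.0.113.77"]
WEB_SERVERS = ["10.1.1.10", "10.1.1.11"]   # constructed web-tier addresses


def ip_matches(ip, entries):
    """True if ip falls inside any address or prefix listed in entries."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in entries)


@dataclass
class Session:
    src_zone: str
    dst_zone: str
    src_ip: str
    dst_ip: str
    app: str


@dataclass
class Rule:
    name: str
    from_zones: set
    to_zones: set
    apps: set                  # {"any"} matches every application
    action: str                # "allow" or "deny"
    src_list: list = field(default_factory=list)   # empty = any source address
    dst_list: list = field(default_factory=list)   # empty = any destination address
    log_at_session: bool = True                    # every rule logs, so violations are visible

    def matches(self, s):
        return (s.src_zone in self.from_zones
                and s.dst_zone in self.to_zones
                and ("any" in self.apps or s.app in self.apps)
                and (not self.src_list or ip_matches(s.src_ip, self.src_list))
                and (not self.dst_list or ip_matches(s.dst_ip, self.dst_list)))


# Traffic that matches no rule hits the implicit interzone deny.
IMPLICIT_DENY = Rule("interzone-default", {"any"}, {"any"}, {"any"}, "deny")


def evaluate(rulebase, session):
    """First matching rule wins; nothing matching falls through to the implicit deny."""
    for rule in rulebase:
        if rule.matches(session):
            return rule
    return IMPLICIT_DENY


def build_rulebase():
    """EDL block rule first, then the specific allow rule: order matters."""
    block_bad = Rule("Block-Bad-IPs", {"Internet"}, {"DC-Web", "DC-App", "DC-DB"},
                     {"any"}, "deny", src_list=BAD_IPS_EDL)
    allow_web = Rule("Internet-to-Web-Tier", {"Internet"}, {"DC-Web"},
                     {"web-browsing", "ssl"}, "allow", dst_list=WEB_SERVERS)
    return [block_bad, allow_web]


def log_record(rule, s):
    """Shape of the session record that Log Forwarding would ship off-box."""
    return {"rule": rule.name, "action": rule.action, "from": s.src_zone, "to": s.dst_zone,
            "src": s.src_ip, "dst": s.dst_ip, "app": s.app}


if __name__ == "__main__":
    rb = build_rulebase()
    for sess in (Session("Internet", "DC-Web", "203.0.113.77", "10.1.1.10", "ssl"),
                 Session("Internet", "DC-Web", "192.0.2.10", "10.1.1.10", "ssl"),
                 Session("Internet", "DC-DB", "192.0.2.10", "10.1.3.5", "mysql")):
        print(log_record(evaluate(rb, sess), sess))
```

Three outcomes are worth reading off the model: a listed source is denied before the allow rule is consulted, an allowed source still fails when it uses an application the rule does not list, and any server group without its own allow rule is covered by the implicit deny.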
Configure SSL Inbound Inspection (and import the destination
server certificates into the firewall) to decrypt the partner, contractor,
and customer traffic that Security policy rules allow for internet-to-data-center
traffic. This example shows the Decryption policy rule for the preceding
Security policy rule. Configure
Decryption rules to match the traffic that internet-to-data-center Security
policy rules allow.
Configure internet-to-data-center DoS Protection policy rules to protect
sensitive servers from Denial-of-Service (DoS) attacks by limiting the
number of connections per second (CPS) the firewall allows to the
servers, which prevents SYN flood attacks.
Attackers target the web server tier because if they take
it down, they prevent most legitimate access to the data center.
Apply a classified DoS Protection policy rule with a DoS Protection profile that limits the
incoming CPS to prevent traffic spikes that can affect server performance.
Create a classified DoS
Protection profile to protect the web server tier and prevent SYN
flood attacks. The CPS thresholds you set depend on the baseline peak
Create a DoS Protection policy rule that specifies the web servers
you're protecting and applies the classified DoS Protection profile. To protect
against SYN flood attacks from internal sources, create a separate
DoS Protection policy rule that specifies your internal zones, rather than
the external source, as the source zone. Creating separate
rules for external and internal attack sources provides separate
reporting that makes investigating attack attempts easier.
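To make the classified-profile mechanism concrete, the following Python model counts new-connection attempts per destination server per second and compares the count against alarm, activate and maximum CPS thresholds, with one DoS Protection rule for external sources and one for internal sources so that each keeps its own event log. It is an added example, not PAN-OS code; the zone names, server addresses, thresholds and the SYN stream are constructed (the thresholds are deliberately tiny so a short burst crosses them), and the allow / mitigate / drop decisions are a simplification of what the firewall does at each threshold.

```python
"""
Illustrative model (added example, not PAN-OS code) of a classified DoS
Protection profile applied by per-source DoS Protection policy rules.
Thresholds apply per destination IP; each rule keeps its own events so that
external and internal attack sources are reported separately.
Zones, addresses, thresholds and the SYN stream below are constructed.
"""
from collections import defaultdict


class DosProtectionProfile:
    """Classified profile: alarm / activate / max thresholds in CPS per destination."""

    def __init__(self, name, alarm_rate, activate_rate, max_rate):
        if not alarm_rate <= activate_rate <= max_rate:
            raise ValueError("thresholds must satisfy alarm <= activate <= max")
        self.name = name
        self.alarm_rate = alarm_rate
        self.activate_rate = activate_rate
        self.max_rate = max_rate


class DosProtectionRule:
    def __init__(self, name, from_zones, protected_servers, profile):
        self.name = name
        self.from_zones = set(from_zones)
        self.protected_servers = set(protected_servers)
        self.profile = profile
        self.cps = defaultdict(lambda: defaultdict(int))  # second -> dst_ip -> SYN count
        self.events = []  # (second, dst_ip, threshold crossed): this rule's own reporting

    def matches(self, src_zone, dst_ip):
        return src_zone in self.from_zones and dst_ip in self.protected_servers

    def handle_syn(self, second, dst_ip):
        """Return allow / mitigate / drop for one new connection attempt."""
        self.cps[second][dst_ip] += 1
        n = self.cps[second][dst_ip]
        p = self.profile
        # record each threshold once per destination per second, at the moment it is crossed
        for label, rate in (("alarm", p.alarm_rate), ("activate", p.activate_rate), ("max", p.max_rate)):
            if n == rate + 1:
                self.events.append((second, dst_ip, label))
        if n > p.max_rate:
            return "drop"        # above the maximum rate: new connections are discarded
        if n > p.activate_rate:
            return "mitigate"    # simplified stand-in for the firewall's active mitigation
        return "allow"


def first_match(rules, src_zone, dst_ip):
    """DoS rules are evaluated top-down; the first rule covering the source zone and server wins."""
    for rule in rules:
        if rule.matches(src_zone, dst_ip):
            return rule
    return None


def build_rules():
    web_tier = ["10.1.1.10", "10.1.1.11"]   # constructed web-tier addresses
    # Constructed thresholds; real values are derived from the servers' measured baseline.
    external = DosProtectionProfile("web-tier-external", 5, 8, 12)
    internal = DosProtectionProfile("web-tier-internal", 5, 8, 12)
    return [
        DosProtectionRule("DoS-Internet-to-Web", ["Internet"], web_tier, external),
        DosProtectionRule("DoS-Internal-to-Web", ["DC-Users", "DC-App"], web_tier, internal),
    ]


def constructed_syn_stream():
    """(second, source zone, destination IP) per SYN; a 15-SYN external burst in second 1."""
    stream = [(1, "Internet", "10.1.1.10")] * 15
    stream += [(1, "DC-Users", "10.1.1.10")] * 6     # internal clients hitting the same server
    stream += [(2, "Internet", "10.1.1.10")] * 3     # next second, back to a normal rate
    stream += [(1, "Internet", "10.1.2.20")] * 4     # not a protected server: no rule applies
    return stream


def run(rules, stream):
    """Return per-rule decision counts; the rules' event lists hold the threshold reporting."""
    summary = defaultdict(lambda: defaultdict(int))
    for second, src_zone, dst_ip in stream:
        rule = first_match(rules, src_zone, dst_ip)
        key = rule.name if rule else "no-rule"
        decision = rule.handle_syn(second, dst_ip) if rule else "allow"
        summary[key][decision] += 1
    return {k: dict(v) for k, v in summary.items()}


if __name__ == "__main__":
    rules = build_rules()
    print(run(rules, constructed_syn_stream()))
    for r in rules:
        print(r.name, r.events)
```

Because the counters are keyed by destination IP, one server under attack does not cause connections to its neighbours to be dropped, and because the external and internal rules hold separate event lists, an investigator can tell at a glance which side of the firewall the excess came from.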
In addition, configure Packet Buffer Protection for
each data center zone to protect the firewall from single-session
DoS attacks that can cause legitimate traffic to drop.