DoS Protection Policy Rules
Specify which resources to protect from DoS attacks and
how to protect them.
DoS Protection policy rules control the systems to which
the firewall applies DoS protection (the flood thresholds configured
in DoS Protection profiles that you attach to DoS Protection policy
rules), what action to take when traffic matches the criteria defined
in the rule, and how to log DoS traffic. Because DoS protection
consumes firewall resources, use it only to defend specific critical resources
against session floods, especially common targets that users access
from the internet, such as web servers and database servers. Use
Zone Protection profiles to protect entire zones against floods
and other attacks. DoS Protection policy rules provide granular
matching criteria so that you have the flexibility to define exactly what
you want to protect:
- Source zone, interface, IP address (including whole regions), and user.
- Destination zone, interface, and IP address (including whole regions).
- Services (by port and protocol). DoS protection applies only to the services you specify. Specifying services limits DoS protection to those services; it does not allow those services, and it does not implicitly block all other services. In addition to protecting service ports in use on critical servers, you can also protect against DoS attacks on the unused service ports of critical servers. For critical systems, create one DoS Protection policy rule and profile to protect ports with services running, and a different DoS Protection policy rule and profile to protect ports with no services running. For example, protect a web server’s normal service ports, such as 80 and 443, with one policy/profile, and protect all of the other service ports with the other policy/profile. Be aware of the firewall’s capacity so that servicing the DoS counters doesn’t impact performance.
When traffic matches a DoS Protection policy rule, the firewall
takes one of three actions:
- Deny—The firewall denies access and doesn’t apply a DoS Protection profile. Traffic that matches the rule is blocked.
- Allow—The firewall permits access and doesn’t apply a DoS Protection profile. Traffic that matches the rule is allowed.
- Protect—The firewall protects the devices defined in the DoS Protection policy rule by applying the thresholds of the specified DoS Protection profile or profiles to traffic that matches the rule. A rule can have one aggregate DoS Protection profile and one classified DoS Protection profile, and for classified profiles, you can use the source IP, destination IP, or both to increment the flood threshold counters, as described in Classified Versus Aggregate DoS Protection. Incoming packets count against both DoS Protection profile thresholds if they match the rule.
The firewall applies DoS Protection profiles only if the Action is Protect.
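As an added illustration (not Palo Alto Networks code or PAN-OS syntax), the toy model below evaluates packets against an ordered rule set the way this page describes: Allow and Deny match without applying a profile, while Protect counts each matching packet against both an aggregate threshold and a classified threshold keyed by source, destination, or both. The addresses, thresholds and the split between in-use and unused ports are constructed for the example, and the threshold check is simplified to a single per-window packet count.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Rule:
    name: str
    dst_ip: str
    ports: Optional[set] = None   # None matches any port (used for "all other ports")
    src_ips: Optional[set] = None # None matches any source
    action: str = "protect"       # "deny", "allow" or "protect"
    agg_limit: int = 0            # aggregate profile threshold (packets per window)
    cls_limit: int = 0            # classified profile threshold (per key, per window)
    cls_key: str = "src"          # classified counter key: "src", "dst" or "src-dst"
    agg_count: int = 0
    cls_count: Counter = field(default_factory=Counter)

def evaluate(rules, src_ip, dst_ip, port):
    """Evaluate one packet; the first matching rule decides."""
    for r in rules:
        if (dst_ip != r.dst_ip or (r.ports is not None and port not in r.ports)
                or (r.src_ips is not None and src_ip not in r.src_ips)):
            continue
        if r.action != "protect":    # Allow and Deny apply no profile at all
            return r.name, r.action
        r.agg_count += 1             # a matching packet counts against BOTH thresholds
        key = {"src": src_ip, "dst": dst_ip, "src-dst": (src_ip, dst_ip)}[r.cls_key]
        r.cls_count[key] += 1
        if r.agg_count > r.agg_limit or r.cls_count[key] > r.cls_limit:
            return r.name, "flood-exceeded"
        return r.name, "allow"
    return None, "no-match"

WEB = "203.0.113.10"  # constructed address of the critical web server
def build_rules():
    return [
        # Exception: the monitoring host is never rate-limited by the rules below
        Rule("monitor-allow", WEB, src_ips={"198.51.100.5"}, action="allow"),
        # Ports in use: generous thresholds, classified counter per source IP
        Rule("web-in-use", WEB, ports={80, 443}, agg_limit=100, cls_limit=20),
        # All other ports on the server: tight thresholds, keyed by destination
        Rule("web-unused", WEB, agg_limit=10, cls_limit=5, cls_key="dst"),
    ]

def demo():
    """Run a constructed packet mix and tally (rule, verdict) pairs."""
    rules = build_rules()
    packets = [("198.51.100.5", WEB, 443)] * 30                      # monitoring
    packets += [("192.0.2.7", WEB, 443)] * 21                        # one noisy source
    packets += [("192.0.2.%d" % i, WEB, 8080) for i in range(6)]     # probes on an unused port
    return Counter(evaluate(rules, *p) for p in packets)
```

The tally from `demo()` shows the monitoring host passing untouched by any threshold, the noisy source tripping the per-source classified limit on port 443 while the aggregate stays under its limit, and the scattered probes on port 8080 tripping the destination-keyed limit of the unused-ports rule.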
If the DoS Protection policy rule’s Action is Protect, specify the appropriate aggregate and/or classified DoS Protection profiles in the rule so that the firewall applies the DoS Protection profile’s thresholds to traffic that matches the rule. Most rules are Protect rules. The Allow and Deny actions enable you to make exceptions within larger groups but do not apply DoS protection to the traffic. For example, you can deny the traffic from most of a group but allow a subset of that traffic. Conversely, you can allow the traffic from most of a group and deny a subset of that traffic.

You can Schedule when a DoS Protection policy rule is active (start and end time, recurrence period). One use case for scheduling is to apply different flood thresholds at different times of the day or week. For example, if your business experiences significantly less traffic at night than during the day, you may want to apply higher flood thresholds during the day than at night. Another use case is to schedule special thresholds for special events, provided that the firewall supports the CPS rates.

For easier management and granular reporting, configure Log Forwarding to separate DoS protection logs from other threat logs. Forward DoS threshold violation events directly to the administrators via email in addition to forwarding the logs to a server such as an SNMP or syslog server. Provided that the firewalls are appropriately sized, threshold breaches should not be frequent and will be strong indicators of an attack attempt.