At the internet-facing perimeter, do not place firewalls you use for
DoS protection or zone protection in front of dedicated DDoS devices
and perimeter routers and switches. Make those high-volume devices your
first line of DoS defense to mitigate volumetric flood attacks. For zone
and DoS protection at the perimeter, use high-capacity firewalls and
place them behind the high-volume devices.
As a rule, the closer a firewall is to the perimeter, the higher its
capacity must be to handle the volume of traffic.