Configure DoS Protection Against Flooding of New Sessions
(Required for single-session attack mitigation or attacks that have not triggered the DoS Protection policy threshold; optional for multiple-session attack mitigation) Configure Security policy rules to deny traffic from the attacker’s IP address and allow other traffic based on your network needs. You can specify any of the match criteria in a Security policy rule, such as source IP address. This step is one of the steps typically performed to stop an existing attack. See Use the CLI to End a Single Attacking Session. Components of a Security Policy Rule Create a Security Policy Rule
Configure a DoS Protection profile for flood protection. Because flood attacks can occur over multiple protocols, as a best practice, activate protection for all of the flood types in the DoS Protection profile. Select Objects > Security Profiles > DoS Protection and Add a profile Name. Select Classified as the Type. For Flood Protection, select all types of flood protection: SYN Flood UDP Flood ICMP Flood ICMPv6 Flood Other IP Flood When you enable SYN Flood, select the Action that occurs when the Activate Rate threshold is exceeded: Random Early Drop or SYN Cookies. ( Optional ) On each of the flood tabs, change the following thresholds to suit your environment: Alarm Rate (packets/s) —Specify the threshold rate (packets per second [pps]) above which a DoS alarm is generated. (Range is 0-2,000,000; default is 10,000.) Activate Rate (packets/s) —Specify the threshold rate (pps) above which a DoS response is activated. When the Activate Rate threshold is reached, Random Early Drop occurs. (Range is 0-2,000,000; default is 10,000.) Max Rate (packets/s) —Specify the threshold rate of incoming packets per second that the firewall allows. When the threshold is exceeded, new packets that arrive are dropped. (Range is 2-2,000,000; default is 40,000.) The default threshold values in this step are only starting points and might not be appropriate for your network. You must analyze the behavior of your network to properly set initial threshold values. On each of the flood tabs, specify the Block Duration (in seconds), which is the length of time the firewall blocks packets that match the DoS Protection policy rule that references this profile. Specify a value greater than zero. (Range is 1-21,600; default is 300.) Set a low Block Duration value if you are concerned that packets you incorrectly identified as attack traffic will be blocked unnecessarily. Set a high Block Duration value if you are more concerned about blocking volumetric attacks than you are about incorrectly blocking packets that are not part of an attack. Click OK.
Configure a DoS Protection policy rule that specifies the criteria for matching the incoming traffic. Select Policies > DoS Protection and Add a Name on the General tab. The name is case-sensitive and can be a maximum of 31 characters, including letters, numbers, spaces, hyphens, and underscores. On the Source tab, choose the Type to be a Zone or Interface, and then Add the zone(s) or interface(s). ( Optional ) For Source Address, select Any for any incoming IP address to match the rule or Add an address object such as a geographical region. ( Optional ) For Source User, select any or specify a user. ( Optional ) Select Negate to match any sources except those you specify. ( Optional ) On the Destination tab, choose the Type to be a Zone or Interface, and then Add the destination zone(s) or interface(s). For example, enter the security zone you want to protect. ( Optional ) For Destination Address, select Any or enter the IP address of the device you want to protect. ( Optional ) On the Option/Protection tab, Add a Service. Select a service or click Service and enter a Name. Select TCP or UDP. Enter a Destination Port. Not specifying a particular service allows the rule to match a flood of any protocol type without regard to an application-specific port. On the Option/Protection tab, for Action, select Protect. Select Classified. For Profile, select the name of the DoS Protection profile you created. For Address, select source-ip-only or src-dest-ip-both, which determines the type of IP address to which the rule applies. Choose the setting based on how you want the firewall to identify offending traffic. Specify source-ip-only if you want the firewall to classify only on the source IP address. Because attackers often test the entire network for hosts to attack, source-ip-only is the typical setting for a wider examination. Specify src-dest-ip-both if you want to protect only against DoS attacks on the server that has a specific destination address and also ensure that every source IP address will not surpass a specific connections-per-second threshold to that server. Click OK.
Save the configuration. Click Commit.

Related Documentation