DoS Protection Policy Rules

DoS protection policy rules provide granular matching criteria so that you have flexibility in defining what you want to protect:
  • Source zone or interface
  • Destination zone or interface
  • Source IP addresses and address ranges, address group objects, and countries
  • Destination IP addresses and address ranges, address group objects, and countries
  • Services (by port and protocol)
  • Users
The flexible matching criteria enable you to protect entire zones or subnets, a single server, or anything in between. When traffic matches a DoS protection policy rule, the firewall takes one of three actions:
  • Deny: The firewall denies access and doesn’t apply a DoS protection profile. Denying essentially blacklists traffic that matches the rule.
  • Allow: The firewall permits access and doesn’t apply a DoS protection profile. Allowing essentially whitelists traffic that matches the rule.
  • Protect: The firewall applies the specified DoS protection profile or profiles. A DoS protection policy rule can have one aggregate DoS protection profile and one classified DoS protection profile. Incoming packets count against both DoS protection profiles if they match the rule. The Protect action protects against floods by applying the thresholds set in the DoS protection profile or profiles to traffic that matches the rule.
The firewall only applies DoS protection profiles if the Action is Protect. If the DoS protection policy rule’s Action is Protect, specify the appropriate aggregate and/or classified DoS protection profile in the rule so that the firewall applies the DoS protection profile to traffic that matches the rule.
You can attach both an aggregate and a classified DoS protection profile to a DoS protection policy rule. The firewall checks and enforces the aggregate rate limits before it checks the classified rate limits, so if the match criteria match both profiles, the thresholds in the aggregate profile are used first.
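
The evaluation order described above, as a small Python model added here for illustration (it is not firewall code or vendor configuration). Assumptions: each profile is reduced to a single per-second ceiling (max_rate), classified counters are keyed by source IP, rules are evaluated top-down with first match winning, and all names, addresses and limits are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Profile:
    max_rate: int  # assumption: one per-second ceiling stands in for the profile's thresholds

@dataclass
class Rule:
    name: str
    dst: set                      # destination addresses (one of the listed match criteria)
    action: str                   # "deny", "allow" or "protect"
    aggregate: Optional[Profile] = None
    classified: Optional[Profile] = None
    agg_count: int = 0            # all matching traffic in the current window
    cls_count: dict = field(default_factory=lambda: defaultdict(int))  # per source IP (assumption)

def evaluate(rules, src, dst):
    """Verdict for one new connection; rules are checked top-down, first match wins (assumption)."""
    for rule in rules:
        if dst not in rule.dst:
            continue
        if rule.action in ("deny", "allow"):
            return rule.action    # no DoS protection profile is applied
        # Protect: the connection counts against both attached profiles.
        rule.agg_count += 1
        rule.cls_count[src] += 1
        # The aggregate limit is checked and enforced before the classified limit.
        if rule.aggregate and rule.agg_count > rule.aggregate.max_rate:
            return "drop:aggregate"
        if rule.classified and rule.cls_count[src] > rule.classified.max_rate:
            return "drop:classified"
        return "pass"
    return "no-match"

def demo():
    # Constructed sample: addresses and limits are illustrative only.
    web, mon = "10.0.0.10", "10.0.0.20"
    rules = [Rule("monitoring", {mon}, "allow"),
             Rule("web-protect", {web}, "protect", Profile(5), Profile(2))]
    a, b, c = "198.51.100.1", "198.51.100.2", "198.51.100.3"
    flows = [(a, web)] * 3 + [(b, web)] * 2 + [(c, web), (a, web), (a, mon)]
    return [evaluate(rules, s, d) for s, d in flows]

if __name__ == "__main__":
    print(demo())
```

In the sample run, the third source is dropped by the aggregate limit on its first connection even though its own classified count is 1, because the aggregate check comes first and every matching connection has already counted against it.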
