End-of-Life (EoL)
Objects > Security Profiles > DoS Protection
DoS Protection profiles are designed for high-precision
targeting and they augment Zone Protection profiles. A DoS Protection
profile specifies the threshold rates at which new connections per
second (cps) trigger an alarm and an action (specified in the DoS Protection
policy). The DoS Protection profile also specifies the maximum rate
of connections per second and how long a blocked IP address remains
on the Block IP list. You apply a DoS protection profile to a DoS
protection policy rule where you specify the criteria for packets
to match the rule.
A DoS Protection profile is configured to be an Aggregate or
Classified type. You can apply a Classified DoS Protection profile
to a Classified DoS Protection rule.
- A Classified DoS Protection rule has Classified selected and specifies a Classified DoS Protection profile. When a DoS Protection rule action is Protect, the firewall counts connections toward the cps thresholds of the DoS Protection profile if the packet meets the specified Address type: source-ip-only, destination-ip-only, or src-dest-ip-both.
- By comparison, a DoS Protection rule is an Aggregate rule when Classified is not selected. When a DoS Protection rule action is Protect, an Aggregate rule causes the firewall to count all connections that meet the criteria for the rule (the aggregate) toward the cps thresholds that are specified in the Aggregate DoS Protection profile identified in the rule.
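As an added illustration (not Palo Alto Networks' code or the firewall's actual algorithm), the following simplified Python model shows how the Aggregate and Classified counting keys change which connections reach the profile's alarm, action, and maximum cps thresholds and which source ends up on the Block IP list. The threshold values, the sample addresses, and the rule that an over-limit source is blocked only when the key includes its address are assumptions made for the example.

```python
from collections import defaultdict

# Constructed profile values for illustration; real thresholds fit the protected service's normal rate.
PROFILE = {"alarm": 3, "activate": 5, "maximum": 7, "block_duration": 10}

def counting_key(src, dst, mode):
    """Bucket a Protect-action rule counts in: Classified address type, or one shared bucket."""
    return {
        "aggregate": "aggregate",
        "source-ip-only": src,
        "destination-ip-only": dst,
        "src-dest-ip-both": (src, dst),
    }[mode]

def simulate(events, mode, profile=PROFILE):
    """Simplified model of the cps thresholds (not the firewall's code). events are
    (second, src_ip, dst_ip) new-connection attempts in time order."""
    counts = defaultdict(int)   # (second, key) -> new connections seen so far
    block_until = {}            # src_ip -> second at which its block expires
    verdicts = []
    for sec, src, dst in events:
        if block_until.get(src, -1) > sec:
            verdicts.append((sec, src, dst, "blocked"))  # still on the Block IP list
            continue
        key = counting_key(src, dst, mode)
        counts[(sec, key)] += 1
        cps = counts[(sec, key)]
        if cps > profile["maximum"]:
            verdict = "drop"        # over the max rate: excess connections discarded
            if mode in ("source-ip-only", "src-dest-ip-both"):
                # assumption: a source counted by its own address is blocked for block_duration
                block_until[src] = sec + profile["block_duration"]
        elif cps > profile["activate"]:
            verdict = "activate"    # the policy's action (e.g. RED or SYN cookies) applies
        elif cps > profile["alarm"]:
            verdict = "alarm"       # alarm logged, connection still allowed
        else:
            verdict = "allow"
        verdicts.append((sec, src, dst, verdict))
    return verdicts, block_until

# Constructed sample: 10.0.0.1 opens 8 connections to 192.0.2.10 in second 1 and
# 10.0.0.2 opens 2; 10.0.0.1 retries while blocked (sec 2) and after expiry (sec 12).
SAMPLE = ([(1, "10.0.0.1", "192.0.2.10")] * 8 + [(1, "10.0.0.2", "192.0.2.10")] * 2
          + [(2, "10.0.0.1", "192.0.2.10"), (12, "10.0.0.1", "192.0.2.10")])

if __name__ == "__main__":
    for mode in ("source-ip-only", "aggregate"):
        verdicts, blocked = simulate(SAMPLE, mode)
        print(mode, [v[3] for v in verdicts], blocked)
```

Under source-ip-only the second host's two connections are unaffected by the first host's flood and only the first host is blocked; under aggregate the shared bucket drops the second host's connections too, and nothing is placed on the Block IP list.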
To apply a DoS Protection profile to a DoS Protection policy, see Policies > DoS Protection.
If you have a multiple virtual system (multi-vsys) environment and have configured both of the following:
- External zones to enable inter-virtual system communication, and
- Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications,
then the following Zone and DoS protection mechanisms are disabled on the external zone:
- SYN cookies
- IP fragmentation
- ICMPv6
To enable IP fragmentation and ICMPv6 protection, create a separate zone protection profile for the shared gateway.
To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Drop or SYN cookies. On an external zone, only Random Early Drop is available for SYN Flood protection.
DoS Protection Profile Settings | Description
---|---
Name | Enter a profile name (up to 31 characters). This name appears in the list of log forwarding profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Shared | Select this option if you want the profile to be available to:
Disable override (Panorama only) | Select this option to prevent administrators from overriding the settings of this DoS Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
Description | Enter a description of the profile (up to 255 characters).
Type | Select one of the following profile types: Aggregate or Classified (described above).
Flood Protection Tab |
SYN Flood tab, UDP Flood tab, ICMP Flood tab, ICMPv6 tab, Other IP tab | Select this option to enable the type of flood protection indicated on the tab and specify the following settings:
Resources Protection Tab |
Sessions | Select this option to enable resources protection.
Max Concurrent Limit | Specify the maximum number of concurrent sessions.