DoS Protection Profiles and Policy Rules

Protect groups of similar resources and critical individual resources against session floods.
DoS Protection profiles and DoS Protection policy rules combine to protect specific groups of critical resources and individual critical resources against session floods. Compared to Zone Protection profiles, which protect entire zones from flood attacks, DoS protection provides granular defense for specific systems, especially critical systems that users access from the internet and are often attack targets, such as web servers and database servers. Apply both types of protection because if you only apply a Zone Protection profile, then a DoS attack that targets a particular system in the zone can succeed if the total connections-per-second (CPS) doesn’t exceed the zone’s Activate and Maximum rates.
DoS Protection is resource-intensive, so use it only for critical systems. Similar to Zone Protection profiles, DoS Protection profiles specify flood thresholds. DoS Protection policy rules determine the devices, users, zones, and services to which DoS Protection profiles apply.
In addition to configuring DoS protection and zone protection, apply the best practice Vulnerability Protection profile to each Security policy rule to help defend against DoS attacks.
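The gap described above, where a flood aimed at one server stays under the zone's Activate and Maximum rates, is shown here as an added Python example (not Palo Alto Networks code and not firewall configuration). The thresholds, IP addresses and session records are constructed, and the model is a simplification that only counts new sessions per second against zone-wide and per-server thresholds.

```python
from collections import Counter

# Constructed thresholds in connections per second (CPS), not vendor defaults.
ZONE_RATES = {"activate": 10000, "maximum": 40000}   # whole zone, aggregate
HOST_RATES = {"activate": 500, "maximum": 2000}      # one protected server
ORDER = ["below", "activate", "maximum"]

def state(cps, rates):
    """Classify a one-second CPS count against Activate and Maximum rates."""
    if cps >= rates["maximum"]:
        return "maximum"
    return "activate" if cps >= rates["activate"] else "below"

def worst_states(sessions, protected):
    """Return the worst state seen for the zone and for each protected IP.

    sessions: iterable of (epoch_second, destination_ip) for new sessions.
    """
    zone_cps, host_cps = Counter(), Counter()
    for second, dst in sessions:
        zone_cps[second] += 1
        if dst in protected:
            host_cps[(second, dst)] += 1
    result = {"zone": "below", **{ip: "below" for ip in protected}}
    for cps in zone_cps.values():
        result["zone"] = max(result["zone"], state(cps, ZONE_RATES), key=ORDER.index)
    for (_, dst), cps in host_cps.items():
        result[dst] = max(result[dst], state(cps, HOST_RATES), key=ORDER.index)
    return result

def constructed_sessions():
    """Three seconds of traffic; second 1 carries a flood at one web server."""
    web, db = "192.0.2.10", "192.0.2.20"
    sessions = []
    for second in range(3):
        # Background: 100 new sessions/s to each of 30 ordinary hosts.
        for host in range(30):
            sessions += [(second, f"198.51.100.{host + 1}")] * 100
        sessions += [(second, web)] * 200 + [(second, db)] * 50
    sessions += [(1, web)] * 2500   # flood aimed at the web server only
    return sessions

if __name__ == "__main__":
    print(worst_states(constructed_sessions(), {"192.0.2.10", "192.0.2.20"}))
```

In the constructed data the zone peaks at 5,750 CPS, well under its Activate rate, while the web server alone receives 2,700 CPS and crosses its own Maximum rate.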
