DoS Protection Policy Rules
Specify which resources to protect from DoS attacks and how to protect them.
DoS Protection policy rules control the systems to which the firewall applies DoS protection (the flood thresholds configured in DoS Protection profiles that you attach to DoS Protection policy rules), what action to take when traffic matches the criteria defined in the rule, and how to log DoS traffic. Because DoS protection consumes firewall resources, use it only to defend specific critical resources against session floods, especially common targets that users access from the internet, such as web servers and database servers. Use Zone Protection profiles to protect entire zones against floods and other attacks. DoS Protection policy rules provide granular matching criteria so that you have the flexibility to define exactly what you want to protect:
- Source zone, interface, IP address (including whole regions), and user.
- Destination zone, interface, and IP address (including whole regions).
- Services (by port and protocol). DoS protection applies only to the services you specify. However, specifying services doesn’t whitelist the services and implicitly blacklist all other services. Specifying services limits DoS protection to those services, but doesn’t block other services.
  In addition to protecting service ports in use on critical servers, you can also protect against DoS attacks on the unused service ports of critical servers. For critical systems, you can do this by creating one DoS Protection policy rule and profile to protect ports with services running, and a different DoS Protection policy rule and profile to protect ports with no services running. For example, you can protect a web server’s normal service ports, such as 80 and 443, with one policy/profile, and protect all of the other service ports with the other policy/profile. Be aware of the firewall’s capacity so that servicing the DoS counters doesn’t impact performance.
When traffic matches a DoS Protection policy rule, the firewall takes one of three actions:
- Deny—The firewall denies access and doesn’t apply a DoS Protection profile. Denying blacklists traffic that matches the rule.
- Allow—The firewall permits access and doesn’t apply a DoS Protection profile. Allowing whitelists traffic that matches the rule.
- Protect—The firewall protects the devices defined in the DoS Protection policy rule by applying the thresholds of the specified DoS Protection profile or profiles to traffic that matches the rule. A rule can have one aggregate DoS Protection profile and one classified DoS Protection profile, and for classified profiles, you can use the source IP, destination IP, or both to increment the flood threshold counters, as described in Classified Versus Aggregate DoS Protection. Incoming packets count against both DoS Protection profile thresholds if they match the rule.
The firewall applies DoS Protection profiles only if the Action is Protect. If the DoS Protection policy rule’s Action is Protect, specify the appropriate aggregate and/or classified DoS Protection profiles in the rule so that the firewall applies the DoS Protection profile’s thresholds to traffic that matches the rule. Most rules are Protect rules.
The Allow and Deny actions enable you to make exceptions within larger groups but do not apply DoS protection to the traffic. For example, you can deny the traffic from most of a group but allow a subset of that traffic. Conversely, you can allow the traffic from most of a group and deny a subset of that traffic.
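A simplified model of the rule handling described above, added here as an illustration and not Palo Alto Networks code: the `Rule` class, the single per-second limits (`aggregate_max`, `classified_max`), top-down first-match evaluation, and all addresses are assumptions of the example. It shows an Allow exception bypassing the profiles, a Protect match counting against both the aggregate counter and the source-IP classified counter, and an unlisted service being neither protected nor blocked.

```python
from collections import Counter
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Rule:
    name: str
    dst: str                      # destination network the rule protects
    action: str                   # "deny", "allow" or "protect"
    src: str = "0.0.0.0/0"
    ports: frozenset = frozenset()  # services covered; empty means any
    aggregate_max: int = 0        # hypothetical limit: new sessions/sec, all sources
    classified_max: int = 0       # hypothetical limit: new sessions/sec per source IP
    agg: int = 0
    per_src: Counter = field(default_factory=Counter)

    def matches(self, src, dst, port):
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (not self.ports or port in self.ports))

def evaluate(rules, src, dst, port):
    """Classify one new session inside a single one-second counting window."""
    for rule in rules:            # assumption: top-down, first match wins
        if not rule.matches(src, dst, port):
            continue
        if rule.action != "protect":
            return f"{rule.action}: no profile applied"
        rule.agg += 1             # a matching session counts against both profiles
        rule.per_src[src] += 1
        if rule.classified_max and rule.per_src[src] > rule.classified_max:
            return "protect: classified threshold exceeded"
        if rule.aggregate_max and rule.agg > rule.aggregate_max:
            return "protect: aggregate threshold exceeded"
        return "protect: within thresholds"
    return "no rule matched: not protected, not blocked"

def demo():
    web = "203.0.113.10"          # constructed addresses (documentation ranges)
    rules = [
        Rule("monitor-exception", f"{web}/32", "allow", src="198.51.100.5/32"),
        Rule("web-services", f"{web}/32", "protect", ports=frozenset({80, 443}),
             aggregate_max=5, classified_max=3),
    ]
    sessions = [("192.0.2.1", 443)] * 4 + [("192.0.2.2", 80), ("192.0.2.3", 443),
                ("198.51.100.5", 443), ("192.0.2.1", 22)]
    return [evaluate(rules, s, web, p) for s, p in sessions]
```

Calling `demo()` returns one outcome per constructed session, in order.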
You can Schedule when a DoS Protection policy rule is active (start and end time, recurrence period). One use case for scheduling is to apply different flood thresholds at different times of the day or week. For example, if your business experiences significantly less traffic at night than during the day, you may want to apply higher flood thresholds during the day than at night. Another use case is to schedule special thresholds for special events, provided that the firewall supports the CPS rates.
For easier management and granular reporting, configure Log Forwarding to separate DoS protection logs from other threat logs. Forward DoS threshold violation events directly to the administrators via email in addition to forwarding the logs to a server such as an SNMP or syslog server. Provided that the firewalls are appropriately sized, threshold breaches should not be frequent and will be strong indicators of an attack attempt.