A DoS Protection policy allows you to protect individual critical resources against DoS attacks by specifying whether to deny or allow packets that match a source interface, zone, address or user and/or a destination interface, zone, or user.

Alternatively, you can choose the Protect action and specify a DoS profile where you set the thresholds (sessions or packets per second) that trigger an alarm, activate a protective action, and indicate the maximum rate above which all new connections are dropped. Thus, you can control the number of sessions between interfaces, zones, addresses, and countries based on aggregate sessions or source and/or destination IP addresses. For example, you can control traffic to and from certain addresses or address groups, or from certain users and for certain services.

The firewall enforces DoS Protection policy rules before Security policy rules to ensure the firewall uses its resources in the most efficient manner. If a DoS Protection policy rule denies a packet, that packet never reaches a Security policy rule.

The following tables describe the DoS Protection policy settings:

See DoS Protection Profiles and Objects > Security Profiles > DoS Protection.