DoS Protection Option/Protection Tab
Select the Option/Protection tab to configure options for the DoS Protection policy rule, such as the type of service to which the rule applies, the action to take against packets that match the rule, and whether to trigger log forwarding for matched traffic. You can define a schedule for when the rule is active.
You can also select an Aggregate DoS Protection profile and/or a Classified DoS Protection profile, which determine the threshold rates that cause the firewall to take protective actions when exceeded, such as triggering an alarm, activating an action such as Random Early Drop, and dropping packets that exceed the maximum threshold rate.
Click Add and select one or more services to which the DoS Protection policy applies. The default is Any service. For example, if the DoS policy protects web servers, specify HTTP, HTTPS, and any other appropriate service ports for the web applications.
For critical servers, create separate DoS Protection rules to protect the unused service ports to help prevent targeted attacks.
Select the action the firewall performs on packets that match the DoS Protection policy rule:
The object of applying DoS Protection is to protect against DoS attacks, so you should use usually Protect. Deny drops legitimate traffic along with DoS traffic and Allow doesn’t stop DoS attacks. Use Deny and Allow only to make exceptions within a group. For example, you can deny the traffic from most of a group but allow a subset of that traffic, or allow the traffic from most of a group but deny a subset of that traffic.
Specify the schedule when the DoS Protection policy rule is in effect. The default setting of None indicates no schedule; the policy is always in effect.
Alternatively, select a schedule or create a new schedule to control when the DoS Protection policy rule is in effect. Enter a Name for the schedule. Select Shared to share this schedule with every virtual system on a multiple virtual system firewall. Select a Recurrence of Daily, Weekly, or Non-recurring. Add a Start Time and End Time in hours:minutes, based on a 24-hour clock.
If you want to trigger forwarding of threat log entries for matched traffic to an external service, such as to a syslog server or Panorama, select a Log Forwarding profile or click Profile to create a new one.
The firewall logs and forwards only traffic that matches an action in the rule.
Aggregate DoS Protection profiles set thresholds that apply to combined group of devices specified in the DoS Protection rule to protect those server groups. For example, an Alarm Rate threshold of 10,000 CPS means that when the total new CPS to the entire group exceeds 10,000 CPS, the firewall triggers an alarm message.
Select an Aggregate DoS Protection profile that specifies the threshold rates at which the incoming connections per second trigger an alarm, activate an action, and exceed a maximum rate. All incoming connections (the aggregate) count toward the thresholds specified in an Aggregate DoS Protection profile.
An Aggregate profile setting of None means there are no threshold settings in place for the aggregate traffic. See Objects > Security Profiles > DoS Protection.
Classified DoS Protection profiles set thresholds that apply to each individual device specified in the DoS Protection rule to protect individual or small groups of critical servers. For example, an Alarm Rate threshold of 10,000 CPS means that when the total new CPS to any individual server specified in the rule exceeds 10,000 CPS, the firewall triggers an alarm message.
Select this option and specify the following:
If you specify a Classified DoS Protection profile, only the incoming connections that match a source IP address, destination IP address, or source and destination IP address pair count toward the thresholds specified in the profile. For example, you can specify a Classified DoS Protection profile with a Max Rate of 100 cps, and specify an Address setting of source-ip-only in the rule. The result would be a limit of 100 connections per second for that particular source IP address.
Don’t use source-ip-only or src-dest-ip-both for internet-facing zones because the firewall can’t store counters for all possible internet IP addresses. Use destination-ip-only in perimeter zones.
Use destination-ip-only to protect individual critical devices.
Use source-ip-only and the Alarm threshold to monitor suspect hosts in non-internet-facing zones.
Deploy DoS and Zone Protection Using Best Practices
DoS and Zone Protection deployment best practices help to ensure a smooth rollout that protects your network and your most critical servers. ...
Objects > Security Profiles > DoS Protection
Objects > Security Profiles > DoS Protection DoS Protection profiles are designed for high-precision targeting and they augment Zone Protection profiles. A DoS Protection profile ...
DoS Protection Policy Rules
Specify which resources to protect from DoS attacks and how to protect them. ...
Policies > DoS Protection
Policies > DoS Protection A DoS Protection policy allows you to protect individual critical resources against DoS attacks by specifying whether to deny or allow ...
Configure DoS Protection Against Flooding of New Sessions
Configure DoS Protection Against Flooding of New Sessions Configure Security policy rules to deny traffic from the attacker’s IP address and allow other traffic based ...
Zone Defense Tools
Use a layered approach with multiple levels of protection to defend your network against DoS attacks. ...
Protect your data center web servers and the firewall from DoS attacks to prevent attackers from taking down your data center network. ...
DoS Protection Profiles
Protect groups of devices and critical individual devices from flood attacks, and limit the maximum concurrent sessions for resources. ...
Multiple-Session DoS Attack
Multiple-Session DoS Attack Configure DoS Protection Against Flooding of New Sessions by configuring a DoS Protection policy rule, which determines the criteria that, when matched ...