Objects > Security Profiles > DoS Protection
DoS Protection profiles are designed for high-precision targeting and they augment Zone Protection profiles. A DoS Protection profile specifies the threshold rates at which new connections per second (CPS) trigger an alarm and an action (specified in the DoS Protection policy). The DoS Protection profile also specifies the maximum CPS rate and how long a blocked IP address remains on the Block IP list. You specify a DoS protection profile in a DoS protection policy rule, where you specify the criteria for packets to match the rule, and the policy rule determines the devices to which the profile applies.
Create DoS Protection profiles and policies to protect critical individual devices or small groups of devices, especially internet-facing devices such as web servers and database servers.
You can configure Aggregate and Classified DoS Protection profiles. You can apply an Aggregate profile, a Classified profile, or one of each type to a DoS Protection policy rule. If you apply both profile types to a rule, the firewall applies the Aggregate profile first and then applies the Classified profile if needed.
- A Classified DoS Protection profile has Classified selected as the Type. When you apply a Classified DoS Protection profile to a DoS Protection rule whose action is Protect, the firewall counts connections toward the profile’s CPS thresholds if the packet meets the specified Address type: source-ip-only, destination-ip-only, or src-dest-ip-both.
- An Aggregate DoS Protection profile has Aggregate selected as the Type. When you apply an Aggregate DoS Protection profile a DoS Protection rule whose action is Protect, the firewall counts all connections (the combined number of connections for the group of devices specified in the rule) that meet the criteria for the rule toward the profile’s CPS thresholds.
To apply a DoS Protection profile to a DoS Protection policy, see Policies > DoS Protection.
If you have a multiple virtual system (multi-vsys) environment and have configured the following:
- External zones to enable inter-virtual system communication and
- Shared gateways to allow virtual systems to share a common interface and a single IP address for external communications, then
The following Zone and DoS protection mechanisms are disabled on the external zone:
- SYN cookies
- IP fragmentation
To enable IP fragmentation and ICMPv6 protection, create a separate zone protection profile for the shared gateway.
To protect against SYN floods on a shared gateway, you can apply a SYN Flood protection profile with either Random Early Drop or SYN cookies. On an external zone, only Random Early Drop is available for SYN Flood protection.
DoS Protection Profile Settings
Enter a profile name (up to 31 characters). This name appears in the list of log forwarding profiles when defining security policies. The name is case-sensitive and must be unique. Use only letters, numbers, spaces, hyphens, and underscores.
Enter a description of the profile (up to 255 characters).
Shared (Panorama only)
Select this option if you want the profile to be available to:
Disable override (Panorama only)
Select this option to prevent administrators from overriding the settings of this DoS Protection profile in device groups that inherit the profile. This selection is cleared by default, which means administrators can override the settings for any device group that inherits the profile.
Select one of the following profile types:
Flood Protection Tab
SYN Flood tab
UDP Flood tab
ICMP Flood tab
ICMPv6 Flood tab
Other IP Flood tab
Select this option to enable the type of flood protection indicated on the tab and specify the following settings:
Resources Protection Tab
Select this option to enable resources protection.
Max Concurrent Limit
Specify the maximum number of concurrent sessions.
DoS Protection Profiles
Protect groups of devices and critical individual devices from flood attacks, and limit the maximum concurrent sessions for resources. ...
Deploy DoS and Zone Protection Using Best Practices
DoS and Zone Protection deployment best practices help to ensure a smooth rollout that protects your network and your most critical servers. ...
DoS Protection Option/Protection Tab
DoS Protection Option/Protection Tab Select the Option/Protection tab to configure options for the DoS Protection policy rule, such as the type of service to which ...
Classified Versus Aggregate DoS Protection
Protect groups of devices with aggregate DoS protection and protect critical individual devices with classified DoS protection. ...
Protect your data center web servers and the firewall from DoS attacks to prevent attackers from taking down your data center network. ...
Protect the entire zone against SYN, UDP, ICMP, ICMPv6, and Other IP flood attacks. ...
Configure DoS Protection Against Flooding of New Sessions
Configure DoS Protection Against Flooding of New Sessions Configure Security policy rules to deny traffic from the attacker’s IP address and allow other traffic based ...
Zone Defense Tools
Use a layered approach with multiple levels of protection to defend your network against DoS attacks. ...
Take Baseline CPS Measurements for Setting Flood Thresholds
Taking baseline measurements of average and peak CPS for each zone helps define reasonable thresholds to prevent floods without unnecessarily throttling traffic. ...