DoS Protection Profiles and Policy Rules work together
to provide protection against flooding of many incoming SYN, UDP,
ICMP, and ICMPv6 packets, and other types of IP packets. You determine
what thresholds constitute flooding. In general, the DoS Protection
profile sets the thresholds at which the firewall generates a DoS
alarm, takes action such as Random Early Drop, and drops additional
incoming connections. A DoS Protection policy rule that is set to protect
(rather than to allow or deny packets) determines the criteria for
packets to match (such as source address) in order to be counted
toward the thresholds. This flexibility allows you to block certain
traffic, or allow certain traffic and treat other traffic as DoS
traffic. When the incoming rate exceeds your maximum threshold,
the firewall blocks incoming traffic from the source address.
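
The interaction described above can be modeled in a few lines. This is an added example, not firewall code or configuration from the vendor: the threshold names `alarm`, `activate` and `maximum`, the per-source one-second counting, and the linear Random Early Drop ramp are simplifying assumptions, and the traffic is constructed.

```python
import ipaddress
import random
from collections import defaultdict

class ProtectRule:
    """Model of a 'protect' rule: match criteria plus a profile's thresholds.

    alarm/activate/maximum are hypothetical names for the three thresholds,
    in new connections per second. Per-source, one-second counting and the
    linear Random Early Drop ramp are simplifying assumptions.
    """
    def __init__(self, source_net, alarm, activate, maximum, seed=0):
        if not alarm <= activate <= maximum:
            raise ValueError("expected alarm <= activate <= maximum")
        self.net = ipaddress.ip_network(source_net)
        self.alarm, self.activate, self.maximum = alarm, activate, maximum
        self.rng = random.Random(seed)
        self.counts = defaultdict(int)   # (source, second) -> connections seen
        self.alarms = set()              # (source, second) pairs that alarmed

    def handle(self, src, ts):
        """Return 'allow' or 'drop' for one new connection from src at time ts."""
        if ipaddress.ip_address(src) not in self.net:
            return "allow"               # no match: not counted toward thresholds
        key = (src, int(ts))
        self.counts[key] += 1
        rate = self.counts[key]
        if rate >= self.alarm:
            self.alarms.add(key)         # alarm only; traffic still passes
        if rate > self.maximum:
            return "drop"                # above maximum: block this source
        if rate > self.activate:
            # Random Early Drop: drop probability rises toward the maximum
            p = (rate - self.activate) / (self.maximum - self.activate)
            return "drop" if self.rng.random() < p else "allow"
        return "allow"

def replay(rule, events):
    """Apply the rule to (source, timestamp) events; return the actions in order."""
    return [rule.handle(src, ts) for src, ts in events]

if __name__ == "__main__":
    # Constructed sample traffic (documentation address ranges).
    rule = ProtectRule("203.0.113.0/24", alarm=5, activate=10, maximum=15)
    print(replay(rule, [("203.0.113.5", 0.0)] * 20))
```

Traffic from a source outside the rule's match criteria is never counted, so it cannot trip the alarm or be dropped by this rule no matter how fast it arrives.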