In addition to protecting service ports
in use on critical servers, you can also protect against DoS attacks
on the unused service ports of critical servers. For critical systems,
you can do this by creating one DoS Protection policy rule and profile
to protect ports with services running, and a different DoS Protection
policy rule and profile to protect ports with no services running.
For example, you can protect a web server’s normal service ports,
such as 80 and 443, with one policy/profile, and protect all of
the other service ports with the other policy/profile. Be aware
of the firewall’s capacity so that servicing the DoS counters doesn’t
impact performance.
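The port split described above, worked through as an added example that is not part of the original documentation: given the ports with services running, it computes the complementary ranges for the second rule and confirms that the two sets cover every port exactly once. The labels `services-in-use` and `services-unused` and the output layout are hypothetical and are not PAN-OS configuration syntax.

```python
# Added example: split a server's port space into the two port sets
# described above. Labels and output layout are hypothetical, not PAN-OS syntax.

PORT_MIN, PORT_MAX = 1, 65535


def unused_port_ranges(in_use):
    """Return the (start, end) ranges covering every port NOT in `in_use`."""
    ports = sorted(set(in_use))
    for p in ports:
        if not isinstance(p, int) or isinstance(p, bool) or not PORT_MIN <= p <= PORT_MAX:
            raise ValueError(f"invalid port: {p!r}")
    ranges, start = [], PORT_MIN
    for p in ports:
        if p > start:
            ranges.append((start, p - 1))  # gap below this in-use port
        start = p + 1
    if start <= PORT_MAX:
        ranges.append((start, PORT_MAX))  # tail above the highest in-use port
    return ranges


def split_for_dos_rules(in_use):
    """Build the port sets for the two rules; together they cover each port once."""
    ports = sorted(set(in_use))
    gaps = unused_port_ranges(ports)
    covered = len(ports) + sum(end - start + 1 for start, end in gaps)
    if covered != PORT_MAX - PORT_MIN + 1:
        raise RuntimeError("port sets do not partition the port space")
    return {
        "services-in-use": [str(p) for p in ports],
        "services-unused": [f"{s}-{e}" if s != e else str(s) for s, e in gaps],
    }


if __name__ == "__main__":
    # The web server from the text: services on 80 and 443.
    for rule, ports in split_for_dos_rules([80, 443]).items():
        print(f"{rule}: {','.join(ports)}")
```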