DOS protection rule


L4 Transporter

We are thinking of creating a DoS rule, and I was wondering what the group thinks of this rule and what effect it would have. (Attachment: DoSrule.PNG)


L6 Presenter

Action "deny" does exactly what it says - it denies traffic.

Same as a block in a security policy.

Don't enable this rule.

What you want to do is "protect".

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

@Raido_Rattameister

So basically, without a profile attached to this rule, it is going to deny all traffic coming from the outside zone as the source to the destination zones DMZ, net-services and working. So my question is: why is there an option to do this without a profile, either to deny or block? It seems like protect should be your only option.

@TranceforLife

Yes, I downloaded that and I do think it's a good article, thanks. So is anyone doing DoS protection, and how is it working for you?

I don't know why there is a deny option.

I guess it is assumed you have a DoS profile in place, and if you come under attack and suddenly want to block this traffic completely, you can do so.

But yes, this option will just deny, like a security policy.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

@Raido_Rattameister

Thanks, that's exactly what I thought too 🙂

@Raido_Rattameister

Are you using DoS protection on your firewall? Can you add DoS protection as a profile on to your policies? I don't see a way to do that, or do they stand alone?


@Raido_Rattameister wrote:

I don't know why there is a deny option.

I guess it is assumed you have a DoS profile in place, and if you come under attack and suddenly want to block this traffic completely, you can do so.

But yes, this option will just deny, like a security policy.


It's not exactly the same as security policies ... at least on more powerful hardware with FPGAs (I don't know exactly which hardware has specific FPGAs and for what features) ...

because DoS policies are processed first, so if you are under attack or want to drop a lot of traffic for another reason, doing this with DoS policies will affect your DP processor much less than dropping the traffic in later stages of packet processing (security policy).

So it isn't added as a profile to an existing policy, but is hit first, and then traffic goes on to the policies?

DoS protection can be set in two places.

One is the zone protection profile, which is processed first.

It is highly suggested to set it up, because it does not take too much bandwidth to fill the firewall session table with lots of hping requests and take you offline.

The downside is that you don't see IPs in the log (but in case of a DoS, do you need to see all those IPs?).

The second place is the DoS policy, which we are currently discussing.

This is good to use if you need to protect a specific resource, or you are a service provider and need to limit how many concurrent sessions a specific server or client can have.

Also, don't use "random early drop" but "SYN cookies" 😉

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
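Why "SYN cookies" rather than "random early drop" matters for the session-table point made above: with cookies the listener keeps no half-open state at all, so a spoofed SYN flood cannot fill the table. The following toy model, added here and not Palo Alto Networks code, builds the classic SYN cookie (5-bit time counter, 3-bit MSS index, 24-bit keyed MAC in the initial sequence number) and races a bounded half-open table against a cookie listener. The secret key, addresses, port numbers and table size are constructed for the demo.

```python
"""Toy model: SYN cookies versus a bounded half-open table under a spoofed SYN flood.

Added example, not Palo Alto Networks code.  The cookie layout follows the classic
construction (5-bit epoch, 3-bit MSS index, 24-bit MAC); SECRET, the address
strings, ports and the table size are constructed for the demo.
"""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"constructed-demo-key"            # assumption: per-host secret, rotated in practice
MSS_TABLE = (536, 1220, 1460, 4380, 8960)   # MSS values encodable in the 3-bit index
TIME_BUCKET = 64                             # seconds per cookie epoch


def _mac(saddr, daddr, sport, dport, t):
    """24-bit keyed MAC over the flow 4-tuple and the epoch counter."""
    msg = struct.pack("!4s4sHHB",
                      ipaddress.IPv4Address(saddr).packed,
                      ipaddress.IPv4Address(daddr).packed,
                      sport, dport, t)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")


def make_cookie(saddr, daddr, sport, dport, mss, now):
    """ISN to send in the SYN-ACK; the server stores nothing for this SYN."""
    t = (now // TIME_BUCKET) & 0x1F
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (idx << 24) | _mac(saddr, daddr, sport, dport, t)


def check_cookie(saddr, daddr, sport, dport, ack_num, now):
    """Validate the final ACK; return the encoded MSS, or None if bogus or expired."""
    cookie = (ack_num - 1) & 0xFFFFFFFF
    t, idx, mac = cookie >> 27, (cookie >> 24) & 0x7, cookie & 0xFFFFFF
    cur = (now // TIME_BUCKET) & 0x1F
    if t not in (cur, (cur - 1) & 0x1F):          # this epoch or the previous one only
        return None
    if idx >= len(MSS_TABLE) or mac != _mac(saddr, daddr, sport, dport, t):
        return None
    return MSS_TABLE[idx]


class TableServer:
    """Classic listener: every SYN occupies a slot in a bounded half-open table."""

    def __init__(self, slots):
        self.slots, self.half_open = slots, {}

    def on_syn(self, flow, mss, now):
        if len(self.half_open) >= self.slots:
            return None                             # table full: no SYN-ACK for anyone
        self.half_open[flow] = mss
        return 1                                    # constructed ISN, value irrelevant here

    def on_ack(self, flow, ack_num, now):
        return "established" if self.half_open.pop(flow, None) else "reset"


class CookieServer:
    """SYN-cookie listener: state appears only when a valid ACK comes back."""

    def __init__(self):
        self.established = {}

    def on_syn(self, flow, mss, now):
        return make_cookie(*flow, mss, now)         # nothing stored per SYN

    def on_ack(self, flow, ack_num, now):
        mss = check_cookie(*flow, ack_num, now)
        if mss is None:
            return "reset"
        self.established[flow] = mss
        return "established"


def simulate_flood(spoofed_syns, slots=1024, now=1000):
    """Spoofed SYNs that never complete, then one legitimate full handshake on each server."""
    srv = "198.51.100.10"
    legit = ("203.0.113.7", srv, 40000, 53)        # constructed legitimate client flow
    servers = {"table": TableServer(slots), "cookies": CookieServer()}
    for n in range(spoofed_syns):                   # constructed spoofed sources in 10.0.0.0/8
        flow = (f"10.{(n >> 16) & 255}.{(n >> 8) & 255}.{n & 255}", srv, 1024 + n % 60000, 53)
        for s in servers.values():
            s.on_syn(flow, 1460, now)
    results = {}
    for name, s in servers.items():
        isn = s.on_syn(legit, 1460, now + 1)
        results[name] = "dropped" if isn is None else s.on_ack(legit, (isn + 1) & 0xFFFFFFFF, now + 2)
    return results
```

Run `simulate_flood(2000)` and the table server, its 1024 slots exhausted by spoofed SYNs, drops the legitimate client, while the cookie server completes the handshake; `simulate_flood(10)` shows both working normally. The MAC binds the cookie to the 4-tuple and the epoch, so a replayed or guessed ACK fails validation instead of creating a session.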

@jdprovine,

To add, the initial policy rule that you have in your screenshot is a really poor use of the DoS protection profile, and it looks like you are attempting to do zone protection in the wrong area. When you build out DoS protection profiles you should attempt to limit them to your public services and set them up specific to each service; for example, you would have one for SMTP, one for DNS, one for any service that you have open to the outside world, if that's doable.

Also, when you are making this policy it's probably best to put things into an Allow action and look at the logs specifically, so that this doesn't actually start affecting traffic until you have a baseline of the rates that are normal for your public services. DoS profiles take a little bit of time to actually set up properly and ensure that you have everything correct before you start allowing them to take action against traffic.

FYI, I am just investigating a rule that someone wants to put in and am really looking for the best way to stop a denial of service attack.

@BPry

So if we did want to do DoS, the best way would be to start out with the allow action and base the profiles on that information.

So should I have both DoS and zone protection set up? I think the main focus is to make sure we are not disabled by a DoS attack, and we need to figure out the best way to do that.

@jdprovine,

I would generally want to see both a Zone Protection profile in place along with DoS policies for any public service when setting up a firewall. Zone Protection is a good way to limit everything from a ZONE level; this protection profile, however, isn't specific, as it looks at an entire zone and you set limits at that level.

With the DoS protection profile you can get way more granular, so for example if we have a public DNS server that would be vulnerable to multiple types of attack, I can protect that so that it doesn't get flooded, and I can limit the amount of traffic to something that would be a 'normal' rate.

Obviously, before you actually set up a DoS or a Zone Protection profile with an 'Activate' and 'Maximum' value, you would want to keep lowering your 'Alert' value, or have someone keep track of what your normal traffic rate is. If you set up your Activate and Maximum values without knowing your normal traffic rate, then your DoS and Zone Protection profiles are going to be pretty much useless, as they wouldn't take your actual traffic rate into account.
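The two points in this answer, sizing Alert/Activate/Maximum from an observed baseline and the difference between a zone-wide (aggregate) limit and a per-destination (classified) DoS rule, can be put into a small simulation. This is an added example, not PAN-OS code: it models the threshold ladder the way the thread describes it (alert logs only, activate starts mitigation, maximum drops new connections above the rate), and the baseline samples, server addresses and headroom multipliers are constructed for the demo.

```python
"""Baseline-first DoS thresholds, and zone-level versus per-destination enforcement.

Added example, not PAN-OS code.  HEADROOM, the baseline samples and the server
addresses are constructed for the demo; the alert < activate < maximum ladder is
modelled as: alert = log only, activate = start mitigation, maximum = drop above rate.
"""
import statistics

HEADROOM = {"alert": 1.5, "activate": 3.0, "maximum": 6.0}   # assumption: multiples of the p99 baseline


def derive_thresholds(baseline_cps):
    """Size alert/activate/maximum from observed new-connections-per-second samples.

    The 99th percentile is the highest rate the baseline still shows as normal, so
    every threshold is a multiple of it rather than a number picked blind.
    """
    if len(baseline_cps) < 2:
        raise ValueError("need at least two baseline samples")
    p99 = statistics.quantiles(baseline_cps, n=100)[98]
    thr = {name: int(p99 * mult) for name, mult in HEADROOM.items()}
    assert thr["alert"] <= thr["activate"] <= thr["maximum"]
    return thr


def profile_state(cps, thr):
    """What the profile does for one second of traffic at this rate."""
    if cps > thr["maximum"]:
        return "maximum"      # new connections above the rate are dropped
    if cps > thr["activate"]:
        return "activate"     # mitigation (SYN cookies / RED) starts
    if cps > thr["alert"]:
        return "alert"        # logged only, nothing dropped
    return "normal"


def enforce(traffic, zone_thr, dest_thr):
    """Run one second of traffic {dst_ip: cps} through both layers.

    Zone protection (or an aggregate DoS profile) counts the whole zone, so its state
    applies to every host in it.  A classified DoS rule counts each destination alone.
    """
    zone = profile_state(sum(traffic.values()), zone_thr)
    per_dest = {ip: profile_state(cps, dest_thr[ip]) for ip, cps in traffic.items()}
    return {"zone": zone, "classified": per_dest}


def demo():
    """Constructed baselines for two public servers, then a quiet second and a DNS flood."""
    dns, smtp = "198.51.100.53", "198.51.100.25"
    dns_base = [180 + (i * 7) % 60 for i in range(500)]     # roughly 180-239 cps
    smtp_base = [20 + (i * 3) % 15 for i in range(500)]     # roughly 20-32 cps
    dest_thr = {dns: derive_thresholds(dns_base), smtp: derive_thresholds(smtp_base)}
    zone_thr = derive_thresholds([a + b for a, b in zip(dns_base, smtp_base)])

    quiet = enforce({dns: 210, smtp: 28}, zone_thr, dest_thr)
    flood = enforce({dns: 1300, smtp: 28}, zone_thr, dest_thr)   # DNS at ~6x normal, SMTP unchanged
    return {"thresholds": dest_thr, "zone_thresholds": zone_thr, "quiet": quiet, "flood": flood}
```

In `demo()` the DNS flood pushes the zone-wide counter past its activate rate, so a zone-level profile starts mitigating for every host in the zone, SMTP included, although SMTP is at its normal 28 cps. The classified thresholds single out the DNS server and leave SMTP at "normal", which is the granularity the answer is describing. Swapping the constructed baselines for rates logged during an Allow-only observation period is the step that makes the thresholds meaningful.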
