DoS policy notify

L4 Transporter

DoS policy notify

Hi,

 

We have configured a DoS policy in order to limit the connections to several internal services.

So when we launch a test in order to check that the connections are being limited, we don't see any logs or event reporting it.

But looking in the policy statistics we see that it's being applied.

How can we verify that the DoS policy is working? Should we see any log or event about DoS?

 

thanks

 

L7 Applicator

Re: DoS policy notify

@jesuscano,

Within the threat logs your subtype will be flood. This will show you whenever one of your policies is triggered.

( subtype eq flood ) 

Then if you want to get notified you would just set up Log Forwarding profiles.

L4 Transporter

Re: DoS policy notify

Hi BPry,

 

We don't know of any event in "Threat logs" about this test. What could cause nothing to show in the "threat" logs?

L7 Applicator

Re: DoS policy notify

@jesuscano,

Are you sure that you are at least hitting the 'alert' value, if not the 'activate' or the 'maximum'? The DoS Protection rules should show hits regardless of whether you passed any of these values, as the profiles are actively evaluating the traffic.

L4 Transporter

Re: DoS policy notify

I attach the config:

[attachment: 1.JPG]

DoS Protection Policy

[attachment: 1.1.JPG]

We don't see any log after testing the profile:

[attachment: 3.JPG]

Counter DoS. And DoS rule with 610 current, no drops.

[attachment: 2.jpg]

Why is it not limiting the connections?

L7 Applicator

Re: DoS policy notify

Hi @jesuscano

 

The max rate that you specified as 200 only applies to TCP-SYN packets and not to already established sessions. If you want to limit the concurrent sessions you will find the corresponding configuration in the "resource protection" tab.

[attachment: Screenshot_20180913-111912_Chrome.jpg]

L7 Applicator

Re: DoS policy notify

@jesuscano,

To go along with what @vsys_remo mentioned; you are also running this as Classified and specifying a TCP-Syn alarm rate of 180 packets per second. That's quite a lot for one client to generate to actually trigger an alarm in a production environment, and I wouldn't expect this to actually trigger in most environments.

Have you actually gone through and baselined expected traffic volume? Keep in mind that your DoS profile will show a hit for any traffic that matches that policy and is analyzed; that doesn't mean that it dropped traffic 610 times.

When initially setting up a DoS Profile I would highly recommend setting an incredibly high 'Activate' and 'Max' rate; then play around with the Alarm rate to see where you're actually triggering the DoS Profile. This ensures that you aren't dropping anyone's traffic until you actually know what your baseline is, and you can set your Activate and Max rates accordingly. The Session Limit you can't really play with; you need to properly baseline expected session levels before setting a session limit or you may see yourself dropping traffic that you don't necessarily want to.
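As an added illustration (not code from this thread or from the vendor), a small Python model of the SYN-flood thresholds vsys_remo and BPry describe: only SYN packets count toward the rate, classified mode tracks that rate per source, and a rule "hit" is recorded for every matched packet whether or not anything is dropped. The threshold semantics and the 190 activate value are assumptions; the sample packets are constructed.

```python
from collections import defaultdict

# Constructed sample traffic: (second, source_ip, kind). kind is "syn" for a
# new TCP SYN and "est" for a packet on an already established session.
SAMPLE_PACKETS = (
    [(0, "10.0.0.5", "syn")] * 50 + [(0, "10.0.0.5", "est")] * 400
    + [(1, "10.0.0.5", "syn")] * 190 + [(1, "10.0.0.7", "syn")] * 20
    + [(2, "10.0.0.5", "syn")] * 260
)


def evaluate_syn_flood(packets, alarm, activate, maximum, classified=True):
    """Model the SYN-flood thresholds of a DoS profile (semantics assumed).

    Every matched packet is a rule hit (what the policy statistics show), but
    only SYN packets count toward the per-second rate, so established-session
    packets never trip a threshold. classified=True tracks the rate per source
    address; False uses one aggregate counter. Assumed actions: alarm -> threat
    log (subtype flood), activate -> mitigation starts, maximum -> SYNs dropped.
    """
    rule_hits = 0
    syn_rate = defaultdict(int)  # (second, key) -> SYN count in that second
    for second, src, kind in packets:
        rule_hits += 1
        if kind == "syn":
            key = src if classified else "aggregate"
            syn_rate[(second, key)] += 1

    verdicts = []
    for (second, key), rate in sorted(syn_rate.items()):
        if rate >= maximum:
            action = "max"
        elif rate >= activate:
            action = "activate"
        elif rate >= alarm:
            action = "alarm"
        else:
            action = "none"  # below alarm: hit counted, nothing logged
        verdicts.append((second, key, rate, action))
    return rule_hits, verdicts


def expected_flood_logs(verdicts):
    """Count the verdicts that would appear in the threat log as subtype flood."""
    return sum(1 for _, _, _, action in verdicts if action != "none")


if __name__ == "__main__":
    # Thresholds from the thread (alarm 180, max 200); activate 190 is assumed.
    hits, result = evaluate_syn_flood(SAMPLE_PACKETS, 180, 190, 200)
    print("rule hits:", hits, "flood log entries:", expected_flood_logs(result))
```

Running it shows 920 rule hits but only two seconds that would produce a flood log entry, which is the gap between the "current" counter and the threat log that the thread is about.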

L4 Transporter

Re: DoS policy notify

Yes, one thing:

 

The configuration we are looking for does not require (and should not) limit the number of concurrent connections. We should only control the growth of connections over time. The idea is that, before an 'avalanche' of connections to a specific service, only 200 (for example) are allowed every 2 seconds, although after a few seconds / minutes there are, for example, 2500 concurrent connections.

 

We have done tests (using j-meter); we observe that the DoS policy is executed, but we do not have logs or any trace or historical evidence. We can only see it in real time, by reviewing the status of the application of DoS policies.

L7 Applicator

Re: DoS policy notify


@jesuscano wrote:

We have done tests (using j-meter), we observe that the DoS policy is executed, but we do not have logs or any trace or historical evidence, only We can see in real time, reviewing the status of the application of DoS policies.


Explain this one for me a bit.if the DoS policy is activated then this will be recorded. If you are flooding the interface or running into limitations on your box then that's a different issue all together; but a properly functioning firewall will always record when a DoS policy hits an 'Activate', 'Max', or session limit event. 

L4 Transporter

Re: DoS policy notify

Hi Bpry,

 

Yes, in this thread you can see the screenshot showing how SYN flood (max) is enabled. So we see that the DoS policy is being applied, but we don't see any "flood" event in the threat logs. So we would also like to know how to find events about flooding in PA.
