How to Set Up DoS Protection

Published 01-19-2016 03:05 AM, last edited 06-20-2017 02:44 PM (33,965 Views)

Using the DoS Protection rulebase, administrators can configure policies that protect against DoS attacks. The rulebase is found under Policies > DoS Protection, and its policies can use zone, interface, IP address or user information as match conditions.



Using DoS protection profiles, you can create DoS rules much like security policies, handling traffic according to the configured criteria. These profiles are configured under Objects > Security Profiles > DoS Protection.


First, you will need to specify the profile type. You can choose between aggregate or classified.


  • Aggregate: Apply the DoS thresholds configured in the profile to all packets that match the rule criteria on which this profile is applied. For example, an aggregate rule with a SYN flood threshold of 10000 packets per second (pps) counts all packets that hit that particular DoS rule.
  • Classified: Apply the DoS thresholds configured in the profile to all packets satisfying the classification criterion (source IP, destination IP or source-and-destination IP).


The DoS protection profiles can be used to mitigate several types of DoS attacks.


Flood protection works the same way as the flood protection in zone protection profiles. For SYN floods, the available options are SYN Cookie and Random Early Drop (RED); for the other flood types, RED is used. The configuration options are the same as in zone protection profiles, with one addition: Block Duration, the time in seconds for which the offending IP address is denied.


In addition to flood protection, we also offer resources protection. This type of protection enforces a quota for your hosts. It restricts the maximum number of sessions allowed for a particular source IP address, destination IP address or IP source-destination pair.
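As an added illustration (constructed for this article, not PAN-OS code or output), the Python model below shows how the profile settings described above interact: the aggregate type keeps one shared counter for every packet hitting the rule, while the classified type with the source-ip-only criterion keeps one counter per source, so a block triggered by one host does not affect another. It also includes a minimal session quota standing in for resource protection. The addresses, timestamps, threshold values, the one-second rate buckets and the deterministic stand-in for Random Early Drop are all assumptions of the model, not a description of the firewall's implementation.

```python
"""Constructed model of DoS profile behaviour (added example, not PAN-OS code).
Rates are counted per one-second bucket; RED is replaced by a deterministic ramp."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class FloodThresholds:
    alarm_rate: int      # pps above which an alarm is logged
    activate_rate: int   # pps above which early drop begins
    max_rate: int        # pps above which every packet is dropped and the key is blocked
    block_duration: int  # seconds the offending key is denied after exceeding max_rate


@dataclass(frozen=True)
class DosProfile:
    name: str
    classified: bool     # False = aggregate (one shared counter), True = one counter per key
    criterion: str       # "source-ip-only", "destination-ip-only" or "src-dest-ip-both"
    syn: FloodThresholds


class FloodProtector:
    """Applies one profile's SYN thresholds to a stream of (time, src, dst) packets."""
    def __init__(self, profile):
        self.profile = profile
        self.counts = defaultdict(int)   # (key, second) -> packets seen in that second
        self.credit = defaultdict(int)   # key -> accumulated early-drop weight
        self.blocked_until = {}          # key -> time at which its block expires
        self.alarms = []                 # (second, key) pairs, one alarm per key per second

    def _key(self, src, dst):
        if not self.profile.classified:
            return "*"                   # aggregate: all packets hitting the rule share one counter
        c = self.profile.criterion
        return src if c == "source-ip-only" else dst if c == "destination-ip-only" else (src, dst)

    def handle(self, t, src, dst):
        """Return 'allow' or 'drop' for one packet and update the counters."""
        th = self.profile.syn
        key = self._key(src, dst)
        if t < self.blocked_until.get(key, -1.0):
            return "drop"                # still inside the block duration
        bucket = (key, int(t))
        self.counts[bucket] += 1
        rate = self.counts[bucket]       # packets so far in this one-second bucket
        if rate > th.max_rate:
            self.blocked_until[key] = t + th.block_duration
            return "drop"
        if rate > th.activate_rate:
            # Stand-in for RED: drop share rises linearly from 0 at activate_rate to 1 at max_rate
            span = th.max_rate - th.activate_rate
            self.credit[key] += rate - th.activate_rate
            if self.credit[key] >= span:
                self.credit[key] -= span
                return "drop"
            return "allow"
        if rate > th.alarm_rate and (int(t), key) not in self.alarms:
            self.alarms.append((int(t), key))
        return "allow"


class SessionQuota:
    """Resource protection: cap the number of concurrent sessions per key."""
    def __init__(self, max_sessions):
        self.max_sessions = max_sessions
        self.active = defaultdict(int)

    def open(self, key):
        if self.active[key] >= self.max_sessions:
            return False                 # quota exhausted: new session refused
        self.active[key] += 1
        return True

    def close(self, key):
        self.active[key] = max(0, self.active[key] - 1)


# Constructed traffic: 10.0.0.1 floods SYNs for one second and retries later;
# 10.0.0.2 sends three ordinary SYNs to the same server, one of them during the block.
SERVER = "203.0.113.10"
SAMPLE_PACKETS = sorted(
    [(i / 10, "10.0.0.1", SERVER) for i in range(10)]
    + [(0.15, "10.0.0.2", SERVER), (0.25, "10.0.0.2", SERVER), (1.0, "10.0.0.2", SERVER)]
    + [(1.5, "10.0.0.1", SERVER), (2.5, "10.0.0.1", SERVER), (3.0, "10.0.0.1", SERVER)]
)
SYN = FloodThresholds(alarm_rate=3, activate_rate=5, max_rate=8, block_duration=2)
AGGREGATE = DosProfile("DosProtection", False, "", SYN)
CLASSIFIED = DosProfile("Dos_classified", True, "source-ip-only", SYN)


def run(profile, packets=SAMPLE_PACKETS):
    """Return allow/drop totals, alarms raised and blocks imposed for one profile."""
    fp = FloodProtector(profile)
    tally = {"allow": 0, "drop": 0}
    for t, src, dst in packets:
        tally[fp.handle(t, src, dst)] += 1
    return {**tally, "alarms": fp.alarms, "blocked": dict(fp.blocked_until)}
```

Calling `run(AGGREGATE)` and `run(CLASSIFIED)` on the same packet list shows the difference that matters when choosing the profile type: under the aggregate profile the flood from 10.0.0.1 pushes the shared counter past the maximum rate, so the block also drops 10.0.0.2's later packet, whereas under the classified profile only 10.0.0.1 is blocked and 10.0.0.2 is unaffected.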


Next we'll go to Policies > DoS Protection to create a DoS policy similar to the way we create a security rule.


As you can see, most parameters are similar to security rules.

After giving the rule a name and configuring the source, destination and services, attach a profile to the rule using the Aggregate dropdown, or click New DoS Protection to create a new one.


The available actions are Deny, Allow and Protect:

  • Deny: drop all traffic.
  • Allow: permit all traffic.
  • Protect: enforce the protections supplied by the thresholds configured in the DoS profile applied to this rule.


Using the Schedule dropdown, you can assign a schedule so that the DoS rule applies only at a specific date/time.

Using the Log Forwarding dropdown, you can configure log forwarding to forward your threat log entries to an external service such as a syslog server or Panorama.


For the sake of this tutorial, I already created a profile of the classified type. If you tick the checkbox for a classified profile, you can select it using the Profile dropdown menu. Below that, in the Address dropdown, you select the classification criterion mentioned earlier (source-ip-only / destination-ip-only / src-dest-ip-both).


As the example shows, a single DoS rule can have both an aggregate and a classified DoS protection profile attached.


Click OK and Commit to save your configuration.


Using the CLI, verify your DoS rule's settings with the following command:


> show dos-protection rule <name> settings


As seen in the example, we have a DoS rule with

  • name = DosRule
  • aggregate profile = DosProtection
  • classified profile = Dos_classified
  • classification criteria = source-only
  • action = Protect


In the output, you will also see all the thresholds you've configured in the profiles.


This concludes the video on DoS protection.  Feel free to leave any comments in the comments section below.





Below are links to other useful documents with examples and topics we discussed in the video:


by jprovine
on 02-09-2018 06:32 AM



It looks like you can set up DoS protection without a profile; is there a benefit to using it this way? I was thinking of setting up a DoS rule, set it to allow so I can get a good idea of the traffic rates in order to craft a more effective DoS profile. Is this a good way to approach it, or do you have a better method?

on 02-12-2018 05:50 AM

Hi @jprovine,


If you allow or deny your DoS rule then it doesn't look at the profile.  The profile only comes into play when you select the action "Protect".


I don't see how you will measure traffic rate this way.


With a profile you can set the "Alarm" value really low and the "Activate/Max" rate really high and then fine-tune accordingly.  Not a very effective way in my opinion.  Much more effective would be to run netstat on your network or run a custom report to get the actual session count and create a profile based on that information.


Cheers!
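The reply above recommends sizing the profile from measured session counts rather than guessing. As an added, constructed example (not from the thread and not PAN-OS output), the Python below derives candidate thresholds from a set of session records: peak new sessions per second per source for the flood thresholds, and peak concurrent sessions per source for a resource-protection quota. The session records, the functions and the headroom factor are all assumptions; in practice the records would come from a custom report or traffic export.

```python
"""Added example: derive candidate DoS profile values from observed sessions.
The records below are constructed; the headroom factor is an assumption."""
from collections import defaultdict

# (start_second, end_second, source_ip): constructed session records
SESSIONS = [
    (0, 5, "10.0.0.1"), (0, 3, "10.0.0.1"), (1, 4, "10.0.0.1"), (1, 2, "10.0.0.1"),
    (0, 9, "10.0.0.2"), (4, 6, "10.0.0.2"),
    (2, 3, "10.0.0.3"), (2, 8, "10.0.0.3"), (2, 4, "10.0.0.3"),
]


def peak_new_sessions_per_second(sessions):
    """Highest number of sessions opened in any single second, per source."""
    per_src_sec = defaultdict(lambda: defaultdict(int))
    for start, _end, src in sessions:
        per_src_sec[src][start] += 1
    return {src: max(counts.values()) for src, counts in per_src_sec.items()}


def peak_concurrent_sessions(sessions):
    """Highest number of simultaneously open sessions, per source (sweep line)."""
    events = defaultdict(list)
    for start, end, src in sessions:
        events[src].append((start, 1))
        events[src].append((end, -1))   # sorting puts an end before a start at the same instant
    peaks = {}
    for src, ev in events.items():
        current = peak = 0
        for _t, delta in sorted(ev):
            current += delta
            peak = max(peak, current)
        peaks[src] = peak
    return peaks


def suggest_profile(sessions, headroom=2.0):
    """Alarm at the busiest observed source, activate/max scaled up by the headroom factor,
    and a session quota above the busiest observed concurrency (assumed sizing rule)."""
    base_rate = max(peak_new_sessions_per_second(sessions).values())
    base_conc = max(peak_concurrent_sessions(sessions).values())
    return {
        "alarm_rate": base_rate,
        "activate_rate": int(base_rate * headroom),
        "max_rate": int(base_rate * headroom * 2),
        "max_concurrent_sessions": int(base_conc * headroom),
    }
```

Running `suggest_profile(SESSIONS)` gives a starting point that is anchored to the observed peak rather than an arbitrary low alarm and high maximum; the headroom multiplier is the knob to revisit once the alarm log shows how often legitimate traffic approaches the thresholds.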


by jprovine
on 02-12-2018 06:31 AM


Thanks, I will take your suggestion and see what I can find out.
