Aggregate vs Zone protection profiles

Reply
Highlighted
L4 Transporter

Aggregate vs Zone protection profiles

We have separate zone protection profiles for each zone. And the definition of aggregate says that "all thresholds apply to the entire group of devices specified in a DoS Protection policy rule". So if we are trying to protect servers in DMZ, unless we use smaller groups (for which our environment doesn't seem to have a usecase). Do we even need to use Aggregate DOS protection. Only using Classified seems more appropriate in this scenario, 

 

Also as i understand, I should be able club multiple DMZ servers in same DOS policy and the thresholds will apply to each server individually.

 


Accepted Solutions
Highlighted
Cyber Elite

@raji_toor,

So your understanding is that you shouldn't set an aggregate profile because you already have Zone Protection configured on the zone right? The zone protection can accomplish the same thing as an aggregate profile, but you would generally have your Zone Protection values set much higher than you ever would on a DoS profile. If you're just going to set those values high enough that your ZP would trip anyways then yes you wouldn't setup an aggregate profile. 

View solution in original post


All Replies
Highlighted
Cyber Elite

@raji_toor,

Also as i understand, I should be able club multiple DMZ servers in same DOS policy and the thresholds will apply to each server individually.

If you have everything setup under just classified profile then yes that's correct. 

 

So not knowing anything about your environment I can't tell you if you should use aggregate, but I can tell you that in the vast majority of environments you wouldn't throw all of your public services in the same DoS entry. If you're properly tuning your DoS profiles you shouldn't have the exact same values for your website as you would have for website or your Exchange server for instance. It's pretty rare I come across an environment where grouping them all under a sole entry is advisable. 

Highlighted
L4 Transporter

@BPry  I understand it can be different for classified depending server/application itself, but am I right in my understanding of aggregate vs zone protection profiles.

Highlighted
Cyber Elite

@raji_toor,

So your understanding is that you shouldn't set an aggregate profile because you already have Zone Protection configured on the zone right? The zone protection can accomplish the same thing as an aggregate profile, but you would generally have your Zone Protection values set much higher than you ever would on a DoS profile. If you're just going to set those values high enough that your ZP would trip anyways then yes you wouldn't setup an aggregate profile. 

View solution in original post

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!