DOS profile for critical servers


L2 Linker

Hi Guys,

 

I want to create a DoS profile for critical servers. I read that I can use the classified type so that connections count toward only one IP address.

My question is: can I add multiple server IPs to the same DoS rule, or do I need to create multiple DoS rules? Also, I might need to tune thresholds based on the servers, so is it better to create a new DoS rule?

If I use the same DoS rule, will the connection count still be per destination IP, or will it act like an aggregate across all the destination IPs?

Accepted Solutions

Cyber Elite

@shafi021,

My question is: can I add multiple server IPs to the same DoS rule, or do I need to create multiple DoS rules? Also, I might need to tune thresholds based on the servers, so is it better to create a new DoS rule?

You can add multiple IPs to the same DoS rulebase entry, but keep in mind that you can only have one aggregate and one classified profile assigned to the entry. So if you have multiple public resources servicing, for example, DNS services, I would generally only make one entry. That entry would have an aggregate and a classified rulebase entry that has been fine-tuned for that service.

 

If I use the same DoS rule, will the connection count still be per destination IP, or will it act like an aggregate across all the destination IPs?

So this actually depends on how you set up the entry. An aggregate profile would affect every destination in that rule. Classified can take into account specific destination IPs, which would be limited to the destination address instead of aggregated across the matched rulebase entry.

 

Just in general, I would never configure a DOS Protection rulebase entry to service multiple different services. If you have a public Exchange server I would want to see a separate entry for Exchange; likewise I would create a separate entry for public web resources or VPN appliances.

You want to have your DoS profiles (aggregate and classified) as specific as you can get them to allow them to actually do their job. You can't really do that if you have the same profile protecting a wide array of services. 

The only caveat that would come into play is on smaller platforms where you have the potential of running into object limits on the DoS profiles. That's the only time where I start recommending people group like services into the same profile. So maybe instead of having a separate profile for each web service we go down to a generic "Public Websites" type of profile; but if your platform is capable of supporting a profile for each public service, there's no reason not to fully utilize that capability.  
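The aggregate-versus-classified counting described in the answer above, as an added example that is not part of the original thread and is not PAN-OS code: a simplified Python model of one second of traffic to two servers covered by the same rule. The addresses, rates, limit, and the "admit until the limit, then drop" behaviour are assumptions made for illustration.

```python
from collections import defaultdict


def arrivals(cps_by_dst):
    """Spread each destination's connections evenly over one second and
    return the destinations in merged arrival order."""
    timeline = sorted(
        (i / n, dst) for dst, n in cps_by_dst.items() for i in range(n)
    )
    return [dst for _, dst in timeline]


def dropped_per_destination(cps_by_dst, max_rate, classified):
    """Count dropped connections per destination for one second of traffic.

    classified=False: one counter shared by every destination in the rule.
    classified=True:  one counter per destination IP.
    Simplified model: connections are admitted until the counter reaches
    max_rate, then dropped.
    """
    counters = defaultdict(int)
    dropped = {dst: 0 for dst in cps_by_dst}
    for dst in arrivals(cps_by_dst):
        key = dst if classified else "rule-wide"
        if counters[key] >= max_rate:
            dropped[dst] += 1
        else:
            counters[key] += 1
    return dropped


# Constructed sample: two servers in the same rule, one of them flooded.
SAMPLE = {"203.0.113.10": 5000, "203.0.113.11": 150}
MAX_RATE = 1000  # hypothetical connections-per-second limit

if __name__ == "__main__":
    for mode, flag in (("aggregate", False), ("classified", True)):
        print(mode, dropped_per_destination(SAMPLE, MAX_RATE, flag))
```

With the shared counter, the quiet server loses connections because the flooded server consumes the rule-wide budget; with per-destination counters, only the flooded address is limited.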


3 REPLIES

L2 Linker

@OwenFuller @BPry When I tried to answer on my RFC1918 post, I was not able to do that. It is giving me an error. Thanks Owen and BPry. Yes, we are using public IP addresses, and it is just that my manager wants to implement it to have better security, to block private IP blocks from the public zone.

Also, can you please look into my DoS profile rule question? Thanks for the help and support.

 

Thank you.

L0 Member

TEST 2
