Action "deny" does exactly what is says - it denies traffic.

Same as you block in security policy.

Don't enable this rule.

What you wan't to do is to "protect"

@Raido

so basically with out a profile attached to this rule it is going to deny all traffice coming for the outside zone as a source to the destination zones of DMZ, net-services and working. so my question is why is there an option to do this with out a profile either to deny or block seems like protect should be your only option.

@TranceforLife

Yes I downloaded that and I do think its a good article thanks. So is anyone doing DoS protection and how is it working for you

I don't know why there is deny option.

I guess it is assumed you have DoS profile in place and if you fall under attack and suddenly want to block this traffic completely you can do so.

But yes this option will just deny like security policy.

@Raido

Thanks thats exactly what I thought too :)

@Raido

are you using DoS protection on your firewall? Can you add DoS protection as a profile on to you policies? I don't see a way to do that or do they stand alone

---

@Raido wrote:

I don't know why there is deny option.

I guess it is assumed you have DoS profile in place and if you fall under attack and suddenly want to block this traffic completely you can do so.

But yes this option will just deny like security policy.

---

It's not exacly the same as security policys ... at least on more powerful hardware with FPGA's (I don't know exactly which hardware has specific FPGA's and for what features) ...

because DoS policys are processed first, so if you are under Attack or want to drop a lot of traffic because of another reason, doing this with DoS policys will affect your DP processor much less than dropping the traffic in later stages of the packet processing (security policy)

So it isn't added as a profile to an existing policy but is hit first and then goes to the policies