DOS protection rule

L4 Transporter

We are thinking of creating a DoS rule and I was wondering what the group thinks of this rule and what effect it would have. DoSrule.PNG

L6 Presenter

Action "deny" does exactly what it says - it denies traffic.

Same as you block in security policy.

Don't enable this rule.

What you want to do is to "protect".

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

@Raido

So basically, without a profile attached to this rule it is going to deny all traffic coming from the outside zone as a source to the destination zones of DMZ, net-services and working. So my question is why there is an option to do this without a profile, either to deny or block. Seems like protect should be your only option.

@TranceforLife

Yes, I downloaded that and I do think it's a good article, thanks. So is anyone doing DoS protection, and how is it working for you?

I don't know why there is a deny option.

I guess it is assumed you have a DoS profile in place and if you fall under attack and suddenly want to block this traffic completely you can do so.

But yes, this option will just deny like a security policy.

Enterprise Architect @ Cloud Carib www.cloudcarib.com
ACE, PCNSE, PCNSI

@Raido

Thanks, that's exactly what I thought too :)

@Raido

Are you using DoS protection on your firewall? Can you add DoS protection as a profile onto your policies? I don't see a way to do that, or do they stand alone?


@Raido wrote:

I don't know why there is a deny option.

I guess it is assumed you have a DoS profile in place and if you fall under attack and suddenly want to block this traffic completely you can do so.

But yes, this option will just deny like a security policy.


It's not exactly the same as security policies ... at least on more powerful hardware with FPGAs (I don't know exactly which hardware has specific FPGAs and for what features) ...

because DoS policies are processed first, so if you are under attack or want to drop a lot of traffic for another reason, doing this with DoS policies will affect your DP processor much less than dropping the traffic in later stages of the packet processing (security policy).

So it isn't added as a profile to an existing policy, but is hit first and then goes to the policies.
