My question is: can I add multiple server IPs in the same DoS rule, or do I need to create multiple DoS rules? Also, I might need to tune thresholds based on the servers, so is it better to create a new DoS rule?
You can add multiple IPs to the same DoS rulebase entry, but keep in mind that you can only have one aggregate and one classified profile assigned to the entry. So if you have multiple public resources servicing, for example, DNS services, I would generally only make one entry. That entry would have an aggregate and a classified rulebase entry that has been fine-tuned for that service.
If I use the same DoS rule, will the connection count still be per destination IP, or will it act like an aggregate across all the destination IPs?
So this actually depends on how you set up the entry. An aggregate profile would affect every destination in that rule. Classified can take into account specific destination IPs, which would be limited to the destination address instead of aggregated across the matched rulebase entry.
Just in general, I would never configure a DoS Protection rulebase entry to service multiple different services. If you have a public Exchange server, I would want to see a separate entry for Exchange; likewise, I would create a separate entry for public web resources or VPN appliances.
You want to have your DoS profiles (aggregate and classified) as specific as you can get them to allow them to actually do their job. You can't really do that if you have the same profile protecting a wide array of services.
The only caveat that would come into play is on smaller platforms where you have the potential of running into object limits on the DoS profiles. That's the only time where I start recommending people group like services into the same profile. So maybe instead of having a separate profile for each web service we go down to a generic "Public Websites" type of profile; but if your platform is capable of supporting a profile for each public service, there's no reason not to fully utilize that capability.
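To make the aggregate-versus-classified distinction from the answer above concrete, here is an added Python simulation of how the two profile types count new sessions for one rulebase entry that matches several destination IPs. It is not Palo Alto code and not from this thread; the server addresses, per-second session counts and thresholds are constructed, and the "maximal rate" is modelled simply as a ceiling on new sessions per second.

```python
from collections import defaultdict

# Constructed sample: new sessions per second toward three public DNS servers
# (documentation-range addresses) that all match one DoS rulebase entry.
BALANCED_EVENTS = [
    ("203.0.113.10", 1500),
    ("203.0.113.11", 1500),
    ("203.0.113.12", 1500),
]

# Constructed sample: the same entry while one server alone is being hammered.
HOTSPOT_EVENTS = [
    ("203.0.113.10", 5000),
    ("203.0.113.11", 100),
    ("203.0.113.12", 100),
]


def aggregate_check(events, max_rate):
    """Aggregate profile: a single counter shared by every destination the
    entry matches. Returns (total, exceeded); when it trips, the action
    applies to all destinations in the entry, not just the busy one."""
    total = sum(count for _, count in events)
    return total, total > max_rate


def classified_check(events, max_rate):
    """Classified profile with destination-ip-only criteria: one counter per
    destination. Returns {dst_ip: count} only for hosts that individually
    exceed max_rate, so quiet servers in the same entry are unaffected."""
    per_destination = defaultdict(int)
    for dst_ip, count in events:
        per_destination[dst_ip] += count
    return {ip: n for ip, n in per_destination.items() if n > max_rate}


def compare(events, aggregate_max, classified_max):
    """Evaluate both profile types on the same traffic so the difference in
    scope (whole entry vs. per destination) is visible side by side."""
    total, agg_hit = aggregate_check(events, aggregate_max)
    return {
        "aggregate_total": total,
        "aggregate_exceeded": agg_hit,
        "classified_exceeded": classified_check(events, classified_max),
    }


if __name__ == "__main__":
    print(compare(BALANCED_EVENTS, 4000, 4000))  # aggregate trips, classified does not
    print(compare(HOTSPOT_EVENTS, 4000, 4000))   # both trip, classified names one host
```

The balanced case shows why a shared aggregate threshold must be sized for the sum of all destinations in the entry, while the hotspot case shows a classified profile isolating the single overloaded server.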