Step 9: Deploy the system in Prevention Mode
After you have set the statistical baseline and evaluated the configured minimum thresholds, change to Prevention Mode. In Prevention Mode, the system uses the configured minimum threshold in the calculations that determine the estimated thresholds. The estimated thresholds are rate limits that the system enforces by dropping packets. They are also the triggers for reporting flood attacks and for entering SYN flood attack mitigation mode.
As needed, you repeat the tuning: monitor observed throughput, estimated thresholds, and drops; adjust the configured minimum thresholds; monitor; adjust.
Basic steps
1. Go to Protection Profiles > SPP Settings and change the configuration to Prevention Mode. Do this for each SPP.
2. On the Protection Profiles > SPP Settings page, enable the recommended TCP session state anomalies options: seq-validation, syn-validation, foreign-packet-validation, state-transition-anomalies-validation, allow-tuple-reuse.
3. Continue to monitor traffic.
4. Tune the configuration if necessary. Go to Protection Profiles > Thresholds > Thresholds to set rates manually, or go to Protection Profiles > Thresholds > System Recommendation to adjust the percentages applied at OSI layers or to adjust the low traffic threshold.
Figure 40: SPP Settings page
For details, refer to the online help or see “Configuring SPP settings”.
Figure 41: Manual Thresholds page
 
Figure 42: Apply the recommended thresholds
For details, refer to the online help or see “Modifying threshold settings”.
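The monitor-and-adjust loop described above can be supported by a small triage script run over figures copied from the monitoring pages. This is an added example, not FortiDDoS code or a FortiDDoS export format: the field names, the sample rows, the `LOOSE_FACTOR` value and the decision rules are all assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    threshold: str          # threshold name (constructed for this example)
    configured_min: int     # configured minimum threshold, packets/s
    estimated: int          # estimated threshold the system enforced
    observed_peak: int      # peak observed rate in the review window
    drops: int              # packets dropped against this threshold
    attack_confirmed: bool  # analyst verdict: was the window a real attack?

# Assumption: a configured minimum more than 10x the observed peak gives
# little protection and is worth reviewing. Pick a factor that suits your traffic.
LOOSE_FACTOR = 10

def review(s: Sample) -> str:
    """Return 'raise', 'lower' or 'keep' for one threshold."""
    if s.drops > 0 and not s.attack_confirmed:
        # Legitimate traffic is hitting the rate limit: candidate false positive.
        return "raise"
    if s.drops > 0 and s.attack_confirmed:
        # Drops during a confirmed attack are the intended behaviour.
        return "keep"
    if s.observed_peak > 0 and s.configured_min > LOOSE_FACTOR * s.observed_peak:
        # No drops, and the floor sits far above anything seen in the window.
        return "lower"
    return "keep"

def triage(samples):
    """Map each threshold name to its suggested action."""
    return {s.threshold: review(s) for s in samples}

# Constructed sample rows, not real measurements.
SAMPLES = [
    Sample("syn",      500,    800,    1200, 400,  False),
    Sample("udp-port", 100000, 100000, 2000, 0,    False),
    Sample("http-get", 300,    450,    5000, 4550, True),
    Sample("icmp",     200,    260,    180,  0,    False),
]

if __name__ == "__main__":
    for name, action in triage(SAMPLES).items():
        print(f"{name:10s} -> {action}")
```

Treat the output as a list of thresholds to inspect on the Thresholds pages, not as values to apply automatically.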