DoS Policy
The company wishes to protect against Denial of Service attach. They have chosen some where they wish to block the attacks of the incidence goes above a certain threshold and for some others they are just trying to get a baseline of activity for those types of attacks so they are letting the traffic pass through without action.
• The interface to the Internet is on WAN1
• There is no requirement to specify which addresses are being protected or protected from.
• The protection is to extend to all services.
• The TCP attacks are to be blocked
• The UDP, ICMP, and IP attacks are to be recorded but not blocked.
• The tcp_syn_flood attach’s threshold is to be changed from the default to 1000
Go to Policy & Objects > Policy > DoS.
Create a new policy
Fill out the fields with the following information:
Incoming Interface | wan1 |
Source Address | all |
Destination Addresses | all |
Service | ALL |
Anomalies
Name | Status | Logging | Action | Threshold |
tcp_syn_flood | enabled | enabled | Block | 1000 |
tcp_port_scan | enabled | enabled | Block | <default value> |
tcp_src_session | enabled | enabled | Block | <default value> |
tcp_dst_session | enabled | enabled | Block | <default value> |
udp_flood | enabled | enabled | Pass | <default value> |
udp_scan | enabled | enabled | Pass | <default value> |
udp_src_session | enabled | enabled | Pass | <default value> |
udp_dst_session | enabled | enabled | Pass | <default value> |
icmp_flood | enabled | enabled | Pass | <default value> |
icmp_sweep | enabled | enabled | Pass | <default value> |
icmp_src_session | enabled | enabled | Pass | <default value> |
icmp_dst_session | enabled | enabled | Pass | <default value> |
ip_src_session | enabled | enabled | Pass | <default value> |
ip_dst_session | enabled | enabled | Pass | <default value> |
sctp_flood | not enabled | not enabled | Pass | <default value> |
sctp_scan | not enabled | not enabled | Pass | <default value> |
sctp_src_session | not enabled | not enabled | Pass | <default value> |
sctp_dst_session | not enabled | not enabled | Pass | <default value> |
Toggle the button next to Enable this policy to ON
Select OK
Enter the following CLI command:
config firewall DoS-policy
edit 0
set status enable
set interface ''
config anomaly
edit "tcp_syn_flood"
set status enable
set log enable
set action block
set threshold 1000
next
edit "tcp_port_scan"
set status enable
set log enable
set action block
next
edit "tcp_src_session"
set status enable
set log enable
set action block
next
edit "tcp_dst_session"
set status enable
set log enable
set action block
next
edit "udp_flood"
set status enable
set log enable
next
edit "udp_scan"
set status disable
set status enable
set log enable
next
edit "udp_src_session"
set status enable
set log enable
next
edit "udp_dst_session"
set status enable
set log enable
next
edit "icmp_flood"
set status enable
set log enable
next
edit "icmp_sweep"
set status enable
set log enable
next
edit "icmp_src_session"
set status enable
set log enable
next
edit "icmp_dst_session"
set status enable
set log enable
next
edit "ip_src_session"
set status enable
set log enable
next
edit "ip_dst_session"
set status enable
set log enable
next
end
next
end