waf application-layer-dos-prevention
Use this command to create an HTTP-layer DoS protection policy. Once you create the policy, reference it in an inline protection profile that is used by a server policy.
To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For more information, see “Permissions”.
Syntax
config waf application-layer-dos-prevention
  edit <app-dos-policy_name>
    set enable-http-session-based-prevention {enable | disable}
    set http-connection-flood-check-rule <rule_name>
    set http-request-flood-prevention-rule <rule_name>
    set enable-layer4-dos-prevention {enable | disable}
    set layer4-access-limit-rule <rule_name>
    set layer4-connection-flood-check-rule <rule_name>
  next
end
Variable: <app-dos-policy_name>
Description: Type the name of a new or existing rule. The maximum length is 35 characters. To display the list of existing rules, type:
    edit ?
Default: No default.

Variable: enable-http-session-based-prevention {enable | disable}
Description: Enable to use DoS protection based on session cookies. Also configure http-connection-flood-check-rule <rule_name> and http-request-flood-prevention-rule <rule_name>.
Default: disable

Variable: http-connection-flood-check-rule <rule_name>
Description: Type the name of an existing rule that sets the maximum number of HTTP requests per second to a specific URL. The maximum length is 35 characters. To display a list of the existing rules, type:
    set http-connection-flood-check-rule ?
This setting applies only if enable-http-session-based-prevention is enabled.
Default: No default.

Variable: http-request-flood-prevention-rule <rule_name>
Description: Type the name of an existing rule that limits TCP connections from the same client. The maximum length is 35 characters. To display a list of the existing rules, type:
    set http-request-flood-prevention-rule ?
This setting applies only if enable-http-session-based-prevention is enabled.
Default: No default.

Variable: enable-layer4-dos-prevention {enable | disable}
Description: Enable to use DoS protection that is not based on session cookies. Also configure layer4-access-limit-rule <rule_name> and layer4-connection-flood-check-rule <rule_name>.
Default: disable

Variable: layer4-access-limit-rule <rule_name>
Description: Type the name of a rule that limits the number of HTTP requests per second from any source IP address. The maximum length is 35 characters. To display a list of the existing rules, type:
    set layer4-access-limit-rule ?
This setting applies only if enable-layer4-dos-prevention is enabled.
Default: No default.

Variable: layer4-connection-flood-check-rule <rule_name>
Description: Type the name of an existing rule that limits the number of TCP connections from the same source IP address. The maximum length is 35 characters. To display a list of the existing rules, type:
    set layer4-connection-flood-check-rule ?
This setting applies only if enable-layer4-dos-prevention is enabled.
Default: No default.
Example
This example shows the settings for a DoS protection policy that protects a web portal using existing DoS prevention rules.
config waf application-layer-dos-prevention
  edit "Web Portal DoS Policy"
    set enable-http-session-based-prevention enable
    set http-connection-flood-check-rule "Web Portal TCP Connect Limit"
    set http-request-flood-prevention-rule "Web Portal HTTP Request Limit"
    set enable-layer4-dos-prevention enable
    set layer4-access-limit-rule "Web Portal HTTP Request Limit"
    set layer4-connection-flood-check-rule "Web Portal Network Connect Limit"
  next
end
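The rule settings take effect only when their enable flag is on, so a saved policy can reference rules that are silently ignored, or enable a flag without the rules it needs. The Python check below is an added example, not part of the original reference or of any Fortinet tooling; it lints a config block of this command for those cases and for the 35-character limit. The function names and the sample policy are constructed, and treating a missing rule under an enabled flag as a finding is an assumption drawn from the "Also configure" wording.

```python
import shlex

# Each enable flag and the two rule settings the variable table ties to it.
DEPENDENCIES = {
    "enable-http-session-based-prevention": (
        "http-connection-flood-check-rule", "http-request-flood-prevention-rule"),
    "enable-layer4-dos-prevention": (
        "layer4-access-limit-rule", "layer4-connection-flood-check-rule"),
}
MAX_NAME_LEN = 35  # maximum length given for the policy name and each rule name

def parse_policies(text):
    """Return {policy_name: {setting: value}} from a config block of this command."""
    policies, current = {}, None
    for line in text.splitlines():
        tokens = shlex.split(line)  # keeps quoted names with spaces as one token
        if tokens[:1] == ["edit"] and len(tokens) == 2:
            current = policies.setdefault(tokens[1], {})
        elif tokens[:1] == ["set"] and len(tokens) == 3 and current is not None:
            current[tokens[1]] = tokens[2]
        elif tokens[:1] == ["next"]:
            current = None
    return policies

def lint_policy(name, settings):
    """List findings where a policy protects less than its settings suggest."""
    findings = []
    if len(name) > MAX_NAME_LEN:
        findings.append(f"policy name exceeds {MAX_NAME_LEN} characters")
    for flag, rules in DEPENDENCIES.items():
        enabled = settings.get(flag, "disable") == "enable"  # both flags default to disable
        for rule in rules:
            value = settings.get(rule)
            if enabled and value is None:
                findings.append(f"{flag} is enabled but {rule} is not set")
            elif not enabled and value is not None:
                findings.append(f"{rule} is set but ignored because {flag} is disabled")
            if value is not None and len(value) > MAX_NAME_LEN:
                findings.append(f"{rule} name exceeds {MAX_NAME_LEN} characters")
    return findings

# Constructed sample policy (not from the page): one rule missing, one rule orphaned.
SAMPLE = """config waf application-layer-dos-prevention
  edit "Portal Policy"
    set enable-http-session-based-prevention enable
    set http-connection-flood-check-rule "Portal Connect Limit"
    set layer4-access-limit-rule "Portal Request Limit"
  next
end
"""
```

Calling lint_policy on each entry returned by parse_policies(SAMPLE) reports the missing http-request-flood-prevention-rule and the ignored layer4-access-limit-rule.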
Related topics
config waf http-connection-flood-check-rule
config waf http-request-flood-prevention-rule
config waf layer4-access-limit-rule
config waf layer4-connection-flood-check-rule
config system dos-prevention
config system advanced
config system global