Policies > DoS Protection
A DoS Protection policy allows you to protect against DoS attacks by specifying whether to deny or allow packets that match a source interface, zone, address, or user, and/or a destination interface, zone, or address.
Alternatively, you can choose the Protect action and specify a DoS profile where you set the thresholds (sessions or packets per second) that trigger an alarm, activate a protective action, and indicate the maximum rate above which packets are dropped. Thus, you can control the number of sessions between interfaces, zones, addresses, and countries based on aggregate sessions or source and/or destination IP addresses. For example, you can control traffic to and from certain addresses or address groups, or from certain users and for certain services.
The firewall enforces DoS Protection policy rules before Security policy rules to ensure the firewall uses its resources in the most efficient manner. If a DoS Protection policy rule denies a packet, that packet never reaches a Security policy rule.
Use this page to Add, edit, or delete DoS Protection policy rules.
The following tables describe the DoS Protection policy settings:
DoS Protection General Tab
Select the General tab to configure a name and description for the DoS Protection policy. You can also configure a tag to allow you to sort or filter policies when many policies exist.
Field Description
Name Enter a name to identify the rule. The name is case-sensitive and can have up to 31 characters, which can be letters, numbers, spaces, hyphens, and underscores. The name must be unique on a firewall and, on Panorama, unique within its device group and any ancestor or descendant device groups.
Description Enter a description for the rule (up to 255 characters).
Tag If you want to tag the policy, click Add to specify the tag. A policy tag is a keyword or phrase that allows you to sort or filter policies. This is useful when you have defined many policies and want to view those that are tagged with a particular keyword. For example, you may want to tag certain security policies with Inbound to DMZ, decryption policies with the words Decrypt and No-decrypt, or use the name of a specific data center for policies associated with that location.
DoS Protection Source Tab
Select the Source tab to define the source interface(s) or source zone(s), and optionally the source address(es) and source user(s) that define the incoming traffic to which the DoS policy rule applies.
Field Description
Type Select the Type of source to which the DoS Protection policy rule applies:
  Interface: Apply the rule to traffic coming from the specified interface or group of interfaces.
  Zone: Apply the rule to traffic coming from any interface in a specified zone.
Click Add to specify multiple interfaces or zones.
Source Address Specify one or more source addresses to which the DoS Protection policy rule applies. Click Add to specify multiple addresses. Select Negate to choose any address except the configured ones.
Source User Specify one or more source users to which the DoS Protection policy rule applies:
  any: Include any traffic regardless of user data.
  pre-logon: Include remote users that are connected to the network using GlobalProtect but are not logged into their system. When the Pre-logon option is configured on the Portal for GlobalProtect clients, any user who is not currently logged into their machine is identified with the username pre-logon. You can then create policies for pre-logon users; although the user is not logged in directly, their machine is authenticated on the domain as if they were fully logged in.
  known-user: Include all authenticated users, which means any IP address with user data mapped. This option is equivalent to the "domain users" group on a domain.
  unknown: Include all unauthenticated users, which means IP addresses that are not mapped to a user. For example, you could use unknown for guest-level access: guests have an IP address on your network but are not authenticated to the domain, so the firewall has no IP-to-user mapping for them.
  Select: Include selected users as determined by the selection in this window. For example, you may want to add one user, a list of individuals, some groups, or manually add users. If you are using a RADIUS server and not the User-ID Agent, the list of users does not display; you must enter user information manually.
DoS Protection Destination Tab
Select the Destination tab to define the destination zone or interface and destination address that define the destination traffic to which the policy applies.
Field Description
Type Specify the type of destination to which the rule applies:
  Interface: Apply the DoS Protection policy rule to traffic destined for an interface or a group of interfaces.
  Zone: Apply the DoS Protection policy rule to traffic destined for all interfaces in a given zone.
Click Add to specify multiple interfaces or zones.
Destination Address Specify one or more destination addresses to apply the DoS Protection policy rule to traffic to specific destination addresses. Click Add to specify multiple addresses. Select Negate to specify any address except the configured ones.
DoS Protection Option/Protection Tab
Select the Option/Protection tab to configure options for the DoS Protection policy rule, such as the type of service (http or https) to which the rule applies, the action to take against packets that match the rule, and whether or not to trigger log forwarding for matched traffic. You can also define a schedule for when the rule is active.
You can also select an aggregate DoS Protection profile and/or a classified DoS Protection profile, which determine the threshold rates that, when exceeded, cause the firewall to take protective actions, such as trigger an alarm, activate an action such as Random Early Drop, and drop packets that exceed the maximum threshold rate.
Field Description
Service Click Add and select one or more services to apply the DoS policy to only the configured services. The default is Any service.
Action Select the action the firewall takes against packets that match the rule:
  Deny: Drop all packets that match the rule.
  Allow: Permit all packets that match the rule.
  Protect: Enforce the protections specified in the DoS Protection profile applied to this rule on packets that match the rule. Packets that match the rule are counted toward the threshold rates in the DoS Protection profile, which in turn trigger an alarm, activate another action, and trigger packet drops when the maximum rate is exceeded.
Schedule Specify the schedule when the DoS Protection policy rule is in effect. The default setting of None indicates no schedule; the policy is always in effect. Alternatively, select a schedule or create a new schedule to control when the DoS Protection policy rule is in effect. Enter a Name for the schedule. Select Shared to share this schedule with every virtual system on a multiple virtual system firewall. Select a Recurrence of Daily, Weekly, or Non-recurring. Add a Start Time and End Time in hours:minutes, based on a 24-hour clock.
Log Forwarding If you want to trigger forwarding of threat log entries to an external service—such as a syslog server or Panorama—select a log forwarding profile from the drop-down or click Profile to create a new one. Note that only traffic that matches an action in the rule will be logged and forwarded.
Aggregate Select an Aggregate DoS Protection profile, which specifies the threshold rates at which the incoming traffic triggers an alarm, activates an action, and exceeds a maximum rate. All incoming connections (the aggregate) count toward the thresholds specified in an Aggregate DoS Protection profile. See Objects > Security Profiles > DoS Protection. An Aggregate profile setting of None means there are no threshold settings in place for the aggregate traffic.
Classified Select this option and specify the following:
  Profile: Select a Classified DoS Protection profile or create a new DoS Protection profile to apply to this rule.
  Address: Select whether incoming connections count toward the thresholds in the profile if they match the source-ip-only, destination-ip-only, or src-dest-ip-both.
If you specify a Classified DoS Protection profile, only the incoming connections that match a source IP address, destination IP address, or source and destination IP address pair count toward the thresholds specified in the profile. For example, you can specify a Classified DoS Protection profile with a Max Rate of 100 and specify an Address setting of source-ip-only in the rule. The result would be a limit of 100 sessions at any given time for that particular source IP address. See Objects > Security Profiles > DoS Protection.
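To make the difference between the Aggregate and Classified counting described above concrete, here is an added Python model (not PAN-OS code, and not how the firewall is implemented) of a Protect rule: every matching session counts toward the Aggregate profile, while the Classified profile counts sessions grouped by the rule's Address setting, and a new session is dropped when any profile it counts against is already at its Max Rate. Threshold names and the allow/alarm/activate/drop verdicts are the model's own assumptions.

```python
# Added example, not PAN-OS code: a minimal model of how a DoS Protection rule
# with the Protect action counts sessions toward an Aggregate profile (all
# matching sessions) and a Classified profile (sessions grouped by the rule's
# Address setting), and which threshold each new session crosses.
from collections import Counter
from dataclasses import dataclass, field
from typing import Optional

SEVERITY = {"allow": 0, "alarm": 1, "activate": 2, "drop": 3}


@dataclass
class DoSProfile:
    alarm_rate: int      # sessions at which an alarm is raised
    activate_rate: int   # sessions at which the action (e.g. RED) starts
    max_rate: int        # sessions above which new sessions are dropped


@dataclass
class DoSRule:
    aggregate: Optional[DoSProfile] = None
    classified: Optional[DoSProfile] = None
    address: str = "source-ip-only"  # or destination-ip-only / src-dest-ip-both
    counts: Counter = field(default_factory=Counter)  # key -> active sessions

    def _keys(self, src: str, dst: str):
        """Yield (profile, counter key) pairs this session counts against."""
        if self.aggregate:
            yield self.aggregate, "aggregate"
        if self.classified:
            key = {"source-ip-only": ("src", src),
                   "destination-ip-only": ("dst", dst),
                   "src-dest-ip-both": ("pair", src, dst)}[self.address]
            yield self.classified, key

    def new_session(self, src: str, dst: str) -> str:
        """Admit one new session; return allow, alarm, activate or drop."""
        pairs = list(self._keys(src, dst))
        # A session that would exceed any profile's Max Rate is dropped
        # and is not counted.
        if any(self.counts[k] >= p.max_rate for p, k in pairs):
            return "drop"
        verdict = "allow"
        for profile, key in pairs:
            self.counts[key] += 1
            n = self.counts[key]
            level = ("activate" if n >= profile.activate_rate
                     else "alarm" if n >= profile.alarm_rate else "allow")
            if SEVERITY[level] > SEVERITY[verdict]:
                verdict = level
        return verdict

    def end_session(self, src: str, dst: str) -> None:
        """Release a finished session so counters reflect active ones."""
        for _, key in self._keys(src, dst):
            if self.counts[key] > 0:
                self.counts[key] -= 1
```

With a Classified profile whose Max Rate is 100 and Address set to source-ip-only, the 101st concurrent session from one source IP is dropped while a different source IP is unaffected, which is the page's own example.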