IPv4 DoS Policy
To configure a IPv4 DoS Policy in the GUI
- Goto Policy & Objects > IPv4 DoS Policy
The right side window will display a table of the existing IPv4 DoS Policies.
- To edit an existing policy, double click on the policy you wish to edit l To create a new policy, select the Create New icon in the top left side of the right window.
- Set the Incoming Interface parameter by using the drop down menu to select a single interface.
- Set the Source Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
- Set the Destination Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.
- Set the Services parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the ALL option is chosen in which case, it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
- Set the parameters for the various traffic anomalies.
All of the anomalies that profiles have been created for are in 2 tables. These tables break up the anomaly profiles into L3 Anomalies and L4 Anomalies. All of the anomalies have the following parameters that can be set on a per anomaly or per column basis.
- Status – enable or disable the indicated profile l Logging – enable or disable logging of the indicated profile being triggered l Action – whether to Pass or Block traffic when the threshold is reached l Threshold – the number of anomalous packets detected before triggering the action.
The listing of anomaly profiles includes:
L3 Anomalies
- ip_src_session l ip_dst_session
L4 Anomalies
- tcp_syn_flood l tcp_port_scan l tcp_src_session l tcp_dst_session l udp_flood l udp_scan l udp_src_session l udp_dst_session IPv4
- icmp_flood l icmp_sweep l icmp_src_session l sctp_flood l sctp_scan l sctp_src_session l sctp_dst_session
- Toggle whether or not to Enable this policy.The default is enabled.
- Select the OK button to save the policy.
Example
The company wishes to protect against Denial of Service attach. They have chosen some where they wish to block the attacks of the incidence goes above a certain threshold and for some others they are just trying to get a baseline of activity for those types of attacks so they are letting the traffic pass through without action.
- The interface to the Internet is on WAN1 l There is no requirement to specify which addresses are being protected or protected from. l The protection is to extend to all services.
- The TCP attacks are to be blocked l The UDP, ICMP, and IP attacks are to be recorded but not blocked.
- The SCTP attack filters are disabled
- The tcp_syn_flood attach’s threshold is to be changed from the default to 1000
Configuring the DoS Policy in the GUI
- Go to Policy & Objects > Policy > DoS.
- Create a new policy
- Fill out the fields with the following information:
Field | Value | |
Incoming Interface | wan1 | |
Source Address | all | |
Destination Addresses | all | |
Service | ALL |
L3 Anomalies
Name | Status | Logging | Action | Threshold |
ip_src_session | enabled | enabled | Pass | 5000 |
ip_dst_session | enabled | enabled | Pass | 5000 |
L4 Anomalies
Name | Status | Logging | Action | Threshold | |
tcp_syn_flood | enabled | enabled | Block | 1000 | |
tcp_port_scan | enabled | enabled | Block | <default value> | |
tcp_src_session | enabled | enabled | Block | <default value> | |
tcp_dst_session | enabled | enabled | Block | <default value> | |
udp_flood | enabled | enabled | Pass | <default value> | |
udp_scan | enabled | enabled | Pass | <default value> | |
udp_src_session | enabled | enabled | Pass | <default value> | |
udp_dst_session | enabled | enabled | Pass | <default value> | |
icmp_flood | enabled | enabled | Pass | <default value> | |
icmp_sweep | enabled | enabled | Pass | <default value> | |
icmp_src_session | enabled | enabled | Pass | <default value> | |
icmp_dst_session | enabled | enabled | Pass | <default value> | |
sctp_flood | not enabled | not enabled | Pass | <default value> | |
sctp_scan | not enabled | not enabled | Pass | <default value> | |
sctp_src_session | not enabled | not enabled | Pass | <default value> | |
sctp_dst_session | not enabled | not enabled | Pass | <default value> |
- Toggle the button next to Enable this policy to ON.
- Select OK.
Configuring the IPv4 DoS Policy in the GUI
Using the CLI of your choice, enter the following commands:
config firewall DoS-policy edit 0
set status enable set interface wan1 set srcaddr all set dstaddr all set service ALL config anomaly
IPv4
edit “tcp_syn_flood” set status enable set log disable set action block set threshold 1000 next
edit “tcp_port_scan” set status enable set log disable set action block set threshold 1000 next
edit “tcp_src_session”
set status enable set log disable set action block set threshold 5000 next
edit “tcp_dst_session”
set status enable set log disable set action block set threshold 5000 next
edit “udp_flood” set status enable set log disable set action pass set threshold 2000 next
edit “udp_scan” set status enable set log disable set action pass set quarantine none set threshold 2000 next
edit “udp_src_session”
set status enable set log disable set action pass set threshold 5000 next
edit “udp_dst_session”
set status enable set log disable set action pass set threshold 5000 next
edit “icmp_flood” set status enable set log disable set action pass set threshold 250 next
edit “icmp_sweep” set status enable set log disable set action pass set threshold 100 next
edit “icmp_src_session” set status enable set log disable set action pass set threshold 300 next
edit “icmp_dst_session” set status enable set log disable set action pass set threshold 1000 next
edit “ip_src_session” set status disable set log enable set action pass set threshold 5000 next
edit “ip_dst_session” set status disable set log enable set action pass set threshold 5000 next
edit “sctp_flood” set status disable set log disable set action pass set threshold 2000 next
edit “sctp_scan” set status disable set log disable set action pass set threshold 1000 next
edit “sctp_src_session” set status disable set log disable set action pass set threshold 5000 next
edit “sctp_dst_session” set status disable set log disable set action pass set threshold 5000 next end end end
IPv6
In this example of the CLI, all of the relevant settings have been left in, but some of them are default settings and would not have to have been specifically set to work. For instance, if the action parameter is not set it automatically defaults to pass.