IPv4 DoS policy
To configure an IPv4 DoS policy in the GUI
- Go to Policy & Objects > IPv4 DoS Policy
The right side window will display a table of the existing IPv4 DoS Policies.
- To edit an existing policy, double click on the policy you wish to edit
- To create a new policy, select the Create New icon in the top left side of the right window.
- Set the Incoming Interface parameter by using the drop down menu to select a single interface.
- Set the Source Address parameter by selecting the field with the "+" next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
- Set the Destination Address parameter by selecting the field with the "+" next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.
- Set the Services parameter by selecting the field with the "+" next to the field label. Single or multiple options can be selected unless the ALL option is chosen in which case, it will be the only option. For more information on services, see Services and TCP ports.
- Set the parameters for the various traffic anomalies.
All of the anomalies for which profiles exist are listed in two tables, one for L3 Anomalies and one for L4 Anomalies. Every anomaly has the following parameters, which can be set per anomaly or for a whole column at once:
- Status - enable or disable the indicated profile
- Logging - enable or disable logging of the indicated profile being triggered
- Action - whether to Pass or Block traffic when the threshold is reached
- Threshold - the number of anomalous packets detected before triggering the action.
The listing of anomaly profiles includes:
L3 Anomalies
- ip_src_session
- ip_dst_session
L4 Anomalies
- tcp_syn_flood
- tcp_port_scan
- tcp_src_session
- tcp_dst_session
- udp_flood
- udp_scan
- udp_src_session
- udp_dst_session
- icmp_flood
- icmp_sweep
- icmp_src_session
- icmp_dst_session
- sctp_flood
- sctp_scan
- sctp_src_session
- sctp_dst_session
- Toggle whether or not to Enable this policy. The default is enabled.
- Select the OK button to save the policy.
Example
The company wishes to protect against Denial of Service attacks. For some attack types they want the traffic blocked once the incidence rises above a certain threshold; for others they only want to establish a baseline of activity, so that traffic is logged and allowed to pass without any action.
- The interface to the Internet is on WAN1
- There is no requirement to specify which addresses are being protected or protected from.
- The protection is to extend to all services.
- The TCP attacks are to be blocked
- The UDP, ICMP, and IP attacks are to be recorded but not blocked.
- The SCTP attack filters are disabled
- The tcp_syn_flood attack's threshold is to be changed from the default to 1000
Configuring the DoS policy in the GUI
- Go to Policy & Objects > Policy > DoS.
- Create a new policy
- Fill out the fields with the following information:
Field                  Value
Incoming Interface     wan1
Source Address         all
Destination Addresses  all
Service                ALL

L3 Anomalies

Name              Status       Logging      Action   Threshold
ip_src_session    enabled      enabled      Pass     5000
ip_dst_session    enabled      enabled      Pass     5000

L4 Anomalies

Name              Status       Logging      Action   Threshold
tcp_syn_flood     enabled      enabled      Block    1000
tcp_port_scan     enabled      enabled      Block    <default value>
tcp_src_session   enabled      enabled      Block    <default value>
tcp_dst_session   enabled      enabled      Block    <default value>
udp_flood         enabled      enabled      Pass     <default value>
udp_scan          enabled      enabled      Pass     <default value>
udp_src_session   enabled      enabled      Pass     <default value>
udp_dst_session   enabled      enabled      Pass     <default value>
icmp_flood        enabled      enabled      Pass     <default value>
icmp_sweep        enabled      enabled      Pass     <default value>
icmp_src_session  enabled      enabled      Pass     <default value>
icmp_dst_session  enabled      enabled      Pass     <default value>
sctp_flood        not enabled  not enabled  Pass     <default value>
sctp_scan         not enabled  not enabled  Pass     <default value>
sctp_src_session  not enabled  not enabled  Pass     <default value>
sctp_dst_session  not enabled  not enabled  Pass     <default value>

- Toggle the button next to Enable this policy to ON.
- Select OK.
Configuring the DoS policy in the CLI
Using the CLI of your choice, enter the following commands. The status and log settings match the GUI table above: TCP anomalies are logged and blocked, UDP, ICMP and IP anomalies are logged and passed, and the SCTP anomalies are disabled.

config firewall DoS-policy
    edit 0
        set status enable
        set interface wan1
        set srcaddr all
        set dstaddr all
        set service ALL
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            edit "tcp_src_session"
                set status enable
                set log enable
                set action block
                set threshold 5000
            next
            edit "tcp_dst_session"
                set status enable
                set log enable
                set action block
                set threshold 5000
            next
            edit "udp_flood"
                set status enable
                set log enable
                set action pass
                set threshold 2000
            next
            edit "udp_scan"
                set status enable
                set log enable
                set action pass
                set quarantine none
                set threshold 2000
            next
            edit "udp_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "udp_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "icmp_flood"
                set status enable
                set log enable
                set action pass
                set threshold 250
            next
            edit "icmp_sweep"
                set status enable
                set log enable
                set action pass
                set threshold 100
            next
            edit "icmp_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 300
            next
            edit "icmp_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 1000
            next
            edit "ip_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "ip_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "sctp_flood"
                set status disable
                set log disable
                set action pass
                set threshold 2000
            next
            edit "sctp_scan"
                set status disable
                set log disable
                set action pass
                set threshold 1000
            next
            edit "sctp_src_session"
                set status disable
                set log disable
                set action pass
                set threshold 5000
            next
            edit "sctp_dst_session"
                set status disable
                set log disable
                set action pass
                set threshold 5000
            next
        end
    next
end
In this example, all of the relevant settings have been left in, but some of them are default settings and would not have to be set explicitly. For instance, if the action parameter is not set, it defaults to pass.
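Because a DoS policy with many anomaly entries is easy to get subtly wrong (a single "set log disable" left on an anomaly the scenario says must be recorded, or an IP anomaly left disabled), a useful check is to parse the CLI output and compare each anomaly against the scenario's intent: TCP anomalies logged and blocked, UDP/ICMP/IP anomalies logged and passed, SCTP anomalies disabled, and tcp_syn_flood at threshold 1000. The following Python script is an added example, not FortiOS code or part of the original page. It assumes the nested config/edit/set/next/end layout shown above and treats a missing action as "pass", which the page states is the default; the sample config it parses is constructed for the example and deliberately contains two deviations so the checker has something to report.

```python
"""Parse a FortiOS-style `config firewall DoS-policy` block and check every
anomaly entry against the example scenario's intent. Added example; the
SAMPLE_CONFIG below is constructed, not the page's own config."""

# Constructed sample: condensed to four anomalies, two of which deviate
# from the scenario (udp_flood not logged, ip_src_session disabled).
SAMPLE_CONFIG = """\
config firewall DoS-policy
    edit 0
        set status enable
        set interface wan1
        set srcaddr all
        set dstaddr all
        set service ALL
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            edit "udp_flood"
                set status enable
                set log disable
                set action pass
                set threshold 2000
            next
            edit "ip_src_session"
                set status disable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "sctp_flood"
                set status disable
                set log disable
                set action pass
                set threshold 2000
            next
        end
    next
end
"""


def parse_fortios(text):
    """Turn config/edit/set/next/end lines into nested dicts.

    `config <table>` and `edit <name>` each open a nested dict; `set k v`
    stores a value in the innermost one; `next` and `end` close it.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0]
        arg = parts[1] if len(parts) > 1 else ""
        if keyword == "config":
            stack.append(stack[-1].setdefault(arg, {}))
        elif keyword == "edit":
            stack.append(stack[-1].setdefault(arg.strip('"'), {}))
        elif keyword == "set":
            key, _, value = arg.partition(" ")
            stack[-1][key] = value.strip()
        elif keyword in ("next", "end"):
            stack.pop()
        else:
            raise ValueError(f"unexpected line: {line!r}")
    if len(stack) != 1:
        raise ValueError("unbalanced config/edit blocks")
    return root


def expected_for(anomaly):
    """Scenario intent keyed on the anomaly's protocol prefix."""
    proto = anomaly.split("_", 1)[0]
    if proto == "tcp":
        return {"status": "enable", "log": "enable", "action": "block"}
    if proto in ("udp", "icmp", "ip"):
        return {"status": "enable", "log": "enable", "action": "pass"}
    if proto == "sctp":
        return {"status": "disable", "log": "disable"}
    raise ValueError(f"unknown anomaly prefix in {anomaly!r}")


def check_policy(config, policy_id="0"):
    """Return a list of human-readable deviations from the scenario."""
    findings = []
    policy = config["firewall DoS-policy"][policy_id]
    anomalies = policy.get("anomaly", {})
    for name, settings in anomalies.items():
        for key, want in expected_for(name).items():
            # The page states that an unset action defaults to pass.
            got = settings.get(key, "pass" if key == "action" else None)
            if got != want:
                findings.append(f"{name}: {key} is {got}, expected {want}")
    syn = anomalies.get("tcp_syn_flood", {})
    if syn.get("threshold") != "1000":
        findings.append(
            f"tcp_syn_flood: threshold is {syn.get('threshold')}, expected 1000")
    return findings


if __name__ == "__main__":
    for finding in check_policy(parse_fortios(SAMPLE_CONFIG)):
        print(finding)
```

Running the script against the constructed sample reports the two deviations (udp_flood is not logged, ip_src_session is disabled); pointing `parse_fortios` at the output of `show firewall DoS-policy` from a real unit gives the same check for a deployed policy.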