waf application-layer-dos-prevention
Use this command to create an HTTP-layer DoS protection policy. Once you create the policy, reference it in an inline protection profile that is used by a server policy.
To use this command, your administrator account's access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.
Syntax
config waf application-layer-dos-prevention
    edit "<policy_name>"
        set enable-HTTP-session-based-prevention {enable | disable}
        set HTTP-connection-flood-check-rule "<rule_name>"
        set HTTP-request-flood-prevention-rule "<rule_name>"
        set enable-layer4-dos-prevention {enable | disable}
        set layer4-access-limit-rule "<rule_name>"
        set layer4-connection-flood-check-rule "<rule_name>"
        set layer3-fragment-protection {enable | disable}
    next
end
Variables (Variable, Description, Default):

"<policy_name>"
  Description: Enter the name of a new or existing DoS protection policy. The maximum length is 63 characters. To display the list of existing policies, enter:
  Default: No default.

enable-HTTP-session-based-prevention {enable | disable}
  Description: Enable to use DoS protection based on session cookies. Also configure HTTP-connection-flood-check-rule "<rule_name>" and HTTP-request-flood-prevention-rule "<rule_name>".
  Default: disable

HTTP-request-flood-prevention-rule "<rule_name>"
  Description: Enter the name of an existing rule that sets the maximum number of HTTP requests per second to a specific URL. The maximum length is 63 characters. To display a list of the existing rules, enter:
  This setting applies only if enable-HTTP-session-based-prevention is enabled.
  Default: No default.

HTTP-connection-flood-check-rule "<rule_name>"
  Description: Enter the name of an existing rule that limits TCP connections from the same client. The maximum length is 63 characters. To display a list of the existing rules, enter:
  This setting applies only if enable-HTTP-session-based-prevention is enabled.
  Default: No default.

enable-layer4-dos-prevention {enable | disable}
  Description: Enable to use DoS protection that is not based on session cookies. Also configure layer4-access-limit-rule "<rule_name>" and layer4-connection-flood-check-rule "<rule_name>".
  Default: disable

layer4-access-limit-rule "<rule_name>"
  Description: Enter the name of an existing rule that limits the number of HTTP requests per second from any single source IP address. The maximum length is 63 characters. To display a list of the existing rules, enter:
  This setting applies only if enable-layer4-dos-prevention is enabled.
  Default: No default.

layer4-connection-flood-check-rule "<rule_name>"
  Description: Enter the name of an existing rule that limits the number of TCP connections from the same source IP address. The maximum length is 63 characters. To display a list of the existing rules, enter:
  This setting applies only if enable-layer4-dos-prevention is enabled.
  Default: No default.

layer3-fragment-protection {enable | disable}
  Description: Enable to prevent attacks that use fragmented packets.
  Default:
Example
This example shows the settings for a DoS protection policy that protects a web portal using existing DoS prevention rules.
config waf application-layer-dos-prevention
    edit "Web Portal DoS Policy"
        set enable-HTTP-session-based-prevention enable
        set HTTP-connection-flood-check-rule "Web Portal TCP Connect Limit"
        set HTTP-request-flood-prevention-rule "Web Portal HTTP Request Limit"
        set enable-layer4-dos-prevention enable
        set layer4-access-limit-rule "Web Portal HTTP Request Limit"
        set layer4-connection-flood-check-rule "Web Portal Network Connect Limit"
    next
end
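As an added example that is not part of the FortiWeb reference, the following Python script checks a saved copy of this config block against the dependencies stated above: each enable flag needs its two companion rules, a rule set while its flag is disabled has no effect, and rule names are capped at 63 characters. The parser, the policy names and the sample config are constructed for this illustration and assume the config/edit/set/next/end layout shown in the Example.

```python
import re
MAX_RULE_NAME = 63  # maximum rule-name length stated in the reference
COMPANIONS = {  # enable flag -> the two rules the reference says to configure with it
    "enable-HTTP-session-based-prevention": ("HTTP-connection-flood-check-rule", "HTTP-request-flood-prevention-rule"),
    "enable-layer4-dos-prevention": ("layer4-access-limit-rule", "layer4-connection-flood-check-rule"),
}
# Constructed sample: one complete policy and one with a missing companion and an orphan rule.
SAMPLE = """config waf application-layer-dos-prevention
    edit "Web Portal DoS Policy"
        set enable-layer4-dos-prevention enable
        set layer4-access-limit-rule "Web Portal HTTP Request Limit"
        set layer4-connection-flood-check-rule "Web Portal Network Connect Limit"
    next
    edit "Half Configured"
        set enable-layer4-dos-prevention enable
        set layer4-access-limit-rule "Per-IP Request Limit"
        set HTTP-request-flood-prevention-rule "Orphan Rule"
    next
end"""

def parse_policies(text):  # policy name -> {setting: value}; hypothetical parser, not the appliance's
    policies, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := re.match(r'^edit\s+"([^"]*)"$', line):
            current = m.group(1)
            policies[current] = {}
        elif (m := re.match(r'^set\s+(\S+)\s+(?:"([^"]*)"|(\S+))$', line)) and current is not None:
            policies[current][m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
        elif line == "next":
            current = None
    return policies

def lint_policy(name, s):  # findings: missing companion rule, orphan rule, over-long rule name
    out = []
    for flag, rules in COMPANIONS.items():
        on = s.get(flag, "disable") == "enable"
        for rule in rules:
            val = s.get(rule)
            if on and not val:
                out.append(f"{name}: {flag} is enabled but {rule} is not set")
            elif val and not on:
                out.append(f"{name}: {rule} is set but {flag} is disabled, so it has no effect")
            if val and len(val) > MAX_RULE_NAME:
                out.append(f"{name}: {rule} name exceeds {MAX_RULE_NAME} characters")
    return out

def lint(text):
    return [f for name, s in parse_policies(text).items() for f in lint_policy(name, s)]
if __name__ == "__main__":
    print("\n".join(lint(SAMPLE)) or "no findings")
```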