Prevent DoS and DDoS attacks
Best practices for protecting your network from Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks.
Protect your network from a DoS attack
You can protect your network against DoS attacks for both IPv4 and IPv6 traffic by configuring the appropriate DoS settings.
- Go to Intrusion prevention > DoS & spoof protection.
- Under DoS settings, set the packet and burst rates according to your network traffic, and select Apply Flag next to each setting.
For example, for ICMP/ICMPv6 flood, we've set Packet rate per Source (Packet/min) to 1200 and selected Apply Flag next to it to turn on scanning for ICMP and ICMPv6 traffic.
When the DoS settings are applied, the firewall checks the network traffic to make sure that it doesn't exceed the configured limit.
In the example, the firewall scans the network traffic for ICMP and ICMPv6 packets. If the number of ICMP and ICMPv6 packets from a specific source exceeds 1200 per minute, it drops the excessive packets and continues dropping until the attack is over.
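To size the per-source limit against your own traffic before applying it, the following added example (not Sophos code) counts ICMP and ICMPv6 packets per source per minute and shows what a 1200 packets/min limit would drop. The function names, the packet tuple format, the fixed one-minute windows, and the sample traffic are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

# Assumption: fixed one-minute windows; the page does not say how the firewall windows counters.
LIMIT_PER_MIN = 1200  # "Packet rate per Source (Packet/min)" value from the page's example
SCANNED = {"icmp", "icmpv6"}  # protocols covered by the ICMP/ICMPv6 flood setting


def per_source_minute_counts(packets):
    """Count scanned packets per (source, minute). packets: (epoch_sec, src, proto)."""
    counts = Counter()
    for ts, src, proto in packets:
        if proto.lower() in SCANNED:
            counts[(src, int(ts) // 60)] += 1
    return counts


def peak_rates(packets):
    """Highest packets-per-minute seen from each source: the baseline for sizing the limit."""
    peaks = defaultdict(int)
    for (src, _minute), n in per_source_minute_counts(packets).items():
        peaks[src] = max(peaks[src], n)
    return dict(peaks)


def simulate_drops(packets, limit=LIMIT_PER_MIN):
    """Packets above `limit` in any one minute from one source are counted as dropped."""
    dropped = defaultdict(int)
    for (src, _minute), n in per_source_minute_counts(packets).items():
        if n > limit:
            dropped[src] += n - limit
    return dict(dropped)


def constructed_sample():
    """Constructed traffic: a monitoring host, two noisy ICMP sources, and TCP noise."""
    pkts = []
    for minute in range(3):
        base = minute * 60
        pkts += [(base + i, "192.0.2.10", "ICMP") for i in range(0, 60, 3)]  # 20/min
        pkts += [(base + i, "192.0.2.10", "TCP") for i in range(60)]  # not scanned
    pkts += [(i * 0.02, "198.51.100.7", "ICMP") for i in range(3000)]  # 3000 in minute 0
    pkts += [(60 + i * 0.1, "2001:db8::5", "ICMPv6") for i in range(500)]  # 500 in minute 1
    return pkts


if __name__ == "__main__":
    sample = constructed_sample()
    print("peak packets/min per source:", peak_rates(sample))
    print("dropped at limit 1200:", simulate_drops(sample))
```

Run `peak_rates` over a capture of normal traffic first: a limit set below the legitimate peak drops packets from well-behaved hosts such as monitoring systems.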
Protect your network from a DDoS attack
You can protect your network against DDoS attacks by using intrusion prevention policies.
For the XG series, the DDoS signatures are available only on the XG550, XG650, and XG750 models. For the XGS series, they are available on the XGS5500 and later models.
- Go to Intrusion prevention > IPS policies.
- Click Add.
- Enter a name for the policy. For example,
- Click Save.
- Click Edit for the
- Click Add.
- For Smart filter, type ddos and press Enter.
- Set Action to Drop packet.
- Click Save, then click Save.
- Go to Rules and policies and apply the intrusion prevention policy to a firewall rule.