
dos-config

The dos-config command lets you configure denial-of-service (DoS) or distributed denial-of-service (DDoS) policies and rules. Use this command to turn on flood protection for SYN, UDP, ICMP, and IP traffic.

If traffic exceeds the configured thresholds, the firewall classifies it as a DoS attack and drops the packets.

You must configure DoS policies before configuring DoS rules, because each rule references a policy by name.

Command

system dos-config

Syntax

system dos-config
add dos-policy policy-name <string> {[ICMP-Flood|IP-Flood|SYN-Flood|UDP-Flood] <1-10000> pps [global|per-dst|per-src]}
add dos-rule rule_name <string> dos-policy <DoS policy name> [dstip <ipaddress> [netmask <netmask>]] [protocol {icmp [icmptype <0-40> [icmpcode <0-15>]]|ip [protonumber <0-142>]|tcp [dport <1-65535>]|udp [dport <1-65535>]}] [rule-position <number>] [src-interface <port>] [src-zone [DMZ|LAN|VPN|WAN|WiFi|custom zone]] [srcip <ipaddress> [netmask <netmask>]]
delete dos-policy policy-name <policy name>
delete dos-rule rule-name <rule name>
flush dos-rules
show dos-policies policy-name <policy name>
show dos-rules rule-name <rule name>

Options

DoS policy

system dos-config add dos-policy policy-name <string> {[ICMP-Flood|IP-Flood|SYN-Flood|UDP-Flood] <1-10000> pps [global|per-dst|per-src]}

DoS policies specify the packets-per-second (pps) thresholds per source, per destination, or globally for each attack type.

You can create multiple DoS policies that can be applied to multiple DoS rules. You can combine different flood types in a DoS policy.

ICMP-Flood: Configure the threshold for ICMP flooding.

SYN-Flood: Configure the threshold for SYN flooding.

UDP-Flood: Configure the threshold for UDP flooding.

Note

For more information on ICMP flood, SYN flood, and UDP flood, see DoS settings.

IP-Flood: A high rate of IP packets that overwhelms a target's network stack, device, or link capacity.

You can only configure IP flood through the CLI. It isn't available in the web admin console.

Note

When IP-Flood is turned on, the Applied column under Intrusion prevention > DoS attacks continues to display No. This behavior is expected.

pps: Packets-per-second range: 1 to 10000

global: Apply the limit to all matching traffic combined, regardless of source and destination address.

Example

If the limit is set to 2500 packets-per-second and the network has 100 users, the total combined traffic from all users mustn't exceed 2500 packets-per-second.

Note

This setting doesn't apply to the counters shown in Intrusion prevention > DoS attacks.

per-dst: Limit the combined packets-per-second sent to each single destination address from all source IP addresses.

Example

If the limit is set to 2500 packets-per-second and the network has 100 users, the total combined traffic from all users mustn't exceed 2500 packets-per-second to a single destination.

per-src: Limit the packets-per-second sent from each individual source IP address (that is, per user).

Example

If the limit is set to 2500 packets-per-second and the network has 100 users, each user is allowed up to 2500 packets-per-second.

DoS rule

system dos-config add dos-rule rule_name <string> dos-policy <DoS policy name> [dstip <ipaddress> [netmask <netmask>]] [protocol {icmp [icmptype <0-40> [icmpcode <0-15>]]|ip [protonumber <0-142>]|tcp [dport <1-65535>]|udp [dport <1-65535>]}] [rule-position <number>] [src-interface <port>] [src-zone [DMZ|LAN|VPN|WAN|WiFi|custom zone]] [srcip <ipaddress> [netmask <netmask>]]

DoS rules specify the traffic conditions under which a DoS policy is applied.

You can create multiple DoS rules and apply a DoS policy to each rule.

Note

DoS rules only support IPv4.

General options

flush dos-rules

Flush (remove) all DoS rules.

delete {[dos-policy policy-name <policy name>]|[dos-rule rule-name <rule name>]}

Delete a DoS policy or rule.

show {[dos-policies policy-name <policy name>]|[dos-rules rule-name <rule name>]}

Show the DoS policies or rules.

Use cases

Learn how to use DoS policies and rules through example use cases.

SYN flood per source

DoS policy: system dos-config add dos-policy policy-name TestSYN SYN-Flood 1000 pps per-src

DoS rule: system dos-config add dos-rule rule-name TestRuleSYN srcip 198.51.100.50 dos-policy TestSYN

ICMP flood per destination

DoS policy: system dos-config add dos-policy policy-name TestICMP ICMP-Flood 1000 pps per-dst

DoS rule: system dos-config add dos-rule rule-name TestRuleICMP dstip 198.51.100.51 dos-policy TestICMP

UDP flood per source

DoS policy: system dos-config add dos-policy policy-name UDP-GameServers UDP-Flood 10000 pps per-src

DoS rule: system dos-config add dos-rule rule-name WAN-to-DMZ-UDP src-zone WAN dstip 10.0.1.0 netmask 255.255.255.0 protocol udp dos-policy UDP-GameServers
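The following simulation is an added example and not Sophos code; it models how the global, per-dst, and per-src scopes described under DoS policy differ, and how a DoS rule's srcip/dstip/netmask and protocol conditions select which packets a policy counts, using the WAN-to-DMZ-UDP use case above. It assumes a fixed one-second counting window, first-match rule ordering for rule-position, and that IP-Flood counts every IPv4 packet; the appliance's actual counting algorithm is not documented on this page. The Packet, DosPolicy, DosRule, evaluate, syn_burst, drops_for_scope, and udp_rule_demo names are this example's own, and all traffic is constructed inline.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, Dict, List, Optional

# Which packets each flood type counts. Assumption: IP-Flood counts every
# IPv4 packet, SYN-Flood only TCP segments with the SYN flag set.
FLOOD_MATCH: Dict[str, Callable] = {
    "SYN-Flood": lambda p: p.proto == "tcp" and p.syn,
    "UDP-Flood": lambda p: p.proto == "udp",
    "ICMP-Flood": lambda p: p.proto == "icmp",
    "IP-Flood": lambda p: True,
}

@dataclass(frozen=True)
class Packet:
    t: float            # arrival time in seconds
    src: str            # IPv4 source address
    dst: str            # IPv4 destination address
    proto: str          # "tcp" | "udp" | "icmp"
    dport: int = 0
    syn: bool = False

@dataclass
class DosPolicy:
    name: str
    flood: str          # ICMP-Flood | IP-Flood | SYN-Flood | UDP-Flood
    pps: int            # threshold, 1..10000 packets per second
    scope: str          # global | per-dst | per-src

@dataclass
class DosRule:
    name: str
    policy: DosPolicy
    srcip: Optional[IPv4Network] = None     # srcip <ip> [netmask <mask>]
    dstip: Optional[IPv4Network] = None     # dstip <ip> [netmask <mask>]
    protocol: Optional[str] = None          # icmp | ip | tcp | udp
    dport: Optional[int] = None             # tcp/udp dport

    def matches(self, p: Packet) -> bool:
        """True if the packet satisfies every condition set on the rule."""
        if self.srcip and IPv4Address(p.src) not in self.srcip:
            return False
        if self.dstip and IPv4Address(p.dst) not in self.dstip:
            return False
        # "protocol ip" matches any IP protocol; others must match exactly.
        if self.protocol and self.protocol != "ip" and p.proto != self.protocol:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True

def evaluate(rules: List[DosRule], packets: List[Packet]) -> Dict[str, int]:
    """Apply the first matching rule's policy to each packet (assumed
    rule-position semantics); count per fixed one-second window (assumed)."""
    seen = defaultdict(int)           # (rule, second, scope key) -> packets
    allowed = dropped = 0
    for p in sorted(packets, key=lambda x: x.t):
        rule = next((r for r in rules if r.matches(p)), None)
        if rule is None or not FLOOD_MATCH[rule.policy.flood](p):
            allowed += 1              # not subject to any flood threshold
            continue
        scope_key = {"global": None, "per-dst": p.dst,
                     "per-src": p.src}[rule.policy.scope]
        key = (rule.name, int(p.t), scope_key)
        seen[key] += 1
        if seen[key] > rule.policy.pps:
            dropped += 1              # over threshold: classified as DoS
        else:
            allowed += 1
    return {"allowed": allowed, "dropped": dropped}

def syn_burst(n_sources: int = 100, per_source: int = 30,
              dst: str = "198.51.100.51") -> List[Packet]:
    """Constructed traffic: 100 hosts on 10.0.0.0/24 each send 30 SYNs
    to dst within the same second (3000 packets in total)."""
    total = n_sources * per_source
    return [Packet(t=(i * per_source + j) / total, src=f"10.0.0.{i + 1}",
                   dst=dst, proto="tcp", dport=443, syn=True)
            for i in range(n_sources) for j in range(per_source)]

def drops_for_scope(scope: str, pps: int = 2500) -> int:
    """Dropped packets for the page's '2500 pps, 100 users' scenario."""
    policy = DosPolicy("SYN-2500", "SYN-Flood", pps, scope)
    rule = DosRule("Rule-SYN", policy,
                   dstip=IPv4Network("198.51.100.0/24"), protocol="tcp")
    return evaluate([rule], syn_burst())["dropped"]

def udp_rule_demo(n: int = 12000) -> Dict[str, int]:
    """The page's WAN-to-DMZ-UDP rule: UDP to 10.0.1.0/24 is limited to
    10000 pps per source; TCP to the same host is not counted by the rule."""
    policy = DosPolicy("UDP-GameServers", "UDP-Flood", 10000, "per-src")
    rule = DosRule("WAN-to-DMZ-UDP", policy,
                   dstip=IPv4Network("10.0.1.0/255.255.255.0"), protocol="udp")
    udp = [Packet(t=i / n, src="203.0.113.7", dst="10.0.1.10", proto="udp",
                  dport=27015) for i in range(n)]
    tcp = [Packet(t=i / n, src="203.0.113.7", dst="10.0.1.10", proto="tcp",
                  dport=443, syn=True) for i in range(n)]
    return {"udp_dropped": evaluate([rule], udp)["dropped"],
            "tcp_dropped": evaluate([rule], tcp)["dropped"]}

if __name__ == "__main__":
    for scope in ("global", "per-dst", "per-src"):
        print(f"{scope:8s} dropped={drops_for_scope(scope)}")
    print(udp_rule_demo())
```

Running it reproduces the three worked examples from the policy section: with 100 users sending 3000 SYNs per second to one server under a 2500 pps policy, global and per-dst each drop 500 packets, while per-src drops none because each user stays under 2500. The UDP demo shows that a rule with protocol udp never counts TCP to the same destination, so a SYN-Flood threshold needs its own policy and rule.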