
dos-config

Use dos-config to configure denial of service (DoS) policies and rules. You can turn on flood protection for SYN, UDP, ICMP, and IP packet types by configuring the maximum packets per second allowed per source, per destination, or globally. If traffic exceeds the limit, the firewall treats it as an attack and drops the excess packets.

Command

system dos-config

Syntax

system dos-config
add [dos-policy] [policy_name] [string] [ICMP-Flood | IP-Flood | SYN-Flood | UDP-Flood] [<1-10000> pps] [global | per-dst | per-src]
add [dos-rule] [rule_name] [string] [srcip | dstip] [ipaddress] [netmask] [netmask value] [protocol] [icmp | ip | tcp | udp] [rule-position] [position number] [src-interface] [interfacename] [src-zone] [DMZ | LAN | WAN | VPN | WiFi | custom zone] [dos-policy] [policy name]
delete [dos-policy | dos-rule] [policy-name | rule-name] [string]
flush [dos-rules | dos-policies] [rule-name | policy-name] [show | string]

Options

add [dos-policy] [policy_name] [string] [ICMP-Flood | IP-Flood | SYN-Flood | UDP-Flood] [<1-10000> pps] [global | per-dst | per-src]

Create a denial-of-service (DoS) policy.

The packets per second (PPS) value ranges from 1 to 10000.

IP flood: You can only configure IP flood through the device console. It isn't available in the web admin console. If you turn on IP flood, the Applied column in Intrusion prevention > DoS attacks will still show as No. This is the expected behavior.

per-src: You can configure packets per second (PPS) allowed from a single source. If more packets come from a single source, Sophos Firewall drops the packets. The limit applies to individual source requests per user or IP address.

per-dst: You can configure packets per second (PPS) allowed to a single destination. If more packets arrive for a single destination, Sophos Firewall drops the packets. The limit applies to individual destination requests per user or IP address.

global: Apply the limit on the entire network traffic regardless of source and destination requests. This setting doesn't apply to the counters shown in Intrusion prevention > DoS attacks.

With the per-src option, a limit of 2500 packets per second on a network of 100 users gives each user its own allowance of 2500 packets per second, so aggregate traffic can reach 250,000 packets per second before any packet is dropped. With the global option and the same limit of 2500 packets per second, only 2500 packets per second are allowed in total for all traffic from all 100 users.

add [dos-rule] [rule_name] [string] [srcip | dstip] [ipaddress] [netmask] [netmask value] [protocol] [icmp | ip | tcp | udp] [rule-position] [position number] [src-interface] [interfacename] [src-zone] [DMZ | LAN | WAN | VPN | WiFi | custom zone] [dos-policy] [policy name]

Create a denial-of-service (DoS) rule that applies a DoS policy to matching traffic. The rule matches on source or destination IP address and netmask, on protocol (ip for all packet types, or only icmp, tcp, or udp), on source interface, and on source zone. rule-position sets where the rule sits in the rule list.
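The following model shows how the scope of a DoS policy (global, per-dst, per-src) changes what gets dropped, and how a DoS rule selects the traffic a policy applies to. It is an added illustration, not Sophos code or the firewall's actual implementation. Names such as DosPolicy, DosRule, DosEngine and simulate are invented here; the one-second counting window, first-match rule evaluation in ascending rule-position, and counting only TCP SYN packets for a SYN-Flood policy are assumptions not stated on this page. The traffic is constructed: three WAN sources each send 1200 SYNs, split across two hosts in 203.0.113.0/24, within one second, plus UDP packets that match no rule and non-SYN TCP segments that match the rule but are not counted.

```python
# Added illustration of Sophos DoS policy scopes and DoS rule matching; not
# Sophos code. Assumptions: one-second counting window, first match by
# ascending rule-position wins, SYN-Flood counts only TCP SYN packets.
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

FLOOD_TYPES = {"ICMP-Flood": "icmp", "IP-Flood": "ip", "SYN-Flood": "tcp", "UDP-Flood": "udp"}
SCOPES = ("global", "per-dst", "per-src")


@dataclass(frozen=True)
class Packet:
    ts: float          # arrival time in seconds
    src: str
    dst: str
    proto: str         # icmp | tcp | udp
    zone: str          # ingress zone, e.g. WAN
    syn: bool = False  # TCP SYN flag set


@dataclass
class DosPolicy:
    name: str
    flood: str   # ICMP-Flood | IP-Flood | SYN-Flood | UDP-Flood
    pps: int     # 1..10000, the range the page gives
    scope: str   # global | per-dst | per-src

    def __post_init__(self) -> None:
        if self.flood not in FLOOD_TYPES or self.scope not in SCOPES:
            raise ValueError("unknown flood type or scope")
        if not 1 <= self.pps <= 10000:
            raise ValueError("pps must be between 1 and 10000")

    def counts(self, p: Packet) -> bool:
        """Does this packet count against the policy's flood counter?"""
        want = FLOOD_TYPES[self.flood]
        if want == "ip":
            return True
        if want == "tcp":
            return p.proto == "tcp" and p.syn
        return p.proto == want

    def counter_key(self, p: Packet) -> Optional[str]:
        """Which counter the packet charges: one per source, one per destination, or one shared."""
        return {"per-src": p.src, "per-dst": p.dst, "global": None}[self.scope]


@dataclass
class DosRule:
    name: str
    direction: str        # srcip | dstip
    network: IPv4Network  # ipaddress plus netmask
    proto: str            # icmp | ip | tcp | udp
    position: int         # rule-position
    src_zone: str         # DMZ | LAN | WAN | VPN | WiFi | custom zone
    policy: DosPolicy

    def matches(self, p: Packet) -> bool:
        addr = p.src if self.direction == "srcip" else p.dst
        if ip_address(addr) not in self.network:
            return False
        if self.proto != "ip" and p.proto != self.proto:
            return False
        return p.zone == self.src_zone


class DosEngine:
    def __init__(self, rules: List[DosRule]) -> None:
        self.rules = sorted(rules, key=lambda r: r.position)
        # (policy name, counter key) -> (window start second, packets seen in window)
        self.counters: Dict[Tuple[str, Optional[str]], Tuple[int, int]] = {}

    def process(self, p: Packet) -> str:
        """Return 'no-rule', 'allowed' or 'dropped' for one packet."""
        rule = next((r for r in self.rules if r.matches(p)), None)
        if rule is None:
            return "no-rule"
        policy = rule.policy
        if not policy.counts(p):
            return "allowed"
        key = (policy.name, policy.counter_key(p))
        window = int(p.ts)
        start, seen = self.counters.get(key, (window, 0))
        if start != window:
            start, seen = window, 0  # new second, counter restarts
        seen += 1
        self.counters[key] = (start, seen)
        return "allowed" if seen <= policy.pps else "dropped"


def simulate(scope: str, pps: int = 1000) -> Dict[str, int]:
    """Run the constructed traffic through one SYN-Flood policy bound by a dstip rule on WAN."""
    policy = DosPolicy("syn-guard", "SYN-Flood", pps, scope)
    rule = DosRule("wan-syn", "dstip", ip_network("203.0.113.0/24"), "tcp", 1, "WAN", policy)
    engine = DosEngine([rule])
    tally: Dict[str, int] = defaultdict(int)
    for _ in range(600):  # 3 sources x 2 destinations x 600 = 3600 SYNs in one second
        for src in ("198.51.100.1", "198.51.100.2", "198.51.100.3"):
            for dst in ("203.0.113.10", "203.0.113.11"):
                tally[engine.process(Packet(0.5, src, dst, "tcp", "WAN", syn=True))] += 1
    for _ in range(50):   # UDP: rule protocol is tcp, so no rule matches
        tally[engine.process(Packet(0.5, "198.51.100.9", "203.0.113.10", "udp", "WAN"))] += 1
    for _ in range(10):   # non-SYN TCP: rule matches, SYN-Flood policy does not count it
        tally[engine.process(Packet(0.5, "198.51.100.1", "203.0.113.10", "tcp", "WAN"))] += 1
    return dict(tally)


if __name__ == "__main__":
    for scope in SCOPES:
        print(scope, simulate(scope))
```

With a 1000 pps limit, per-src lets each of the three sources through its own 1000 SYNs (3000 allowed, 600 dropped), per-dst lets each of the two destinations receive 1000 (2000 allowed, 1600 dropped), and global allows 1000 in total (2600 dropped); in every case the 10 non-SYN segments are allowed without being counted and the 50 UDP packets match no rule.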

flush [dos-rules | dos-policies] [rule-name | policy-name] [show | string]

Flush or view DoS rules and policies. The string must be the name of your DoS rule or policy.

delete [dos-policy | dos-rule] [policy-name | rule-name] [string]

Delete a DoS rule or policy. The string must be the name of your DoS rule or policy.