dos-config
Use dos-config to configure denial of service (DoS) policies and rules. You can turn on flood protection for SYN, UDP, ICMP, and IP packet types by setting the maximum packets per second (pps) allowed per source, per destination, or globally. Traffic that exceeds the limit is treated as an attack, and the excess packets are dropped.
Command
system dos-config
Syntax
system dos-config
add [dos-policy] [policy_name] [string] [ICMP-Flood | IP-Flood | SYN-Flood | UDP-Flood] [<1-10000> pps] [global | per-dst | per-src]
add [dos-rule] [rule_name] [string] [srcip | dstip] [ipaddress] [netmask] [netmask value] [protocol] [icmp | ip | tcp | udp] [rule-position] [position number] [src-interface] [interfacename] [src-zone] [DMZ | LAN | WAN | VPN | WiFi | custom zone] [dos-policy] [policy name]
delete [dos-rule | dos-policy] [rule-name | policy-name] [string]
flush [dos-rules | dos-policies] [rule-name | policy-name] [show | string]
Options
add [dos-policy] [policy_name] [string] [ICMP-Flood | IP-Flood | SYN-Flood | UDP-Flood] [<1-10000> pps] [global | per-dst | per-src]
-
Create a denial-of-service (DoS) policy for one flood type.
The packets per second (pps) value must be between 1 and 10000.
IP-Flood
: You can only configure IP flood protection through the device console; it isn't available in the web admin console. If you turn on IP flood protection, the Applied column in Intrusion prevention > DoS attacks still shows No. This is the expected behavior.
per-src
: Limit the packets per second allowed from a single source. If more packets arrive from one source, Sophos Firewall drops the excess. The limit applies separately to each source user or IP address.
per-dst
: Limit the packets per second allowed to a single destination. The limit applies separately to each destination user or IP address.
global
: Apply the limit to all traffic regardless of source and destination. This setting doesn't update the counters shown in Intrusion prevention > DoS attacks.
For example, with per-src configured at 2500 packets per second on a network of 100 users, each user is allowed 2500 packets per second (up to 250000 packets per second in total). With global configured at 2500 packets per second on the same network, only 2500 packets per second are allowed for all traffic from all users combined.
add [dos-rule] [rule_name] [string] [srcip | dstip] [ipaddress] [netmask] [netmask value] [protocol] [icmp | ip | tcp | udp] [rule-position] [position number] [src-interface] [interfacename] [src-zone] [DMZ | LAN | WAN | VPN | WiFi | custom zone] [dos-policy] [policy name]
-
Create a denial-of-service (DoS) rule that applies a DoS policy to matching traffic: all packet types or a specific protocol, optionally restricted by source or destination IP address and netmask, source interface, and source zone. The rule position sets the rule's order among the existing DoS rules.
flush [dos-rules | dos-policies] [rule-name | policy-name] [show | string]
-
Flush or view DoS rules and policies. The string must be the name of your DoS rule or policy.
delete [dos-rule | dos-policy] [rule-name | policy-name] [string]
-
Delete a DoS rule or policy. The string must be the name of your DoS rule or policy.
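The difference between the per-src, per-dst, and global scopes, as an added example that is not Sophos code and not part of the original reference page: a simplified Python model that charges each packet to a counter keyed by source, destination, or nothing, in fixed one-second windows (an assumption; the firewall's actual counter design is not described on this page), and runs the 100-user, 2500 pps scenario from the policy options against it. All traffic is constructed inline.

```python
from collections import defaultdict


def scope_key(scope, src, dst):
    """Map a packet to the counter it is charged against.

    Mirrors the three dos-policy scope options: per-src counts per source
    address, per-dst per destination address, global uses one counter for
    all traffic.
    """
    if scope == "per-src":
        return src
    if scope == "per-dst":
        return dst
    if scope == "global":
        return "*"
    raise ValueError(f"unknown scope: {scope!r}")


def apply_flood_policy(packets, pps_limit, scope):
    """Simplified model of a flood policy, not the firewall's implementation.

    Assumption (not stated on the page): packets are counted in fixed
    one-second windows per scope key, and any packet beyond pps_limit in a
    window is dropped. packets is an iterable of (timestamp, src, dst).
    Returns (allowed, dropped) lists of packets.
    """
    if not 1 <= pps_limit <= 10000:
        raise ValueError("pps limit must be between 1 and 10000")
    counts = defaultdict(int)  # (window, key) -> packets seen so far
    allowed, dropped = [], []
    for ts, src, dst in packets:
        bucket = (int(ts), scope_key(scope, src, dst))
        counts[bucket] += 1
        (allowed if counts[bucket] <= pps_limit else dropped).append((ts, src, dst))
    return allowed, dropped


def build_sample_traffic(n_sources=100, pps_each=2500, dsts=("10.0.0.1", "10.0.0.2")):
    """Constructed sample traffic: n_sources hosts in 192.0.2.0/24 each send
    pps_each packets inside the same one-second window, alternating between
    two destinations. Every packet here is synthetic."""
    packets = []
    for i in range(n_sources):
        src = f"192.0.2.{i + 1}"
        dst = dsts[i % len(dsts)]
        for j in range(pps_each):
            packets.append((j / pps_each, src, dst))  # all timestamps fall in window 0
    return packets


def summarize(scope, pps_limit=2500):
    """Return (allowed, dropped) packet counts for the sample traffic under one scope."""
    allowed, dropped = apply_flood_policy(build_sample_traffic(), pps_limit, scope)
    return len(allowed), len(dropped)


if __name__ == "__main__":
    for scope in ("per-src", "per-dst", "global"):
        ok, drop = summarize(scope)
        print(f"{scope:8s} limit=2500 pps: allowed={ok:6d} dropped={drop:6d}")
```

Running it shows why the scope matters as much as the number: with per-src, each of the 100 sources stays at its 2500 pps allowance and nothing is dropped; with per-dst, each of the two destinations admits 2500 pps and the rest of the 250000 packets are dropped; with global, only 2500 packets in total get through. When tuning a policy, pick the scope that matches what you are protecting (a single server suggests per-dst, a chatty source suggests per-src) before choosing the pps value.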