The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025.

Prevent DoS and DDoS attacks

Best practices for protecting your network from Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) attacks.

Protect your network from a DoS attack

You can protect your network against DoS attacks for both IPv4 and IPv6 traffic by configuring the appropriate DoS settings.

  1. Go to Intrusion prevention > DoS & spoof protection.
  2. Under DoS settings, set the packet and burst rates according to your network traffic, and select Apply Flag next to each setting.

    For example, for ICMP/ICMPv6 flood, we've set Packet rate per Source (Packet/min) to 1200 and selected Apply Flag next to it to turn on scanning for ICMP and ICMPv6 traffic.


  3. Click Apply.

When the DoS settings are applied, the firewall checks the network traffic to make sure that it doesn't exceed the configured limit.

In the example, the firewall scans the network traffic for ICMP and ICMPv6 packets. If the number of ICMP and ICMPv6 packets from a specific source exceeds 1200 per minute, it drops the excessive packets and continues dropping until the attack is over.
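The following added example (not Sophos code) models the per-source limit described above so you can test a candidate packet rate against a traffic sample before applying it. It assumes fixed one-minute counting windows and does not model the burst rate; the firewall's actual counting method isn't stated on this page, and the function names and sample addresses are constructed for illustration.

```python
from collections import Counter, defaultdict

PACKET_RATE_PER_SOURCE = 1200  # packets/min, the ICMP/ICMPv6 flood value used on this page

def peak_rate_per_source(packets):
    """Return {source: highest packet count seen in any one-minute window}."""
    per_window = Counter((src, int(ts // 60)) for ts, src in packets)
    peaks = defaultdict(int)
    for (src, _window), count in per_window.items():
        peaks[src] = max(peaks[src], count)
    return dict(peaks)

def apply_limit(packets, limit=PACKET_RATE_PER_SOURCE):
    """Model the per-source limit: within each minute, packets beyond `limit` are dropped.

    Assumption: fixed one-minute windows. Returns {source: {"forwarded": n, "dropped": m}}.
    """
    seen = Counter()
    result = defaultdict(lambda: {"forwarded": 0, "dropped": 0})
    for ts, src in sorted(packets):
        key = (src, int(ts // 60))
        seen[key] += 1
        verdict = "forwarded" if seen[key] <= limit else "dropped"
        result[src][verdict] += 1
    return {src: dict(counts) for src, counts in result.items()}

def sample_traffic():
    """Constructed sample: (timestamp_seconds, source_ip) for two minutes of ICMP."""
    packets = []
    # Monitoring host: 10 pings/second for 120 s -> 600 per minute, under the limit.
    packets += [(i / 10, "192.0.2.10") for i in range(1200)]
    # Flooding host: 50 packets/second during the first minute -> 3000 in minute 0.
    packets += [(i / 50, "198.51.100.7") for i in range(3000)]
    return packets

if __name__ == "__main__":
    traffic = sample_traffic()
    verdicts = apply_limit(traffic)
    for src, peak in peak_rate_per_source(traffic).items():
        print(src, "peak/min:", peak, verdicts[src])
```

Running `apply_limit` with a lower `limit` on the same sample shows how many packets from the legitimate monitoring host would be dropped, which is the check to make before tightening the rate.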

Protect your network from a DDoS attack

You can protect your network against DDoS attacks by using intrusion prevention policies.

Note

DDoS signatures are only available in XGS 5500 and higher-capacity firewalls.

  1. Go to Intrusion prevention > IPS policies.
  2. Click Add.
  3. Enter a name for the policy. For example, DDoS_Protection.
  4. Click Save.
  5. Click Edit for the DDoS_Protection policy.
  6. Click Add.
  7. For Smart filter, type ddos and press Enter.
  8. Set Action to Drop packet.
  9. Click Save, then click Save.
  10. Go to Rules and policies and apply the intrusion prevention policy to a firewall rule.

