You configure DoS rules at the security-policy dos-rules level. For more details on the command structure, see Configuring Rules Using UPL.
Parameter | Description |
---|---|
PASS WARNING DENY | DoS rule action: |
enabled | Enable/disable a rule: |
name | Name of the DoS rule. Example: name("DoS rule example"). |
desc | A description of the rule. Example: desc("DoS rule example configured in CLI"). |
profile | DoS protection profile. You can only select a profile for rules with the WARNING action. To specify a profile: profile("DoS profile example"). For more details about how to create and configure protection profiles, see Configuring DoS profiles. |
scenario | Scenario that needs to be active for the rule to trigger. To specify a scenario: scenario = "Example of a scenario". For more details on configuring scenarios, see Configuring scenarios. |
rule_log | Log traffic information if the rule is triggered. The available options are: |
src.zone | Traffic source zone. To specify a source zone, such as Trusted: src.zone = Trusted. For more details about configuring zones using the CLI, see Zones. |
src.ip | Add source IP address or domain lists. Example for IP addresses: src.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses. Example for domains: src.ip = lib.url(). In parentheses, specify the URL list to which the necessary domains were added. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists. |
src.geoip | Source GeoIP. Specify a country code (for example, src.geoip = AE). See the list of ISO 3166-1 country codes. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. |
user | Users and user groups to which the DoS protection rule applies (local or LDAP). To add LDAP groups and users, you need a correctly configured LDAP connector (for more information about configuring LDAP connectors via the CLI, see Configuring LDAP connectors). The following line adds a local user (local_user), a local group (Local Group), an LDAP user (example.loc\AD_user), and an LDAP group (AD group): user = (local_user, "CN=Local Group, DC=LOCAL", "example.loc\\AD_user", "CN=AD group, OU=Example, DC=example, DC=loc"). The Active Directory domain example.loc has already been configured. When adding LDAP users and groups, you can specify a list of paths on the server, starting from which the system will search for users and groups. |
dst.zone | Traffic destination zone. To specify a destination zone, such as Untrusted: dst.zone = Untrusted. For more details about configuring zones using the CLI, see Zones. |
dst.ip | Add lists of destination IP addresses or domains. To specify an IP address list: dst.ip = lib.network(). Specify the list name in parentheses. For more details about how to create and configure IP address lists using the CLI, see Configuring IP addresses. To specify a domain list: dst.ip = lib.url(). In parentheses, specify the URL list to which the necessary domains were added. For more details about how to create and configure URL lists using the CLI, see Configuring URL lists. |
dst.geoip | Destination GeoIP. Specify a country code (for example, dst.geoip = AE). See the list of ISO 3166-1 country codes. Important! There is a limit on the number of GeoIPs that can be specified: the number cannot exceed 15. |
service | Service type. You can specify a service or a services group (for more details, see Configuring services and Configuring service groups). To specify a single service: service = "service name". To specify multiple services: service = (service-name1, service-name2, ...). To specify a services group: service = lib.service(). Provide the services group name in parentheses. |
time | Set a schedule for a rule. To set a schedule: time = lib.time(). Specify a time set group name in parentheses. For more details on configuring time sets, see Configuring time sets. |
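
The table states three constraints that are easy to violate when rules are generated or reviewed in bulk: the action must be PASS, WARNING or DENY, a profile can only be selected with the WARNING action, and no more than 15 GeoIPs can be specified. The following pre-deployment check is an added example, not part of the product documentation; the dictionary layout, the function names and the sample rules are hypothetical, the two-letter code format is assumed from the AE example, and the limit of 15 is applied to src.geoip and dst.geoip separately.

```python
import re

ACTIONS = {"PASS", "WARNING", "DENY"}  # rule actions listed in the table
MAX_GEOIP = 15                         # GeoIP limit stated for src.geoip and dst.geoip
ALPHA2 = re.compile(r"[A-Z]{2}")       # assumption: two-letter codes, as in the AE example


def lint_dos_rule(rule):
    """Return the problems found in one rule dict (hypothetical layout)."""
    problems = []
    action = rule.get("action")
    if action not in ACTIONS:
        problems.append(f"action {action!r} is not one of PASS, WARNING, DENY")
    # A profile can only be selected for rules with the WARNING action.
    if rule.get("profile") and action != "WARNING":
        problems.append(f"profile set on a {action} rule; only WARNING rules take a profile")
    for field in ("src.geoip", "dst.geoip"):
        codes = rule.get(field, [])
        if len(codes) > MAX_GEOIP:
            problems.append(f"{field} lists {len(codes)} GeoIPs, limit is {MAX_GEOIP}")
        malformed = [c for c in codes if not ALPHA2.fullmatch(c)]
        if malformed:
            problems.append(f"{field} has malformed country codes: {malformed}")
    return problems


def lint_all(rules):
    """Map each rule name to its list of problems, skipping clean rules."""
    report = {}
    for rule in rules:
        problems = lint_dos_rule(rule)
        if problems:
            report[rule.get("name", "<unnamed>")] = problems
    return report


# Constructed sample rules; the 16 codes below are format-valid filler, not real countries.
SAMPLE_RULES = [
    {"action": "WARNING", "name": "DoS rule example", "profile": "DoS profile example",
     "src.zone": "Untrusted", "src.geoip": ["AE"]},
    {"action": "DENY", "name": "profile on deny", "profile": "DoS profile example"},
    {"action": "PASS", "name": "too many geoips",
     "dst.geoip": [a + b for a in "AB" for b in "ABCDEFGH"]},
    {"action": "DROP", "name": "bad action", "src.geoip": ["ae", "ARE"]},
]

if __name__ == "__main__":
    for name, problems in lint_all(SAMPLE_RULES).items():
        for problem in problems:
            print(f"{name}: {problem}")
```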