DoS Protection

UserGate NGFW allows you to configure the network flood protection settings for the TCP (SYN-flood), UDP, and ICMP protocols. The coarse settings are offered in the zone properties (see the Zone Configuration section) and the finer ones in this section, DoS protection. Using DoS rules, the administrator can configure DoS protection for a specific service, protocol, application, etc. To create DoS rules, follow these steps as an administrator:

Name

Description

Step 1. Create DoS profiles.

In the Security policies ➜ DoS profiles section, click Add and create one or more DoS profiles.

Step 2. Create DoS rules.

In the Security policies ➜ DoS rules section, create the rules using the DoS profiles created at the previous step.

A DoS profile is configured similar to DoS protection in NGFW zones. When creating a profile, provide the following settings:

Name

Description

Name

Profile name.

Description

Profile description.

Aggregate

If this is enabled, NGFW will count the total number of incoming packets per second from all source IP addresses instead of tallying them individually for each IP address. If you enable this setting, make sure to set sufficiently high packets/sec values on the DoS protection and Resource protection tabs.

DoS protection

This setting allows you to configure the network flood protection settings for the TCP (SYN-flood), UDP, and ICMP protocols:

  • Alert threshold: when the number of requests exceeds this threshold, the event is recorded in the system log.

  • Drop threshold: when the number of requests exceeds this threshold, NGFW starts dropping the packets and records the event in the system log.

Resource protection

This setting can be used to limit the allowed number of sessions for the resource being protected, such as a published server:

  • Enabled: enables a limit on the session number.

  • Limit sessions: sets the limit on the number of sessions.

To create a DoS rule, go to the Security policies ➜ DoS rules section, click Add, and provide the desired settings.

Note The rules are applied top to bottom in their listing order. Only the first rule in which all conditions are matched is applied. This means that more specific rules must be placed higher in the list than more general ones. To change the order in which the rules will be applied, use the Up/Down and Top/Bottom buttons or drag and drop the rules with the mouse.

Note The "Negate" checkbox changes the condition to the opposite, which corresponds to a Boolean NOT (negation).

Name

Description

Enabled

Enables or disables the rule.

Name

The name of the rule.

Description

A description of the rule.

Action

Deny: unconditionally blocks traffic, similar to how this action works in firewall rules.

Allow: allows the traffic and does not apply DoS protection. Can be used to create exceptions.

Protect: applies a DoS protection profile.

DoS profile

If Protect is selected as the action, a DoS profile must be specified.

If you do not specify additional conditions, such as destination address, when using a DoS profile with resource protection, all transit connections will be considered.

Scenario

The scenario that must be active for the rule to be triggered. For more details on how scenarios work, see the Scenarios section.

Important! A scenario is an additional condition. If the scenario was not triggered (one or more scenario triggers did not occur), the rule will not be triggered.

Enable logging

Logs traffic information when the rule is triggered. The available options are:

  • Log session start: only the session start (first packet) will be recorded in the traffic log. This is the recommended logging option.

  • Log all network packets: every transmitted network packet will be logged. For this mode, it is recommended to enable the logging limit to prevent high device load.

Source

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic source.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR, if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND, if GeoIPs and IP address and/or domain lists are specified.

Users

The list of users or groups to which this rule is applied. The Any, Unknown, and Known user types can be used. To apply rules to specific users or Known users, user identification needs to be configured. For more details on user identification, see the Users and Devices chapter.

Destination

The zone, IP address lists, Geo-IP address lists, or URL lists of the traffic destination.

The URL list must include only domain names. Every 5 minutes NGFW resolves domain names into IP addresses and stores the result in the internal cache for the DNS record's time-to-live (TTL). When the TTL expires, NGFW automatically updates the IP address value.

Important! The maximum number of GeoIPs that can be specified is limited to 15.

Important! The traffic processing logic is as follows:

  • The conditions are combined using Boolean OR, if several IP address and/or domain lists are specified.

  • The conditions are combined using Boolean AND, if GeoIPs and IP address and/or domain lists are specified.

Service

The service type, such as HTTP or HTTPS.

Time

The time periods when the rule is active.