
IPS DoS attack policies

Hello,

When I enable the IPS DoS policies (TCP Flood, UDP Flood, SYN Flood), I can't access the admin portal of the Sophos XG Firewall, and user browsing stops. I need your help.

 

Thanks

Habib



This thread was automatically locked due to age.
  • Hello

    You only have to enable DoS for SYN, UDP and ICMP. TCP flood should be enabled only during debugging.

    For SYN and UDP flood:

    Packet/Min: 1200

    Packet/Sec: 200

    P.S. If you are using any TS, kindly increase SYN flood to 12000-500, or else you can add the TS in a DoS bypass rule.

    ICMP flood: 200

     

    Regards, Ronak.

  • Hi Ronak,

    You are suggesting dropping the Packet/Min to 1200 from 12000, which is the XG default?

    Ian

  • Hi Ian,

     

    Yes, I agree the Sophos default value is 12000, but you can always fine-tune the settings. In an ideal scenario, when a user (standalone PC and not a Terminal Server) browses a site like Facebook, LinkedIn or MSN, the max SYN packets are 10-15/sec, followed by all TCP packets.

    In the case of UDP applications like VoIP, VPN, etc., you will have to increase UDP flood to 12000+ or add a DoS bypass rule.

     

    Regards, Ronak.

      

  • Hello Ronak,

     

    I have enabled SYN Flood, UDP Flood and ICMP Flood on Source and Destination, but I am unable to access the admin portal of the Sophos XG, and internet browsing stops working on client machines.

    Regards,

    Habib

  • Hello,

     

    For SYN, UDP and ICMP you only have to enable on Source.

     

     

    Regards, Ronak.

  • Hello Ronak,

    Thank you for the instructions below. I have a serious problem with connection sessions in the Sophos XG Firewall. Let me first describe our network layout: we have placed the Sophos XG Firewall in front of a Cisco ASA Firewall, and in the Cisco ASA Firewall we have limited the connection sessions of the WAN IP of the Sophos to 2000 sessions. Unfortunately, we are seeing the connection sessions exceed 2000, and internet browsing stops working until we clear the sessions from the Cisco ASA firewall. We have now increased the sessions to 30000, which is very risky, and it is also filling up. I don't know what is going on. I need to troubleshoot the issue; if you have any idea, please let me know.

    Regards,

    Habib

  • Hi,

    2000 sessions seems a very small number; you really need to be running at least 20,000. Those figures also depend on the number of clients connecting.

    Ian