IPS DoS attack policies

Question

Hello, 
 When i am enabling IPS DoS Policies, TCP Flood, UDP Flood, SYN Flood, i can't access admin portal of Sophos XG Firewall plus user browsing will stoped, I need your help. 
 
 Thanks 
 Habib

Ronak Sheth · Answer

Hello Habib Yaqubi 
 You only have to enable DoS for Sync, UDP and ICMP. TCP flood should be enabled only during debugging. 
 
 For Syn and UDP flood. 
 Packet/Min: 1200 
 Packet/Sec: 200 
 
 P.S. if you are using any TS, kindly increase Syn flood to 12000-500 else you can add TS in DoS bypass Rule. 
 
 ICMP flood. 200 
 
 Regards, Ronak.

Ronak Sheth · Answer

Hi Ian, 
 
 Yes, I agree Sophos default value is 12000. But you can always fine tune the settings. In an ideal scenario, when a user (standalone PC and not Terminal Server) browse a site like Facebook, linkedIn, MSN the max SYN packet are 10-15/sec followed by all TCP packet. 
 
 In case of UDP application like VOIP, VPN, etc you will have to increase UDP flood to 12000+ or add DoS bypass rule. 
 
 Regards, Ronak.

Ronak Sheth · Answer

Hello Habib Yaqubi , 
 
 For SYN, UDP and ICMP you only have to enable on Source.

Regards, Ronak.