DDoS configuration

I have created the DDoS signatures in IP, IPS Policies.

I have followed the guide (https://community.sophos.com/kb/en-us/123182), but the last line reads - Navigate to Firewall and apply the Intrusion Prevention policy to the User/Network Rule.

My question is, what User / Network Policy?



  • Paul, version 15 of XG was using a different UI and 3 different types of firewall rules compared to 2.

    On the current version, when you create a firewall rule (not the business application rule), you are creating a network rule (compared to v15). If in the same rule you tick "match known users", the rule becomes a user rule (v15).

    Regards

  • I am using v16.05 (MR6).

    I am assuming that one needs to create a new rule specifically to use the IPS DDoS IPS Policy? If so, with what criteria? I only have two incoming rules, one for email (SMTP) and one for HTTPS.

  • The IPS policy can be applied to every firewall rule under the Advanced section, as shown above.

    Regards

  • Thanks for your reply - I know where to find it (Advanced, Intrusion Prevention), it was which rule to apply to.

    So, I have two inbound rules, one for SMTP and one for HTTPS. I apply this IPS policy to both these rules and every other inbound rule that I create?

  • Paul,

    IPS is resource-consuming, so pay attention to which signatures you add into each IPS profile. Be as selective as you can. So in this case, if you have one firewall rule where an SMTP server/client is to be protected, create an IPS Profile where you include only SMTP protection (SMTP server attacks or Client mail attacks), and then create another IPS Profile where you add signatures only for the web server you have (IIS, Apache), and so on.

    Regards