There aren't any recommended settings other than the default. What you need to set it for is based on your specific and unique usage and data patterns. If you are getting lots of flood triggers and you believe they are false positives, then raise the thresholds.
Although specific to them, the idea is the same. Essentially:
- You will set it to high-ish values. - Clear current counters - Monitor session/connection/packet rate counters samples - Depending on your environment, try to get samples for daily averages, weekly averages, and, if possibly, monthly averages (though, that may take too long) - Make sure to account for weird traffic patterns that may occur regularly (such as end-of-month accounting or lunch time web browsing patterns) - Finally, adjust your settings based on the data you've gathered for the individual setting keeping 25% headroom (multiple your averages by 1.25) for misc/unaccounted for traffic and peaks - As your traffic patterns change come back and re-do these settings and adjust as appropriate (maybe an annual calendar reminder)
Also, f you are coming from another firewall platform, you can find those settings and, if they worked well for you, migrate them over as best you can.
Edit: Also, I don't know what specific commands you would need to get regarding this from the shell. You CAN go to WebAdmin -> Logging & Repporting -> Network Usage" and look at the "Concurrent Connections" section for the Daily Weekly, Monthly, and Yearly sections to get an idea of what you may need. Unfortunately, this section seems to show "connections" and the Anti-DoS/Flooding settings seem to be configured based on packet rate per second so YMMV.
these abilities inside the UTM webadmin are a bit misleading. A minor attack the utm can stop..but if you get one big enough to stuff your pipe there's nothing UTM(or any other gateway device) can do about it. I leave them at the default as i've never seen anything be affected by the built in protection by changing them....not saying there's not a specific use case for changing them i just have not run across one yet.
