JPR
Contributor

Question regarding 'fwaccel dos'

Hi,

We have tried to configure the DoS mitigation feature 'fwaccel dos' on a single destination IP. However, we recently had an issue where it ended up blocking all connection attempts to that destination, whatever source they came from. I assume that is by design, but I was wondering if it is possible to block only a single IP that generates a lot of traffic, and not all connection attempts?

The way it seems to work is that if destination 1.2.3.4 (our external IP) has x amount of connections from various sources (not just one), any connection attempt will be denied.

What we wish to achieve is that if src 5.6.7.8 (attacker) has x amount of connections to destination 1.2.3.4 (our external IP), then it (the attacker IP) will be blocked.

I hope my question makes sense 🙂

Thanks!

0 Kudos
1 Reply
PhoneBoy
Admin

Yes, this is expected behavior unless you specified an explicit source in the fwaccel dos rule.
Please review https://support.checkpoint.com/results/sk/sk112454 
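The difference discussed in this thread, shown as an added conceptual model (not Check Point code and not `fwaccel dos` syntax; see sk112454 for the real rule options): a rate rule that matches only on destination keeps one counter for every source, while the same rule with an explicit source counts only that source. The function name, the single counting interval, the limit of 5 and the two client addresses are assumptions made for illustration.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample: new connections seen during one counting interval.
ATTACKER, TARGET = "5.6.7.8", "1.2.3.4"          # addresses used in the question
CLIENT_A, CLIENT_B = "198.51.100.10", "203.0.113.20"  # constructed legitimate clients
EVENTS = (
    [(ATTACKER, TARGET)] * 8
    + [(CLIENT_A, TARGET), (CLIENT_B, TARGET)]
    + [(ATTACKER, TARGET)] * 4
    + [(CLIENT_A, TARGET), (CLIENT_B, TARGET)]
)


def dropped_by_source(events, limit, destination, source="0.0.0.0/0"):
    """Return {source_ip: dropped_connections} for one rate rule (hypothetical model).

    The rule keeps a single counter for all connections matching
    source AND destination. Once that counter exceeds `limit`, every
    further matching connection is dropped, whoever sent it.
    """
    src_net, dst_net = ip_network(source), ip_network(destination)
    matched = 0
    drops = Counter()
    for src, dst in events:
        if ip_address(src) in src_net and ip_address(dst) in dst_net:
            matched += 1
            if matched > limit:
                drops[src] += 1
    return dict(drops)


if __name__ == "__main__":
    # Destination-only rule: the attacker fills the shared counter,
    # so the legitimate clients are dropped as well.
    print("destination only:", dropped_by_source(EVENTS, 5, "1.2.3.4/32"))
    # Explicit source: only the attacker's connections are counted and dropped.
    print("explicit source :", dropped_by_source(EVENTS, 5, "1.2.3.4/32", "5.6.7.8/32"))
```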
