Timothy_Hall

Yes the  --enable-internal option applies to all of SecureXL's DoS functions including the Penalty Box.  However there are two things to be aware of when setting this option:

1) A corner case to be aware of when enabling the SecureXL penalty box involves selective synchronization of services in a ClusterXL cluster. Suppose the penalty box is configured with the default values on all members of the cluster, and TCP port 443 connections are NOT currently being synchronized between the cluster members to reduce sync interface traffic. When a failover occurs, huge amounts of TCP port 443 packets from the existing connections at the time of failover will be dropped as "out of state" by the newly-active gateway. In this case, if more than 500 drops occur from an IP address within one second, that system will be penalty-boxed and no longer be able to send or receive traffic through the firewall for 3 minutes by default. This is a particular issue with Content Delivery Networks (CDNs) employed by popular websites on the Internet, and can also impact your critical internal servers with --enable-internal set.

2) The Penalty Box does have an allow list (whitelist) option via fwaccel dos allow; consider adding your critical internal server subnets proactively to avoid them accidentally getting penalty boxed, which will cause major problems.

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
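The failover corner case and the allow-list mitigation above can be reasoned about offline with a small model of the rate logic the post describes. The following is an added example, not code from the original post and not Check Point's SecureXL implementation: it assumes the post's defaults (more than 500 out-of-state drops from one source IP within one second puts that IP in the box for 3 minutes, allow-listed subnets are exempt) and replays constructed drop records such as those a newly-active cluster member would generate for unsynchronized TCP 443 connections. The class and function names, the sliding-window bookkeeping, and the sample IP addresses are all assumptions made for the illustration.

```python
"""Toy model of the SecureXL Penalty Box rate logic (added example, not
Check Point code). Threshold, window and box duration follow the defaults
quoted in the post above; everything else is an assumption."""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

DROP_THRESHOLD = 500      # "more than 500 drops ... within one second"
WINDOW_SECONDS = 1.0
BOX_DURATION = 180.0      # 3 minutes, the post's default


class PenaltyBox:
    """Per-source-IP drop counter with a sliding one-second window."""

    def __init__(self, allow_list=()):
        # Subnets exempt from boxing, the role fwaccel dos allow plays
        self.allow = [ip_network(n) for n in allow_list]
        self.drops = defaultdict(deque)   # src -> timestamps of recent drops
        self.boxed = {}                   # src -> time the box expires

    def is_allowed(self, src):
        addr = ip_address(src)
        return any(addr in net for net in self.allow)

    def is_boxed(self, src, now):
        until = self.boxed.get(src)
        if until is None:
            return False
        if now >= until:                  # 3 minutes elapsed: release
            del self.boxed[src]
            return False
        return True

    def record_drop(self, src, now):
        """Register one out-of-state drop from src at time now.
        Returns True if src is (now) in the penalty box."""
        if self.is_allowed(src):
            return False                  # allow-listed: never boxed
        if self.is_boxed(src, now):
            return True
        window = self.drops[src]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()              # age out drops older than 1 s
        if len(window) > DROP_THRESHOLD:
            self.boxed[src] = now + BOX_DURATION
            window.clear()
            return True
        return False


def failover_burst(src, count, start=0.0, spread=0.5):
    """Constructed sample: `count` out-of-state drops from `src`, spread
    evenly over `spread` seconds, as after a failover with TCP 443 not
    synchronized between cluster members."""
    return [(start + i * spread / count, src) for i in range(count)]


def simulate_failover(drop_events, allow_list=()):
    """Replay (time, src) drop records in order; return the set of sources
    that ended up boxed and the PenaltyBox state for further inspection."""
    box = PenaltyBox(allow_list)
    boxed = set()
    for t, src in sorted(drop_events):
        if box.record_drop(src, t):
            boxed.add(src)
    return boxed, box


if __name__ == "__main__":
    # 203.0.113.10 stands in for a CDN edge, 10.1.1.20 for an internal server
    events = failover_burst("203.0.113.10", 600) + failover_burst("10.1.1.20", 800)
    print("no allow list:", simulate_failover(events)[0])
    print("internal /24 allowed:",
          simulate_failover(events, allow_list=["10.1.1.0/24"])[0])
```

Run without an allow list, both the CDN address and the internal server are boxed after the burst; with the internal /24 on the allow list only the CDN address is, and it is released again once 180 seconds have passed. A burst of exactly 500 drops in a second stays below the "more than 500" threshold.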
