Implementing DoS service-policy on ASA 5525-X v9.8

N3t W0rK3r
Level 3

I am looking to implement a service policy to protect against DoS SYN attacks.  I have this config that I'm planning to apply (see below). 

Question is, is it better to apply it to the outside interface (where no policy currently exists) or to the global policy? And, in doing so, would there be any interruption to data flow at the time the change is made?


Thanks in advance.


class-map SYN-DOS-class
match any
exit
!
policy-map SYN-DOS-policy
class SYN-DOS-class
set connection conn-max 9500
set connection embryonic-conn-max 5000
set connection per-client-embryonic-max 100
set connection per-client-max 75
exit
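To make the four limits in the policy-map above concrete, here is an added Python example (not from the thread or from Cisco) that parses the `set connection` lines and replays a constructed stream of half-open SYNs against the two embryonic limits, reporting which SYNs would exceed them. The IP addresses and traffic mix are constructed; the ASA's actual reaction once a limit is hit (TCP intercept / SYN cookies) is deliberately not modelled.

```python
import re
from collections import Counter

# Constructed copy of the policy-map posted in the thread; the "set connection"
# keywords are the real ASA keywords, the limit values are the poster's.
ASA_POLICY = """
policy-map SYN-DOS-policy
 class SYN-DOS-class
  set connection conn-max 9500
  set connection embryonic-conn-max 5000
  set connection per-client-embryonic-max 100
  set connection per-client-max 75
"""

def parse_connection_limits(config):
    """Return e.g. {'conn-max': 9500, 'embryonic-conn-max': 5000, ...}."""
    return {k: int(v) for k, v in re.findall(r"set connection (\S+) (\d+)", config)}

def replay_half_open(sources, limits):
    """Replay a list of client IPs, one entry per SYN that never completes
    the handshake (an embryonic / half-open connection).

    Returns (per_client_over, total_over, counts): how many SYNs exceeded
    per-client-embryonic-max, how many exceeded embryonic-conn-max, and the
    final embryonic count per client. Only the limit check is modelled; the
    ASA's response (TCP intercept / SYN cookies) is not.
    """
    per_client_max = limits["per-client-embryonic-max"]
    total_max = limits["embryonic-conn-max"]
    counts = Counter()
    per_client_over = total_over = total = 0
    for ip in sources:
        if counts[ip] >= per_client_max:
            per_client_over += 1       # this client already holds its quota
            continue
        if total >= total_max:
            total_over += 1            # box-wide embryonic quota exhausted
            continue
        counts[ip] += 1
        total += 1
    return per_client_over, total_over, counts

if __name__ == "__main__":
    limits = parse_connection_limits(ASA_POLICY)
    # Constructed traffic: one noisy host and one normal host.
    flood = ["198.51.100.7"] * 150 + ["203.0.113.9"] * 20
    print(limits)
    print(replay_half_open(flood, limits))
```

Swap in your own limit values to see how the per-client ceiling caps a single source long before the box-wide ceiling is reached.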

Accepted Solution

Ajay Saini
Level 7

It does not have any impact on the data flow at the time of interruption.


If you think that DOS can appear from any interface, better apply it globally so that it is applicable to traffic originating from behind any interface, not only outside. FYI, the policy applied on an interface takes preference over the global policy.


HTH
AJ


Thanks very much Ajay!
