Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Not Answered
  • Locked Locked
  • Replies 3 replies
  • Subscribers 42 subscribers
  • Views 5382 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

DDOS protection explained

Regex

Can anyone explain what Sophos meant when designing this menu?

My experience comes from fortigate where  most of options are logically ordered and described, but here im out of any Face palm

How should i interprete it ?

PIC 1 seems logical;

Pic 2  SOPHOS



This thread was automatically locked due to age.
  • 0

    Hi,

    basically what you are showing is two different approaches to the same subject.

    On the Sophos you would setup as firewall rule at the top of your firewall rule list using the country as the source network inn the WAN zone and then point the rule at a deadend NAT which points at a none existent IP address. There is a KBA on how to setup deadend NAT .

    Most recommendations are to leave the Sophos DDOS settings disabled except for the ICMP redirect and source routed packets.

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0

    As far as I can tell, they are referring to what they say: Source and Destination of the traffic, not WAN vs LAN. 

  • 0

    DDOS is potentially flawed in all products anyway. What should be the benefit in tracking the amount of data and limiting it? You cannot deal with a DDOS attack, which is potentially destributed between plenty of Hosts. It will hit your interface anyway. If you drop it, it will still flood the interface. So if somebody wants to bring you down, nobody will use a single host, instead they will simply rent a network and bring your interface down with multiple hosts. No firewall can stop this. Potentially the ISP can do this before hitting your interface. 

    __________________________________________________________________________________________________________________

Unfiltered HTML