I see a new entry in DoS protection called "IP Flood"

Hi alan weir  Thank you for reaching out to the Sophos community team, This details [ "IP Flood" ] in the DoS summary page is expected and it has been there since DoS rules from CLI were implemented long back..!

That option is only configurable via the CLI as per the CLI help guide below:

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/CommandLineHelp/DeviceConsole/SystemCommands/index.html#dos-config

console> system dos-config show dos-rules

If one has configured the same settings via CLI at that time intention is to show those Attackers/Victim IPs in UI for which the dropped packet counts are increased.

Hi Vishal_R,

that answer is not logical to me.

Ian

Hi rfcat_vk  Can you please me know which part is a bit confusing, so I can try my best to help you on the same OR another way is you may try to apply those settings in your home XG..! 

Certainly, there is no reference anywhere on the GUI about using CLI to configure IP Flood and I cannot remember seeing any entry in  previous versions of XG with IP Flood.

Ian

Hi rfcat_vk  In terms of reference, for the IP flood option, I will work with the documentation team to add notes or tool tips. Regarding the previous version query part, this option is always there under the "DoS attacks" page (i.e. the web admin page which loads after clicking on Intrusion prevention ) but not under "DoS settings". 

Please check this 4-year-old video explaining "Creating & Configuring IPS Policies with V17 and navigate to around 0:43 seconds, you will see that option (IP Flood) in that video as well which indicates that this option has been there for a long..! 

https://www.youtube.com/watch?v=uyRLYXQ5h90&list=PL_b4O8ZwWOqtLRR3iINNWhXQaQF902AIW&index=8

If this is the Mandela effect, I'm not sure, but I don't remember seeing IP Flood before either. Odd that I've been using Sophos XG for years, and I just noticed IP Flood now. 

Hello,

"IP Flood" is not a new feature and it's there since many releases (at least since v17.0+ like mentioned above).

It was given in CLI along with DoS bypass rule CLI but never make it to GUI due to other priorities and that could be the reason it might not have been observed by many admins.

Admin may want to use "IP flood" in a scenario where they would like to block all IP traffic regardless of whether it's TCP or UDP (which is given in GUI). Configuration part is in CLI and on GUI, drop counters can be seen.  

Hello,

"IP Flood" is not a new feature and it's there since many releases (at least since v17.0+ like mentioned above).

It was given in CLI along with DoS bypass rule CLI but never make it to GUI due to other priorities and that could be the reason it might not have been observed by many admins.

Admin may want to use "IP flood" in a scenario where they would like to block all IP traffic regardless of whether it's TCP or UDP (which is given in GUI). Configuration part is in CLI and on GUI, drop counters can be seen.