Configure SD-WAN DoS Protection Policies
For supported software information, see Supported Software Information, below.
Denial-of-Service (DoS) protection is used to detect, prevent, and mitigate attacks that aim to overwhelm a network, system, or application, making it unavailable to legitimate users. You configure DoS policies to allow or deny traffic based on packet and datagram values, and on thresholds for sessions and flood parameters. Once the policy is configured, you can select it when configuring a main template.
DoS protection policies consist of a set of rules for matching traffic, actions to take on traffic that matches the rule set, and a permissions list indicating which user roles can access or modify the policy. Each rule consists of a set of match criteria, an action, and permissions for the rule.
In a DoS protection rule, you can match the following criteria for packets/datagrams:
- Source zone
- Destination zone
- Source address
- Destination address
- Service type—AH, ESP, TCP, UDP, TCP_or_UDP, or ICMP. TCP and UDP service types also include the port number of the service.
- Service group—A service group is a collection of service types.
- IP header—IP header attributes, such as IPv4 or IPv6 address type.
For each rule, you define the actions to take on traffic that meets the match criteria:
- Allow—Allow all traffic that matches the criteria to pass.
- Deny—Drop all traffic that matches the criteria.
- Profile—Follow the actions configured in a DoS protection profile. DoS protection profiles can include session and flood protection thresholds.
This article describes how to configure DoS policies.
Create a DoS Protection Policy
You can create a DoS protection policy as part of a main template, or you can create it separately and then associate it with a main template. For more information on main templates, see Configure Main Templates.
To create a DoS protection policy using the main template workflow:
- In Tenant view, select Configure > Secure SD-WAN > Main Templates.
- Click + Add, or select an existing main template for which you want to configure the policy.
- Select workflow step 7, Security, in the top menu bar.
- Select the DoS Protection tab, and then click Add New DoS Protection Policy. The Add DoS Protection Policy screen displays.
- Continue to Configure DoS Protection Rules, below.
To create a DoS protection policy separately:
- In Tenant view, select Configure > Secure SD-WAN > Security > Policies.
- Select the DoS Protection tab, and then click + Add. The Add DoS Protection Policy screen displays.
- Continue to Configure DoS Protection Rules, below.
Configure DoS Protection Rules
- In the Add DoS Protection Policy screen, click Add DoS Protection Rule. The screen displays the workflow to create a rule, beginning with workflow step 1, Source & Destination Traffic.
- By default, traffic from all source and destination addresses and zones, and from all sites, is included in the match criteria. You can include or exclude specific source and destination traffic to match the rule.
To match traffic from specific source and destination addresses, zones, and sites:
- Select the Source Addresses tab.
  - Select a source address group or address object for the rule to match, or use the search box to find a source address group or object. To exclude the source address or addresses, click Negate Source Address.
  - To create an Address Group object, click the + icon. For more information, see the Add Address Group section in Configure Reusable Objects.
  - To create an Address Object, click the + icon. For more information, see the Add Address Object section in Configure Reusable Objects.
  - To match on IP range, subnet, or wildcard, enter one or more values in the IP Range, Subnet, or Wildcard fields.
- Select the Destination Addresses tab.
  - Select a destination address group or address object for the rule to match, or use the search box to find a destination address group or object. To exclude the destination address or addresses, click Negate Destination Address.
  - To create an Address Group object, click the + icon. For more information, see the Add Address Group section in Configure Reusable Objects.
  - To create an Address Object, click the + icon. For more information, see the Add Address Object section in Configure Reusable Objects.
  - To match on IP range, subnet, or wildcard, enter one or more values in the IP Range, Subnet, or Wildcard fields.
  - Click Enable Match Anycast Address to match on an anycast IP address, which is a shared default gateway IP address.
- Select the Source Zones & Sites tab to specify source zones to include in the match criteria. Select one or more source zones or source sites from the lists. You can also select an ingress routing instance.
- Select the Destination Zones & Sites tab to specify destination zones to include in the match criteria. Select one or more destination zones or destination sites from the lists. You can also select an egress routing instance.
- Click Next or select workflow step 2, Services & Headers.
- By default, all services, service groups, and headers are included in the match criteria. You can specify the services, service groups, and headers for the rule to match.
To specify services, service groups, and headers to match:
- Select the Services tab.
  - Select the services to include in the match criteria. To filter the list, click All Types, and select Predefined or User Defined. You can also search by service name.
  - To create a service object, click the + icon. For more information, see the Add a Service Object section in Configure Reusable Objects.
- Select the Service Groups tab.
  - Select the service groups to include in the match criteria. You can search by service group name.
  - To create a service group object, click the + icon. For more information, see the Add a Service Group section in Configure Reusable Objects.
- Select the Headers tab. By default, all DSCP decimal values are included in the match criteria. You can specify which DSCP decimal values to include.
  - Enter information for the following fields:
    - IP Version: Select the IP version to match, either IPv4 or IPv6.
    - IP Flags: Select one of the following flags to match: Don't Fragment (DF) or More Fragments (MF).
    - DSCP: Select one or more DSCP decimal values to match. The value range is 0 to 63.
    - TTL (group of fields): Matches the TTL value based on a comparison operator.
      - Condition: Select the comparison operator: Equal To, Less Than or Equal To, or Greater Than or Equal To.
      - Value: Enter the value to compare to the TTL.
- Click Next or select workflow step 3, Security Enforcement. You can apply exactly one of the following security enforcements to traffic that matches the rule:
  - Allow—Allow all traffic that matches the rule to pass unfiltered.
  - Deny—Drop all traffic that matches the rule.
  - Protect—Apply a DoS protection profile to traffic that matches the rule.
- To allow or deny traffic that matches the rule, click Allow or Deny.
- To apply a DoS protection profile to traffic that matches the rule, click Protect, and then select values for the following fields:
  - Aggregate: Select an aggregate DoS protection profile. For information about configuring DoS protection profiles, see Configure SD-WAN DoS Protection Profiles.
  - Classified: Select a classified DoS protection profile. For information about configuring DoS protection profiles, see Configure SD-WAN DoS Protection Profiles.
- Click Next or select workflow step 4, Review and Submit.
- In the General section, enter information for the following fields:
  - Name: Enter a name for the rule.
  - Description: (Optional) Enter a description for the rule.
  - Tags: (Optional) Enter one or more tags. A tag is an alphanumeric text descriptor with no spaces or special characters. You can add multiple tags to the same object. The tags are used for searching the objects.
  - Schedule: Select a schedule to set the time and frequency at which the rule is in effect.
  - Rule Enabled: Click to disable the rule once it is saved. By default, the rule is enabled.
  - Logging Disabled: Click the slider bar to enable logging for the rule. By default, logging is disabled.
  - Logging Profile (group of fields): If you enable logging, configure the logging profile.
    - Use Default: Click to use the default logging profile.
    - Custom: Click to use a custom logging profile, and then select the profile from the Logging Profile field. To add a custom logging profile, go to Configuration > Reusable Objects > Logging Profile. The profile is automatically added to the Logging Profile drop-down list.
    - Events: Select when to log events:
      - End—End of the flow.
      - Start—Start of the flow.
      - Start & End—Start and end of the flow.
      For information about log flows, see Flow Logs.
- Review the remaining sections. Click the Edit icon in any section to make changes, as needed.
- Click Save DoS Rule. The Add DoS Protection Policy screen displays the saved rule.
- To add another rule, click + Add in the horizontal menu. You can also select an existing rule and perform the following operations:
  - Clone—Creates a copy of the rule. You can change the default name of the cloned rule, if desired. The cloned rule then appears in the list of DoS protection rules.
- Reorder—Reorder the selected policy rule.
- Delete—Delete the selected policy rule.
- Continue to Configure Permissions, Review, and Submit the DoS Protection Policy.
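The match-and-action model from the rule description at the top of this article and from the rule workflow above (Source & Destination Traffic, Services & Headers, Security Enforcement), as an added Python example that is not part of this article or of the product: it evaluates an ordered rule list first-match, with unset criteria matching all traffic (the page's default), address negation, and the TTL comparison operators. The zone names, prefixes, profile names, and the None result for unmatched traffic are constructed assumptions.

```python
import ipaddress

# Comparison operators offered for the TTL condition on the Headers tab.
TTL_OPS = {"eq": lambda a, b: a == b, "le": lambda a, b: a <= b, "ge": lambda a, b: a >= b}

def addr_match(nets, addr, negate=False):
    # An empty prefix list means all addresses (the page's default); negate inverts a hit.
    if not nets:
        return True
    hit = any(ipaddress.ip_address(addr) in ipaddress.ip_network(n) for n in nets)
    return hit != negate

def rule_matches(rule, pkt):
    # Unset criteria match everything; every configured criterion must match.
    zones_ok = ((not rule.get("src_zones") or pkt["src_zone"] in rule["src_zones"])
                and (not rule.get("dst_zones") or pkt["dst_zone"] in rule["dst_zones"]))
    addrs_ok = (addr_match(rule.get("src_nets", []), pkt["src"], rule.get("negate_src", False))
                and addr_match(rule.get("dst_nets", []), pkt["dst"], rule.get("negate_dst", False)))
    # A service is protocol plus port for TCP/UDP; port is None for ICMP, AH and ESP.
    svc_ok = not rule.get("services") or (pkt["proto"], pkt.get("port")) in rule["services"]
    hdr_ok = ((not rule.get("ip_version") or pkt["ip_version"] == rule["ip_version"])
              and (not rule.get("dscp") or pkt["dscp"] in rule["dscp"]))
    ttl_ok = not rule.get("ttl") or TTL_OPS[rule["ttl"][0]](pkt["ttl"], rule["ttl"][1])
    return zones_ok and addrs_ok and svc_ok and hdr_ok and ttl_ok

def evaluate_policy(rules, pkt):
    # First matching rule in list order wins; None when nothing matched (an assumption).
    for rule in rules:
        if rule_matches(rule, pkt):
            return {"rule": rule["name"], "action": rule["action"], "profile": rule.get("profile")}
    return None

# Constructed sample policy: zone names, prefixes and profile names are invented.
RULES = [
    {"name": "guest-to-dc", "src_zones": {"Guest"}, "dst_nets": ["10.0.0.0/8"], "action": "deny"},
    {"name": "ssh-from-outside", "src_nets": ["10.0.0.0/8"], "negate_src": True,
     "services": {("TCP", 22)}, "action": "deny"},
    {"name": "web-frontends", "dst_nets": ["10.1.1.0/24"], "services": {("TCP", 80), ("TCP", 443)},
     "ttl": ("ge", 2), "action": "profile", "profile": "web-aggregate"},
    {"name": "internal", "src_nets": ["10.0.0.0/8"], "action": "allow"},
]

def sample_packet(src_zone, src, proto, port=None, ttl=64):
    # Constructed packet headed for a data-center web server behind the policy.
    return {"src_zone": src_zone, "dst_zone": "DC", "src": src, "dst": "10.1.1.10",
            "proto": proto, "port": port, "ip_version": 4, "dscp": 0, "ttl": ttl}
```

Rule order matters: the negated-source SSH rule only denies because it sits above the catch-all internal allow, and the TTL condition shows how a header criterion drops traffic out of the Protect rule into whatever follows.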
Configure Permissions, Review, and Submit the DoS Protection Policy
- In the Add DoS Protection Policy screen, select workflow step 2, Permissions.
- To change the permissions for a role, select Create, Read, Update, or Delete in the Permissions column. These permissions apply to the specific DoS protection policy you are configuring.
- Click Next or select workflow step 3, Review and Submit.
- In the General section, enter information for the following fields:
  - Name: Enter a name for the DoS protection policy.
  - Description: Enter a text description.
  - Tags: Enter a tag, and then press the Enter key. You can enter multiple tags. A tag is an alphanumeric text descriptor with no spaces or special characters. The tags are used for searching the objects.
  - Reuse Options (for policies added through the Main Templates workflow only): Click Reusable on Other Templates to make the policy usable in other main templates. Otherwise, click Not Reusable. If you mark the policy as reusable, the policy is listed in the DoS Protection Policies table at Configure > SD-WAN > Security > DoS Protection.
- Review the settings you have selected. Click the Edit icon to change a setting, as needed.
- Click Submit.
Manage SD-WAN DoS Protection Policies
You can perform the following actions on SD-WAN DoS protection policies:
- Edit
- Clone
- Delete
- View references
- Propagate
- Compare versions
- View the audit log
- Enable and disable auto delete
For information about these actions, see Manage SD-WAN Policies and Profiles.
Supported Software Information
Releases 13.1.1 and later support all content described in this article.
Additional Information
Configure Main Templates
Configure SD-WAN DoS Protection Profiles
Manage SD-WAN Policies and Profiles
