Forum Discussion

etherchannel01's avatar
etherchannel01
Icon for Nimbostratus rankNimbostratus
Jan 11, 2023
Solved

DoS Profiles

If I assign the same DoS profile to provide application protection for all my virtual servers is automatic threshold learning done at the virtual server level or is it applied to the overarching policy itself?

  • Hi etherchannel01 , 
    It is Not Recommended at all , 
    you should separate all security profiles for each virtual server specially Dos or Bot Defense profiles. 

    I say that to prevent a huge headache in troubleshooting in issues. 
    Also this separation on Dos profiles level will give the availability to configure all Dos profile features such as heavy urls and so on. 

    Anyway , it’s not recommended to group all virtual servers in one Dos profile , this is my opinion. 

7 Replies

  • Hi,

    Each Application has different behavior and traffic processing, if you use an automatic threshold with many applications to create a DDOS profile, it could extend the threshold to some application that doesn´t need it, I recommend you create a DDOS Profile for each application Virtual Server, this automatic process will take the maximum threshold of all Virtual Servers that have applied this profile.

    Hope it´s works.

  • Hi etherchannel01 , 
    It is Not Recommended at all , 
    you should separate all security profiles for each virtual server specially Dos or Bot Defense profiles. 

    I say that to prevent a huge headache in troubleshooting in issues. 
    Also this separation on Dos profiles level will give the availability to configure all Dos profile features such as heavy urls and so on. 

    Anyway , it’s not recommended to group all virtual servers in one Dos profile , this is my opinion. 

    • PSFletchTheTek's avatar
      PSFletchTheTek
      Icon for MVP rankMVP

      Hi,

      So i've got a configuration of vip targetting vip, when it comes to dos profiles i was planning on putting this on the front level vip which is where the TCP packet will terminate, as well as the bot profile.

      If i put a dos and bot profile on each virtual server, would the vip in front of it hide any off the traffic that might trigger these protection features?
      Would i need a dos/bot profile on the front vip AND the backend vips holding the services?

      Thanks - Fletch

      • Hi PSFletchTheTek , 
        I want to clarify more please. 
        you have 2 VIPs Vip sends traffic to the other one , 
        Are both of VIPs in same appliance or separte appliance ? 
        I need to know more about the traffic flow. 
        But from the first look I see that putting Dos and Bot Profiles is sufficient in the first " Front VIP " only.