Configuration Examples
Depending on how you want the appliance to handle incoming traffic, you can configure the applicable parameters so that they work together to deliver the desired results. The following examples demonstrate how you can use the Rate algorithm, Packets per second, and Drop interval parameters.
Example 1
If source IP 100.10.10.1 sends queries at a rate of 100 packets per second, and you have the following configuration for a threat protection rule:
Packets per second = 40
Drop interval = 3
Rate algorithm = blocking
The appliance handles incoming traffic in the following manner:
1st second: 40 packets are allowed; all other packets are blocked
2nd second: All traffic from 100.10.10.1 is blocked
3rd second: All traffic from 100.10.10.1 is blocked
4th second: All traffic from 100.10.10.1 is blocked
5th second: All traffic from 100.10.10.1 is blocked
6th second: All traffic from 100.10.10.1 is blocked
In this example, the appliance evaluates historical data about the client's behavior. If the client traffic exceeds the limit, the appliance continuously drops traffic, which may result in an indefinite traffic blockage for a client that continuously violates the rate limit.
Example 2
Source IP 100.10.10.1 sends queries at a rate of 100 packets per second for two seconds, then 30 packets per second for three seconds, and 50 packets afterwards. You have the following configuration for a threat protection rule:
Packets per second = 40
Drop interval = 1
Rate algorithm = rate limiting
The appliance handles incoming traffic in the following manner:
1st second: 40 packets are allowed; all other packets are blocked for the remainder of the second
2nd second: 40 packets are allowed; all other packets are blocked for the remainder of the second
3rd second: All traffic from 100.10.10.1 is allowed
4th second: All traffic from 100.10.10.1 is allowed
5th second: All traffic from 100.10.10.1 is allowed
6th second: 40 packets are allowed; all other packets are blocked for the remainder of the second
In this case, the appliance re-evaluates the client behavior every second. If client traffic exceeds the rate limit, the appliance processes queries up to the rate limit and drops all excess queries for the remainder of the second.
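The two examples above can be checked with a small per-second model when you plan rule values. This is an added illustration, not the appliance's implementation: the function names are hypothetical, the blocking model assumes that packets arriving during a drop interval are still counted (so a second over the limit renews the block), and the third traffic pattern is constructed to show when a blocked client recovers.

```python
"""Per-second model of the two rate algorithms (added example, not vendor code)."""

EXAMPLE_1 = [100] * 6                       # traffic pattern from Example 1
EXAMPLE_2 = [100, 100, 30, 30, 30, 50]      # traffic pattern from Example 2
BURST_THEN_QUIET = [100, 30, 30, 30, 30, 30]  # constructed: one burst, then compliant


def simulate_blocking(offered, pps, drop_interval):
    """Return packets allowed in each second under the blocking algorithm.

    Assumption: packets that arrive while the source is blocked are still
    counted, so any second over the limit renews the drop interval.
    """
    allowed = []
    blocked_through = 0  # last second (1-based) covered by the current block
    for second, count in enumerate(offered, start=1):
        if second <= blocked_through:
            allowed.append(0)                # inside a drop interval
        else:
            allowed.append(min(count, pps))  # up to the limit gets through
        if count > pps:
            blocked_through = second + drop_interval
    return allowed


def simulate_rate_limiting(offered, pps):
    """Return packets allowed per second for rate limiting with Drop interval = 1."""
    return [min(count, pps) for count in offered]


def recovery_second(offered, pps, drop_interval):
    """First second (1-based) with allowed traffic after a block, or None."""
    allowed = simulate_blocking(offered, pps, drop_interval)
    seen_block = False
    for second, (count, ok) in enumerate(zip(offered, allowed), start=1):
        if ok == 0 and count > 0:
            seen_block = True
        elif seen_block and ok > 0:
            return second
    return None


if __name__ == "__main__":
    print("Example 1 (blocking):     ", simulate_blocking(EXAMPLE_1, 40, 3))
    print("Example 2 (rate limiting):", simulate_rate_limiting(EXAMPLE_2, 40))
    print("Burst then quiet:         ", simulate_blocking(BURST_THEN_QUIET, 40, 3))
    print("Recovers in second:       ", recovery_second(BURST_THEN_QUIET, 40, 3))
```

Under the stated assumption, a client that bursts once and then stays under the limit is blocked for the three-second drop interval and passes traffic again in the 5th second, while the Example 1 client never recovers.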