Re: Configuring DOS and Other Filters Best Practices on the FMC

davsnet2000 · ‎11-05-2021

Hello Cisco Community,

I'm trying to find the procedures to create a filter policy that will prevent Denial of Service (DOS) attacks and can't find the information to filter the below settings. We have to comply with Tenable Security Center and DISA STIGs and can't locate where this information is configured.

Below are the settings I've got to enter into the FMC to block DOS attacks. What other filters are used for Security Best Practices?

set filter1 icmp ip-sweep threshold 1000
set filter2 tcp port-scan threshold 1000
set filter3 tcp syn-flood alarm-threshold 1000
set filter3 tcp syn-flood attack-threshold 1100
set filter4 tcp syn-flood source-threshold 100
set filter5 tcp syn-flood destination-threshold 2048
set filter6 tcp syn-flood timeout 20
set filter7 tcp tcp-sweep threshold 1000
set filter8 udp flood threshold 5000
set filter9 udp udp-sweep threshold 1000

Marvin Rhoads · ‎11-07-2021

These are generally configured as service policy elements within FMC and deployed to the managed FTD devices.Details on how to do so can be found here:

https://www.cisco.com/c/en/us/td/docs/security/firepower/660/configuration/guide/fpmc-config-guide-v66/threat_defense_service_policies.html#id_71062

The STIGs (and Tenable) aren't always up to date with respect to what's possible/available on the newer platforms so you may need to adjust accordingly.

davsnet2000 · ‎11-08-2021

Marvin,

Thank you for your reply. I was just looking at another reply you made when I reviewed your reply to me, see below.

From looking at both VTD equivalent is rate-based attack prevention and in the FMC are service policy elements. Good to know.

I'll see if I can find the recomended settings.

https://community.cisco.com/t5/network-security/ftd2100-ddos-protection/td-p/4143697