Cisco Firepower 9300 Security Appliance
Chapter 5 – Managing DefensePro Network Protection Policies
Network Protection policies protect your configured networks using protection profiles. Each Network Protection
policy uses one or more protection profiles that are applied on a predefined network segment. In addition, each
policy includes the action to take when an attack is detected.
Before you configure Network Protection policies and profiles, ensure that you have enabled all the required protections and configured the corresponding global protection parameters under Setup > Security Settings.
Note: The terms Network Protection policy and network policy may be used interchangeably in APSolute Vision and in the documentation.
There are two main types of network protections: Intrusion Prevention (see Table 69 - Intrusion Prevention Protections, page 119) and Denial of Service protection (see Table 70 - Denial of Service Protections, page 119).
The set of supported protections depends on the Radware DefensePro DDoS Mitigation version.
Table 69: Intrusion Prevention Protections

Protection   | Description
-------------|-------------------------------------------------------------------------------------
DoS Shield   | Protects against known flood attacks and flood-attack tools that can also cause a denial-of-service effect.
Table 70: Denial of Service Protections

Protection               | Description
-------------------------|-------------------------------------------------------------------------------
Behavioral DoS (BDoS)    | Protects against zero-day DoS/DDoS-flood attacks.
SYN Protection           | Protects against SYN-flood attacks using SYN cookies.
DNS Protection           | Protects against zero-day DNS-flood attacks.
Out-of-State Protection  | Detects out-of-state packets to provide additional protection against TCP-session-based attacks.
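To make the SYN Protection entry above concrete, here is an added example (written for this page, not Radware or Cisco code) of how a SYN-cookie listener survives a flood of spoofed SYNs without allocating half-open state. The cookie layout (5-bit time slot, 2-bit MSS index, 25-bit HMAC), the MSS table, the 64-second slot and the one-slot acceptance window are this example's own assumptions, as are the secret and the sample addresses, which are constructed for the demonstration; DefensePro's actual encoding is not documented on this page.

```python
"""SYN-cookie demonstration (added example; not DefensePro's implementation).

The SYN-ACK sequence number is an HMAC-derived cookie, so the listener keeps
no per-SYN state. A connection entry is created only when a client returns a
valid, fresh cookie in its ACK. Layout and timeouts are assumptions made here.
"""
import hashlib
import hmac
import ipaddress
import struct

SECRET = b"example-secret-rotate-me"   # constructed for the example; rotate in real use
MSS_TABLE = (536, 1220, 1440, 1460)    # assumed: 2 cookie bits encode the offered MSS
SLOT_SECONDS = 64                      # assumed: one timestamp slot is 64 s
MAX_SLOT_AGE = 1                       # assumed: accept cookies at most one slot old


def _mac(src_ip, dst_ip, src_port, dst_port, slot):
    """25-bit keyed hash over the connection 4-tuple and the time slot."""
    msg = (ipaddress.ip_address(src_ip).packed
           + ipaddress.ip_address(dst_ip).packed
           + struct.pack("!HHI", src_port, dst_port, slot))
    digest = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & 0x1FFFFFF


def make_cookie(src_ip, dst_ip, src_port, dst_port, offered_mss, now):
    """ISN for the SYN-ACK: 5-bit slot | 2-bit MSS index | 25-bit MAC."""
    slot = (now // SLOT_SECONDS) & 0x1F
    mss_idx = 0
    for i, mss in enumerate(MSS_TABLE):      # largest table MSS not above the offer
        if mss <= offered_mss:
            mss_idx = i
    return (slot << 27) | (mss_idx << 25) | _mac(src_ip, dst_ip, src_port, dst_port, slot)


def check_cookie(cookie, src_ip, dst_ip, src_port, dst_port, now):
    """Return the encoded MSS if the cookie is genuine and fresh, else None."""
    slot = (cookie >> 27) & 0x1F
    mss_idx = (cookie >> 25) & 0x3
    cur_slot = (now // SLOT_SECONDS) & 0x1F
    if (cur_slot - slot) & 0x1F > MAX_SLOT_AGE:      # stale cookie: replay window closed
        return None
    expected = _mac(src_ip, dst_ip, src_port, dst_port, slot)
    if not hmac.compare_digest(struct.pack("!I", expected),
                               struct.pack("!I", cookie & 0x1FFFFFF)):
        return None
    return MSS_TABLE[mss_idx]


class SynCookieListener:
    """Listener that allocates state only for handshakes that complete."""

    def __init__(self, local_ip, local_port):
        self.local_ip, self.local_port = local_ip, local_port
        self.established = {}   # (client_ip, client_port) -> negotiated MSS

    def on_syn(self, client_ip, client_port, offered_mss, now):
        # Nothing is stored for the SYN; the ISN carries everything needed later.
        return make_cookie(client_ip, self.local_ip, client_port, self.local_port,
                           offered_mss, now)

    def on_ack(self, client_ip, client_port, ack_num, now):
        # The client's ACK number is ISN + 1, so the cookie is ack_num - 1 (mod 2**32).
        mss = check_cookie((ack_num - 1) & 0xFFFFFFFF, client_ip, self.local_ip,
                           client_port, self.local_port, now)
        if mss is None:
            return False
        self.established[(client_ip, client_port)] = mss
        return True


def flood_demo(n_spoofed=10000):
    """Constructed flood: n spoofed SYNs that never ACK, plus one honest client.

    Returns (honest_client_connected, established_count). The listener has no
    half-open table at all, so the spoofed SYNs cost no memory.
    """
    srv = SynCookieListener("198.51.100.10", 443)
    t = 1000
    for i in range(n_spoofed):
        srv.on_syn(f"203.0.113.{i % 254 + 1}", 1024 + i, 1460, t)
    isn = srv.on_syn("192.0.2.7", 40000, 1400, t)
    ok = srv.on_ack("192.0.2.7", 40000, (isn + 1) & 0xFFFFFFFF, t + 5)
    return ok, len(srv.established)
```

The trade-off a practitioner should keep in mind: because the listener stores nothing at SYN time, any TCP option not squeezed into the cookie (here everything except a coarse MSS) is lost for cookie-validated connections, which is why appliances typically enable SYN cookies only while a flood is detected.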
Configuring Network Protection Policies
Each Network Protection policy consists of two parts:
• The classification that defines the protected network segment.
• The action applied when an attack is detected on the matching network segment. The action defines the protection profiles applied to the network segment, and whether the malicious traffic should be blocked. Malicious traffic is always reported.
Note:
The terms Network Protection policy and network policy may be used interchangeably in APSolute Vision
and in the documentation.
In this version of Radware DefensePro DDoS Mitigation, you can configure up to 50 Network Protection policies.
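The following is an added example, written for this page and not DefensePro code, that models the policy structure described above: a classification (network segment), an action (attached protection profiles plus a block flag), reporting that happens regardless of the block flag, and the cap of 50 policies. Longest-prefix selection among overlapping segments and the profile names used are this example's assumptions; the page does not say how DefensePro resolves overlaps. All addresses and events are constructed sample data.

```python
"""Network Protection policy model (added example; illustrative, not DefensePro code).

classification = protected network segment; action = profiles to apply + block flag.
Matching by longest prefix is an assumption; the cap of 50 is from the page.
"""
import ipaddress
from dataclasses import dataclass

MAX_POLICIES = 50


@dataclass
class NetworkPolicy:
    name: str
    segment: ipaddress.IPv4Network   # classification: protected network segment
    profiles: tuple                  # action: protection profiles applied to it
    block: bool                      # action: block (True) or report only (False)


@dataclass
class Verdict:
    policy: str
    profiles: tuple
    reported: bool   # always True: malicious traffic is always reported
    blocked: bool    # follows the matching policy's block flag


class PolicyTable:
    def __init__(self):
        self._policies = []

    def can_add(self):
        return len(self._policies) < MAX_POLICIES

    def add(self, policy):
        if not self.can_add():
            raise ValueError(f"at most {MAX_POLICIES} Network Protection policies")
        self._policies.append(policy)

    def classify(self, dst_ip):
        """Most specific segment containing dst_ip (assumed overlap rule), or None."""
        ip = ipaddress.ip_address(dst_ip)
        matches = [p for p in self._policies if ip in p.segment]
        return max(matches, key=lambda p: p.segment.prefixlen, default=None)

    def on_attack(self, dst_ip, protection):
        """Verdict for a detection raised by `protection` against dst_ip.

        Returns None when no policy covers the segment or the matching policy
        does not carry that protection: unprotected traffic gets no action.
        """
        policy = self.classify(dst_ip)
        if policy is None or protection not in policy.profiles:
            return None
        return Verdict(policy.name, policy.profiles, reported=True, blocked=policy.block)


def demo():
    """Constructed policies and attack events; returns one verdict per event."""
    table = PolicyTable()
    table.add(NetworkPolicy("dmz", ipaddress.ip_network("198.51.100.0/24"),
                            ("BDoS", "SYN Protection"), block=True))
    table.add(NetworkPolicy("dns-report-only", ipaddress.ip_network("198.51.100.53/32"),
                            ("DNS Protection",), block=False))
    events = [
        ("198.51.100.10", "SYN Protection"),   # dmz: reported and blocked
        ("198.51.100.53", "DNS Protection"),   # /32 policy: reported, not blocked
        ("198.51.100.53", "SYN Protection"),   # /32 policy shadows dmz, no SYN profile
        ("203.0.113.9", "BDoS"),               # no policy covers this segment
    ]
    return [table.on_attack(ip, prot) for ip, prot in events]


def fill_to_cap():
    """Add policies until the cap is hit; returns (count_added, further_add_allowed)."""
    table = PolicyTable()
    for i in range(MAX_POLICIES):
        table.add(NetworkPolicy(f"p{i}", ipaddress.ip_network(f"10.{i}.0.0/16"),
                                ("BDoS",), block=True))
    return len(table._policies), table.can_add()
```

The third event is the one worth noticing when segments overlap: a narrow report-only policy that shadows a broader blocking one also removes the profiles it does not carry, so a host-specific exception can silently drop protections the parent segment had.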
© 2016 Cisco | Radware. All rights reserved. This document is Cisco Public.
Page 121 of 281