How do I setup Rate-Based Attack Prevention on the FTD using Snort 2?

Dynamic rule states are policy-specific.

A Revert appears in a field when you enter an invalid value; click it to revert to the last valid value for that field or to clear the field if there was no previous value.

Note

Dynamic rule states cannot enable disabled rules or drop traffic that matches disabled rules.

Procedure:

Procedure

Step 1

On the CDO menu bar, click Tools & Services > Firewall Management Center to view the Services page.

Step 2

Choose Cloud-Delivered FMC and click the links in the Actions, Management, or System pane to navigate to cloud-delivered Firewall Management Center to perform various actions. See View Services Page Information.

Step 3

Choose Policies > Access Control > Intrusion.

Step 4

Click Snort 2 Version next to the policy you want to edit.

If View (View button) appears instead, the configuration belongs to an ancestor domain, or you do not have permission to modify the configuration.

Step 5

Click Rules immediately under Policy Information in the navigation pane.

Step 6

Choose the rule or rules where you want to add a dynamic rule state.

Step 7

Choose Dynamic State > Add Rate-Based Rule State.

Step 8

Choose a value from the Track By drop-down list.

Step 9

If you set Track By to Source or Destination, enter the address of each host you want to track in the Network field. You can specify a single IP address, address block, variable, or a comma-separated list comprised of any combination of these.

Step 10

Next to Rate, specify the number of rule matches per time period to set the attack rate:

Step 11

From the New State drop-down list, specify the new action to be taken when the conditions are met.

Step 12

Enter a value in the Timeout field.

After the timeout occurs, the rule reverts to its original state. Specify 0 or leave the Timeout field blank to prevent the new action from timing out.

Step 13

Click OK.

Note

The system displays a Dynamic State next to the rule in the Dynamic State column. If you add multiple dynamic rule state filters to a rule, a number over the filter indicates the number of filters.

Note

To delete all dynamic rule settings for a set of rules, choose the rules on the Rules page, then choose Dynamic State > Remove Rate-Based States. You can also delete individual rate-based rule state filters from the rule details for the rule by choosing the rule, clicking Show details, then clicking Delete by the rate-based filter you want to remove.

Step 14

To save changes you made in this policy since the last policy commit, click Policy Information, then click Commit Changes.

If you leave the policy without committing changes, changes since the last commit are discarded if you edit a different policy.