Tuning Cisco IOS Firewall Denial-of-Service Protection

Source: Cisco Systems

Prior to Cisco IOS Software Release 12.4(11)T, Cisco IOS Firewall provided Denial-of-Service (DoS) attack protection by default whenever either Classic or Zone-Based Policy Firewall was applied. Cisco IOS Software Release 12.4(11)T changed the default DoS settings so that protection is effectively disabled, although the connection activity counters remain active. This paper provides procedures for tuning Cisco IOS Firewall DoS protection values for both Classic and Zone-Based Policy Firewall. In both Classic Firewall (ip inspect) and Zone-Based Policy Firewall, Cisco IOS Firewall maintains counters of the number of half-open TCP connections, as well as the total connection rate through the firewall and intrusion prevention software.
Format: PDF
Size: 175.30
Date: Oct 2006