Internet-to-Data-Center Traffic Policies

1. Create application allow list Security policy rules for internet-to-data-center traffic to control and secure partner, contractor, and customer access.
   Protect against downloading malware from an infected external client or placing malware on an external server from an infected data center server. Create allow rules for applications required for business purposes and create an External Dynamic List (EDL) to block bad IP addresses. For each rule, configure Log at Session End on the Actions tab and set up Log Forwarding to track and analyze rule violations.

   This example restricts the applications and destinations for internet-to-data-center traffic, and uses the Negate option to prevent communication with the Bad IPs List EDL.

   Create similar rules for traffic from the internet to other server groups (if allowed) and other applications. Make each rule specific to limit access to only the required applications and servers.
2. Create Decryption policy rules for internet-to-data-center-traffic to decrypt allowed traffic.
   Configure SSL Inbound Inspection (and import the destination server certificates into the firewall) to decrypt partner, contractor, and customer traffic that Security policy rules allow for internet-to-data-center traffic. This example shows the Decryption policy for the preceding Security policy rule.

   Create Decryption rules to match traffic that internet-to-data-center Security policy rules allow.
3. Create internet-to-data-center DoS Protection policy rules to protect sensitive servers from Denial-of-Service (DoS) attacks by limiting the number of connections-per-second (CPS) the firewall allows to the servers to prevent a SYN flood attack.
   Attackers target the web server tier because if they take it down, they prevent most legitimate access to the data center. Apply a classified DoS Protection policy rule with a DoS Protection profile that limits the incoming CPS to prevent traffic spikes that can affect server performance and availability.
   • Create a classified DoS Protection profile to protect the web server tier and prevent SYN flood attacks. The CPS thresholds you set depend on the baseline peak CPS rate.

   • Create a DoS Protection policy rule to specify the web servers you’re protecting and apply the classified DoS Protection profile to it.
     To protect against SYN flood attacks from internal sources, create a separate DoS Protection policy rule that specifies your internal zones as the source zone instead of L3-External. Separate rules for external and internal attack sources provides separate reporting that makes investigating attack attempts easier.
   • In addition, configure Packet Buffer Protection for each data center zone to protect the firewall from single-session DoS attacks that can cause legitimate traffic to drop.