The firewall resources are finite, so
you wouldn’t want to classify using source address on an internet-facing
zone because there can be an enormous number of unique IP addresses
that match the DoS Protection policy rule. That would require many
counters and the firewall would run out of tracking resources. Instead,
define a DoS Protection policy rule that classifies using the destination
address (of the server you are protecting).