DDOS exclusion settings
I have a question about the following settings. I want to exclude the source address 1.1.1.1 from DDoS protection, so I have configured the settings as follows. For UDP communication from 1.1.1.1 to 2.2.2.2, glid 20 or glid 10 is applied, and a traffic threshold exceedance is detected.
Shouldn't glid 30 from the class-list be applied if there is a src-dst-pair-class-list in the ddos dst entry? Is it expected behavior that a glid with a lower threshold is being applied?
class-list Class-List
  1.1.1.1 /32 cid 1
!
ddos dst entry DDoS_Dst_Entry 2.2.2.2
  log-enable
  log-periodic
  l4-type udp
    glid 10
  src-dst-pair default
    log-enable
    log-periodic
    l4-type-src-dst udp
      glid 20
  src-dst-pair-class-list Class-List
    log-enable
    log-periodic
    cid 1
      l4-type-src-dst-cid udp
        glid 30
!
glid 10
  pkt-rate-limit 2000
!
glid 20
  pkt-rate-limit 1000
!
glid 30
  conn-limit 16000000
  conn-rate-limit 16000000
  pkt-rate-limit 16000000
  frag-pkt-rate-limit 16000000
Answers
It looks like GLID 30 should be applied, but the system might be prioritizing GLID 10 or 20 first. This could be due to rule evaluation order or the system applying the most restrictive GLID. Check your logs to confirm which rule is triggering, and try adjusting the rule order if needed.
Thank you for your comment. According to the manufacturer's documentation, the evaluation order of the rules prioritizes the Class-list. However, upon checking the logs, it seems that glid 10 is being applied, which raised my doubts.
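As an added example that is not part of the thread and not A10's own tooling: a small Python script that reads the configuration posted in the question and reports which glid the documented precedence would select for a given flow, next to the glid the device log shows, so a mismatch like the one described can be stated precisely (expected glid and rate limit versus observed) when raising it with the vendor. The precedence order it walks (class-list cid first, then src-dst-pair default, then the dst-level l4-type) is taken from the asker's reading of the documentation and is an assumption here, as is the simplified line-based parsing of the running-config text; the log-enable/log-periodic lines are left out of the embedded copy because this parser ignores them.

```python
import ipaddress
from dataclasses import dataclass, field

# Constructed copy of the configuration posted in the thread, indented as ACOS prints it.
CONFIG = """\
class-list Class-List
  1.1.1.1 /32 cid 1
!
ddos dst entry DDoS_Dst_Entry 2.2.2.2
  l4-type udp
    glid 10
  src-dst-pair default
    l4-type-src-dst udp
      glid 20
  src-dst-pair-class-list Class-List
    cid 1
      l4-type-src-dst-cid udp
        glid 30
!
glid 10
  pkt-rate-limit 2000
!
glid 20
  pkt-rate-limit 1000
!
glid 30
  conn-limit 16000000
  conn-rate-limit 16000000
  pkt-rate-limit 16000000
  frag-pkt-rate-limit 16000000
"""

@dataclass
class DstEntry:
    class_list: str = ""                       # src-dst-pair-class-list name, if any
    glid: dict = field(default_factory=dict)   # (scope, proto) -> glid; scope is "dst", "pair" or a cid

@dataclass
class Config:
    class_lists: dict = field(default_factory=dict)  # name -> {IPv4Network: cid}
    entries: dict = field(default_factory=dict)      # dst IPv4Address -> DstEntry
    glids: dict = field(default_factory=dict)        # glid id -> {limit name: value}

def parse_config(text):
    cfg, ctx, cur, pending, cid = Config(), None, None, None, None
    for tok in filter(None, (line.split() for line in text.splitlines())):
        if tok[0] == "!":                                # end of the current block
            ctx = cur = pending = cid = None
        elif ctx is None:                                # top-level block openers
            if tok[0] == "class-list":
                ctx, cur = "class-list", cfg.class_lists.setdefault(tok[1], {})
            elif tok[:3] == ["ddos", "dst", "entry"]:
                ctx, cur = "entry", cfg.entries.setdefault(ipaddress.ip_address(tok[4]), DstEntry())
            elif tok[0] == "glid":
                ctx, cur = "glid", cfg.glids.setdefault(int(tok[1]), {})
        elif ctx == "class-list" and "cid" in tok:
            # ACOS prints "1.1.1.1 /32 cid 1" with a space before the prefix length
            prefix = tok[0] + tok[1] if tok[1].startswith("/") else tok[0]
            cur[ipaddress.ip_network(prefix, strict=False)] = int(tok[tok.index("cid") + 1])
        elif ctx == "glid":
            cur[tok[0]] = int(tok[1])                    # e.g. pkt-rate-limit 2000
        elif ctx == "entry":
            if tok[0] in ("l4-type", "l4-type-src-dst", "l4-type-src-dst-cid"):
                pending = (tok[0], tok[1])               # the next "glid N" belongs to this clause
            elif tok[0] == "src-dst-pair-class-list":
                cur.class_list = tok[1]
            elif tok[0] == "cid":
                cid = int(tok[1])
            elif tok[0] == "glid" and pending:
                kind, proto = pending
                scope = {"l4-type": "dst", "l4-type-src-dst": "pair"}.get(kind, cid)
                cur.glid[(scope, proto)] = int(tok[1])
                pending = None
    return cfg

def resolve_glid(cfg, src, dst, proto):
    """Return (glid, clause) for a src->dst flow. The precedence (class-list cid, then
    src-dst-pair default, then dst-level l4-type) is assumed from the asker's reading of the docs."""
    entry = cfg.entries.get(ipaddress.ip_address(dst))
    if entry is None:
        return None, "no ddos dst entry"
    for net, cid in cfg.class_lists.get(entry.class_list, {}).items():
        if ipaddress.ip_address(src) in net and (cid, proto) in entry.glid:
            return entry.glid[(cid, proto)], f"src-dst-pair-class-list {entry.class_list} cid {cid}"
    for scope, clause in (("pair", "src-dst-pair default"), ("dst", "dst entry l4-type")):
        if (scope, proto) in entry.glid:
            return entry.glid[(scope, proto)], clause
    return None, "no glid matches"

def audit(cfg, src, dst, proto, observed_glid):
    """Compare the glid the config predicts with the one a device log reports for the flow."""
    expected, clause = resolve_glid(cfg, src, dst, proto)
    pps = lambda g: cfg.glids.get(g, {}).get("pkt-rate-limit")
    return {"expected_glid": expected, "clause": clause, "expected_pps": pps(expected),
            "observed_glid": observed_glid, "observed_pps": pps(observed_glid),
            "mismatch": expected != observed_glid}

CFG = parse_config(CONFIG)
```

Running `audit(CFG, "1.1.1.1", "2.2.2.2", "udp", observed_glid=10)` returns a mismatch: the class-list clause predicts glid 30 (pkt-rate-limit 16000000) while the log reported glid 10 (pkt-rate-limit 2000), which is exactly the gap between the documented order and the observed behaviour that the reply describes. A source outside the class-list, such as 5.5.5.5, resolves to glid 20 via src-dst-pair default, and a protocol with no matching clause resolves to nothing.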