Zone and Zone Services Manual Mode

Allows you to implement Zone and Zone Service configurations manually.

Edit the Zone Limit

To edit an existing zone limit, perform the following steps:

  1. Go to Incidents > Mitigation Console.
  2. Expand the Zone Stats tab and click Configure. The Edit Zone page appears.
  3. From the Zone Limit drop-down list, select a zone limit. The Edit Zone Limit page appears.

    To edit an already applied zone limit, click the Modify link. To apply a new zone limit, select a new zone limit and edit the fields.

  4. On the Edit Zone Limit page, edit the fields as per your requirement.

  5. Under Over Limit Action, select Enable.

    The over limit action applies when the GLID is used by a Protected Destination Entry. When the GLID is referenced by a Protected Zone, the action specified within the zone service applies.

  6. Under Action Type, select one of the following actions:

    • Drop: Select this action to drop the traffic if it matches the zone limit.
    • Blacklist Source: Select this action to blacklist the traffic if it matches the zone limit. If you select Blacklist Source as an action, you must specify a time of 1-30 minutes.

  7. Click Save & Push to apply the configuration.

Create the Zone Limit

To create a new zone limit, perform the following steps:

  1. Go to Incidents > Mitigation Console.
  2. Expand the Zone Stats tab and click Configure. The Edit Zone page appears.

    Make sure that no zone limit is applied. If a zone limit is already applied, you must first delete the applied zone limit.

  3. On the Edit Zone page, click Create to create a new zone limit.

  4. On the Create Zone Limit page, perform the following steps:

    Table 42: Zone Services

    Fields / Purpose

    Name

    Enter the Name of the GLID. The supported value is a string of 1-26 characters.

    If you are trying to recreate a deleted template that was previously associated with a few zones, an Associated Zones link appears next to the Name field. This Associated Zones link displays the zones with which the template was previously associated.

    Description

    Enter a description of the GLID parameters. The supported value is a string of 1-63 characters.

    Rate Unit

    Select a rate unit such as System Global Setting or Per Second.

    System Global Setting is a per-device setting, which can be either 100ms or 1sec. Selecting System Global Setting means the rate unit set on the device is used for this GLID.

    Concurrent Connections

    Specifies the maximum number of concurrent connections. The supported value is 1-16000000.

    New Connections

    Specifies the maximum number of new connections allowed per interval. The supported value is 1-16000000.

    Kibit Rate

    Specifies the maximum number of Kibits allowed within a DDoS Mitigation interval. The GLID action for overlimit traffic is applied to bits received after the limit is reached. There are no default bandwidth rate limits. To set a bandwidth limit, you must configure the limit in a GLID and apply (bind) the GLID to a DDoS Mitigation rule. Separate bandwidth limits are configurable for each Layer 4 type (TCP, UDP, ICMP, and Other). The supported value is 1-16000000.

    NOTE: If a GLID bound to a DDoS Mitigation rule does not specify a packet rate limit or a bandwidth rate limit, the rate for the matching traffic is unlimited.

    NOTE: If there is no GLID bound to a rule, ACOS applies the applicable packet rate limit to the matching traffic.

    Packet Rate

    Specifies the maximum number of packets allowed per interval. The supported value is 1-16000000.

    Fragmented Packet Rate

    Specifies the maximum number of fragmented packets allowed per interval. The supported value is 1-16000000.

    SYN Cookie Failures

    Specifies the maximum number of SYN-cookie failures allowed per interval. A SYN-cookie failure occurs when the sequence number in a TCP ACK from a client does not pass the SYN-cookie check. The supported value is 1-16.

    Over Limit Action

    Enables the action taken when traffic exceeds one or more of the limits.

    Specifies the action taken when traffic exceeds one or more of the limits. The supported values are:

    • Disable (default)
    • Enable
    NOTE: With Send Flowspec, when this GLID is configured on a zone, zone-service, or src-port, Flowspec rules are automatically created for all the zone IPs upon violation.

    Action Type

    Select one of the following actions:

    • Drop: Select this action to drop the traffic if it matches the zone limit.
    • Blacklist Source: Select this action to blacklist the traffic if it matches the zone limit.

      If you select Blacklist Source as an action, you must specify a time of 1-30 minutes.

    • Show Flowspec: Select this action to automatically create rules for all the zone IPs.

NOTE: You may need to configure Source Port Policies and IP Port Policies, if required. For more details, see Zone Stats.
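
The following pre-flight check is an added example, not code from the product or its vendor. It lints a planned zone limit (GLID) against the ranges in Table 42 before the values are entered in the console, and warns about the unlimited-rate case described in the Kibit Rate note. The dictionary keys, the treatment of Description as optional, and the sample values are assumptions made for illustration.

```python
# Added example: lint a planned zone limit (GLID) against Table 42.
# Dictionary keys are hypothetical; the ranges are the ones the table states.
RANGES = {
    "concurrent_connections": (1, 16_000_000),
    "new_connections": (1, 16_000_000),
    "kibit_rate": (1, 16_000_000),
    "packet_rate": (1, 16_000_000),
    "fragmented_packet_rate": (1, 16_000_000),
    "syn_cookie_failures": (1, 16),
}
ACTIONS = {"Drop", "Blacklist Source", "Show Flowspec"}

def lint_zone_limit(glid):
    """Return (errors, warnings) for one planned GLID definition."""
    errors, warnings = [], []
    if not 1 <= len(glid.get("name", "")) <= 26:
        errors.append("name: must be 1-26 characters")
    desc = glid.get("description")  # assumption: optional, checked only if set
    if desc is not None and not 1 <= len(desc) <= 63:
        errors.append("description: must be 1-63 characters")
    for field, (low, high) in RANGES.items():
        value = glid.get(field)
        if value is not None and (type(value) is not int or not low <= value <= high):
            errors.append(f"{field}: must be an integer in {low}-{high}")
    # Per the NOTE under Kibit Rate: no packet or bandwidth limit means unlimited.
    if glid.get("packet_rate") is None and glid.get("kibit_rate") is None:
        warnings.append("no packet or Kibit rate set: matching traffic is unlimited")
    if glid.get("over_limit_action", "Disable") == "Enable":
        action = glid.get("action_type")
        if action not in ACTIONS:
            errors.append("action_type: must be one of " + ", ".join(sorted(ACTIONS)))
        elif action == "Blacklist Source":
            minutes = glid.get("blacklist_minutes")
            if type(minutes) is not int or not 1 <= minutes <= 30:
                errors.append("blacklist_minutes: must be 1-30")
    return errors, warnings

# Constructed samples: a weak plan and its corrected form.
WEAK = {"name": "edge-web-zone-limit-2025-primary", "concurrent_connections": 50000,
        "syn_cookie_failures": 64, "over_limit_action": "Enable",
        "action_type": "Blacklist Source", "blacklist_minutes": 60}
FIXED = {"name": "edge-web-zone-limit", "packet_rate": 200000, "kibit_rate": 800000,
         "syn_cookie_failures": 8, "over_limit_action": "Enable",
         "action_type": "Blacklist Source", "blacklist_minutes": 10}

if __name__ == "__main__":
    for label, plan in (("WEAK", WEAK), ("FIXED", FIXED)):
        print(label, lint_zone_limit(plan))
```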

Copyright © 2025 A10 Networks, Inc. All Rights Reserved.