I am tweaking my DoS policies and have two inquiries for further clarification purposes. I understand that my destination address in the policy needs to be the public facing IP address for the servers/services I am wanting to protect.
1. Is the firewall's interface (or NAT pool) inferred in that (even though you specify the server's VIP address as the destination only)? So what I mean is, if the firewall's WAN interface is 184.108.40.206 and the server's VIP is 220.127.116.11 and I specify just the server's address in the destination, should I also receive anomaly info on the 18.104.22.168 as well should my policy threshold trip? I'm asking this as I am getting anomalies on my firewall's NAT pool interface for just general egress traffic that I don't have defined in my DoS Policy destination, so was curious about that.
2. Is there any benefit in separating out policies, i.e... one for L4 ICMP anomalies for all destinations and one for L4 TCP_src anomalies for specific destinations for example?
Edited to respond that I answered my own inquiry. First query was due to the fact that I totally forgot that my SSL VPN was also a public facing service. Second query was more just a matter of my preference in that I created on policy to cover ICMP only to all destinations with ICMP anomalies only and a second policy where I was very granular to those public facing servers on only the ports I had open for those VIPs with tcp anomalies only (no tcp_dst since this is Internet sourced policy and not an outbound destined).