Web Server Protection: DoS Protection
The WAF, based on Apache reverse proxy, if enabled, can become a target for App layer DoS attacks.
These are easy to execute(tools are publicly available) and the WAF would take the hit rather than the backend web server. Most WAF vendors already implemented protection against such attacks.
The easiest way to mitigate these attacks can be to use ModSecurity, e.g.:
Alternatively mod_reqtimeout in combination with some ModSecurity rules can be used; this approach is described in the above link(ModSecurity blog entry).
Currently, to fend off such attacks, an workaround is to disable the WAF, use a DNAT rule and implement protection on the backend web server.
WAF on UTM9 and XG needs an upgrade. At the moment WAF protection is basic. They should include other advanced features like other WAF product:
Here is a quick listing of security coverage:
Botnet Attack detection and prevention
DoS and Brute Force Attack detection and prevention