The following is a detailed description of attack-detection behavior.

The Edge SWG (ProxySG) appliance attack detection feature limits attacks based on connection limit and number of failures:

1. If the number of failures exceed the configured failure limit, the Edge SWG (ProxySG) sends warnings to the client. Subsequently, if the number of warnings exceed the configured warning limit, the Edge SWG (ProxySG) changes the client to blocked state. The client is blocked for the configured unblocking time, and new connections will pass only after that configured time period or is manually unblocked. (Failed requests, by default, include various HTTP response failures such as 4xx client errors (excluding 401 and 407) and 5xx server errors. The HTTP responses that you want treated as failure can be so designed by creating policy.)
2. If the number of connections from a client exceed the connection limit, further connections from that client are not passed (a type of blocked state). If one of the connections is closed, the client goes below the configured limit, and the next connection from that client is passed through.

The best ways to check whether or not a client is blocked is by going to the following advanced url's: