Fortinet Document Library


Handbook

Configuring an IP fragmentation policy

IP fragmentation lets an IP datagram traverse any network on its path: a datagram that left its source as a single packet can be split into smaller packets that fit the MTU of an intermediate link and reassembled at the receiving host. A DDoS attack can turn this against the receiver. Fragments that never form a complete datagram, or that claim a total size large enough to overrun the reassembly buffers in your router, force the device to hold partial datagrams in memory and can deny service to the network behind it.

The purpose of such an attack is to consume system memory and network bandwidth in the shortest possible time. The defense limits the memory that fragment reassembly may use, the maximum distance between fragments of the same datagram from one source IP, and how long an incomplete datagram may wait for its remaining fragments before it is discarded.

Before you begin:

  • You must have Read-Write permission for Security settings.

To configure an IP fragmentation policy:

  1. Go to DoS Protection > Networking > IP Fragmentation Protection.
  2. Click Edit to display the configuration editor.
  3. Complete the configuration.

    Max Memory Size Limit

    Maximum memory, for the VDOM, that queued IP fragments may occupy. When this limit is reached, FortiADC stops reassembling fragmented IP datagrams.

    Min Memory Size Limit

    When the total memory occupied by IP fragments drops to this limit, FortiADC resumes reassembly. Set it below Max Memory Size Limit; the gap between the two thresholds provides hysteresis, so reassembly does not switch on and off on every packet once the budget is near its maximum.

    Timeout

    Maximum lifetime of each fragment queue (the fragments of one partially reassembled datagram). If a queue exceeds this timeout, all fragments in it are dropped and their memory is released.

  4. Save the configuration.
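The following Python model shows how the three settings interact under a fragment flood: an attacker's incomplete datagrams fill the memory budget up to the maximum limit, reassembly pauses and legitimate fragments are lost, and the timeout then expires the stale queues until memory falls to the minimum limit and reassembly resumes. This is an added illustration written for this page, not FortiADC code; the class and field names are assumptions, and every fragment in it is constructed sample input.

```python
"""Model of a fragment reassembler governed by a max/min memory budget and
a per-queue timeout.  Added example, not FortiADC code: class names, field
names and the sample fragments below are assumptions / constructed input."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Fragment:
    src: str
    ident: int      # IP Identification field shared by all fragments of one datagram
    offset: int     # byte offset of this fragment's payload within the datagram
    more: bool      # More Fragments (MF) flag
    payload: bytes


@dataclass
class Queue:
    first_seen: float
    frags: Dict[int, Fragment] = field(default_factory=dict)   # offset -> fragment
    total_len: Optional[int] = None      # known once the MF=0 fragment has arrived

    def bytes_held(self) -> int:
        return sum(len(f.payload) for f in self.frags.values())

    def complete(self) -> bool:
        """True when the fragments cover 0..total_len with no gaps."""
        if self.total_len is None:
            return False
        covered = 0
        for off in sorted(self.frags):
            if off != covered:           # a fragment is still missing
                return False
            covered = off + len(self.frags[off].payload)
        return covered == self.total_len


class Reassembler:
    def __init__(self, max_mem: int, min_mem: int, timeout: float):
        # min must stay below max: the gap is the hysteresis band
        assert 0 <= min_mem < max_mem
        self.max_mem, self.min_mem, self.timeout = max_mem, min_mem, timeout
        self.queues: Dict[Tuple[str, int], Queue] = {}
        self.mem_used = 0
        self.paused = False    # set at max_mem, cleared once usage falls to min_mem
        self.dropped = 0       # fragments refused while paused

    def expire(self, now: float) -> int:
        """Timeout: drop every queue that has lived longer than the timeout."""
        stale = [k for k, q in self.queues.items() if now - q.first_seen > self.timeout]
        for k in stale:
            self._free(k)
        return len(stale)

    def _free(self, key: Tuple[str, int]) -> None:
        self.mem_used -= self.queues.pop(key).bytes_held()
        if self.paused and self.mem_used <= self.min_mem:
            self.paused = False          # Min Memory Size Limit: resume reassembly

    def receive(self, frag: Fragment, now: float) -> Optional[bytes]:
        """Accept one fragment; return the full payload once its datagram completes."""
        self.expire(now)                 # a real device would do this on a timer
        if self.paused:
            self.dropped += 1
            return None
        key = (frag.src, frag.ident)
        q = self.queues.setdefault(key, Queue(first_seen=now))
        if frag.offset in q.frags:       # duplicate fragment, nothing new to hold
            return None
        q.frags[frag.offset] = frag
        self.mem_used += len(frag.payload)
        if not frag.more:
            q.total_len = frag.offset + len(frag.payload)
        if q.complete():
            data = b"".join(q.frags[o].payload for o in sorted(q.frags))
            self._free(key)
            return data
        if self.mem_used >= self.max_mem:
            self.paused = True           # Max Memory Size Limit: stop reassembling
        return None


def simulate_flood(max_mem: int = 4000, min_mem: int = 1000, timeout: float = 30.0) -> dict:
    """Constructed scenario: 20 never-completed first fragments of 500 bytes each
    from one attacker, then a legitimate two-fragment datagram before and after
    the stale queues expire."""
    r = Reassembler(max_mem, min_mem, timeout)
    for i in range(20):
        r.receive(Fragment("203.0.113.7", 1000 + i, 0, True, b"A" * 500), now=float(i))
    paused_after_flood = r.paused            # budget reached after 8 fragments
    dropped_during_flood = r.dropped         # the remaining 12 were refused
    r.receive(Fragment("198.51.100.9", 7, 0, True, b"hello "), now=20.0)
    lost = r.receive(Fragment("198.51.100.9", 7, 6, False, b"world"), now=20.5)
    r.expire(now=40.0)                       # attacker queues exceed the 30 s timeout
    resumed = not r.paused
    r.receive(Fragment("198.51.100.9", 8, 0, True, b"hello "), now=41.0)
    got = r.receive(Fragment("198.51.100.9", 8, 6, False, b"world"), now=41.5)
    return {"paused_after_flood": paused_after_flood, "dropped_during_flood": dropped_during_flood,
            "lost_while_paused": lost, "resumed_after_expiry": resumed, "reassembled": got}


if __name__ == "__main__":
    print(simulate_flood())
```

The scenario makes the sizing trade-off visible: a large gap between the maximum and minimum limits keeps reassembly paused for longer after a flood, while a short timeout frees attacker queues sooner but will also discard slow legitimate datagrams whose fragments arrive late.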

 
