Fortinet white logo
Fortinet white logo

CLI Reference

config security dos dos-protection-profile

config security dos dos-protection-profile

A DoS Protection profile references the DoS policies that are to be enforced.

Syntax

configure security dos dos-protection-profile

edit <name>

set http-access-limit <datasource>

set http-connection-flood-protection <datasource>

set http-request-flood-protection <datasource>

set tcp-access-flood-protection <datasource>

set tcp-slowdata-attack-protection <datasource>

set dns-query-flood-protection <datasource>

set dns-reverse-flood-protection <datasource>

set http-send-timeout <integer>

next

end

http-access-limit

Specify an HTTP Access Limit policy. Limit the request number per second from an IP.

http-connection-flood-protection

Specify an HTTP Connection Flood policy. Limit the number of connections from a client, which is marked by a cookie.

http-request-flood-protection

Specify an HTTP Request Flood policy. Limit the request number per second from a client, which is marked by a cookie.

tcp-access-flood-protection

Specify TCP Connection Access Flood Protection policy.

A TCP connection flood attempts to prevent legitimate requests from being established by flooding the server with requests for new connections. By setting a threshold limit for TCP requests, FortiADC can detect and take action to protect against a TCP connection flood.

tcp-slowdata-attack-protection

Specify a TCP Slow Data Flood Protection policy.

After the TCP connection is established (the three-way handshake is completed), if FortiADC sends data to the client but the client returns a zero window (a zero window appears when, for example, the client does not take the data out of the TCP receive queue of the client OS when the data sent by the FortiADC fills up the queue), FortiADC will stop sending data. In this case, FortiADC can actively abort TCP connections and release related resources to avoid occupying its resources for a long time.

dns-query-flood-protection

Specify a DNS Query Flood Protection policy. The DNS Query Flood Protection policy can limit the number of DNS request per second to mitigate against DNS query flood attacks that aim to overwhelm DNS servers with high volumes of illegitimate DNS queries.

dns-reverse-flood-protection

Specify a DNS Reverse Flood Protection policy. The DNS Reverse Flood Protection policy can limit the number of ANY type DNS requests per second to mitigate against DNS reverse flood attacks that aim to overwhelm network resources with high volumes of DNS responses.

http-send-timeout

After receiving an HTTP request, FortiADC may forward a response which comes from the backend server. If FortiADC cannot send out all the response messages, it will save the rest of the data in a buffer, and will try to send out again when possible. When there occurs a timeout, if the buffer still has data to be sent, FortiADC will abort this TCP connection.

Example

configure security dos dos-protection-profile

edit dos-profile

set http-access-limit access-limit

set http-connection-flood-protection conn-limit

set http-request-flood-protection req-limit

set http-send-timeout 3

next

end

configure security dos dos-protection-profile

edit dos-profile

set http-access-limit access-limit

set http-connection-flood-protection conn-limit

set http-request-flood-protection req-limit

next

end

config security dos dos-protection-profile

config security dos dos-protection-profile

A DoS Protection profile references the DoS policies that are to be enforced.

Syntax

configure security dos dos-protection-profile

edit <name>

set http-access-limit <datasource>

set http-connection-flood-protection <datasource>

set http-request-flood-protection <datasource>

set tcp-access-flood-protection <datasource>

set tcp-slowdata-attack-protection <datasource>

set dns-query-flood-protection <datasource>

set dns-reverse-flood-protection <datasource>

set http-send-timeout <integer>

next

end

http-access-limit

Specify an HTTP Access Limit policy. Limit the request number per second from an IP.

http-connection-flood-protection

Specify an HTTP Connection Flood policy. Limit the number of connections from a client, which is marked by a cookie.

http-request-flood-protection

Specify an HTTP Request Flood policy. Limit the request number per second from a client, which is marked by a cookie.

tcp-access-flood-protection

Specify TCP Connection Access Flood Protection policy.

A TCP connection flood attempts to prevent legitimate requests from being established by flooding the server with requests for new connections. By setting a threshold limit for TCP requests, FortiADC can detect and take action to protect against a TCP connection flood.

tcp-slowdata-attack-protection

Specify a TCP Slow Data Flood Protection policy.

After the TCP connection is established (the three-way handshake is completed), if FortiADC sends data to the client but the client returns a zero window (a zero window appears when, for example, the client does not take the data out of the TCP receive queue of the client OS when the data sent by the FortiADC fills up the queue), FortiADC will stop sending data. In this case, FortiADC can actively abort TCP connections and release related resources to avoid occupying its resources for a long time.

dns-query-flood-protection

Specify a DNS Query Flood Protection policy. The DNS Query Flood Protection policy can limit the number of DNS request per second to mitigate against DNS query flood attacks that aim to overwhelm DNS servers with high volumes of illegitimate DNS queries.

dns-reverse-flood-protection

Specify a DNS Reverse Flood Protection policy. The DNS Reverse Flood Protection policy can limit the number of ANY type DNS requests per second to mitigate against DNS reverse flood attacks that aim to overwhelm network resources with high volumes of DNS responses.

http-send-timeout

After receiving an HTTP request, FortiADC may forward a response which comes from the backend server. If FortiADC cannot send out all the response messages, it will save the rest of the data in a buffer, and will try to send out again when possible. When there occurs a timeout, if the buffer still has data to be sent, FortiADC will abort this TCP connection.

Example

configure security dos dos-protection-profile

edit dos-profile

set http-access-limit access-limit

set http-connection-flood-protection conn-limit

set http-request-flood-protection req-limit

set http-send-timeout 3

next

end

configure security dos dos-protection-profile

edit dos-profile

set http-access-limit access-limit

set http-connection-flood-protection conn-limit

set http-request-flood-protection req-limit

next

end