Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • CLI Reference

    Home FortiADC 7.6.0 CLI Reference
    7.6.0
    7.6.0
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config security dos dos-protection-profile

    config security dos dos-protection-profile

    A DoS Protection profile references the DoS policies that are to be enforced.

    Syntax

    configure security dos dos-protection-profile

    edit <name>

    set http-access-limit <datasource>

    set http-connection-flood-protection <datasource>

    set http-request-flood-protection <datasource>

    set tcp-access-flood-protection <datasource>

    set tcp-slowdata-attack-protection <datasource>

    set dns-query-flood-protection <datasource>

    set dns-reverse-flood-protection <datasource>

    set http-send-timeout <integer>

    next

    end

    http-access-limit

    Specify an HTTP Access Limit policy. Limit the request number per second from an IP.

    http-connection-flood-protection

    Specify an HTTP Connection Flood policy. Limit the number of connections from a client, which is marked by a cookie.

    http-request-flood-protection

    Specify an HTTP Request Flood policy. Limit the request number per second from a client, which is marked by a cookie.

    tcp-access-flood-protection

    Specify TCP Connection Access Flood Protection policy.

    A TCP connection flood attempts to prevent legitimate requests from being established by flooding the server with requests for new connections. By setting a threshold limit for TCP requests, FortiADC can detect and take action to protect against a TCP connection flood.

    tcp-slowdata-attack-protection

    Specify a TCP Slow Data Flood Protection policy.

    After the TCP connection is established (the three-way handshake is completed), if FortiADC sends data to the client but the client returns a zero window (a zero window appears when, for example, the client does not take the data out of the TCP receive queue of the client OS when the data sent by the FortiADC fills up the queue), FortiADC will stop sending data. In this case, FortiADC can actively abort TCP connections and release related resources to avoid occupying its resources for a long time.

    dns-query-flood-protection

    Specify a DNS Query Flood Protection policy. The DNS Query Flood Protection policy can limit the number of DNS request per second to mitigate against DNS query flood attacks that aim to overwhelm DNS servers with high volumes of illegitimate DNS queries.

    dns-reverse-flood-protection

    Specify a DNS Reverse Flood Protection policy. The DNS Reverse Flood Protection policy can limit the number of ANY type DNS requests per second to mitigate against DNS reverse flood attacks that aim to overwhelm network resources with high volumes of DNS responses.

    http-send-timeout

    After receiving an HTTP request, FortiADC may forward a response which comes from the backend server. If FortiADC cannot send out all the response messages, it will save the rest of the data in a buffer, and will try to send out again when possible. When there occurs a timeout, if the buffer still has data to be sent, FortiADC will abort this TCP connection.

    Example

    configure security dos dos-protection-profile

    edit dos-profile

    set http-access-limit access-limit

    set http-connection-flood-protection conn-limit

    set http-request-flood-protection req-limit

    set http-send-timeout 3

    next

    end

    configure security dos dos-protection-profile

    edit dos-profile

    set http-access-limit access-limit

    set http-connection-flood-protection conn-limit

    set http-request-flood-protection req-limit

    next

    end

    Previous
    Next

    config security dos dos-protection-profile

    config security dos dos-protection-profile

    A DoS Protection profile references the DoS policies that are to be enforced.

    Syntax

    configure security dos dos-protection-profile

    edit <name>

    set http-access-limit <datasource>

    set http-connection-flood-protection <datasource>

    set http-request-flood-protection <datasource>

    set tcp-access-flood-protection <datasource>

    set tcp-slowdata-attack-protection <datasource>

    set dns-query-flood-protection <datasource>

    set dns-reverse-flood-protection <datasource>

    set http-send-timeout <integer>

    next

    end

    http-access-limit

    Specify an HTTP Access Limit policy. Limit the request number per second from an IP.

    http-connection-flood-protection

    Specify an HTTP Connection Flood policy. Limit the number of connections from a client, which is marked by a cookie.

    http-request-flood-protection

    Specify an HTTP Request Flood policy. Limit the request number per second from a client, which is marked by a cookie.

    tcp-access-flood-protection

    Specify TCP Connection Access Flood Protection policy.

    A TCP connection flood attempts to prevent legitimate requests from being established by flooding the server with requests for new connections. By setting a threshold limit for TCP requests, FortiADC can detect and take action to protect against a TCP connection flood.

    tcp-slowdata-attack-protection

    Specify a TCP Slow Data Flood Protection policy.

    After the TCP connection is established (the three-way handshake is completed), if FortiADC sends data to the client but the client returns a zero window (a zero window appears when, for example, the client does not take the data out of the TCP receive queue of the client OS when the data sent by the FortiADC fills up the queue), FortiADC will stop sending data. In this case, FortiADC can actively abort TCP connections and release related resources to avoid occupying its resources for a long time.

    dns-query-flood-protection

    Specify a DNS Query Flood Protection policy. The DNS Query Flood Protection policy can limit the number of DNS request per second to mitigate against DNS query flood attacks that aim to overwhelm DNS servers with high volumes of illegitimate DNS queries.

    dns-reverse-flood-protection

    Specify a DNS Reverse Flood Protection policy. The DNS Reverse Flood Protection policy can limit the number of ANY type DNS requests per second to mitigate against DNS reverse flood attacks that aim to overwhelm network resources with high volumes of DNS responses.

    http-send-timeout

    After receiving an HTTP request, FortiADC may forward a response which comes from the backend server. If FortiADC cannot send out all the response messages, it will save the rest of the data in a buffer, and will try to send out again when possible. When there occurs a timeout, if the buffer still has data to be sent, FortiADC will abort this TCP connection.

    Example

    configure security dos dos-protection-profile

    edit dos-profile

    set http-access-limit access-limit

    set http-connection-flood-protection conn-limit

    set http-request-flood-protection req-limit

    set http-send-timeout 3

    next

    end

    configure security dos dos-protection-profile

    edit dos-profile

    set http-access-limit access-limit

    set http-connection-flood-protection conn-limit

    set http-request-flood-protection req-limit

    next

    end

    Previous
    Next