Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY 8.0.1
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    CLI Reference

    Home FortiADC 8.0.1 CLI Reference
    8.0.1
    8.0.2
    8.0.1
    8.0.0
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0
    7.4.9
    7.4.8
    7.4.7
    7.4.6
    7.4.5
    7.4.4
    7.4.3
    7.4.2
    7.4.1
    7.4.0
    7.2.8
    7.2.7
    7.2.6
    7.2.5
    7.2.4
    7.2.3
    7.2.2
    7.2.1
    7.2.0
    7.1.5
    7.1.4
    7.1.3
    7.1.2
    7.1.1
    7.1.0
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.6
    6.2.5
    6.2.4
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.6
    6.1.5
    6.1.4
    6.1.3
    6.1.2
    6.1.1
    6.1.0
    6.0.2
    6.0.1
    6.0.0
    5.4.5
    5.4.3
    5.4.2
    5.4.1
    5.4.0
    5.3.0
    4.8.1
    4.7.0

    config security dos ip-fragmentation-protection

    config security dos ip-fragmentation-protection

    IP packet fragmentation ensures that IP datagrams can traverse various types of networks by splitting large packets into smaller ones for transmission, which are then reassembled by the receiving host. However, during a DDoS attack, malicious actors can exploit IP fragmentation by creating large fragmented datagrams designed to overwhelm router buffers. The objective of this attack is to rapidly consume system memory and network bandwidth.

    To mitigate this, FortiADC allows administrators to limit the maximum memory usage per socket, control the maximum allowable distance between fragmented packets from the same source IP, and set a timeout for the reassembly of the entire fragmented packet. These measures help reduce the impact of fragmentation-based DDoS attacks.

    Syntax

    config security dos ip-fragmentation-protection

    set max-memory-size <integer>

    set min-memory-size <integer>

    set time <integer>

    set exception <datasource>

    end

    max-memory-size

    Defines the maximum memory size (in KB) allocated for IP fragmentation reassembly within the VDOM. When this limit is reached, FortiADC will stop reassembling fragmented packets. The default value is 4096 KB, with a valid range from 0 to 4096 KB.

    min-memory-size

    Specifies the minimum memory size (in KB) for IP fragmentation reassembly. When the total memory size falls below this threshold, reassembly will resume. The default value is 3072 KB, with a valid range from 0 to 4096 KB.

    time

    Sets the maximum lifetime (in seconds) for each fragmentation queue. If the queue exceeds this timeout, all fragmentation packets within the queue are discarded. The default value is 30 seconds, with a valid range from 0 to 256 seconds.

    exception

    Specify the DoS Exception configuration object. See config security dos exception.

    When the memory usage for fragmented packets reaches the configured Max Memory Size limit, FortiADC stops reassembling fragments and drops new fragmented traffic. However, if the source IP of a fragmented packet matches an exception rule, FortiADC continues to accept and forward the packet, bypassing the memory enforcement restriction.

    Example

    configure security dos ip-fragmentation-protection

    set max-memory-size 4096

    set max-memory-size 3072

    set time 30

    set exception exception_1

    end

    Previous
    Next

    config security dos ip-fragmentation-protection

    config security dos ip-fragmentation-protection

    IP packet fragmentation ensures that IP datagrams can traverse various types of networks by splitting large packets into smaller ones for transmission, which are then reassembled by the receiving host. However, during a DDoS attack, malicious actors can exploit IP fragmentation by creating large fragmented datagrams designed to overwhelm router buffers. The objective of this attack is to rapidly consume system memory and network bandwidth.

    To mitigate this, FortiADC allows administrators to limit the maximum memory usage per socket, control the maximum allowable distance between fragmented packets from the same source IP, and set a timeout for the reassembly of the entire fragmented packet. These measures help reduce the impact of fragmentation-based DDoS attacks.

    Syntax

    config security dos ip-fragmentation-protection

    set max-memory-size <integer>

    set min-memory-size <integer>

    set time <integer>

    set exception <datasource>

    end

    max-memory-size

    Defines the maximum memory size (in KB) allocated for IP fragmentation reassembly within the VDOM. When this limit is reached, FortiADC will stop reassembling fragmented packets. The default value is 4096 KB, with a valid range from 0 to 4096 KB.

    min-memory-size

    Specifies the minimum memory size (in KB) for IP fragmentation reassembly. When the total memory size falls below this threshold, reassembly will resume. The default value is 3072 KB, with a valid range from 0 to 4096 KB.

    time

    Sets the maximum lifetime (in seconds) for each fragmentation queue. If the queue exceeds this timeout, all fragmentation packets within the queue are discarded. The default value is 30 seconds, with a valid range from 0 to 256 seconds.

    exception

    Specify the DoS Exception configuration object. See config security dos exception.

    When the memory usage for fragmented packets reaches the configured Max Memory Size limit, FortiADC stops reassembling fragments and drops new fragmented traffic. However, if the source IP of a fragmented packet matches an exception rule, FortiADC continues to accept and forward the packet, bypassing the memory enforcement restriction.

    Example

    configure security dos ip-fragmentation-protection

    set max-memory-size 4096

    set max-memory-size 3072

    set time 30

    set exception exception_1

    end

    Previous
    Next