Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
All Products
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Web Application Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • Web Application / API Protection
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions
    • All Products

    Administration Guide

    Home FortiADC 8.0.2 Administration Guide
    8.0.2
    8.0.2
    8.0.1
    8.0.0
    7.6.5
    7.6.4
    7.6.3
    7.6.2
    7.6.1
    7.6.0

    Configuring an IP Fragmentation Protection policy

    Configuring an IP Fragmentation Protection policy

    IP packet fragmentation ensures that IP datagrams can traverse various types of networks by splitting large packets into smaller ones for transmission, which are then reassembled by the receiving host. However, during a DDoS attack, malicious actors can exploit IP fragmentation by creating large fragmented datagrams designed to overwhelm router buffers. The objective of this attack is to rapidly consume system memory and network bandwidth.

    To mitigate this, FortiADC allows administrators to limit the maximum memory usage per socket, control the maximum allowable distance between fragmented packets from the same source IP, and set a timeout for the reassembly of the entire fragmented packet. These measures help reduce the impact of fragmentation-based DDoS attacks.

    Before you begin:
    • You must have Read-Write permission for Security settings.
    To configure an IP fragmentation policy:
    1. Navigate to Network Security> Networking.
      The configuration page displays the IP Fragmentation Protection tab.

    2. Configure the following settings:

      Setting

      Description

      Max Memory Size Limit

      Defines the maximum memory size (in KB) allocated for IP fragmentation reassembly within the VDOM. When this limit is reached, FortiADC will stop reassembling fragmented packets. The default value is 4096 KB, with a valid range from 0 to 4096 KB.

      Min Memory Size Limit

      Specifies the minimum memory size (in KB) for IP fragmentation reassembly. When the total memory size falls below this threshold, reassembly will resume. The default value is 3072 KB, with a valid range from 0 to 4096 KB.

      Timeout

      Sets the maximum lifetime (in seconds) for each fragmentation queue. If the queue exceeds this timeout, all fragmentation packets within the queue are discarded. The default value is 30 seconds, with a valid range from 0 to 256 seconds.

      Exception Name

      Specify the DoS Exception configuration object. See Configuring DoS Exceptions.

      When the memory usage for fragmented packets reaches the configured Max Memory Size limit, FortiADC stops reassembling fragments and drops new fragmented traffic. However, if the source IP of a fragmented packet matches an exception rule, FortiADC continues to accept and forward the packet, bypassing the memory enforcement restriction.
    3. Save the configuration.
    Previous
    Next

    Configuring an IP Fragmentation Protection policy

    Configuring an IP Fragmentation Protection policy

    IP packet fragmentation ensures that IP datagrams can traverse various types of networks by splitting large packets into smaller ones for transmission, which are then reassembled by the receiving host. However, during a DDoS attack, malicious actors can exploit IP fragmentation by creating large fragmented datagrams designed to overwhelm router buffers. The objective of this attack is to rapidly consume system memory and network bandwidth.

    To mitigate this, FortiADC allows administrators to limit the maximum memory usage per socket, control the maximum allowable distance between fragmented packets from the same source IP, and set a timeout for the reassembly of the entire fragmented packet. These measures help reduce the impact of fragmentation-based DDoS attacks.

    Before you begin:
    • You must have Read-Write permission for Security settings.
    To configure an IP fragmentation policy:
    1. Navigate to Network Security> Networking.
      The configuration page displays the IP Fragmentation Protection tab.

    2. Configure the following settings:

      Setting

      Description

      Max Memory Size Limit

      Defines the maximum memory size (in KB) allocated for IP fragmentation reassembly within the VDOM. When this limit is reached, FortiADC will stop reassembling fragmented packets. The default value is 4096 KB, with a valid range from 0 to 4096 KB.

      Min Memory Size Limit

      Specifies the minimum memory size (in KB) for IP fragmentation reassembly. When the total memory size falls below this threshold, reassembly will resume. The default value is 3072 KB, with a valid range from 0 to 4096 KB.

      Timeout

      Sets the maximum lifetime (in seconds) for each fragmentation queue. If the queue exceeds this timeout, all fragmentation packets within the queue are discarded. The default value is 30 seconds, with a valid range from 0 to 256 seconds.

      Exception Name

      Specify the DoS Exception configuration object. See Configuring DoS Exceptions.

      When the memory usage for fragmented packets reaches the configured Max Memory Size limit, FortiADC stops reassembling fragments and drops new fragmented traffic. However, if the source IP of a fragmented packet matches an exception rule, FortiADC continues to accept and forward the packet, bypassing the memory enforcement restriction.
    3. Save the configuration.
    Previous
    Next