Fortinet white logo
Fortinet white logo

Handbook

Service Protection Policy Feature Settings

Service Protection Policy Feature Settings

Settings

Guidelines

Name

Name of SPP rule.

This field accepts alphanumeric characters and doesn’t allow special characters. It should match regular expression /^[A-Z a-z0-9_.-]*@?[A-Za-z0-9_.-]*$/.

Status

Default and recommended Enabled.

This feature control allows the user to disable the SPP Rule. If this SPP has configured Protection Subnets, this action will result in traffic to those subnets being monitored by any other SPP with next longest prefix match or by the default SPP.

Note: You will receive a warning when disabling SPP status.

Inbound Operation Mode

Set the mode for traffic received from WAN-side interfaces:

  • Detection—Logs events and builds traffic statistics for the profile but does not limit or block traffic.
  • Prevention—Limits and blocks traffic that exceeds thresholds.

Outbound Operation Mode

Set the mode for traffic received from LAN-side interfaces:

  • Detection—Logs events and builds traffic statistics for the profile but does not limit or block traffic.
  • Prevention—Limits and blocks traffic that exceeds thresholds.

Adaptive Mode

Several important “Scalar” Thresholds use machine learning to adapt the System Recommended Thresholds to recent traffic trends. This feature determines if the feature is used.

  • Adaptive (default and recommended)—Uses the adaptive limit. The System Recommendation, Configured Minimum Thresholds are automatically adapted by this algorithm. When enabled, traffic is not validated or dropped until the higher of the Configured Minimum Threshold (System Recommendation) or the Adaptive Threshold is crossed, to a maximum of the Adaptive Limit (see below).
  • Fixed—Does not use the adaptive limit. The System Recommendation, Configured Minimum Thresholds are the maximum limits.

Adaptive Limit

A percentage of the configured minimum threshold that establishes the upper limit of the estimated threshold. The adaptive limit is an upper rate limit beyond which the system blocks all traffic. The valid range is 100% to 300%.

For example, the default is 150%. The system uses the dynamic threshold estimation algorithm to raise the calculated threshold up to 150% of the value of the configured minimum threshold. Thus, if the inbound threshold for Protocol 17 (UDP) is 10,000, the threshold never falls below 10,000 and never exceeds 15,000.

When the adaptive limit is 100, the system does not use dynamic threshold estimation to adjust thresholds.

Source MAC Address Aggressive Aging

MAC address used to send TCP resets to the protected server when aggressive aging is triggered. Please note, any packets generate by FortiDDoS will use MAC address specified here.

By default, the system uses the MAC address of the management interface (mgmt1), but the MAC address displayed in the web UI is 00:00:00:00:00:00.

If you change this setting, the system uses the MAC address you specify.

Cloud Signaling Status

This setting allows to enable/disable Cloud signaling feature for this specific SPP Rule.

Tooltip

To configure using the CLI:

config ddos spp rule

edit <spp_name>

set status { enable | disable }

set inbound-operating-mode { detection | prevention }

set outbound-operating-mode { detection | prevention }

set adaptive-mode { fixed | adaptive }

set adaptive-limit <integer>

set source-mac-address-aggressive-aging <string>

set cloud-signaling-status { enable | disable }

next

end

Service Protection Policy Feature Settings

Service Protection Policy Feature Settings

Settings

Guidelines

Name

Name of SPP rule.

This field accepts alphanumeric characters and doesn’t allow special characters. It should match regular expression /^[A-Z a-z0-9_.-]*@?[A-Za-z0-9_.-]*$/.

Status

Default and recommended Enabled.

This feature control allows the user to disable the SPP Rule. If this SPP has configured Protection Subnets, this action will result in traffic to those subnets being monitored by any other SPP with next longest prefix match or by the default SPP.

Note: You will receive a warning when disabling SPP status.

Inbound Operation Mode

Set the mode for traffic received from WAN-side interfaces:

  • Detection—Logs events and builds traffic statistics for the profile but does not limit or block traffic.
  • Prevention—Limits and blocks traffic that exceeds thresholds.

Outbound Operation Mode

Set the mode for traffic received from LAN-side interfaces:

  • Detection—Logs events and builds traffic statistics for the profile but does not limit or block traffic.
  • Prevention—Limits and blocks traffic that exceeds thresholds.

Adaptive Mode

Several important “Scalar” Thresholds use machine learning to adapt the System Recommended Thresholds to recent traffic trends. This feature determines if the feature is used.

  • Adaptive (default and recommended)—Uses the adaptive limit. The System Recommendation, Configured Minimum Thresholds are automatically adapted by this algorithm. When enabled, traffic is not validated or dropped until the higher of the Configured Minimum Threshold (System Recommendation) or the Adaptive Threshold is crossed, to a maximum of the Adaptive Limit (see below).
  • Fixed—Does not use the adaptive limit. The System Recommendation, Configured Minimum Thresholds are the maximum limits.

Adaptive Limit

A percentage of the configured minimum threshold that establishes the upper limit of the estimated threshold. The adaptive limit is an upper rate limit beyond which the system blocks all traffic. The valid range is 100% to 300%.

For example, the default is 150%. The system uses the dynamic threshold estimation algorithm to raise the calculated threshold up to 150% of the value of the configured minimum threshold. Thus, if the inbound threshold for Protocol 17 (UDP) is 10,000, the threshold never falls below 10,000 and never exceeds 15,000.

When the adaptive limit is 100, the system does not use dynamic threshold estimation to adjust thresholds.

Source MAC Address Aggressive Aging

MAC address used to send TCP resets to the protected server when aggressive aging is triggered. Please note, any packets generate by FortiDDoS will use MAC address specified here.

By default, the system uses the MAC address of the management interface (mgmt1), but the MAC address displayed in the web UI is 00:00:00:00:00:00.

If you change this setting, the system uses the MAC address you specify.

Cloud Signaling Status

This setting allows to enable/disable Cloud signaling feature for this specific SPP Rule.

Tooltip

To configure using the CLI:

config ddos spp rule

edit <spp_name>

set status { enable | disable }

set inbound-operating-mode { detection | prevention }

set outbound-operating-mode { detection | prevention }

set adaptive-mode { fixed | adaptive }

set adaptive-limit <integer>

set source-mac-address-aggressive-aging <string>

set cloud-signaling-status { enable | disable }

next

end