Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.3.2
    7.0.3
    7.0.1
    7.0.0
    6.6.3
    6.6.3
    6.6.1
    6.6.0
    6.5.1
    6.5.0
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.1

    Manual Threshold Setting

    Manual Threshold Setting

    Any Threshold can be manually adjusted using the edit button for the Threshold or range from the GUI and adjusting the Inbound and/or Outbound Thresholds. For most applications where outbound traffic is not relevant to DDoS mitigation, outbound thresholds should be set very high to avoid 'false-positives' on graphing. Some outbound drops can impact Inbound traffic even if the outbound direction is set in Detection Mode.

    For example, outbound TCP 'floods' can result in the TCP session being removed from the session tables, resulting in inbound traffic for that session being dropped as 'Foreign Packets'. Outbound Thresholds should be tuned to ensure no drops are seen.

    Threshold

    Label

    Order

    Scalar

    Any meaningful label. Follow the field entry guidelines. Generally, non-unicode characters with no spaces are allowed.

    Not Important

    Protocols

    Any meaningful label. Follow the field entry guidelines. Generally, non-unicode characters with no spaces are allowed.

    The order is not important but Protocol number ranges cannot overlap. For example, if there is a range of Protocol 18-255 set and you want to add a specific Threshold for Protocol 47 (GRE), you need to delete the 18-155 range and create 3 new ranges: 18-46, 47-47, and 48-255. These can be created in any order but numerical order makes it easier for future users to understand.

    HTTP Methods

    N/A

    Each HTTP Method should have system-generated Thresholds. These can be modified but no Method can be added and none should be removed.

    TCP and UDP Ports

    Must NOT match the System recommended label (sys_reco_vX_Y). Otherwise, any meaningful label.

    Follow field entry guidelines. Generally non-unicode characters with no spaces are allowed.

    Order is not important but port number ranges cannot overlap.

    For example, if there is a range of Ports 10000-65535 set and you want to add a specific Threshold for Port 11211, you need to delete the 10000-65535 range and create 3 new ranges: 10000-11210, 11211-11211, 11212-65535. These can be created in any order but numerical order makes it easier for future users to understand.

    ICMP Types Codes

    Must NOT match the System recommended label (sys_reco_vX_Y). Otherwise, any meaningful label.

    Follow field entry guidelines. Generally non-unicode characters with no spaces are allowed.

    Order not important but Type/Code ranges cannot overlap. There are 65535 possible ICMP Types and Codes, so modifying this manually should not be done by non-experts.

    Please contact Fortinet TAC for help with this, if needed.

    URLs, Hosts, Referers, Cookies, User Agents

    If you wish to add an individual entry for any of these parameters, the label must NOT match the System Recommended label (sys_reco_vX_Y). Otherwise, any meaningful label. Follow field entry guidelines. Generally non-unicode characters with no spaces allowed.

    Entries for these parameters are hashed by the system and cannot be 'un-hashed' so are difficult to interpret. For this reason, is it not recommended that you attempt to change any HTTP parameter ranges. If these parameters are causing issues, either manually change the thresholds only or re-run Traffic Statistics and System Recommendations to create new ranges and Thresholds.
    Adding TCP or UDP Port Ranges

    After the System Recommendations are created, there will only be one range for TCP and UDP “high” (>9999) ports labeled as “sys_reco_v10000_65535”.

    If you use specific and/or want to exclude specific high ports, you must enter these manually. You cannot have overlapping port ranges. To add a port or range, first delete the existing range.

    For example, if you want to allow Port 4500 for high traffic and leave all others as default:

    1. Delete the port range “sys_reco_v10000_65535”.
    2. Add port '4500':

      Name: IPSEC

      Port Start: 4500

      Port End: 4500

      Inbound Threshold: as required to system max of 16,777,215

      Outbound Threshold: as required to system max of 16,777,215

    3. Replace deleted range with two ranges:

      Add Range

      Name: Default10000_4499

      Port Start: 10000

      Port End: 4499

      Inbound Threshold: 500

      Outbound Threshold: 500

      Add Range

      Name: DefaultAbove4500

      Port Start: 4501

      Port End: 65535

      Inbound Threshold: 500

      Outbound Threshold: 500

    Note the following:

    • Name labels can be alphanumeric plus “-“ and “_” only, 35 characters maximum.
    • It is not necessary to follow the system label syntax of “sys_reco_vXXX_YYYYY” for ports or protocols. You must follow this for all other thresholds.
    • Sorting is not supported for values under 'Threshold' column. If you expect to enter many manual ranges, plan ahead to add them in Start Port order. The entry order of Thresholds has no impact on the system but it is easier to read in numerical order.
    Adjusting minimum thresholds by percentage

    You can arbitrarily adjust SPP thresholds by percentage. This is useful when you expect a spike in legitimate traffic (for example, because of a news story or an advertising campaign). You can adjust the thresholds by as much as 300%.

    Before you begin:

    • Go to Protection Profiles > Thresholds > Thresholds and note the settings so that you can later verify the adjustment procedure or subsequently reset the thresholds to the values before the adjustment procedure.
    • You must have Read-Write permission for Protection Profile settings

    To adjust minimum thresholds by percentage:

    1. Go to Service Protection > Service Protection Policy > {SPP Rule} > Thresholds > Percent Adjust.
    2. Specify a percentage in the text box. The range of adjustment is from -100% to (+)300%

      For example:

      • 100 pps Threshold + 20% adjustment = 120 pps
      • 100 pps Threshold - 17% adjustment = -83 pps (Be careful while raising and lowering thresholds this way.)
      • 100 pps Threshold + 120% adjustment = 220 pps
      • 100 pps Threshold - 20% adjustment = 80 pps
      • 100 pps Threshold - 100% adjustment = 0 pps
    3. Save the configuration.
    4. Go to Protection Profiles > Thresholds > Thresholds and verify that the adjustment has been applied.
    To configure using the CLI:

    config ddos spp rule

    edit <spp_name>

    set threshold-percent-adjust <integer>

    next

    end

    Note: <integer> value can be in range -100 to 300

    Previous
    Next

    Manual Threshold Setting

    Manual Threshold Setting

    Any Threshold can be manually adjusted using the edit button for the Threshold or range from the GUI and adjusting the Inbound and/or Outbound Thresholds. For most applications where outbound traffic is not relevant to DDoS mitigation, outbound thresholds should be set very high to avoid 'false-positives' on graphing. Some outbound drops can impact Inbound traffic even if the outbound direction is set in Detection Mode.

    For example, outbound TCP 'floods' can result in the TCP session being removed from the session tables, resulting in inbound traffic for that session being dropped as 'Foreign Packets'. Outbound Thresholds should be tuned to ensure no drops are seen.

    Threshold

    Label

    Order

    Scalar

    Any meaningful label. Follow the field entry guidelines. Generally, non-unicode characters with no spaces are allowed.

    Not Important

    Protocols

    Any meaningful label. Follow the field entry guidelines. Generally, non-unicode characters with no spaces are allowed.

    The order is not important but Protocol number ranges cannot overlap. For example, if there is a range of Protocol 18-255 set and you want to add a specific Threshold for Protocol 47 (GRE), you need to delete the 18-155 range and create 3 new ranges: 18-46, 47-47, and 48-255. These can be created in any order but numerical order makes it easier for future users to understand.

    HTTP Methods

    N/A

    Each HTTP Method should have system-generated Thresholds. These can be modified but no Method can be added and none should be removed.

    TCP and UDP Ports

    Must NOT match the System recommended label (sys_reco_vX_Y). Otherwise, any meaningful label.

    Follow field entry guidelines. Generally non-unicode characters with no spaces are allowed.

    Order is not important but port number ranges cannot overlap.

    For example, if there is a range of Ports 10000-65535 set and you want to add a specific Threshold for Port 11211, you need to delete the 10000-65535 range and create 3 new ranges: 10000-11210, 11211-11211, 11212-65535. These can be created in any order but numerical order makes it easier for future users to understand.

    ICMP Types Codes

    Must NOT match the System recommended label (sys_reco_vX_Y). Otherwise, any meaningful label.

    Follow field entry guidelines. Generally non-unicode characters with no spaces are allowed.

    Order not important but Type/Code ranges cannot overlap. There are 65535 possible ICMP Types and Codes, so modifying this manually should not be done by non-experts.

    Please contact Fortinet TAC for help with this, if needed.

    URLs, Hosts, Referers, Cookies, User Agents

    If you wish to add an individual entry for any of these parameters, the label must NOT match the System Recommended label (sys_reco_vX_Y). Otherwise, any meaningful label. Follow field entry guidelines. Generally non-unicode characters with no spaces allowed.

    Entries for these parameters are hashed by the system and cannot be 'un-hashed' so are difficult to interpret. For this reason, is it not recommended that you attempt to change any HTTP parameter ranges. If these parameters are causing issues, either manually change the thresholds only or re-run Traffic Statistics and System Recommendations to create new ranges and Thresholds.
    Adding TCP or UDP Port Ranges

    After the System Recommendations are created, there will only be one range for TCP and UDP “high” (>9999) ports labeled as “sys_reco_v10000_65535”.

    If you use specific and/or want to exclude specific high ports, you must enter these manually. You cannot have overlapping port ranges. To add a port or range, first delete the existing range.

    For example, if you want to allow Port 4500 for high traffic and leave all others as default:

    1. Delete the port range “sys_reco_v10000_65535”.
    2. Add port '4500':

      Name: IPSEC

      Port Start: 4500

      Port End: 4500

      Inbound Threshold: as required to system max of 16,777,215

      Outbound Threshold: as required to system max of 16,777,215

    3. Replace deleted range with two ranges:

      Add Range

      Name: Default10000_4499

      Port Start: 10000

      Port End: 4499

      Inbound Threshold: 500

      Outbound Threshold: 500

      Add Range

      Name: DefaultAbove4500

      Port Start: 4501

      Port End: 65535

      Inbound Threshold: 500

      Outbound Threshold: 500

    Note the following:

    • Name labels can be alphanumeric plus “-“ and “_” only, 35 characters maximum.
    • It is not necessary to follow the system label syntax of “sys_reco_vXXX_YYYYY” for ports or protocols. You must follow this for all other thresholds.
    • Sorting is not supported for values under 'Threshold' column. If you expect to enter many manual ranges, plan ahead to add them in Start Port order. The entry order of Thresholds has no impact on the system but it is easier to read in numerical order.
    Adjusting minimum thresholds by percentage

    You can arbitrarily adjust SPP thresholds by percentage. This is useful when you expect a spike in legitimate traffic (for example, because of a news story or an advertising campaign). You can adjust the thresholds by as much as 300%.

    Before you begin:

    • Go to Protection Profiles > Thresholds > Thresholds and note the settings so that you can later verify the adjustment procedure or subsequently reset the thresholds to the values before the adjustment procedure.
    • You must have Read-Write permission for Protection Profile settings

    To adjust minimum thresholds by percentage:

    1. Go to Service Protection > Service Protection Policy > {SPP Rule} > Thresholds > Percent Adjust.
    2. Specify a percentage in the text box. The range of adjustment is from -100% to (+)300%

      For example:

      • 100 pps Threshold + 20% adjustment = 120 pps
      • 100 pps Threshold - 17% adjustment = -83 pps (Be careful while raising and lowering thresholds this way.)
      • 100 pps Threshold + 120% adjustment = 220 pps
      • 100 pps Threshold - 20% adjustment = 80 pps
      • 100 pps Threshold - 100% adjustment = 0 pps
    3. Save the configuration.
    4. Go to Protection Profiles > Thresholds > Thresholds and verify that the adjustment has been applied.
    To configure using the CLI:

    config ddos spp rule

    edit <spp_name>

    set threshold-percent-adjust <integer>

    next

    end

    Note: <integer> value can be in range -100 to 300

    Previous
    Next