Thresholds View
Before you begin:
- You must have an expert understanding of packet rates and other Layer 3, Layer 4, and Layer 7 parameters that you want to set manually. Refer to Understanding FortiDDoS rate limiting thresholds .
- You must have Read-Write permission for Protection Profile settings.
To configure threshold settings:
1. Go to Service Protection > Service Protection Policy > {SPP Rule} > Thresholds.
2. Select the type of Threshold from the drop-down list.
3. Double-click the row for the threshold you want to edit or click Create New.
4. Set thresholds for inbound and outbound traffic for the settings described in the table below.
5. Save the configuration.
|
Threshold |
Guidelines |
Graph |
|---|---|---|
|
Scalars |
||
|
SYN |
Packet/second rate of SYN packets received. Threshold for a SYN Flood event. When total SYNs to the SPP exceeds the threshold, the SYN flood mitigation mode tests are applied to all new connection requests from IP addresses that are not already in the legitimate IP address table. Prerequisite: A TCP Profile with following settings should be linked: SYN Flood Mitigation => Enabled TCP Session Feature Control : SYN Validation => Enabled |
Drop Monitor: Flood Drops > Layer 4 Traffic Monitor: Layer 3/4/7 > Layer 4 > SYN
|
|
New Connections |
Connection/second rate of new connections. Threshold for zombie floods (when attackers hijack legitimate IP addresses to launch DDoS attacks). When it detects a zombie flood, FortiDDoS blocks all new connection requests for the configured blocking period. In order to be effective, the new-connections threshold should always be higher than the syn threshold. We recommend that you use the FortiDDoS generated threshold unless you have a specific reason to change it. Prerequisite: A TCP Profile with following settings should be linked to generate SYN Flood scenario: SYN Flood Mitigation => Enabled TCP Session Feature Control : SYN Validation => Enabled |
Drop Monitor: Flood Drops > Layer 4 Traffic Monitor: Layer 3/4/7 > Layer 4 > Other
|
|
SYN Per Source |
Packet/second rate of SYN packets from any one source. No single source in an SPP is allowed to exceed this threshold. Threshold for a SYN Flood from Source event. The system applies the blocking period for identified sources. Only SYNs from identified source will be blocked |
Drop Monitor: Flood Drops > Layer 4 Traffic Monitor: Layer 3/4/7 > Layer 4 > SYN
|
|
Most Active Source |
Packet/second rate for the most active source. A source that sends packets at a rate that surpasses this threshold is considered a threat. Threshold for a source flood. No single source in an SPP is allowed to exceed this threshold, and the system applies the blocking period for identified sources. All traffic from identified source will be blocked |
Drop Monitor: Flood Drops > Layer 3 Traffic Monitor: Layer 3/4/7 > Layer 3 > Sources |
|
Concurrent Connections Per Source |
Count of TCP connections from a single source. The TCP connection counter is incremented when a connection moves to the established state and decremented when a session is timed out or closes. This threshold is used to identify suspicious source IP behavior. An inordinate number of connections is a symptom of both slow and fast TCP connection attacks. The system applies the blocking period for identified sources for SYN (session initiation). If the aggressive aging high-concurrent-connection-per-source option is enabled, the system also sends a TCP RST to the server to reset the connection. |
Drop Monitor: Flood Drops > Layer 4 Traffic Monitor: Layer 3/4/7 > Layer 4 > Other |
|
SYN Per Destination |
Packet/second rate for SYN packets to a single destination. When the per-destination limits are exceeded for a particular destination, the SYN flood mitigation mode tests are applied to all new connection requests to that particular destination. Traffic to other destinations is not subject to the tests. The system applies the blocking period for identified sources. Prerequisite: A TCP Profile with following settings should be linked to generate SYN Flood scenario: SYN Flood Mitigation => Enabled TCP Session Feature Control : SYN Validation => Enabled |
Drop Monitor: Flood Drops > Layer 4 Traffic Monitor: Layer 3/4/7 > Layer 4 > SYN |
|
HTTP Method Per Source |
Packet/second rate for Method packets (GET, HEAD, OPTION, POST, etc) from a single Source. When the per-source limits are exceeded for a particular source, the system applies the blocking period for identified sources sending HTTP traffic. The connection to the server may also be RST if Protection Profiles > SPP Settings > TCP Tab: Aggressive Aging TCP Connections Feature Control: Layer 7 Flood is enabled. |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > HTTP |
|
Most Active Destination |
Packet/second rate for the most active destination. A destination that is sent packets at this rate is considered under attack. Threshold for a destination flood. |
Drop Monitor: Flood Drops > Layer 3 Traffic Monitor: Layer 3/4/7 > Layer 3 > Destinations |
|
OTH Fragment |
Packet/second rate of fragmented packets received for Protocols Except TCP and UDP. Although the IP specification allows IP fragmentation, excessive fragmented packets can cause some systems to hang or crash. |
Drop Monitor: Flood Drops > Layer 3 Traffic Monitor: Layer 3/4/7 > Layer 3 > Other |
|
UDP Fragment |
Packet/second rate of UDP fragmented packets received. Although the IP specification allows IP fragmentation, excessive fragmented packets can cause some systems to hang or crash. |
Drop Monitor: Flood Drops > Layer 3 Traffic Monitor: Layer 3/4/7 > Layer 3 > Other |
|
TCP Fragment |
Packet/second rate of TCP fragmented packets received. Although the IP specification allows IP fragmentation, excessive fragmented packets can cause some systems to hang or crash. |
Drop Monitor: Flood Drops > Layer 3 Traffic Monitor: Layer 3/4/7 > Layer 3 > Other |
|
DNS Query UDP |
Queries/second. Threshold for a DNS Query Flood event for traffic over UDP. Prerequisite: A DNS Profile should be linked to SPP rule |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
|
DNS Query TCP |
Queries/second. Threshold for a DNS Query Flood event for traffic over TCP. Prerequisite: A DNS Profile should be linked to SPP rule |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
|
DNS Question Count UDP |
Question count/second. Threshold for a DNS Question Flood over UDP event. Prerequisite: A DNS Profile should be linked to SPP rule |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
|
DNS MX Count UDP |
Question count/second. Threshold for a DNS Question Flood over TCP event. Prerequisite: A DNS Profile should be linked to SPP rule |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
|
DNS MX Count UDP |
Packet/second rate of DNS queries for MX records (QTYPE=15). Threshold for a DNS MX Flood over UDP event. Prerequisite: A DNS Profile should be linked to SPP rule |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
|
DNS MX Count TCP |
Packet/second rate of DNS queries for MX records (QTYPE=15). Threshold for a DNS MX Flood over TCP event. Prerequisite: A DNS Profile should be linked to SPP rule |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
|
DNS ALLUDP |
Packet/second rate of DNS queries for all DNS records (QTYPE=255). Threshold for a DNS ALL Flood over UDP event. Prerequisite: A DNS Profile should be linked to SPP rule |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
|
DNS ALLTCP |
Packet/second rate of DNS queries for all DNS records (QTYPE=255). Threshold for a DNS ALL Flood over TCP event. Prerequisite: A DNS Profile should be linked to SPP rule |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
|
DNS Zone Transfer TCP |
Packet/second rate of DNS zone transfer (AXFR) queries (QTYPE=252). Threshold for a DNS Zone Transfer Flood event. Prerequisite: A DNS Profile should be linked to SPP rule |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
|
DNS Fragment UDP |
Packet/second rate of fragmented packets received. Threshold for a DNS Fragment Flood over UDP event. Prerequisite: A DNS Profile should be linked to SPP rule |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
|
DNS Fragment TCP |
Packet/second rate of fragmented packets received. Threshold for a DNS Fragment Flood over TCP event. Prerequisite: A DNS Profile should be linked to SPP rule |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
|
DNS Query Per Source |
Packet/second rate of normal DNS queries from any one source. No single source in an SPP is allowed to exceed this threshold. Threshold for a DNS Query Per Source flood event. The system applies the blocking period for identified sources. Prerequisite: A DNS Profile should be linked to SPP rule with DNS Source blocking feature set to Enable |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
|
DNS Packet Track Per Source |
Packet/second rate of a source that demonstrates suspicious activity, a score based on heuristics that
Threshold for a DNS Suspicious Sources flood event. The system applies the blocking period for identified sources. Prerequisite: A DNS Profile should be linked to SPP rule with DNS Source blocking feature set to Enable |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
|
NTP Request |
Rate Limit of NTP Requests to or from the SPP
|
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > NTP |
|
NTP Response |
Rate Limit of NTP Responses to or from the SPP.
Usage: This Threshold can be set for any environment but if FortiDDoS sees both Requests and Responses (symmetric traffic or both asymmetric links pass through FortiDDoS) the Unsolicited Response Anomaly feature above will respond to NTP Response Floods faster than this Thresholds. These is no harm in using both. If FortiDDoS is in Asymmetric Mode, use this Threshold and DISABLE the NTP Unsolicited Response Anomaly.
Note: NTP Response attacks are common. Always set a Response Threshold or use NTP Unsolicited Response (NRM) Anomaly. |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > NTP |
|
NTP Broadcast |
Rate Limit of NTP Broadcast packets to or from the SPP. Usage:.You should never see NTP Broadcast packets on public networks. If, during Learning/Detection Mode, you see these in either direction, examine the protected IPs involved to see if they are originating, terminating or spoofed. Unless you know you are broadcasting for some reason, this Thresholds can be set to zero. |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > NTP |
|
NTP Response Per Destination |
Rate Limit of NTP Responses per individual Destination. Usage: This Threshold can be set for any environment. This threshold will normally be less than or equal to the “Response Threshold” above. If FortiDDoS sees both Requests and Responses (symmetric traffic or both asymmetric links pass through FortiDDoS) the Unsolicited Response Anomaly feature above will respond to NTP Response per Destination Floods faster than this Thresholds. These is no harm in using both. If FortiDDoS is in Asymmetric Mode, use this Threshold and DISABLE the NTP Unsolicited Response anomaly. |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > NTP |
|
DTLS Client Hello Per Source |
Rate limit of DTLS Client Hello messages sent per Source. |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DTLS |
|
DTLS Server Hello Per Source |
Rate limit of DTLS Server Hello messages sent per Source. |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DTLS |
|
DTLS Server Hello Per Destination |
Rate limit of DTLS Server Hello messages sent per Destination. |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DTLS |
|
Scalar Drop for Asymmetric Mode only with Asymmetric Mode Allow Inbound Synack enabled |
||
|
SYN/ACK in Asym Mode |
Rate limit of inbound SYN/ACKs when in Asymmetric Mode Note: This Threshold must be set manually. Please observe Traffic Monitor > Layer 3/4/7 > Layer 4 > SYN: SYN-ACK graph to determine peak traffic rate and multiple 2x for Threshold. |
Drop Monitor: Flood Drops > Layer 4 Traffic Monitor: Layer 3/4/7 > Layer 4 > SYN |
|
SYN/ACK per Destination in Asym Mode |
Rate limit of inbound SYN/ACKs per Destination when in Asymmetric Mode Note: This Threshold must be set manually. Please observe Traffic Monitor > Layer 3/4/7 > Layer 4 > SYN: SYN-ACK per Destination graph to determine peak traffic rate and multiple 2x for Threshold. |
Drop Monitor: Flood Drops > Layer 4 Traffic Monitor: Layer 3/4/7 > Layer 4 > SYN |
|
DNSSEC Response UDP Asym |
Asymmetric Mode SPP aggregate rate limit Threshold for inbound DNSSEC UDP Response packets (from UDP port 53 with Resource Record 41 (Option) fields. In Asymmetric Mode, DQRM and DNSSEC Message Type Match or DNSSEC Require Response After Query cannot be used and this Threshold offers protection. When using this Threshold, Enable Service Protection > DNS Profile (used with the applicable SPP) > DNS Message IP Fragment Try Best. This feature parses fragmented Response packet to determine if they are DNSSEC. This is a manual Threshold and must be set by the user. In Asymmetric Mode, go to Monitor: TRAFFIC MONITOR > Layer 3/4/7 > Select SPP > Layer 7 and scroll to DNSSEC graph. This graph will only appear if system is in Asymmetric Mode. Observe the PEAK traffic of the UDP Asymmetric Response Ingress Max Packet Rate/Sec over a reasonable period of time (1-Week to 1-Month). Multiply the PEAK rate by 2 and use this rate as the Inbound Threshold for this Scalar. No Outbound Threshold is available. |
Drop Monitor: Flood Drops > Layer 4 Traffic Monitor: Layer 3/4/7 > Layer 4 > SYN |
|
DNSSEC Response UDP Asym Source |
Asymmetric Mode per Source IP rate limit Threshold for inbound DNSSEC UDP Response per Source packets (from UDP port 53 with Resource Record 41 (Option) fields. In Asymmetric Mode, DQRM and DNSSEC Message Type Match or DNSSEC Require Response After Query cannot be used and this Threshold offers protection. When using this Threshold, enable Service Protection > DNS Profile (used with the applicable SPP) > DNS Message IP Fragment Try Best. This feature parses fragmented Response packet to determine if they are DNSSEC. This is a manual Threshold and must be set by the user. In Asymmetric Mode, go to Monitor: TRAFFIC MONITOR > Layer 3/4/7 > Select SPP > Layer 7 and scroll to DNSSEC graph. This graph will only appear if system is in Asymmetric Mode. Observe the PEAK traffic of the UDP Asymmetric Response per Source Ingress Max Packet Rate/Sec over a reasonable period of time (1-Week to 1-Month). Multiply the PEAK rate by 2 and use this rate as the Inbound Threshold for this Scalar. No Outbound Threshold is available. |
Drop Monitor: Flood Drops > Layer 4 Traffic Monitor: Layer 3/4/7 > Layer 4 > SYN |
|
DNSSEC Response UDP Asym Destination |
Asymmetric Mode per Source IP rate limit Threshold for inbound DNSSEC UDP Response per Destination packets (from UDP port 53 with Resource Record 41 (Option) fields. In Asymmetric Mode, DQRM and DNSSEC Message Type Match or DNSSEC Require Response After Query cannot be used and this Threshold offers protection. When using this Threshold, enable Service Protection > DNS Profile (used with the applicable SPP) > DNS Message IP Fragment Try Best. This feature parses fragmented Response packet to determine if they are DNSSEC. This is a manual Threshold and must be set by the user. In Asymmetric Mode, go to Monitor: TRAFFIC MONITOR > Layer 3/4/7 > Select SPP > Layer 7 and scroll to DNSSEC graph. This graph will only appear if system is in Asymmetric Mode. Observe the PEAK traffic of the UDP Asymmetric Response per Destination Ingress Max Packet Rate/Sec over a reasonable period of time (1-Week to 1-Month). Multiply the PEAK rate by 2 and enter this rate as the Inbound Threshold for this Scalar. No Outbound Threshold is available. |
Drop Monitor: Flood Drops > Layer 4 Traffic Monitor: Layer 3/4/7 > Layer 4 > SYN |
|
HTTP Methods |
||
|
HTTP/1.1 uses the following set of common methods:
|
Packet/second rate for the specified HTTP method. Threshold for an HTTP method flood attack. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset the connection. |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > HTTP
|
|
Protocols |
||
|
Protocol Start / End |
Packet/second rate for the specified protocol (0-255). Threshold for a Protocol Flood event. When you specify a threshold for protocols, enter a range, even if you are specifying a threshold for a single protocol. For example, to set a threshold for protocol 6, enter 6 for both Protocol Start and Protocol End. |
Drop Monitor: Flood Drops > Layer 3 Traffic Monitor: Layer 3/4/7 > Layer 3 > Protocols |
|
TCP Ports |
||
|
Port Start / End |
Packet/second rate for the specified TCP port (0-65535). Threshold for a Port Flood event. Monitoring the packet rate for ports is helpful to prevent floods against a specific application such as HTML, FTP, SMTP or SQL. TCP accommodates 64K (65,536) ports, most of which may never be used by a particular server. Conversely, a server might see most or all of its traffic on a small group of TCP ports. For this reason, globally assigning a single threshold to all ports generally does not provide useful protection. However, you can globally set a (usually low) TCP Port Threshold for all TCP ports and then manually configure a higher threshold for the ports your protected network is using. When you specify a threshold for ports, you enter a range, even if you are specifying a threshold for a single port. For example, to set a threshold for port 8080, enter 8080 for both Port Start and Port End. |
Drop Monitor: Flood Drops > Layer 4 Traffic Monitor: Layer 3/4/7 > Layer 4 > TCP Ports |
|
UDP Ports |
||
|
Port Start / End |
Packet/second rate for the specified UDP port (0-65535). Threshold for a Port Flood event. When you specify a threshold for ports, you enter a range, even if you are specifying a threshold for a single port. For example, to set a threshold for port 53, enter 53 for both Port Start and Port End. |
Drop Monitor: Flood Drops > Layer 4 Traffic Monitor: Layer 3/4/7 > Layer 4 > UDP Ports |
|
ICMP Types/Codes |
||
|
ICMP Type/Code Start/End |
Packet/second rate for the specified ICMP type/code range (0:0-255:255). The ICMP header includes an 8-bit type field, followed by an 8-bit code field. Threshold for an ICMP Type/Code Flood event. A popular use for ICMP is the “Echo groping” message (type 8) and its corresponding reply (type 0), which are often useful tools to test connectivity and response time. In some cases, this message and reply can also be used as an attack weapon to effectively disable a target system’s network software. Take care when you set the ICMP type 0 and type 8 thresholds to ensure the desired functionality is preserved. |
Drop Monitor: Flood Drops > Layer 4 Traffic Monitor: Layer 3/4/7 > Layer 4 > Other |
|
HTTP Headers |
||
|
URL |
Packet/second rate for packets with the specified URL match. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset the connection. Specify the URL for a specific website. Botnets make it easy to launch attacks on specific URLs. When such an attack happens, FortiDDoS can isolate the URL and limit just the traffic that is associated with it, while all other traffic is unaffected. The URL is found in the website’s HTTP GET or POST operations. For example, the URL for http://www.website.com/index.html is /index.html. When you specify a threshold for a URL, the system generates a corresponding hash index value. FortiDDoS displays the hash index value in the list of URL thresholds. Make note of it. You can use the hash value to select this URL elsewhere in the web UI. To view statistics associated with the threshold, go to Monitor > Specific Graphs > URLs, and then for Please enter URL/Hash index, enter either the original URL you specified or the hash index value. The valid range of hash index values for URLs is 0-64k per SPP. You can use the special prefix sys_reco_v to create hash index ranges that aggregate URLs that you are interested in only as an aggregate. For example, assume your team wants to pay close attention to a five websites, and all others can be treated essentially the same. With the first five, your configuration is specific, so you know the website URL and the corresponding hash index, and you can use FortiDDoS to track it specifically. The system does not track the others with specificity, but you can track, as an aggregate, whether those sites experience rising and falling rates, including attacks. Create entries for the five priority websites and note their hash index numbers. Let’s assume the hash index numbers are 1, 20, 21, 39, 40.
Note: You cannot carve out a small block out of a large block. If you want to use hash index values that are already in use, you must delete the existing range and then create two ranges. |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > HTTP
|
|
Host, Referer, Cookie, User-Agent headers |
Packet/second rate for packets with the specified header matches. When the maximum rate is reached, the system drops packets matching the parameter. If the aggressive aging layer7-flood option is enabled, the system also sends a TCP RST to the server to reset idle connections. A connection is deemed idle if it has not sent traffic in the last 2 minutes. Specify HTTP header values. With the advent of botnets, it is easy to launch attacks using scripts. Most of the scripts use the same code. The chances that they all use the same Host, Referer, Cookie, or User-Agent header fields is very high. When such an attack happens, FortiDDoS can easily isolate the four headers among many and limit traffic associated with that specific header, while all other traffic is unaffected. As with URL hash indexes, you can use the sys_reco_v prefix to define hash index ranges that aggregate header values you are not specifically interested in.
The valid range of hash index values is 0-511 for each setting for each SPP: Host, Referer, Cookie, User-Agent |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > HTTP
|
|
DNS Response Codes |
||
|
Rcode start-Rcode end |
Packet/second rate for the specified DNS Response code (0-15). Threshold for DNS Response code Flood event. |
Drop Monitor: Flood Drops > Layer 7 Traffic Monitor: Layer 3/4/7 > Layer 7 > DNS |
To configure using the CLI:
config ddos spp rule
edit <spp_name>
config scalar-threshold
edit <threshold_name>
set scalar-type {syn |syn-per-src | most-active-source | concurrent-connections-per-source | most-active-destination | method-per-source | oth-fragment | udp-fragment | tcp-fragment | new-connections | syn-per-dst | dns-query-udp | dns-query-tcp | dns-question-count-udp | dns-question-count-tcp | dns-mx-count-udp | dns-mx-count-tcp | dns-all-udp | dns-all-tcp | dns-zone-xfer-tcp | dns-fragment-udp | dns-fragment-tcp | dns-query-per-src | dns-packet-track-per-src | ntp-req | ntp-resp | ntp-bcast | ntp-resp-per-dst}
set inbound-threshold <integer>
set outbound-threshold <integer>
next
end
config protocol-threshold
edit <threshold_name>
set protocol-start <protocol_int>
set protocol-end <protocol_int>
set inbound-threshold <integer>
set outbound-threshold <integer>
next
end
config http-method-threshold
edit <threshold_name>
set method { get |head| options | trace | post | put | delete | connect }
set inbound-threshold <integer>
set outbound-threshold <integer>
next
end
config tcp-port-threshold
edit <threshold_name>
set port-start <port_int>
set port-end <port_int>
set inbound-threshold <integer>
set outbound-threshold <integer>
next
end
config udp-port-threshold
edit <threshold_name>
set port-start <port_int>
set port-end <port_int>
set inbound-threshold <integer>
set outbound-threshold <integer>
next
end
config icmp-type-code-threshold
edit <threshold_name>
set icmp-type-start <type_int>
set icmp-code-start <code_int>
set icmp-type-end <type_int>
set icmp-code-end <code_int>
set inbound-threshold <integer>
set outbound-threshold <integer>
next
end
config http-url-threshold
edit <threshold_name>
set url <url_string>
set inbound-threshold <integer>
set outbound-threshold <integer>
next
end
config http-host-threshold
edit <threshold_name>
set host <host_string>
set inbound-threshold <integer>
set outbound-threshold <integer>
next
end
config http-referer-threshold
edit <threshold_name>
set referer <referer_string>
set inbound-threshold <integer>
set outbound-threshold <integer>
next
end
config http-cookie-threshold
edit <threshold_name>
set cookie <cookie_string>
set inbound-threshold <integer>
set outbound-threshold <integer>
next
end
config http-user-agent-threshold
edit <threshold_name>
set user-agent <user-agent_string>
set inbound-threshold <integer>
set outbound-threshold <integer>
next
end
config dns-rcode-threshold
edit <threshold_name>
set rcode-start <rcode_int>
set rcode-end <rcode_int>
set inbound-threshold <integer>
set outbound-threshold <integer>
next
end
next
end
