Manual Threshold Setting

Any Threshold can be manually adjusted from the GUI: open the edit dialog for the Threshold or range and change the Inbound and/or Outbound Threshold. For most applications, outbound traffic is not relevant to DDoS mitigation, so Outbound Thresholds should be set very high to avoid false positives on the graphs. Note that some outbound drops can affect inbound traffic even when the outbound direction is set to Detection Mode.

For example, an outbound TCP 'flood' can cause the TCP session to be removed from the session table, after which inbound packets for that session are dropped as 'Foreign Packets'. Outbound Thresholds should therefore be tuned so that no outbound drops are seen.

Threshold: Scalar
Label: Any meaningful label. Follow the field entry guidelines. Generally, non-unicode characters with no spaces are allowed.
Order: Not important.

Threshold: Protocols
Label: Any meaningful label. Follow the field entry guidelines. Generally, non-unicode characters with no spaces are allowed.
Order: Not important, but Protocol number ranges cannot overlap. For example, if there is a range of Protocol 18-255 set and you want to add a specific Threshold for Protocol 47 (GRE), you must delete the 18-255 range and create three new ranges: 18-46, 47-47, and 48-255. These can be created in any order, but numerical order makes it easier for future users to understand.

Threshold: HTTP Methods
Label: N/A
Order: Each HTTP Method has a system-generated Threshold. These can be modified, but no Method can be added and none should be removed.

Threshold: TCP and UDP Ports
Label: Must NOT match the System Recommended label (sys_reco_vX_Y). Otherwise, any meaningful label. Follow the field entry guidelines. Generally, non-unicode characters with no spaces are allowed.
Order: Not important, but port number ranges cannot overlap. For example, if there is a range of Ports 10000-65535 set and you want to add a specific Threshold for Port 11211, you must delete the 10000-65535 range and create three new ranges: 10000-11210, 11211-11211, and 11212-65535. These can be created in any order, but numerical order makes it easier for future users to understand.

Threshold: ICMP Types/Codes
Label: Must NOT match the System Recommended label (sys_reco_vX_Y). Otherwise, any meaningful label. Follow the field entry guidelines. Generally, non-unicode characters with no spaces are allowed.
Order: Not important, but Type/Code ranges cannot overlap. There are 65,536 possible Type/Code combinations (256 Types x 256 Codes), so these ranges should not be modified manually by non-experts. Please contact Fortinet TAC for help with this, if needed.

Threshold: URLs, Hosts, Referers, Cookies, User Agents
Label: If you wish to add an individual entry for any of these parameters, the label must NOT match the System Recommended label (sys_reco_vX_Y). Otherwise, any meaningful label. Follow the field entry guidelines. Generally, non-unicode characters with no spaces are allowed.
Order: Entries for these parameters are hashed by the system and cannot be 'un-hashed', so they are difficult to interpret. For this reason, it is not recommended that you attempt to change any HTTP parameter ranges. If these parameters are causing issues, either change only the Thresholds manually, or re-run Traffic Statistics and System Recommendations to create new ranges and Thresholds.

Adding TCP or UDP Port Ranges

After the System Recommendations are created, there will only be one range for TCP and UDP “high” (>9999) ports labeled as “sys_reco_v10000_65535”.

If you use specific high ports, or want to exclude specific high ports, you must enter them manually. Port ranges cannot overlap, so to add a port or range that falls inside an existing range, you must first delete the existing range and then re-create the parts of it that remain.

For example, to give Port 11211 its own (higher) Threshold and leave all other high ports at the default:

  1. Delete the port range “sys_reco_v10000_65535”.
  2. Add port 11211:

    Name: Port11211

    Port Start: 11211

    Port End: 11211

    Inbound Threshold: as required, up to the system maximum of 16,777,215

    Outbound Threshold: as required, up to the system maximum of 16,777,215

  3. Replace the deleted range with two ranges covering the ports on either side of 11211:

    Add Range

    Name: Default10000_11210

    Port Start: 10000

    Port End: 11210

    Inbound Threshold: 500

    Outbound Threshold: 500

    Add Range

    Name: Default11212_65535

    Port Start: 11212

    Port End: 65535

    Inbound Threshold: 500

    Outbound Threshold: 500

Note the following:

  • Name labels can contain alphanumeric characters plus “-” and “_” only, 35 characters maximum.
  • It is not necessary to follow the system label syntax “sys_reco_vXXX_YYYYY” for ports or protocols; for all other threshold types, manual labels must NOT use that syntax.
  • Sorting is not supported for values in the 'Threshold' column. If you expect to enter many manual ranges, plan ahead and add them in Start Port order. The entry order of Thresholds has no effect on the system, but numerical order is easier to read.
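The range-splitting procedure above (and the Protocol 47 and Port 11211 examples earlier on this page) is easy to get wrong by hand: a start that exceeds an end, a leftover piece that overlaps a neighbour, or a label that collides with the sys_reco_vX_Y form. The following is an added planning helper, not FortiDDoS code and not part of the original page. It carves a new port or protocol range out of whichever existing range contains it, re-creates the leftover pieces with the old thresholds, validates labels against the rules stated in the notes, and prints the delete/add steps to enter in the GUI. The “Default<start>_<end>” label convention for leftover pieces and the sample ranges are assumptions constructed for the example.

```python
import re

# Rules stated on the page: labels are alphanumeric plus "-" and "_", at most
# 35 characters, and a manual label must not match the sys_reco_vX_Y form.
LABEL_RE = re.compile(r"^[A-Za-z0-9_-]{1,35}$")
SYS_RECO_RE = re.compile(r"^sys_reco_v\d+_\d+$")
SYSTEM_MAX = 16_777_215  # system maximum for an Inbound/Outbound Threshold


def validate_label(name):
    """True if a manual range label satisfies the page's naming rules."""
    return bool(LABEL_RE.match(name)) and not SYS_RECO_RE.match(name)


def check_no_overlap(ranges):
    """Return the ranges sorted by start; raise ValueError if any two overlap."""
    ordered = sorted(ranges, key=lambda r: r["start"])
    for a, b in zip(ordered, ordered[1:]):
        if b["start"] <= a["end"]:
            raise ValueError(
                f"{a['name']} ({a['start']}-{a['end']}) overlaps "
                f"{b['name']} ({b['start']}-{b['end']})"
            )
    return ordered


def _leftover(old, start, end):
    # Replacement piece that keeps the deleted range's thresholds. The
    # 'Default<start>_<end>' label is an assumed convention, not a system one.
    return {"name": f"Default{start}_{end}", "start": start, "end": end,
            "inbound": old["inbound"], "outbound": old["outbound"]}


def carve(ranges, new):
    """Carve `new` out of the existing range that contains it.

    Mirrors the manual procedure: delete the containing range, add the new
    one, then re-add the leftover piece(s) on either side with the old
    thresholds. Returns the resulting non-overlapping, sorted range list.
    """
    if not validate_label(new["name"]):
        raise ValueError(f"invalid label: {new['name']!r}")
    if new["start"] > new["end"]:
        raise ValueError("range start must not exceed range end")
    if max(new["inbound"], new["outbound"]) > SYSTEM_MAX:
        raise ValueError(f"threshold exceeds system maximum {SYSTEM_MAX}")
    container = next((r for r in ranges
                      if r["start"] <= new["start"] and new["end"] <= r["end"]), None)
    if container is None:
        raise ValueError(f"no single existing range contains {new['start']}-{new['end']}")
    result = [r for r in ranges if r is not container]
    if container["start"] < new["start"]:
        result.append(_leftover(container, container["start"], new["start"] - 1))
    result.append(dict(new))
    if new["end"] < container["end"]:
        result.append(_leftover(container, new["end"] + 1, container["end"]))
    return check_no_overlap(result)


def plan(before, after):
    """Human-readable delete/add steps to go from `before` to `after`."""
    old = {(r["start"], r["end"]): r for r in before}
    new = {(r["start"], r["end"]): r for r in after}
    steps = [f"Delete {r['name']} ({s}-{e})"
             for (s, e), r in old.items() if (s, e) not in new]
    steps += [f"Add {r['name']} ({s}-{e}) in={r['inbound']} out={r['outbound']}"
              for (s, e), r in sorted(new.items()) if (s, e) not in old]
    return steps


# Constructed sample: the single high-port range System Recommendations leave.
SYS_RECO_HIGH = [{"name": "sys_reco_v10000_65535", "start": 10000, "end": 65535,
                  "inbound": 500, "outbound": 500}]

if __name__ == "__main__":
    carved = carve(SYS_RECO_HIGH, {"name": "Port11211", "start": 11211, "end": 11211,
                                   "inbound": 20000, "outbound": 20000})
    for step in plan(SYS_RECO_HIGH, carved):
        print(step)
```

The same function handles the Protocol case (carve 47-47 out of 18-255) and multi-port sub-ranges; carving a second range that straddles two of the pieces already created raises an error rather than silently producing an overlap, which is exactly the situation the GUI rejects.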

Adjusting minimum thresholds by percentage

You can adjust all of an SPP's thresholds at once by a percentage. This is useful when you expect a spike in legitimate traffic (for example, because of a news story or an advertising campaign). The adjustment can range from -100% to +300%.

Before you begin:

  • Go to Protection Profiles > Thresholds > Thresholds and record the current settings, so that you can later verify the adjustment and, if needed, restore the thresholds to their previous values.
  • You must have Read-Write permission for Protection Profile settings.

To adjust minimum thresholds by percentage:

  1. Go to Service Protection > Service Protection Policy > {SPP Rule} > Thresholds > Percent Adjust.
  2. Specify a percentage in the text box. The range of adjustment is from -100% to +300%.

    For example:

    • 100 pps Threshold + 20% adjustment = 120 pps
    • 100 pps Threshold - 17% adjustment = 83 pps
    • 100 pps Threshold + 120% adjustment = 220 pps
    • 100 pps Threshold - 20% adjustment = 80 pps
    • 100 pps Threshold - 100% adjustment = 0 pps (be careful when lowering thresholds this way: a 0 pps threshold drops all matching traffic in Prevention Mode)
  3. Save the configuration.
  4. Go to Protection Profiles > Thresholds > Thresholds and verify that the adjustment has been applied.

To configure using the CLI:

    config ddos spp rule
      edit <spp_name>
        set threshold-percent-adjust <integer>
      next
    end

Note: <integer> can be in the range -100 to 300.
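Step 4 above asks you to verify the adjustment against the values you recorded beforehand. The following is an added helper, not FortiDDoS code and not part of the original page, that computes the expected post-adjustment values for a recorded snapshot and lists any thresholds that do not match what was observed. The snapshot field names are constructed for the example; rounding to whole pps and capping at the 16,777,215 system maximum are assumptions (the page states the maximum but not the rounding), which is why the comparison allows a tolerance.

```python
SYSTEM_MAX = 16_777_215       # system maximum for a threshold (from the page)
PCT_MIN, PCT_MAX = -100, 300  # allowed Percent Adjust range (from the page)


def is_valid_percent(pct):
    """True if `pct` is a whole number within the -100..300 range the device accepts."""
    return isinstance(pct, int) and PCT_MIN <= pct <= PCT_MAX


def percent_adjust(threshold, pct):
    """Threshold after a Percent Adjust of `pct`.

    Assumption: the result is rounded to a whole pps value and cannot exceed
    SYSTEM_MAX; the page states neither, so treat both as approximations.
    """
    if not is_valid_percent(pct):
        raise ValueError(f"percent adjust must be an integer in {PCT_MIN}..{PCT_MAX}")
    return min(round(threshold * (100 + pct) / 100), SYSTEM_MAX)


def adjust_all(snapshot, pct):
    """Apply the same percentage to every threshold in a {name: value} snapshot."""
    return {name: percent_adjust(value, pct) for name, value in snapshot.items()}


def verify(before, after, pct, tolerance=1):
    """Names whose observed post-adjust value is not what `before` predicts.

    `tolerance` (pps) absorbs the device's own rounding, which the page does
    not specify. Thresholds missing from `after` are reported as well.
    """
    expected = adjust_all(before, pct)
    return sorted(name for name, want in expected.items()
                  if name not in after or abs(after[name] - want) > tolerance)


# Constructed sample snapshot of the Thresholds page before adjusting.
BEFORE = {"tcp_syn": 100, "udp_53": 2000, "sys_reco_v10000_65535": 500}

if __name__ == "__main__":
    for name, value in adjust_all(BEFORE, -17).items():
        print(f"{name}: {BEFORE[name]} -> {value}")
```

Record the snapshot before changing Percent Adjust, read the Thresholds page again after saving, and feed both to verify(); an empty result means every threshold moved by the expected amount, and any name returned is one to inspect by hand before trusting the new values.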
