Settings

Setting

Description

Out of Memory Mode

Tables in FortiDDoS models are sized to exceed high flood conditions. In the very unlikely event that memory tables such as the Source, Destination, and Session tables fill under flood, the system can either drop packets that exceed the capacity of the tables or bypass those packets with no mitigation.

Select either of the following options:

  • Drop — This is the preferred option since the tables will only fill under severe flood (or misconfigured systems).

  • Bypass — This is the default option.

SSL Hardware Mode

Enables or disables SSL Hardware Mode. The default is enable.

FortiDDoS models FDD-1500F and FDD-2000F can use an embedded hardware module to assist with SSL inspection.

With the SSL Hardware Mode enabled, depending on the SSL certificates, FortiDDoS will:

  • Decrypt traffic to inspect for HTTP rate and anomaly parameters such as Method Floods and HTTP Anomalies.

  • Drop over-threshold and anomalous packets.

  • Re-encrypt forwarded packets to the server.

Note: Attempting to inspect SSL packets on the model FDD-200F or VM04/08/16 can have significant impact on system performance and is not recommended. Enabling Hardware Mode on these models has no effect.

To configure using the CLI:

config ddos global settings
   set out-of-memory-mode {Bypass|Drop}
   set ssl-hardware-mode {enable|disable}
end

Note: The ssl-hardware-mode command is not available on 200F or VM models.
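
The following check is an added example, not Fortinet code. It audits a text configuration for the two settings above and treats an unset key as the default stated on this page (Bypass, enable). It assumes a configuration backup uses the same config/set/end syntax as the CLI shown here; the function names, the sample text and its first block are constructed for illustration.

```python
import re

# Defaults as stated on this page.
DEFAULTS = {"out-of-memory-mode": "Bypass", "ssl-hardware-mode": "enable"}
# Models the page says have the embedded SSL hardware module.
SSL_HW_MODELS = {"FDD-1500F", "FDD-2000F"}

def global_settings(config_text):
    """Effective values of 'config ddos global settings'; unset keys keep their defaults."""
    values, depth, inside = dict(DEFAULTS), 0, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            depth += 1
            if depth == 1:
                inside = (line == "config ddos global settings")
        elif line == "end":
            depth = max(depth - 1, 0)
            if depth == 0:
                inside = False
        elif inside and depth == 1:
            m = re.match(r"set\s+(\S+)\s+(\S+)", line)
            if m and m.group(1) in values:
                values[m.group(1)] = m.group(2)
    return values

def audit(config_text, model):
    """Findings for the two settings on this page, for the given model string."""
    s, findings = global_settings(config_text), []
    oom, ssl = s["out-of-memory-mode"], s["ssl-hardware-mode"]
    if oom.lower() != "drop":
        findings.append(f"out-of-memory-mode={oom}: packets beyond table capacity pass unmitigated")
    if model in SSL_HW_MODELS and ssl.lower() != "enable":
        findings.append(f"ssl-hardware-mode={ssl}: SSL hardware module not in use")
    return findings

# Constructed sample; the first block is hypothetical and only shows that
# same-named keys outside 'config ddos global settings' are ignored.
SAMPLE = """\
config hypothetical other-section
   set out-of-memory-mode Drop
end
config ddos global settings
   set ssl-hardware-mode disable
end
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE, "FDD-2000F"):
        print("FINDING:", finding)
```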
