Proxy IP

This section includes the following topics:

  • Proxy IP Detection
  • Proxy IP List
  • Best practices

Proxy IP Detection

FortiDDoS can take account of the possibility that a source IP address might be a proxy IP address, and adjust the threshold triggers accordingly. If a source IP address is determined to be a proxy IP address, the system adjusts thresholds for Most Active Source, SYN per source, Concurrent Connections per source, HTTP Method per source and DNS query per source by a multiplier that you specify.

You can configure either or both of the following methods to determine whether a source IP address is a proxy IP address:

  • Concurrent connection count—Used when there are many users behind a web proxy or NAT device like an enterprise firewall.
  • HTTP headers—Used when there are many users behind a Content Delivery Network (CDN), such as Akamai.

Before you begin:

  • You must have Read-Write permission for Global Settings.

To configure proxy IP settings:
  1. Go to Global Protection > Proxy IP > Proxy IP Detection.
  2. Complete the configuration as described in the table below.
  3. Save the configuration.

Proxy IP configuration

Settings and guidelines:

Detect proxy IP by number of connections
  Enable/Disable

Concurrent connections per source
  Every 5 minutes, the system records the IP addresses of sources with more than this number of concurrent connections, as candidates that might be using a proxy IP address. The default is 100 concurrent connections.

Proxy IP Percent present
  Threshold that determines whether a candidate source IP address is regarded as a proxy IP address. The default is 30: after the observation period, sources whose concurrent connection count was above the configured limit (by default 100) for 30% of the time are identified as proxy IPs.

Observation period
  • Past Week—Uses data from the past week to determine whether a source IP address is a proxy IP address.
  • Past Month—Uses data from the past month.

Header Status
  Enable/Disable

Header Type
  Select the HTTP headers that indicate a proxy address might be in use:
  • true-client-IP
  • x-forwarded-for (selecting this option also enables parsing of the x-true-client-ip and x-real-ip headers)

Proxy IP threshold factor
  Multiplier applied to the per-source thresholds when a source IP address is identified as a proxy IP address. For example, if you specify 32 and the Most Active Source threshold is 1000, the Most Active Source threshold applied to proxy IP addresses is 32 * 1000, or 32,000.
  The default is 128. The maximum is 32,768.
  Note: The Proxy IP Threshold Factor is set and displayed differently in the GUI and the CLI. In the GUI, the actual factor is set by the slider and shown in orange (default 128). In the CLI, the factor is entered as an exponent of 2: to set a factor of 1024, enter 10 (2^10 = 1024). If you check the threshold factor via the CLI, it shows the exponent value 10, whereas the GUI shows 1024.

Download List
  Enable/disable downloading of the proxy IP log.

To configure using the CLI:

  config ddos global proxy-ip-setting
    set auto_status {enable | disable}
    set percent <integer>
    set period {past-week | past-month}
    set header_status {enable | disable}
    set header_type {true-client-ip X-Forwarded-For}
    set traffic_coefficient <integer>
  end

Proxy IP List

FortiDDoS allows you to manually assign a source IP address as a proxy IP address through the GUI or CLI. If a source IP is assigned as a proxy IP, the system adjusts the thresholds for Most Active Source, SYN per source, Concurrent Connections per source, HTTP Method per source and DNS query per source by the multiplier that you specify as the Proxy IP threshold factor.

To configure proxy IP settings:

  1. Go to Global Protection > Proxy IP > Proxy IP List.
  2. Click Add.
  3. Complete the configuration as described in the following table.
  4. Save the configuration.

Settings and guidelines:

Name
  Proxy IP policy name.

Source Type
  Address IPv4

Source Address IPv4
  Proxy IP policy address (the source IP address the policy applies to).

Proxy IP Action
  Select one of the following options:
  • force-disable: Treat the address as not a proxy, even if automatic detection identified it as one, so that it does not receive the elevated thresholds.
  • force-enable: Treat the address as a proxy, even if automatic detection did not identify it as one, so that it receives the elevated thresholds.

To configure using the CLI:

  config ddos global proxy-policy
    edit <name>
      set source-type addr4
      set proxy-IP-address <datasource>
      set action {force-enable | force-disable}
    next
  end
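The detection rule, the Proxy IP List overrides and the threshold factor from the two sections above, as an added Python model (not FortiDDoS code). The counting semantics are assumptions: a 5-minute sample counts when the connection count is strictly above the limit, the percentage is taken over every sample in the observation period, and the sample addresses and counts are constructed.

```python
# Added example (not FortiDDoS code): a model of the proxy IP rules in this section.
from dataclasses import dataclass

@dataclass
class ProxyIpSetting:
    concurrent_connections: int = 100  # "Concurrent connections per source" default
    percent: int = 30                  # "Proxy IP Percent present" default
    threshold_factor: int = 128        # GUI "Proxy IP threshold factor" default


def is_proxy_ip(samples, setting):
    """True if the source exceeded the connection limit in at least `percent`
    percent of the 5-minute samples (assumed: strictly greater, over all samples)."""
    if not samples:
        return False
    above = sum(1 for n in samples if n > setting.concurrent_connections)
    return 100 * above >= setting.percent * len(samples)


def detect_proxy_ips(per_source_samples, setting, policy=None):
    """Automatic detection, then Proxy IP List overrides: force-disable drops an
    IP from the proxy set; force-enable adds it even if it was not detected."""
    proxies = {ip for ip, s in per_source_samples.items() if is_proxy_ip(s, setting)}
    for ip, action in (policy or {}).items():
        if action == "force-disable":
            proxies.discard(ip)
        elif action == "force-enable":
            proxies.add(ip)
    return sorted(proxies)


def effective_threshold(base_threshold, is_proxy, setting):
    """Per-source threshold actually applied: the base value, scaled for proxy IPs."""
    return base_threshold * setting.threshold_factor if is_proxy else base_threshold


def cli_traffic_coefficient(gui_factor):
    """The GUI shows the factor (e.g. 1024); the CLI stores the exponent of 2 (10).
    The factor must be a power of two no larger than 32,768."""
    if not 1 <= gui_factor <= 32768 or gui_factor & (gui_factor - 1):
        raise ValueError("threshold factor must be a power of 2 up to 32768")
    return gui_factor.bit_length() - 1

# Constructed sample data: 12 five-minute samples (one hour) per source address.
SAMPLES = {
    "198.51.100.7": [150, 120, 90, 200, 95, 130, 80, 110, 160, 70, 140, 105],  # 8/12 above
    "203.0.113.42": [20, 35, 101, 15, 10, 25, 30, 12, 18, 22, 27, 19],        # 1/12 above
    "192.0.2.9": [120, 50, 60, 130, 40, 30, 110, 45, 55, 65, 35, 50],         # 3/12, 25%
}
POLICY = {"192.0.2.9": "force-enable", "198.51.100.7": "force-disable"}  # constructed list
```

With the defaults, only 198.51.100.7 is detected automatically; the constructed Proxy IP List then drops it and adds 192.0.2.9, which at 25% fell short of the 30% threshold.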

Best practices

The following best practices are recommended:

  • Do not set the bypass bridge Tap Mode manually. Set it up as the action on failure for the bypass bridge Inline Mode and then force a failure of the out-of-path segment by turning on FortiDDoS Tap Mode.
  • In a FortiDDoS Tap Mode deployment, you can set SPPs in Detection Mode or Prevention Mode. Set it to whichever mode you want enabled when you toggle off Tap Mode and put FortiDDoS inline.
