Configuring Service Protection Policies

To create a Service Protection Policy:
  1. Go to Service Protection > Service Protection Policy.
  2. Click Create.
    • Name the SPP and save it for later configuration (recommended), or proceed to Service Protection Policy Feature Settings below.
    • Max 35 characters — if more are entered, the name is automatically truncated to 35.
    • Allowed characters include a-Z, 0-9, and four special characters: - _ . @

Note:

  • Creating a new SPP rule may be disallowed if the system reaches the maximum limit of SPP rules per platform.
  • After adding an SPP rule and Protection Subnets, it may take up to 12 minutes for traffic and drop data to appear in logs and graphs.

Model                         SPP Limits
VM04*                         4
VM08*, 200F                   8
VM16*, 1500F, 2000F, 3000F    16

*VMs may be limited if SRIOV NICs are not used.

New SPPs are enabled by default. You may set the SPP Status to disabled, but a disabled SPP does not monitor any traffic, even if it has configured Protection Subnets. All traffic is directed to the SPP with the next longest prefix or to the default SPP. Instead of disabling an SPP, put the SPP in Detection mode (also the default), where no traffic is dropped.
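The fall-through described above, as an added sketch (not Fortinet code): a simplified model of SPP selection by longest matching Protection Subnet prefix, which lists the addresses that move to another SPP when one SPP is disabled. The subnets, the probe addresses and the "prevention" mode label are assumptions made for the example.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Spp:
    name: str
    subnets: list            # Protection Subnets in CIDR notation
    enabled: bool = True     # SPP Status
    mode: str = "detection"  # "prevention" is this sketch's label for a mode that can drop

DEFAULT_SPP = Spp("default", [])

def select_spp(dst_ip, spps, default=DEFAULT_SPP):
    """Return the SPP handling dst_ip: the longest matching prefix among
    enabled SPPs, otherwise the default SPP."""
    addr = ipaddress.ip_address(dst_ip)
    best, best_len = default, -1
    for spp in spps:
        if not spp.enabled:
            continue  # a disabled SPP monitors nothing, even with subnets configured
        for cidr in spp.subnets:
            net = ipaddress.ip_network(cidr)
            if addr.version == net.version and addr in net and net.prefixlen > best_len:
                best, best_len = spp, net.prefixlen
    return best

def coverage_changes(spps, probe_ips, name):
    """Map each probe address that changes SPP when `name` is disabled to
    (old SPP, new SPP, mode of the new SPP)."""
    after = [Spp(s.name, s.subnets, s.enabled and s.name != name, s.mode) for s in spps]
    moved = {}
    for ip in probe_ips:
        old, new = select_spp(ip, spps), select_spp(ip, after)
        if old.name != new.name:
            moved[ip] = (old.name, new.name, new.mode)
    return moved

# Constructed sample policy set (documentation address ranges, hypothetical layout).
SPPS = [
    Spp("WEB_SERVICES", ["203.0.113.0/24"], mode="prevention"),
    Spp("spp01", ["203.0.113.64/26"]),  # new SPP, still in Detection mode
    Spp("FTP_SERVICES", ["198.51.100.0/25"], mode="prevention"),
]

if __name__ == "__main__":
    probes = ["203.0.113.70", "198.51.100.9"]
    for ip, change in coverage_changes(SPPS, probes, "spp01").items():
        print(ip, "moves", change)
```

Disabling spp01 here hands 203.0.113.70 to WEB_SERVICES, so that traffic is then judged under a different SPP's settings. Leaving spp01 enabled in Detection mode keeps it monitored by spp01.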

New SPPs, such as "spp01" above, have no Protection Profiles assigned. When Protection Profiles are configured and assigned, they appear in the SPP list to show which Profile is used with which SPP, as shown for WEB_SERVICES and FTP_SERVICES. SPP Profile settings are covered in the later section SPP Profiles Overview.

To configure using the CLI:

  config ddos spp rule
    edit <spp_name>
    next
  end

To edit an SPP rule:

Double-click the SPP Rule entry and modify the existing configuration.

This action may not be allowed if the SPP Rule Reset Action is in progress.

To configure using the CLI:

  config ddos spp rule
    edit <spp_name>
    next
  end

To reset an SPP rule:

Click the Reset button for each SPP rule entry.

This action resets all Configuration and Traffic data associated with the SPP Rule.

An SPP RRD Reset operation from the CLI is not allowed while an SPP Reset operation is in progress.

To configure using the CLI:

  execute spp-factory-reset spp <spp_name>

To delete an SPP rule:

Check the boxes next to the SPP rules you want to delete and then click the Delete button.

This action is not applicable to the default SPP Rule.

To configure using the CLI:

  config ddos spp rule
    delete <spp_name>
    next
  end

Navigating between Service Protection Policies

When editing any Service Protection Policy rule, a drop-down menu is available to switch to another SPP. If you have made changes on the current page, the system asks you to confirm whether to save those changes before switching SPPs.
