Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Handbook

    6.6.0
    7.0.3
    7.0.1
    7.0.0
    6.6.3
    6.6.3
    6.6.1
    6.6.0
    6.5.1
    6.5.0
    6.4.1
    6.4.0
    6.3.3
    6.3.2
    6.3.1
    6.2.3
    6.2.2
    6.2.1
    6.2.0
    6.1.1

    Proxy IP

    Proxy IP

    This section includes the following topics:

    Proxy IP Detection

    FortiDDoS can take account of the possibility that a source IP address might be a proxy IP address, and adjust the threshold triggers accordingly. If a source IP address is determined to be a proxy IP address, the system adjusts thresholds for Most Active Source, SYN per source, Concurrent Connections per source, HTTP Method per source and DNS query per source by a multiplier that you specify.

    You can configure either or both of the following methods to determine whether source IP address is a proxy IP address:

    • Concurrent connection count—Used when there are many users behind a web proxy or NAT device like an enterprise firewall.
    • HTTP headers—Used when there are many users behind a Content Delivery Network (CDN), such as Akamai.

    Before you begin:

    • You must have Read-Write permission for Global Settings.

    To configure proxy IP settings:
    1. Go to Global Protection > Proxy IP > Proxy IP Detection.
    2. Complete the configuration as described in the table below.
    3. Save the configuration.

    Proxy IP configuration

    Settings

    Guidelines

    Detect proxy IP by number of connections

    Enable/Disable

    Concurrent connections per source

    Every 5 minutes, the system records the IP addresses of sources with more than this number of concurrent connections to test whether those sources might be using a proxy IP address. The default is 100 concurrent connections.

    Proxy IP Percent present

    Threshold that determines whether the source IP address is regarded as a proxy IP address. For example, the default is 30. After the observation period, the IPs whose numbers of concurrent connections have been 30% of the time above 100 are identified as proxy IPs.

    Observation period
    • Past Week—Uses data from the past week to determine whether a source IP address is a proxy IP address.
    • Past Month—Uses data from the past month.

    Header Status

    Enable/Disable

    Header Type

    Select HTTP headers that indicate a proxy address might be in use:

    • true-client-IP
    • x-forwarded-for (selecting this option also enables parsing of x-true-client-ip and x-real-ip headers)

    Proxy IP threshold factor

    Specify a multiplier when the source IP address is identified as a proxy IP address. For example, if you specify 32, and the Most Active Source threshold is 1000, then the Most Active Source threshold applied to proxy IP addresses is 32 * 1000 or 32,000.

    The default is 128. The maximum is 32,768.

    Note: The Proxy IP Threshold Factor is set and displayed differently in the GUI and CLI. The actual Threshold Factor is set by the slider on the GUI and shown in orange (default 128). If set from the CLI, the factor must be set as an exponent of 2. For example, if you want to set the factor as '1024', you must enter '10' (2^10=1024). If you check the threshold factor via CLI, it shows the exponent value '10' whereas the GUI shows '1024'.

    Download List

    Enable/disable downloading proxy log.

    Tooltip

    To configure using the CLI:

    config ddos global proxy-ip-setting

    set auto_status {enable | disable}

    set percent <integer>

    set period {past-week | past-month}

    set header_status {enable | disable}

    set header_type {true-client-ip X-Forwarded-For}

    set traffic_coefficient <integer>

    end

    Proxy IP List

    FortiDDoS allows you to manually assign a source IP address as proxy IP address through the GUI or CLI. If a source IP is assigned as proxy IP, the system adjusts the thresholds for Most Active Source, SYN per source, Concurrent Connections per source, HTTP Method per source and DNS query per source by a multiplier that you specify.

    To configure proxy IP settings:

    1. Go to Global Protection > Proxy IP > Proxy IP List.
    2. Click Add.
    3. Complete the configuration as described in the following table.
    4. Save the configuration.

    Settings

    Guidelines

    Name

    Proxy IP policy name

    Source Type

    Address IPv4

    Source Address IPv4

    Proxy IP policy address

    Proxy IP Action

    Select from the following options:

    • force-disable: To disable automatically detected proxies ensuring that these IPs do not get the elevated treatment for thresholds.
    • force-enable: To force enable certain IPs as proxies ensuring that these IPs get elevated treatment even if it is not detected so by the automatic scheme.

    Tooltip

    To configure using the CLI:

    config ddos global proxy-policy

    edit <name>

    set source-type addr4

    set proxy-IP-address <datasource>

    set action <force-enable/ force-disable>

    next

    end
    Best practices

    The following recommended best practices:

    • Do not set the bypass bridge Tap Mode manually. Set it up as the action on failure for the bypass bridge Inline Mode and then force a failure of the out-of-path segment by turning on FortiDDoS Tap Mode.
    • In a FortiDDoS Tap Mode deployment, you can set SPPs in Detection Mode or Prevention Mode. Set it to whichever mode you want enabled when you toggle off Tap Mode and put FortiDDoS inline.
    Previous
    Next

    Proxy IP

    Proxy IP

    This section includes the following topics:

    Proxy IP Detection

    FortiDDoS can take account of the possibility that a source IP address might be a proxy IP address, and adjust the threshold triggers accordingly. If a source IP address is determined to be a proxy IP address, the system adjusts thresholds for Most Active Source, SYN per source, Concurrent Connections per source, HTTP Method per source and DNS query per source by a multiplier that you specify.

    You can configure either or both of the following methods to determine whether source IP address is a proxy IP address:

    • Concurrent connection count—Used when there are many users behind a web proxy or NAT device like an enterprise firewall.
    • HTTP headers—Used when there are many users behind a Content Delivery Network (CDN), such as Akamai.

    Before you begin:

    • You must have Read-Write permission for Global Settings.

    To configure proxy IP settings:
    1. Go to Global Protection > Proxy IP > Proxy IP Detection.
    2. Complete the configuration as described in the table below.
    3. Save the configuration.

    Proxy IP configuration

    Settings

    Guidelines

    Detect proxy IP by number of connections

    Enable/Disable

    Concurrent connections per source

    Every 5 minutes, the system records the IP addresses of sources with more than this number of concurrent connections to test whether those sources might be using a proxy IP address. The default is 100 concurrent connections.

    Proxy IP Percent present

    Threshold that determines whether the source IP address is regarded as a proxy IP address. For example, the default is 30. After the observation period, the IPs whose numbers of concurrent connections have been 30% of the time above 100 are identified as proxy IPs.

    Observation period
    • Past Week—Uses data from the past week to determine whether a source IP address is a proxy IP address.
    • Past Month—Uses data from the past month.

    Header Status

    Enable/Disable

    Header Type

    Select HTTP headers that indicate a proxy address might be in use:

    • true-client-IP
    • x-forwarded-for (selecting this option also enables parsing of x-true-client-ip and x-real-ip headers)

    Proxy IP threshold factor

    Specify a multiplier when the source IP address is identified as a proxy IP address. For example, if you specify 32, and the Most Active Source threshold is 1000, then the Most Active Source threshold applied to proxy IP addresses is 32 * 1000 or 32,000.

    The default is 128. The maximum is 32,768.

    Note: The Proxy IP Threshold Factor is set and displayed differently in the GUI and CLI. The actual Threshold Factor is set by the slider on the GUI and shown in orange (default 128). If set from the CLI, the factor must be set as an exponent of 2. For example, if you want to set the factor as '1024', you must enter '10' (2^10=1024). If you check the threshold factor via CLI, it shows the exponent value '10' whereas the GUI shows '1024'.

    Download List

    Enable/disable downloading proxy log.

    Tooltip

    To configure using the CLI:

    config ddos global proxy-ip-setting

    set auto_status {enable | disable}

    set percent <integer>

    set period {past-week | past-month}

    set header_status {enable | disable}

    set header_type {true-client-ip X-Forwarded-For}

    set traffic_coefficient <integer>

    end

    Proxy IP List

    FortiDDoS allows you to manually assign a source IP address as proxy IP address through the GUI or CLI. If a source IP is assigned as proxy IP, the system adjusts the thresholds for Most Active Source, SYN per source, Concurrent Connections per source, HTTP Method per source and DNS query per source by a multiplier that you specify.

    To configure proxy IP settings:

    1. Go to Global Protection > Proxy IP > Proxy IP List.
    2. Click Add.
    3. Complete the configuration as described in the following table.
    4. Save the configuration.

    Settings

    Guidelines

    Name

    Proxy IP policy name

    Source Type

    Address IPv4

    Source Address IPv4

    Proxy IP policy address

    Proxy IP Action

    Select from the following options:

    • force-disable: To disable automatically detected proxies ensuring that these IPs do not get the elevated treatment for thresholds.
    • force-enable: To force enable certain IPs as proxies ensuring that these IPs get elevated treatment even if it is not detected so by the automatic scheme.

    Tooltip

    To configure using the CLI:

    config ddos global proxy-policy

    edit <name>

    set source-type addr4

    set proxy-IP-address <datasource>

    set action <force-enable/ force-disable>

    next

    end
    Best practices

    The following recommended best practices:

    • Do not set the bypass bridge Tap Mode manually. Set it up as the action on failure for the bypass bridge Inline Mode and then force a failure of the out-of-path segment by turning on FortiDDoS Tap Mode.
    • In a FortiDDoS Tap Mode deployment, you can set SPPs in Detection Mode or Prevention Mode. Set it to whichever mode you want enabled when you toggle off Tap Mode and put FortiDDoS inline.
    Previous
    Next