Handbook

Service Protection Policy Overview

The Service Protection Policy (SPP) is the foundation of FortiDDoS mitigation: every mitigation feature, threshold and report is applied per SPP.

It allows users to:

  • Associate DDoS mitigation policies with the subnets to be protected.
  • Set thresholds manually, or generate them automatically from the FortiDDoS Traffic Statistics, which are learned continuously, to prevent DDoS attacks.
  • Configure subnets with Cloud Signaling thresholds for use with Cloud DDoS Mitigation.
  • Configure ACLs on different services.
  • Link SPPs to Protection Profiles with mitigation features for IP, ICMP, TCP, HTTP, SSL/TLS, NTP, DNS, and DTLS.
  • FortiDDoS supports a different maximum number of SPPs per model:

    Model                                    Maximum SPPs
    FDD-VM04                                 4
    FDD-200F / FDD-VM08                      8
    FDD-1500F / FDD-VM16                     16
    FDD-VM04/08/16 (KVM with Virtio NICs)    4

Before you begin:

  • You must have a good understanding of the features you want to enable. Refer to Key Concepts for more information.
  • You must have Read-Write permission for Protection Profile settings.
  • You must have a good understanding of your full public subnet and the services associated with your subnets. For most Enterprise customers, create SPPs for services like this:
    • Important: Firewalls and other primarily outbound devices like Proxies, WiFi Gateways, etc. Multiple devices per SPP are OK, but do not mix non-Firewall devices into this SPP.
    • Web and other servers
    • Authoritative DNS server, if you host one locally
    • Any other services that make sense to you, up to the maximum number of SPPs allowed.

    The more types of service placed in one SPP, the less granular the available mitigation. For example, most Firewalls that use web filtering encrypt their DNS queries to cloud services (like FortiGuard). FortiDDoS cannot inspect encrypted DNS, so many DNS features must be disabled or replaced in the Firewall SPP. If web servers are included in the Firewall SPP, those servers get less protection from common Reflected DNS Response floods.

  • Every Service Protection Policy (SPP) Rule protects a separate set of subnets and has its own set of graphs and logs.
  • Every FortiDDoS system has a default SPP that captures traffic for any subnet not configured in another SPP. Ideally the default SPP is left empty, but it can be used for subnets if required. It cannot be renamed or deleted.
  • Protection Subnets (down to a single IPv4 /32 or IPv6 /128 host) can be entered in any SPP in any order. Both IPv4 and IPv6 subnets can be in the same SPP. See Protection subnets for further information.
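The layout rules above (one SPP per service class, firewall-only devices in the Firewall SPP, no subnet in two SPPs, the model's SPP limit, and the default SPP as catch-all) are easy to get wrong on a large public range. The following planner is an added example, not Fortinet code and not the FortiDDoS CLI: it models a proposed SPP layout in plain Python and checks it before anything is typed into the appliance. The device-class labels (`firewall`, `proxy`, `web`, ...) and the assumption that the per-model limit counts the default SPP are this example's own; the sample addresses are constructed from documentation ranges.

```python
"""SPP layout planner, an added example (not Fortinet code).

Models each Service Protection Policy as a named list of protection
subnets and checks the handbook's design rules before configuration:
  - every address falls in exactly one SPP, else the default SPP;
  - no subnet overlaps a subnet in a different SPP;
  - the Firewall SPP holds only outbound-style devices;
  - the total SPP count stays within the model's limit.
"""
import ipaddress
from dataclasses import dataclass, field

# Maximum SPPs per model, from the handbook table above.
SPP_LIMIT = {"FDD-VM04": 4, "FDD-200F": 8, "FDD-VM08": 8,
             "FDD-1500F": 16, "FDD-VM16": 16}

# Device classes allowed to share the Firewall SPP (hypothetical labels).
FIREWALL_CLASSES = {"firewall", "proxy", "wifi-gateway"}


@dataclass
class Spp:
    name: str
    # (network, device_class) pairs; v4 and v6 may be mixed in one SPP.
    members: list = field(default_factory=list)

    def add(self, cidr, device_class):
        # strict=True rejects host bits set in the prefix (a typo catcher).
        self.members.append((ipaddress.ip_network(cidr, strict=True), device_class))
        return self


def lookup_spp(spps, address):
    """Name of the SPP whose most specific subnet holds address, else 'default'."""
    addr = ipaddress.ip_address(address)
    best = None
    for spp in spps:
        for net, _ in spp.members:
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[1]:
                    best = (spp.name, net.prefixlen)
    return best[0] if best else "default"


def validate(spps, model, firewall_spp="firewall"):
    """Return a list of rule violations (empty list means the plan is sound)."""
    problems = []
    # Assumption: the per-model limit counts the built-in default SPP too.
    total = len(spps) + 1
    limit = SPP_LIMIT[model]
    if total > limit:
        problems.append(f"{total} SPPs (incl. default) exceed {model} limit of {limit}")
    # A subnet configured in two SPPs has ambiguous thresholds and logs.
    seen = []
    for spp in spps:
        for net, _ in spp.members:
            for other_name, other in seen:
                if other_name != spp.name and net.overlaps(other):
                    problems.append(f"{net} in {spp.name} overlaps {other} in {other_name}")
            seen.append((spp.name, net))
    # Mixing servers into the Firewall SPP weakens their DNS-flood protection.
    for spp in spps:
        if spp.name == firewall_spp:
            for net, cls in spp.members:
                if cls not in FIREWALL_CLASSES:
                    problems.append(f"{net} ({cls}) does not belong in the {firewall_spp} SPP")
    return problems


def good_plan():
    # Constructed sample layout following the handbook's recommendation.
    return [
        Spp("firewall").add("203.0.113.1/32", "firewall").add("203.0.113.2/32", "proxy"),
        Spp("web").add("203.0.113.16/28", "web"),
        Spp("dns").add("203.0.113.53/32", "dns").add("2001:db8::53/128", "dns"),
    ]


def bad_plan():
    # Constructed layout that breaks three rules on an FDD-VM04.
    return [
        Spp("firewall").add("203.0.113.1/32", "firewall").add("203.0.113.16/28", "web"),
        Spp("web").add("203.0.113.16/28", "web"),
        Spp("dns").add("203.0.113.53/32", "dns"),
        Spp("misc").add("203.0.113.64/26", "other"),
    ]


if __name__ == "__main__":
    for ip in ("203.0.113.20", "203.0.113.53", "2001:db8::53", "203.0.113.100"):
        print(ip, "->", lookup_spp(good_plan(), ip))
    print("good plan:", validate(good_plan(), "FDD-VM04") or "OK")
    for p in validate(bad_plan(), "FDD-VM04"):
        print("bad plan:", p)
```

`lookup_spp` uses longest-prefix matching so a /32 host entry wins over a wider subnet, and anything outside every configured subnet is reported as `default`, mirroring the catch-all behaviour described above. Run the validator against the intended layout before creating SPPs on the appliance; the model name selects the limit row from the table.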
