firewall {DoS-policy | DoS-policy6}

Use these commands to configure Denial of Service (DoS) policies: DoS-policy applies to IPv4 traffic, and DoS-policy6 applies to IPv6 traffic. FortiGate Intrusion Protection uses Denial of Service (DoS) sensors to identify network traffic anomalies that do not fit known or preset traffic patterns. Four statistical anomaly types can be identified for the TCP, UDP, and ICMP protocols:

Flooding: If the number of sessions targeting a single destination in one second is over a threshold, the destination is experiencing flooding.
Scan: If the number of sessions from a single source in one second is over a threshold, the source is scanning.
Source session limit: If the number of concurrent sessions from a single source is over a threshold, the source session limit is reached.
Destination session limit: If the number of concurrent sessions to a single destination is over a threshold, the destination session limit is reached.

Enable or disable logging for each anomaly, and select the action taken in response to detecting an anomaly. Configure the anomaly thresholds to detect traffic patterns that could represent an attack.

Note

It is important to estimate the normal and expected traffic on the network before changing the default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high could allow some attacks.

The list of anomalies can be updated only when the FortiGate firmware image is upgraded.
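The four anomaly definitions above and the threshold trade-off from the note, worked through on a small session table. This is an added example, not Fortinet code: the session records and function names are constructed for illustration, and it models only the definitions as worded in the list, not FortiGate's internal counters.

```python
from collections import Counter, defaultdict

# Constructed session records (start_second, end_second, src, dst); not FortiGate output.
SESSIONS = (
    [(0, 30, "192.0.2.10", "198.51.100.5")] * 3                            # ordinary client
    + [(1, 2, "203.0.113.7", f"198.51.100.{h}") for h in range(101, 109)]  # one source, 8 new sessions in second 1
    + [(2, 40, f"192.0.2.{h}", "198.51.100.80") for h in range(20, 26)]    # 6 sources, one destination in second 2
)

def peak_new_per_second(sessions, field):
    """Highest number of sessions started in any one second, keyed by src (2) or dst (3)."""
    per_second = Counter((s[field], s[0]) for s in sessions)
    peaks = defaultdict(int)
    for (addr, _second), count in per_second.items():
        peaks[addr] = max(peaks[addr], count)
    return dict(peaks)

def peak_concurrent(sessions, field):
    """Highest number of simultaneously open sessions, keyed by src (2) or dst (3)."""
    events = defaultdict(list)
    for s in sessions:
        events[s[field]] += [(s[0], 1), (s[1], -1)]
    peaks = {}
    for addr, evs in events.items():
        open_now = peak = 0
        for _time, delta in sorted(evs):   # at equal times closes (-1) sort before opens (+1)
            open_now += delta
            peak = max(peak, open_now)
        peaks[addr] = peak
    return peaks

def over_threshold(sessions, thresholds):
    """Sorted (anomaly type, address, observed peak) for every peak above its threshold."""
    metrics = {
        "flooding": peak_new_per_second(sessions, 3),
        "scan": peak_new_per_second(sessions, 2),
        "source session limit": peak_concurrent(sessions, 2),
        "destination session limit": peak_concurrent(sessions, 3),
    }
    return sorted((kind, addr, seen) for kind, peaks in metrics.items()
                  for addr, seen in peaks.items() if seen > thresholds[kind])

if __name__ == "__main__":
    for limit in (2, 5, 10):               # too low, reasonable, too high for this sample
        print(limit, over_threshold(SESSIONS, dict.fromkeys(
            ["flooding", "scan", "source session limit", "destination session limit"], limit)))
```

With a limit of 2 the ordinary client at 192.0.2.10 is flagged (a false positive); with a limit of 10 nothing is flagged, including the source that opened eight sessions in one second.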

config firewall DoS-policy
    edit {policyid}
    # Configure IPv4 DoS policies.
        set policyid {integer}   Policy ID. range[0-9999]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comment. size[1023]
        set interface {string}   Incoming interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Source address name from available addresses.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Destination address name from available addresses.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config service
            edit {name}
            # Service object from available options.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        config anomaly
            edit {name}
            # Anomaly name.
                set name {string}   Anomaly name. size[63]
                set status {disable | enable}   Enable/disable this anomaly.
                set log {enable | disable}   Enable/disable anomaly logging.
                set action {pass | block | proxy}   Action taken when the threshold is reached.
                        pass   Allow traffic but record a log message if logging is enabled.
                        block  Block traffic if this anomaly is found.
                        proxy  Use a proxy to control the traffic flow.
                set quarantine {none | attacker}   Quarantine method.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {string}   Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
                set quarantine-log {disable | enable}   Enable/disable quarantine logging.
                set threshold {integer}   Anomaly threshold. Number of detected instances per minute that triggers the anomaly action. range[1-2147483647]
                set threshold(default) {integer}   Number of detected instances per minute which triggers action (1 - 2147483647, default = 1000). Note that each anomaly has a different threshold value assigned to it. range[0-4294967295]
            next
    next
end
config firewall DoS-policy6
    edit {policyid}
    # Configure IPv6 DoS policies.
        set policyid {integer}   Policy ID. range[0-9999]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comment. size[1023]
        set interface {string}   Incoming interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Source address name from available addresses.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr
            edit {name}
            # Destination address name from available addresses.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config service
            edit {name}
            # Service object from available options.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        config anomaly
            edit {name}
            # Anomaly name.
                set name {string}   Anomaly name. size[63]
                set status {disable | enable}   Enable/disable this anomaly.
                set log {enable | disable}   Enable/disable anomaly logging.
                set action {pass | block | proxy}   Action taken when the threshold is reached.
                        pass   Allow traffic but record a log message if logging is enabled.
                        block  Block traffic if this anomaly is found.
                        proxy  Use a proxy to control the traffic flow.
                set quarantine {none | attacker}   Quarantine method.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {string}   Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
                set quarantine-log {disable | enable}   Enable/disable quarantine logging.
                set threshold {integer}   Anomaly threshold. Number of detected instances per minute that triggers the anomaly action. range[1-2147483647]
                set threshold(default) {integer}   Number of detected instances per minute which triggers action (1 - 2147483647, default = 1000). Note that each anomaly has a different threshold value assigned to it. range[0-4294967295]
            next
    next
end
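A pre-deployment check for one anomaly entry, using the ranges and the quarantine-expiry format given in the syntax above. This is an added example, not Fortinet tooling: the function names are hypothetical, the reading of ###d##h##m (optional day, hour and minute fields in that order, hours at most 23, minutes at most 59) is an assumption, and the anomaly name in the sample call is an assumption to be checked against the list on your firmware.

```python
import re

ACTIONS = {"pass", "block", "proxy"}
MAX_EXPIRY_MIN = 364 * 1440 + 23 * 60 + 59   # 364d23h59m expressed in minutes
EXPIRY_RE = re.compile(r"(?:(\d{1,3})d)?(?:(\d{1,2})h)?(?:(\d{1,2})m)?")

def expiry_minutes(text):
    """Parse a ###d##h##m duration into minutes, enforcing the 1m..364d23h59m bounds."""
    m = EXPIRY_RE.fullmatch(text)
    if not text or not m:
        raise ValueError(f"not in ###d##h##m form: {text!r}")
    days, hours, mins = (int(g or 0) for g in m.groups())
    if hours > 23 or mins > 59:          # assumption: fields do not carry over
        raise ValueError(f"hours must be <= 23 and minutes <= 59: {text!r}")
    total = days * 1440 + hours * 60 + mins
    if not 1 <= total <= MAX_EXPIRY_MIN:
        raise ValueError(f"outside 1m..364d23h59m: {text!r}")
    return total

def anomaly_entry(name, threshold, action="block", quarantine="none", expiry=None, log=True):
    """Validate one anomaly entry against the documented ranges and render its CLI lines."""
    if not 1 <= len(name) <= 63:
        raise ValueError("anomaly name must be 1-63 characters")
    if action not in ACTIONS:
        raise ValueError(f"action must be one of {sorted(ACTIONS)}")
    if not 1 <= threshold <= 2147483647:
        raise ValueError("threshold must be in 1-2147483647")
    if quarantine not in {"none", "attacker"}:
        raise ValueError("quarantine must be none or attacker")
    if expiry is not None and quarantine != "attacker":
        raise ValueError("quarantine-expiry requires quarantine set to attacker")
    lines = [f'edit "{name}"', "    set status enable",
             f"    set log {'enable' if log else 'disable'}",
             f"    set action {action}", f"    set threshold {threshold}",
             f"    set quarantine {quarantine}"]
    if expiry is not None:
        expiry_minutes(expiry)           # raises if malformed or out of range
        lines.append(f"    set quarantine-expiry {expiry}")
    return "\n".join(lines + ["next"])

if __name__ == "__main__":
    # Sample call; the anomaly name is an assumption, not taken from this page.
    print(anomaly_entry("tcp_syn_flood", 2000, quarantine="attacker", expiry="30m"))
```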

Additional information

The following section is for those options that require additional explanation.
