firewall {DoS-policy | DoS-policy6}
Use these commands to configure Denial of Service (DoS) policies: DoS-policy applies to IPv4 traffic and DoS-policy6 applies to IPv6 traffic. FortiGate Intrusion Protection uses DoS sensors to identify network traffic anomalies that do not fit known or preset traffic patterns. Four statistical anomaly types can be identified for the TCP, UDP, and ICMP protocols:
| Anomaly | Description |
| --- | --- |
| Flooding | If the number of sessions targeting a single destination in one second is over a threshold, the destination is experiencing flooding. |
| Scan | If the number of sessions from a single source in one second is over a threshold, the source is scanning. |
| Source session limit | If the number of concurrent sessions from a single source is over a threshold, the source session limit is reached. |
| Destination session limit | If the number of concurrent sessions to a single destination is over a threshold, the destination session limit is reached. |
Enable or disable logging for each anomaly, and select the action taken in response to detecting an anomaly. Configure the anomaly thresholds to detect traffic patterns that could represent an attack.
It is important to estimate the normal and expected traffic on the network before changing the default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high could allow some attacks.
The list of anomalies can be updated only when the FortiGate firmware image is upgraded.
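The following Python model is an added example and is not Fortinet code: it implements the four counters from the table above over a small constructed set of session records, so the difference between the per-second flooding/scan rates and the concurrent source/destination session limits can be seen on real data before thresholds are changed. The one-second windows follow the table, "over a threshold" is read as strictly greater, and the `baseline()` helper reports the peak of each counter over known-good traffic, which is the estimate the paragraph above asks for before thresholds are lowered. All IP addresses and session timings are constructed.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample sessions (not captured from any device):
# (start_second, end_second, src_ip, dst_ip); a session is open at second t
# when start <= t < end.  NORMAL is ordinary client traffic; ATTACK adds a
# scan-like burst from one source and a flood of new sessions to one host.
NORMAL = [
    (0, 10, "10.0.0.11", "10.0.0.50"),
    (0, 5, "10.0.0.12", "10.0.0.50"),
    (1, 6, "10.0.0.13", "10.0.0.51"),
    (2, 7, "10.0.0.11", "10.0.0.51"),
]
ATTACK = [(3, 4, "10.0.0.99", f"10.0.0.{60 + i}") for i in range(5)] + [
    (5, 8, f"10.0.0.{20 + i}", "10.0.0.50") for i in range(6)
]
SESSIONS = NORMAL + ATTACK


@dataclass(frozen=True)
class Thresholds:
    flood: int      # new sessions to one destination in one second
    scan: int       # new sessions from one source in one second
    src_limit: int  # concurrent sessions from one source
    dst_limit: int  # concurrent sessions to one destination


def per_second_rates(sessions):
    """Count new sessions per (second, destination) and per (second, source)."""
    to_dst, from_src = defaultdict(int), defaultdict(int)
    for start, _end, src, dst in sessions:
        to_dst[(start, dst)] += 1
        from_src[(start, src)] += 1
    return to_dst, from_src


def concurrent_counts(sessions):
    """Count open sessions per (second, source) and per (second, destination)."""
    by_src, by_dst = defaultdict(int), defaultdict(int)
    last = max((end for _s, end, _a, _b in sessions), default=0)
    for t in range(last + 1):
        for start, end, src, dst in sessions:
            if start <= t < end:
                by_src[(t, src)] += 1
                by_dst[(t, dst)] += 1
    return by_src, by_dst


def detect(sessions, th):
    """Return sorted (anomaly, address, second, count) tuples that exceed a threshold."""
    to_dst, from_src = per_second_rates(sessions)
    by_src, by_dst = concurrent_counts(sessions)
    checks = [
        ("flooding", to_dst, th.flood),
        ("scan", from_src, th.scan),
        ("source_session_limit", by_src, th.src_limit),
        ("destination_session_limit", by_dst, th.dst_limit),
    ]
    events = set()
    for name, counter, limit in checks:
        for (t, addr), n in counter.items():
            if n > limit:  # "over a threshold" is read as strictly greater
                events.add((name, addr, t, n))
    return sorted(events)


def baseline(sessions):
    """Peak of each counter over known-good traffic; thresholds should sit above these."""
    to_dst, from_src = per_second_rates(sessions)
    by_src, by_dst = concurrent_counts(sessions)
    return {
        "flood": max(to_dst.values(), default=0),
        "scan": max(from_src.values(), default=0),
        "src_limit": max(by_src.values(), default=0),
        "dst_limit": max(by_dst.values(), default=0),
    }


if __name__ == "__main__":
    print("peaks over normal traffic:", baseline(NORMAL))
    th = Thresholds(flood=4, scan=3, src_limit=3, dst_limit=5)
    for event in detect(SESSIONS, th):
        print(event)
```

Running the block prints the baseline peaks for the normal traffic (2, 1, 2, 2) and then the events raised once the attack sessions are mixed in. Note that one burst can trip two counters at once: the five one-second sessions from 10.0.0.99 raise both the scan rate and the source session limit, while the six new sessions to 10.0.0.50 raise flooding at second 5 and keep the destination session limit raised for as long as they stay open.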
config firewall DoS-policy
    edit {policyid}
    # Configure IPv4 DoS policies.
        set policyid {integer}   Policy ID. range[0-9999]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comment. size[1023]
        set interface {string}   Incoming interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Source address name from available addresses.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config dstaddr
            edit {name}
            # Destination address name from available addresses.
                set name {string}   Address name. size[64] - datasource(s): firewall.address.name,firewall.addrgrp.name
            next
        config service
            edit {name}
            # Service object from available options.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        config anomaly
            edit {name}
            # Anomaly name.
                set name {string}   Anomaly name. size[63]
                set status {disable | enable}   Enable/disable this anomaly.
                set log {enable | disable}   Enable/disable anomaly logging.
                set action {pass | block | proxy}   Action taken when the threshold is reached.
                        pass   Allow traffic but record a log message if logging is enabled.
                        block  Block traffic if this anomaly is found.
                        proxy  Use a proxy to control the traffic flow.
                set quarantine {none | attacker}   Quarantine method.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from the attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {string}   Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
                set quarantine-log {disable | enable}   Enable/disable quarantine logging.
                set threshold {integer}   Anomaly threshold. Number of detected instances per minute that triggers the anomaly action. range[1-2147483647]
                set threshold(default) {integer}   Number of detected instances per minute which triggers the action (1 - 2147483647, default = 1000). Note that each anomaly has a different default threshold value assigned to it. range[0-4294967295]
            next
    next
end
config firewall DoS-policy6
    edit {policyid}
    # Configure IPv6 DoS policies.
        set policyid {integer}   Policy ID. range[0-9999]
        set status {enable | disable}   Enable/disable this policy.
        set comments {string}   Comment. size[1023]
        set interface {string}   Incoming interface name from available interfaces. size[35] - datasource(s): system.zone.name,system.interface.name
        config srcaddr
            edit {name}
            # Source address name from available addresses.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config dstaddr
            edit {name}
            # Destination address name from available addresses.
                set name {string}   Address name. size[64] - datasource(s): firewall.address6.name,firewall.addrgrp6.name
            next
        config service
            edit {name}
            # Service object from available options.
                set name {string}   Service name. size[64] - datasource(s): firewall.service.custom.name,firewall.service.group.name
            next
        config anomaly
            edit {name}
            # Anomaly name.
                set name {string}   Anomaly name. size[63]
                set status {disable | enable}   Enable/disable this anomaly.
                set log {enable | disable}   Enable/disable anomaly logging.
                set action {pass | block | proxy}   Action taken when the threshold is reached.
                        pass   Allow traffic but record a log message if logging is enabled.
                        block  Block traffic if this anomaly is found.
                        proxy  Use a proxy to control the traffic flow.
                set quarantine {none | attacker}   Quarantine method.
                        none      Quarantine is disabled.
                        attacker  Block all traffic sent from the attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
                set quarantine-expiry {string}   Duration of quarantine. (Format ###d##h##m, minimum 1m, maximum 364d23h59m, default = 5m). Requires quarantine set to attacker.
                set quarantine-log {disable | enable}   Enable/disable quarantine logging.
                set threshold {integer}   Anomaly threshold. Number of detected instances per minute that triggers the anomaly action. range[1-2147483647]
                set threshold(default) {integer}   Number of detected instances per minute which triggers the action (1 - 2147483647, default = 1000). Note that each anomaly has a different default threshold value assigned to it. range[0-4294967295]
            next
    next
end
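The following pre-flight checker is an added example, not Fortinet code: it validates a DoS policy against the constraints stated in the two reference trees above (policy ID range, name lengths, the `quarantine-expiry` format and its 1m..364d23h59m bounds, the rule that `quarantine-expiry` requires `quarantine attacker`, and the 1..2147483647 threshold range) and then renders the CLI stanza for either the IPv4 or IPv6 table. Anomaly names such as `tcp_syn_flood` and the object names `all` and `ALL` are assumptions; the anomaly names actually available come from the device's firmware, as the page notes. Each nested table is closed with `end` as it would be typed at the CLI, which the reference tree leaves implicit.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constraints copied from the reference trees above (hypothetical checker, not FortiOS code).
ACTIONS = ("pass", "block", "proxy")
QUARANTINES = ("none", "attacker")
THRESHOLD_MAX = 2147483647
POLICYID_MAX = 9999
EXPIRY_RE = re.compile(r"^(?:(\d{1,3})d)?(?:(\d{1,2})h)?(?:(\d{1,2})m)?$")
MAX_EXPIRY_MIN = 364 * 1440 + 23 * 60 + 59  # 364d23h59m expressed in minutes


def expiry_minutes(value: str) -> int:
    """Parse a ###d##h##m quarantine-expiry string into minutes, enforcing 1m..364d23h59m."""
    m = EXPIRY_RE.match(value or "")
    if not value or not m:
        raise ValueError(f"quarantine-expiry {value!r} is not of the form ###d##h##m")
    days, hours, mins = (int(g) if g else 0 for g in m.groups())
    total = days * 1440 + hours * 60 + mins
    if not 1 <= total <= MAX_EXPIRY_MIN:
        raise ValueError(f"quarantine-expiry {value!r} is outside 1m..364d23h59m")
    return total


@dataclass
class Anomaly:
    name: str
    action: str = "pass"
    log: bool = True
    quarantine: str = "none"
    quarantine_expiry: Optional[str] = None  # only meaningful with quarantine attacker
    quarantine_log: bool = False
    threshold: Optional[int] = None          # None keeps the anomaly's own default

    def errors(self) -> List[str]:
        out = []
        if not 1 <= len(self.name) <= 63:
            out.append(f"anomaly name {self.name!r} must be 1..63 characters")
        if self.action not in ACTIONS:
            out.append(f"{self.name}: action must be one of {ACTIONS}")
        if self.quarantine not in QUARANTINES:
            out.append(f"{self.name}: quarantine must be one of {QUARANTINES}")
        if self.quarantine_expiry is not None:
            if self.quarantine != "attacker":
                out.append(f"{self.name}: quarantine-expiry requires quarantine attacker")
            else:
                try:
                    expiry_minutes(self.quarantine_expiry)
                except ValueError as exc:
                    out.append(f"{self.name}: {exc}")
        if self.threshold is not None and not 1 <= self.threshold <= THRESHOLD_MAX:
            out.append(f"{self.name}: threshold must be 1..{THRESHOLD_MAX}")
        return out

    def render(self, indent: str) -> List[str]:
        on = lambda flag: "enable" if flag else "disable"
        lines = [f"{indent}edit {self.name}", f"{indent}    set status enable",
                 f"{indent}    set log {on(self.log)}", f"{indent}    set action {self.action}",
                 f"{indent}    set quarantine {self.quarantine}"]
        if self.quarantine_expiry is not None:
            lines.append(f"{indent}    set quarantine-expiry {self.quarantine_expiry}")
        lines.append(f"{indent}    set quarantine-log {on(self.quarantine_log)}")
        if self.threshold is not None:
            lines.append(f"{indent}    set threshold {self.threshold}")
        return lines + [f"{indent}next"]


@dataclass
class DosPolicy:
    policyid: int
    interface: str
    srcaddr: List[str]
    dstaddr: List[str]
    service: List[str]
    anomalies: List[Anomaly]
    ipv6: bool = False
    comments: str = ""

    def tables(self):
        return (("srcaddr", self.srcaddr), ("dstaddr", self.dstaddr), ("service", self.service))

    def errors(self) -> List[str]:
        out = []
        if not 0 <= self.policyid <= POLICYID_MAX:
            out.append(f"policyid must be 0..{POLICYID_MAX}")
        if not 1 <= len(self.interface) <= 35:
            out.append("interface name must be 1..35 characters")
        if len(self.comments) > 1023:
            out.append("comments must be at most 1023 characters")
        for label, names in self.tables():
            if not names:
                out.append(f"{label} must reference at least one object")
            out += [f"{label} name {n!r} must be 1..64 characters" for n in names if not 1 <= len(n) <= 64]
        for a in self.anomalies:
            out += a.errors()
        return out

    def render(self) -> str:
        """Return the CLI stanza; refuse to render a policy that fails validation."""
        errs = self.errors()
        if errs:
            raise ValueError("; ".join(errs))
        table = "DoS-policy6" if self.ipv6 else "DoS-policy"
        lines = [f"config firewall {table}", f"    edit {self.policyid}",
                 "        set status enable", f"        set interface {self.interface}"]
        if self.comments:
            lines.append(f'        set comments "{self.comments}"')
        for label, names in self.tables():
            lines.append(f"        config {label}")
            for n in names:
                lines += [f"            edit {n}", "            next"]
            lines.append("        end")
        lines.append("        config anomaly")
        for a in self.anomalies:
            lines += a.render("            ")
        return "\n".join(lines + ["        end", "    next", "end"])


if __name__ == "__main__":
    syn = Anomaly("tcp_syn_flood", action="block", quarantine="attacker",
                  quarantine_expiry="10m", threshold=2000)  # assumed anomaly name
    print(DosPolicy(1, "port1", ["all"], ["all"], ["ALL"], [syn]).render())
```

The checker is deliberately stricter than the device in one respect: it refuses to render at all when any field is out of range, so a policy that would be silently clipped or rejected by the CLI is caught in review instead.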
Additional information
The following section is for those options that require additional explanation.