Handbook

IPv4 DoS policy

6.0.0

IPv4 DoS policy

To configure an IPv4 DoS policy in the GUI

  1. Go to Policy & Objects > IPv4 DoS Policy

    The right side window will display a table of the existing IPv4 DoS Policies.

    • To edit an existing policy, double click on the policy you wish to edit
    • To create a new policy, select the Create New icon in the top left side of the right window.
  2. Set the Incoming Interface parameter by using the drop down menu to select a single interface.
  3. Set the Source Address parameter by selecting the field with the "+" next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  4. Set the Destination Address parameter by selecting the field with the "+" next to the field label. Single or multiple options can be selected unless the all option is chosen in which case, it will be the only option.
  5. Set the Services parameter by selecting the field with the "+" next to the field label. Single or multiple options can be selected unless the ALL option is chosen in which case, it will be the only option. For more information on services, see Services and TCP ports.
  6. Set the parameters for the various traffic anomalies.

    All of the anomalies for which profiles have been created are listed in two tables, which split them into L3 Anomalies and L4 Anomalies. Each anomaly has the following parameters, which can be set per anomaly or for a whole column at once.

    • Status - enable or disable the indicated profile
    • Logging - enable or disable logging of the indicated profile being triggered
    • Action - whether to Pass or Block traffic when the threshold is reached
    • Threshold - the number of anomalous packets detected before triggering the action.

    The listing of anomaly profiles includes:

    L3 Anomalies

    • ip_src_session
    • ip_dst_session

    L4 Anomalies

    • tcp_syn_flood
    • tcp_port_scan
    • tcp_src_session
    • tcp_dst_session
    • udp_flood
    • udp_scan
    • udp_src_session
    • udp_dst_session
    • icmp_flood
    • icmp_sweep
    • icmp_src_session
    • sctp_flood
    • sctp_scan
    • sctp_src_session
    • sctp_dst_session
  7. Toggle whether or not to Enable this policy. The default is enabled.
  8. Select the OK button to save the policy.

Example

The company wishes to protect against Denial of Service attacks. For some attack types they want to block the attack if its incidence goes above a certain threshold; for others they only want to establish a baseline of activity for that type of attack, so the traffic is allowed to pass through without action.

  • The interface to the Internet is on WAN1
  • There is no requirement to specify which addresses are being protected or protected from.
  • The protection is to extend to all services.
  • The TCP attacks are to be blocked
  • The UDP, ICMP, and IP attacks are to be recorded but not blocked.
  • The SCTP attack filters are disabled
  • The tcp_syn_flood attack's threshold is to be changed from the default to 1000

Configuring the DoS policy in the GUI

  1. Go to Policy & Objects > Policy > DoS.
  2. Create a new policy
  3. Fill out the fields with the following information:
    Field                  Value
    Incoming Interface     wan1
    Source Address         all
    Destination Address    all
    Service                ALL

    L3 Anomalies

    Name                Status         Logging        Action   Threshold
    ip_src_session      enabled        enabled        Pass     5000
    ip_dst_session      enabled        enabled        Pass     5000

    L4 Anomalies

    Name                Status         Logging        Action   Threshold
    tcp_syn_flood       enabled        enabled        Block    1000
    tcp_port_scan       enabled        enabled        Block    <default value>
    tcp_src_session     enabled        enabled        Block    <default value>
    tcp_dst_session     enabled        enabled        Block    <default value>
    udp_flood           enabled        enabled        Pass     <default value>
    udp_scan            enabled        enabled        Pass     <default value>
    udp_src_session     enabled        enabled        Pass     <default value>
    udp_dst_session     enabled        enabled        Pass     <default value>
    icmp_flood          enabled        enabled        Pass     <default value>
    icmp_sweep          enabled        enabled        Pass     <default value>
    icmp_src_session    enabled        enabled        Pass     <default value>
    icmp_dst_session    enabled        enabled        Pass     <default value>
    sctp_flood          not enabled    not enabled    Pass     <default value>
    sctp_scan           not enabled    not enabled    Pass     <default value>
    sctp_src_session    not enabled    not enabled    Pass     <default value>
    sctp_dst_session    not enabled    not enabled    Pass     <default value>
  4. Toggle the button next to Enable this policy to ON.
  5. Select OK.

Configuring the IPv4 DoS policy in the CLI

Using the CLI of your choice, enter the following commands:

config firewall DoS-policy
    edit 0
        set status enable
        set interface wan1
        set srcaddr all
        set dstaddr all
        set service ALL
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log disable
                set action block
                set threshold 1000
            next
            edit "tcp_port_scan"
                set status enable
                set log disable
                set action block
                set threshold 1000
            next
            edit "tcp_src_session"
                set status enable
                set log disable
                set action block
                set threshold 5000
            next
            edit "tcp_dst_session"
                set status enable
                set log disable
                set action block
                set threshold 5000
            next
            edit "udp_flood"
                set status enable
                set log disable
                set action pass
                set threshold 2000
            next
            edit "udp_scan"
                set status enable
                set log disable
                set action pass
                set quarantine none
                set threshold 2000
            next
            edit "udp_src_session"
                set status enable
                set log disable
                set action pass
                set threshold 5000
            next
            edit "udp_dst_session"
                set status enable
                set log disable
                set action pass
                set threshold 5000
            next
            edit "icmp_flood"
                set status enable
                set log disable
                set action pass
                set threshold 250
            next
            edit "icmp_sweep"
                set status enable
                set log disable
                set action pass
                set threshold 100
            next
            edit "icmp_src_session"
                set status enable
                set log disable
                set action pass
                set threshold 300
            next
            edit "icmp_dst_session"
                set status enable
                set log disable
                set action pass
                set threshold 1000
            next
            edit "ip_src_session"
                set status disable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "ip_dst_session"
                set status disable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "sctp_flood"
                set status disable
                set log disable
                set action pass
                set threshold 2000
            next
            edit "sctp_scan"
                set status disable
                set log disable
                set action pass
                set threshold 1000
            next
            edit "sctp_src_session"
                set status disable
                set log disable
                set action pass
                set threshold 5000
            next
            edit "sctp_dst_session"
                set status disable
                set log disable
                set action pass
                set threshold 5000
            next
        end
    next
end

Note: In this example, all of the relevant settings have been left in, but some of them are default settings and would not have to be set explicitly to work. For instance, if the action parameter is not set, it automatically defaults to pass.
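One way to verify that a DoS policy actually matches the requirements listed in the Example (TCP blocked, UDP/ICMP/IP logged but passed, SCTP disabled, tcp_syn_flood threshold 1000) before it is pushed to a FortiGate: an added example, not Fortinet code, that parses the anomaly entries of a "config firewall DoS-policy" text block and reports every setting that deviates. The SAMPLE is a constructed excerpt of the CLI block above, and the parser only understands the nesting used on this page.

```python
# Added example, not Fortinet code: parse the anomaly entries of a FortiOS
# "config firewall DoS-policy" block and check them against the stated requirements.
SAMPLE = """\
config anomaly
    edit "tcp_syn_flood"
        set status enable
        set log disable
        set action block
        set threshold 1000
    next
    edit "udp_flood"
        set status enable
        set log disable
        set action pass
        set threshold 2000
    next
end
"""

def parse_anomalies(text):
    # Quoted 'edit' names are anomaly entries; the unquoted policy id (edit 0) is skipped.
    anomalies, current = {}, None
    for tok in (line.split() for line in text.splitlines()):
        if len(tok) > 1 and tok[0] == "edit" and tok[1].startswith('"'):
            current = tok[1].strip('"')
            anomalies[current] = {}
        elif tok and tok[0] == "set" and current is not None:
            anomalies[current][tok[1]] = " ".join(tok[2:])
        elif tok and tok[0] == "next":
            current = None
    return anomalies

# Requirements by protocol prefix, plus the per-anomaly threshold override from the example.
LOGGED = {"status": "enable", "action": "pass", "log": "enable"}
WANT = {"tcp": {"status": "enable", "action": "block"}, "sctp": {"status": "disable"},
        "udp": LOGGED, "icmp": LOGGED, "ip": LOGGED}
EXTRA = {"tcp_syn_flood": {"threshold": "1000"}}

def check(anomalies):
    """Return (anomaly, setting, expected, actual) for every mismatch."""
    findings = []
    for name, settings in anomalies.items():
        want = dict(WANT[name.split("_")[0]], **EXTRA.get(name, {}))
        for key, expected in want.items():
            # An unset action defaults to pass (see the note above).
            actual = settings.get(key, "pass" if key == "action" else None)
            if actual != expected:
                findings.append((name, key, expected, actual))
    return findings
```

Run against the full CLI block above, the check reports the entries whose `log` is disabled although the requirements call for those protocols to be recorded, and the `ip_*` entries whose status is disabled although the GUI table shows them enabled.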