Administration Guide

Create a new DoS policy

This section describes how to create denial of service (DoS) policies.

See DoS policy in the FortiOS Administration Guide for more information.

Note

You must enable the visibility of this feature in Policy & Objects before it can be configured. To toggle feature visibility, go to Policy & Objects > Tools > Feature Visibility, and add or remove a checkmark for the corresponding feature.

To create a new DoS policy:
  1. If using ADOMs, ensure that you are in the correct ADOM.
  2. Go to Policy & Objects > Policy Packages.
  3. In the tree menu for the policy package, click IPv4 DoS Policy or IPv6 DoS Policy.
  4. Click Create New.
  5. Enter the following information:

    Option

    Description

    Name

    Enter a unique name for the policy. Each policy must have a unique name.

    Incoming Interface

    Click the field then select interfaces.

    Click the remove icon to remove interfaces.

    Source Address

    Select source addresses, address groups, virtual IPs, and virtual IP groups.

    Destination Address

    Select destination addresses, address groups, virtual IPs, and virtual IP groups.

    Service

    Select services and service groups.

    L3/L4 Anomalies

    Configure the anomalies:

    • Logging: Enable or disable logging for the anomaly. Anomalous traffic is logged only when logging is enabled and the action is Block or Monitor.

    • Action: Select the action to take when the threshold is reached:

      • Disable: Do not scan for the anomaly.

      • Block: Drop the anomalous traffic.

      • Monitor: Allow the anomalous traffic but record a log message if logging is enabled.

    • Threshold: Set the value that triggers the anomaly action. The unit depends on the anomaly type: packets or sessions per second for the flood, scan and sweep anomalies, and concurrent sessions for the session anomalies (see the default thresholds below).

    • Quarantine: Select which system quarantine to use for the source of blocked anomalous traffic.

    See below for descriptions of each anomaly type.

    Advanced Options > comments

    Add a description of the policy, such as its purpose or the changes that have been made to it. A comment entered here overwrites any comment entered for the policy in a Comments field elsewhere.

    Change Note

    Add a description of the changes being made to the policy. This field is required.

    L3 Anomalies

    ip_src_session
      If the number of concurrent IP connections from one source IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 5000 concurrent sessions.

    ip_dst_session
      If the number of concurrent IP connections to one destination IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 5000 concurrent sessions.

    L4 Anomalies

    tcp_syn_flood
      If the SYN packet rate of new TCP connections, including retransmissions, to one destination IP address exceeds the configured threshold value, the action is executed.
      An additional Proxy action is available for this anomaly type. With Proxy, once the threshold is exceeded the FortiGate acts as a SYN proxy for the destination: it answers each new SYN with a SYN/ACK itself and only opens a session to the protected server after the client completes the three-way handshake, so spoofed and half-open connections never reach the server.
      The Proxy action is only available on these platforms: FGC_3000D, FGC_3100D, FGC_3200D, FGC3700D, FGC3700DX, FGC_5001D, FGT_1500D, FGT_3000D, FGT_3100D, FGT_3200D, FGT3700D, FGT3700DX, and FGT_5001D.
      Default threshold: 2000 packets per second.

    tcp_port_scan
      If the SYN packet rate of new TCP connections, including retransmissions, from one source IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 1000 packets per second.

    tcp_src_session
      If the number of concurrent TCP connections from one source IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 5000 concurrent sessions.

    tcp_dst_session
      If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 5000 concurrent sessions.

    udp_flood
      If the rate of UDP packets sent to one destination IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 2000 packets per second.

    udp_scan
      If the UDP session setup rate originating from one source IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 2000 sessions per second.

    udp_src_session
      If the number of concurrent UDP connections from one source IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 5000 concurrent sessions.

    udp_dst_session
      If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 5000 concurrent sessions.

    icmp_flood
      If the rate of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 250 packets per second.

    icmp_sweep
      If the ICMP session setup rate originating from one source IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 100 sessions per second.

    icmp_src_session
      If the number of concurrent ICMP connections from one source IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 300 concurrent sessions.

    icmp_dst_session
      If the number of concurrent ICMP connections to one destination IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 1000 concurrent sessions.

    sctp_flood
      If the rate of SCTP packets sent to one destination IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 2000 packets per second.

    sctp_scan
      If the number of SCTP sessions originating from one source IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 1000 packets per second.

    sctp_src_session
      If the number of concurrent SCTP connections from one source IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 5000 concurrent sessions.

    sctp_dst_session
      If the number of concurrent SCTP connections to one destination IP address exceeds the configured threshold value, the action is executed.
      Default threshold: 5000 concurrent sessions.

  6. Click OK to create the policy. You can enable or disable the policy from its right-click menu. When a policy is disabled, a disabled icon is displayed in the Seq.# column to the left of the number. By default, new policies are added to the bottom of the list, above the implicit policy.
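The GUI steps above produce an entry in the FortiGate's firewall DoS-policy table. The following is an added example, not taken from this guide or from Fortinet's own documentation, showing the FortiOS CLI equivalent of one such IPv4 policy as it could be pushed in a FortiManager CLI script or typed on a FortiGate. The interface name wan1, the VIP group web-vip-group, policy ID 1 and the 30m quarantine expiry are assumptions for illustration; the thresholds are the page's defaults.

```fortios
# Added example (not from this guide): FortiOS CLI for the DoS policy built
# in the GUI steps above. "wan1" and "web-vip-group" are assumed objects and
# policy ID 1 is assumed to be unused; change them to match your ADOM.
config firewall DoS-policy
    edit 1
        set name "dos-wan1-inbound"
        set comments "Rate-limit floods and scans against the public web VIPs"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "web-vip-group"
        set service "HTTP" "HTTPS"
        config anomaly
            # GUI Action "Block" with Logging enabled: SYNs above 2000/s to one
            # destination are dropped and the event is logged
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            # GUI Action "Monitor": the CLI action is "pass" with logging on, so
            # the anomaly is logged but nothing is dropped. Run a new threshold
            # in this mode first and baseline the logs before switching to block.
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action pass
                set threshold 1000
            next
            # Block plus the GUI Quarantine option: the offending source IP is
            # quarantined for 30 minutes (expiry value is an assumed choice)
            edit "ip_src_session"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 30m
                set quarantine-log enable
                set threshold 5000
            next
            # GUI Action "Disable": the anomaly is not scanned at all
            edit "sctp_flood"
                set status disable
            next
        end
    next
end
# Check the result as written to the device
show firewall DoS-policy
```

For an IPv6 DoS policy the table is firewall DoS-policy6 with the same anomaly entries. Note that the GUI's Monitor action maps to action pass plus log enable on the CLI, and the Proxy action for tcp_syn_flood is only accepted on the platforms listed in the table above.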