Create a new DoS policy
This section describes how to create denial of service (DoS) policies.
See DoS policy in the FortiOS Administration Guide for more information.
You must enable the visibility of this feature in Policy & Objects before it can be configured. To toggle feature visibility, go to Policy & Objects > Tools > Feature Visibility, and add or remove a checkmark for the corresponding feature.
To create a new DoS policy:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the policy package, click IPv4 DoS Policy or IPv6 DoS Policy.
- Click Create New.
- Enter the following information:
| Option | Description |
|---|---|
| Name | Enter a unique name for the policy. Each policy must have a unique name. |
| Incoming Interface | Click the field, then select interfaces. Click the remove icon to remove interfaces. |
| Source Address | Select source addresses, address groups, virtual IPs, and virtual IP groups. |
| Destination Address | Select destination addresses, address groups, virtual IPs, and virtual IP groups. |
| Service | Select services and service groups. |
| L3/L4 Anomalies | Configure the anomalies. The settings available for each anomaly are listed below this table; the anomaly types themselves are described in the L3 Anomalies and L4 Anomalies tables. |
| Advanced Options > comments | Add a description of the policy, such as its purpose, or the changes that have been made to it. A comment added here will overwrite the comment added in the above Comments field. |
| Change Note | Add a description of the changes being made to the policy. This field is required. |

Settings for each anomaly:
- Logging: Enable or disable logging for the anomaly. Anomalous traffic is logged when the action is Block or Monitor.
- Action: Select the action to take when the threshold is reached:
  - Disable: Do not scan for the anomaly.
  - Block: Block the anomalous traffic.
  - Monitor: Allow the anomalous traffic but record a log message if logging is enabled.
- Threshold: Set the number of detected instances per minute that triggers the anomaly action.
- Quarantine: Select which system quarantine to use for blocked anomalous traffic.
L3 Anomalies
| Anomaly | Description | Default Threshold |
|---|---|---|
| ip_src_session | If the number of concurrent IP connections from one source IP address exceeds the configured threshold value, the action is executed. | 5000 concurrent sessions |
| ip_dst_session | If the number of concurrent IP connections to one destination IP address exceeds the configured threshold value, the action is executed. | 5000 concurrent sessions |
L4 Anomalies
| Anomaly | Description | Default Threshold |
|---|---|---|
| tcp_syn_flood | If the SYN packet rate of new TCP connections, including retransmission, to one destination IP address exceeds the configured threshold value, the action is executed. An additional Proxy action is available for this anomaly type: the anomalous traffic is buffered and scanned when the complete file is downloaded. The Proxy action is only available on these platforms: FGC_3000D, FGC_3100D, FGC_3200D, FGC3700D, FGC3700DX, FGC_5001D, FGT_1500D, FGT_3000D, FGT_3100D, FGT_3200D, FGT3700D, FGT3700DX, and FGT_5001D. | 2000 packets per second |
| tcp_port_scan | If the SYN packet rate of new TCP connections, including retransmission, from one source IP address exceeds the configured threshold value, the action is executed. | 1000 packets per second |
| tcp_src_session | If the number of concurrent TCP connections from one source IP address exceeds the configured threshold value, the action is executed. | 5000 concurrent sessions |
| tcp_dst_session | If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed. | 5000 concurrent sessions |
| udp_flood | If the UDP traffic to one destination IP address exceeds the configured threshold value, the action is executed. | 2000 packets per second |
| udp_scan | If the UDP session setup rate originating from one source IP address exceeds the configured threshold value, the action is executed. | 2000 sessions per second |
| udp_src_session | If the number of concurrent UDP connections from one source IP address exceeds the configured threshold value, the action is executed. | 5000 concurrent sessions |
| udp_dst_session | If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value, the action is executed. | 5000 concurrent sessions |
| icmp_flood | If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. | 250 packets per second |
| icmp_sweep | If the ICMP session setup rate originating from one source IP address exceeds the configured threshold value, the action is executed. | 100 sessions per second |
| icmp_src_session | If the number of concurrent ICMP connections from one source IP address exceeds the configured threshold value, the action is executed. | 300 concurrent sessions |
| icmp_dst_session | If the number of concurrent ICMP connections to one destination IP address exceeds the configured threshold value, the action is executed. | 1000 concurrent sessions |
| sctp_flood | If the number of SCTP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. | 2000 packets per second |
| sctp_scan | If the number of SCTP sessions originating from one source IP address exceeds the configured threshold value, the action is executed. | 1000 packets per second |
| sctp_src_session | If the number of concurrent SCTP connections from one source IP address exceeds the configured threshold value, the action is executed. | 5000 concurrent sessions |
| sctp_dst_session | If the number of concurrent SCTP connections to one destination IP address exceeds the configured threshold value, the action is executed. | 5000 concurrent sessions |
- Click OK to create the policy. You can enable or disable the policy from its right-click menu. When a policy is disabled, a disabled icon is displayed in the Seq.# column to the left of the number. By default, new policies are added to the bottom of the list, above the implicit policy.
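To make the threshold and action semantics above concrete, here is an added example (not code from the FortiManager guide or from Fortinet): a small simulator that counts constructed traffic per destination or per source, per second, and applies the page's default thresholds and the Disable, Block and Monitor actions. The anomaly table, policy dictionary and function names are hypothetical, and the sample traffic is constructed rather than captured.

```python
# Added example (not from the FortiManager guide): a small simulator that scores
# constructed traffic against the page's per-second DoS anomaly semantics and the
# Disable / Block / Monitor actions. All names here are hypothetical.
from collections import defaultdict

# Page defaults: anomaly -> (counter side, packet kind, packets per second).
ANOMALIES = {
    "tcp_syn_flood": ("dst", "tcp_syn", 2000),
    "tcp_port_scan": ("src", "tcp_syn", 1000),
    "udp_flood": ("dst", "udp", 2000),
    "icmp_flood": ("dst", "icmp", 250),
}


def evaluate(packets, policy):
    """packets: (second, src_ip, dst_ip, kind) tuples.
    policy: {anomaly: {"action": disable|block|monitor, "log": bool, "threshold": int}}.
    Returns (anomaly, key_ip, second, rate, verdict, logged) per exceeded threshold."""
    counts = defaultdict(int)  # (anomaly, key_ip, second) -> packet count
    for second, src, dst, kind in packets:
        for name, (side, pkt_kind, _) in ANOMALIES.items():
            if kind != pkt_kind or policy.get(name, {}).get("action", "disable") == "disable":
                continue  # Disable: the anomaly is not scanned for at all
            counts[(name, dst if side == "dst" else src, second)] += 1
    events = []
    for (name, key_ip, second), rate in sorted(counts.items()):
        cfg = policy[name]
        if rate <= cfg.get("threshold", ANOMALIES[name][2]):
            continue  # the threshold must be exceeded, not merely reached
        verdict = "dropped" if cfg["action"] == "block" else "allowed"  # Monitor lets it through
        # Logging applies for Block and Monitor, and only when enabled in the policy.
        events.append((name, key_ip, second, rate, verdict, cfg.get("log", False)))
    return events


def sample_traffic():
    """Constructed, not captured: a SYN flood, a single-source SYN scan, an ICMP burst."""
    pkts = [(0, f"203.0.113.{i % 250 + 1}", "10.0.0.5", "tcp_syn") for i in range(2500)]
    pkts += [(1, "192.0.2.9", f"10.0.0.{i % 200 + 1}", "tcp_syn") for i in range(1200)]
    pkts += [(2, "198.51.100.7", "10.0.0.5", "icmp") for _ in range(300)]
    return pkts


POLICY = {  # Block for the TCP anomalies, Monitor for ICMP, UDP flood not scanned
    "tcp_syn_flood": {"action": "block", "log": True},
    "tcp_port_scan": {"action": "block", "log": True},
    "icmp_flood": {"action": "monitor", "log": True},
    "udp_flood": {"action": "disable"},
}
```

Running `evaluate(sample_traffic(), POLICY)` shows that the 2500-SYN burst trips tcp_syn_flood on the destination while each of its 250 sources stays well under the tcp_port_scan threshold, that the single-source scan trips tcp_port_scan but no per-destination counter, and that the ICMP burst is logged but allowed because the action is Monitor.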