CLI Reference

waf application-layer-dos-prevention

Use this command to create an HTTP-layer DoS protection policy. Once you create the policy, reference it in an inline protection profile that is used by a server policy.

To use this command, your administrator account’s access control profile must have either w or rw permission to the wafgrp area. For details, see Permissions.

Syntax

config waf application-layer-dos-prevention
    edit "<app-dos-policy_name>"
        set enable-http-session-based-prevention {enable | disable}
        set http-connection-flood-check-rule "<rule_name>"
        set http-request-flood-prevention-rule "<rule_name>"
        set enable-layer4-dos-prevention {enable | disable}
        set layer4-access-limit-rule "<rule_name>"
        set layer4-connection-flood-check-rule "<rule_name>"
        set layer3-fragment-protection {enable | disable}
    next
end

Variable / Description / Default

"<app-dos-policy_name>"
    Enter the name of a new or existing rule. The maximum length is 63 characters.
    To display the list of existing rules, enter:
        edit ?
    Default: none

enable-http-session-based-prevention {enable | disable}
    Enable to use DoS protection based on session cookies. Also configure http-connection-flood-check-rule "<rule_name>" and http-request-flood-prevention-rule "<rule_name>".
    Default: disable

http-connection-flood-check-rule "<rule_name>"
    Enter the name of an existing rule that sets the maximum number of HTTP requests per second to a specific URL. The maximum length is 63 characters.
    To display a list of the existing rules, enter:
        set http-connection-flood-check-rule ?
    This setting applies only if enable-http-session-based-prevention is enabled.
    Default: none

http-request-flood-prevention-rule "<rule_name>"
    Enter the name of an existing rule that limits TCP connections from the same client. The maximum length is 63 characters.
    To display a list of the existing rules, enter:
        set http-request-flood-prevention-rule ?
    This setting applies only if enable-http-session-based-prevention is enabled.
    Default: none

enable-layer4-dos-prevention {enable | disable}
    Enable to use DoS protection that is not based on session cookies. Also configure layer4-access-limit-rule "<rule_name>" and layer4-connection-flood-check-rule "<rule_name>".
    Default: disable

layer4-access-limit-rule "<rule_name>"
    Enter the name of a rule that limits the number of HTTP requests per second from any source IP address. The maximum length is 63 characters.
    To display a list of the existing rules, enter:
        set layer4-access-limit-rule ?
    This setting applies only if enable-layer4-dos-prevention is enabled.
    Default: none

layer4-connection-flood-check-rule "<rule_name>"
    Enter the name of an existing rule that limits the number of TCP connections from the same source IP address. The maximum length is 63 characters.
    To display a list of the existing rules, enter:
        set layer4-connection-flood-check-rule ?
    This setting applies only if enable-layer4-dos-prevention is enabled.
    Default: none

layer3-fragment-protection {enable | disable}
    Enable to prevent attacks that use fragmented packets.
    Default: disable

Example

This example shows the settings for a DoS protection policy that protects a web portal using existing DoS prevention rules.

config waf application-layer-dos-prevention
    edit "Web Portal DoS Policy"
        set enable-http-session-based-prevention enable
        set http-connection-flood-check-rule "Web Portal TCP Connect Limit"
        set http-request-flood-prevention-rule "Web Portal HTTP Request Limit"
        set enable-layer4-dos-prevention enable
        set layer4-access-limit-rule "Web Portal HTTP Request Limit"
        set layer4-connection-flood-check-rule "Web Portal Network Connect Limit"
    next
end
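The variable table states a dependency that is easy to get wrong when a policy is built up incrementally: each rule reference only takes effect while its matching enable-* setting is enabled, and both enable-* settings default to disable. The following script is an added example, not Fortinet code, that lints a pasted config block for exactly that. It parses the Example above (policy and rule names are the ones shown there) and a constructed draft policy in which one rule is referenced without its enable flag and one enabled mode is missing a rule. The parsing is a simple line-based reading of the CLI text, written for this example; the checks it applies are only the dependencies and the 63-character limit the reference itself states.

```python
"""Lint FortiWeb 'config waf application-layer-dos-prevention' blocks.

Added example, not Fortinet code. It reads the CLI text shown in the
reference and reports rule references that the reference says have no
effect (enable-* flag left at its default of disable) and enabled modes
that reference no rule at all.
"""
import shlex

# Dependencies as stated in the reference: enable flag -> rule settings it gates.
GATED_RULES = {
    "enable-http-session-based-prevention": (
        "http-connection-flood-check-rule",
        "http-request-flood-prevention-rule",
    ),
    "enable-layer4-dos-prevention": (
        "layer4-access-limit-rule",
        "layer4-connection-flood-check-rule",
    ),
}
MAX_NAME_LEN = 63  # stated limit for policy and rule names

# The policy from the reference's own Example block.
GOOD_CONFIG = """
config waf application-layer-dos-prevention
    edit "Web Portal DoS Policy"
        set enable-http-session-based-prevention enable
        set http-connection-flood-check-rule "Web Portal TCP Connect Limit"
        set http-request-flood-prevention-rule "Web Portal HTTP Request Limit"
        set enable-layer4-dos-prevention enable
        set layer4-access-limit-rule "Web Portal HTTP Request Limit"
        set layer4-connection-flood-check-rule "Web Portal Network Connect Limit"
    next
end
"""

# Constructed draft policy (not from the reference): the layer-4 rule is
# referenced but enable-layer4-dos-prevention is left at its default, and
# the session-based mode is enabled without a request-flood rule.
BAD_CONFIG = """
config waf application-layer-dos-prevention
    edit "Portal DoS Policy (draft)"
        set enable-http-session-based-prevention enable
        set http-connection-flood-check-rule "Portal TCP Connect Limit"
        set layer4-access-limit-rule "Portal HTTP Request Limit"
    next
end
"""


def parse_policies(cli_text):
    """Return {policy_name: {setting: value}} from a config block."""
    policies = {}
    current = None
    for raw in cli_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        tokens = shlex.split(line)  # splits on spaces but keeps quoted names whole
        if tokens[0] == "edit" and len(tokens) > 1:
            current = tokens[1]
            policies[current] = {}
        elif tokens[0] == "set" and current is not None and len(tokens) >= 3:
            policies[current][tokens[1]] = tokens[2]
        elif tokens[0] == "next":
            current = None
    return policies


def lint_policy(name, settings):
    """Return a list of findings (strings) for one policy."""
    findings = []
    if len(name) > MAX_NAME_LEN:
        findings.append(f"policy name exceeds {MAX_NAME_LEN} characters")
    for flag, rules in GATED_RULES.items():
        enabled = settings.get(flag, "disable") == "enable"  # default is disable
        for rule in rules:
            ref = settings.get(rule)
            if ref and len(ref) > MAX_NAME_LEN:
                findings.append(f"{rule}: rule name exceeds {MAX_NAME_LEN} characters")
            if enabled and not ref:
                findings.append(f"{flag} is enabled but {rule} is not set")
            if ref and not enabled:
                findings.append(f"{rule} is set but {flag} is disabled, so it has no effect")
    if settings.get("layer3-fragment-protection", "disable") != "enable":
        findings.append("note: layer3-fragment-protection left at default (disable)")
    return findings


def lint_config(cli_text):
    """Lint every policy in a config block; returns {policy_name: [findings]}."""
    return {name: lint_policy(name, s) for name, s in parse_policies(cli_text).items()}


if __name__ == "__main__":
    for label, text in (("reference example", GOOD_CONFIG), ("draft", BAD_CONFIG)):
        for policy, findings in lint_config(text).items():
            print(f"[{label}] {policy}:")
            for f in findings or ["no findings"]:
                print("   ", f)
```

Run against the reference's example, the only output is the note that layer3-fragment-protection was left at its default; the draft policy produces one "enabled but not set" and one "set but disabled, so it has no effect" finding, which are the two cases in which the device silently applies less protection than the operator reading the config might assume.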
