DoS Protection Profile

From the DoS Protection > DoS Protection Profile sub-menu, you can configure a DoS Protection profile that references the DoS policies that are to be enforced.

Before you begin:
  • You must have Read-Write permission for Security settings.

After you have configured a DoS Protection profile, you can select it in Server Load Balance > Virtual Server > Security > DoS Protection Profile.

To configure a DoS Protection Profile:
  1. Go to DoS Protection > DoS Protection Profile.
  2. Click Create New to display the configuration editor.
  3. Complete the configuration.

    Name

    Configuration name. Valid characters are A-Z, a-z, 0-9, _, and -. No spaces.

    After you initially save the configuration, you cannot edit the name.

    HTTP Access Limit

    HTTP Access Limit policy. Limits the number of requests per second from an IP.

    HTTP Connection Flood

    HTTP Connection Flood policy. Limits the number of connections from a client, which is marked by a cookie.

    HTTP Request Flood

    HTTP Request Flood policy. Limits the number of requests per second from a client, which is marked by a cookie.

    TCP Slow Data Flood Protection

    After the TCP connection is established (the three-way handshake is completed), FortiADC stops sending data if the client returns a zero window. A zero window appears when, for example, the client does not take data out of its OS TCP receive queue and the data sent by FortiADC fills up the queue. In this case, FortiADC can actively abort the TCP connections and release the related resources so that they are not occupied for a long time.

    TCP Connection Access Flood Protection

    A TCP connection flood attempts to prevent legitimate requests from being established by flooding the server with requests for new connections. By setting a threshold limit for TCP requests, FortiADC can detect and take action to protect against a TCP connection flood.

    DNS Query Flood Protection

    The DNS Query Flood Protection policy can limit the number of DNS requests per second to mitigate DNS query flood attacks that aim to overwhelm DNS servers with high volumes of illegitimate DNS queries.

    DNS Reverse Flood Protection

    The DNS Reverse Flood Protection policy can limit the number of ANY type DNS requests per second to mitigate DNS reverse flood attacks that aim to overwhelm network resources with high volumes of DNS responses.

  4. Save the configuration.
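
The zero-window condition described under TCP Slow Data Flood Protection can be checked offline against captured traffic. The following is an added example, not FortiADC code: the 10-second threshold, the `Segment` record layout and the sample data are assumptions made for illustration, since this page does not state how long FortiADC waits before aborting a connection.

```python
from dataclasses import dataclass

# Assumed threshold; the handbook page does not give FortiADC's value.
ZERO_WINDOW_TIMEOUT = 10.0  # seconds a client may keep advertising window 0


@dataclass
class Segment:
    ts: float    # capture time, seconds
    conn: str    # connection id, here "client_ip:client_port"
    window: int  # receive window advertised by the client in this ACK


def find_stalled(segments, timeout=ZERO_WINDOW_TIMEOUT):
    """Return {conn: abort_time} for connections whose client advertised
    a zero window continuously for at least `timeout` seconds."""
    zero_since = {}  # conn -> time the current zero-window run started
    aborted = {}
    for seg in sorted(segments, key=lambda s: s.ts):
        if seg.conn in aborted:
            continue  # already torn down; later segments are ignored
        if seg.window > 0:
            # Client drained its receive queue: the stall is over, reset.
            zero_since.pop(seg.conn, None)
            continue
        start = zero_since.setdefault(seg.conn, seg.ts)
        if seg.ts - start >= timeout:
            aborted[seg.conn] = seg.ts
    return aborted


# Constructed sample (documentation address ranges), not real traffic.
SAMPLE = [
    # Stalls at t=1 and never reopens the window: aborted at t=12.
    Segment(0.0, "198.51.100.7:40001", 65535),
    Segment(1.0, "198.51.100.7:40001", 0),
    Segment(4.0, "198.51.100.7:40001", 0),
    Segment(8.0, "198.51.100.7:40001", 0),
    Segment(12.0, "198.51.100.7:40001", 0),
    # Slow client that recovers at t=7; the second stall is only 3 s old.
    Segment(2.0, "198.51.100.8:40002", 0),
    Segment(5.0, "198.51.100.8:40002", 0),
    Segment(7.0, "198.51.100.8:40002", 8192),
    Segment(15.0, "198.51.100.8:40002", 0),
    Segment(18.0, "198.51.100.8:40002", 0),
    # Healthy client: window never reaches zero.
    Segment(3.0, "203.0.113.9:51000", 29200),
    Segment(9.0, "203.0.113.9:51000", 14600),
]

if __name__ == "__main__":
    print(find_stalled(SAMPLE))
```

Lowering `timeout` releases stalled connections sooner but also cuts off slow, legitimate clients such as the second connection in the sample, so the value should be tuned against normal traffic.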
