
IPv4 DoS Policy

To configure an IPv4 DoS Policy in the GUI

  1. Go to Policy & Objects > IPv4 DoS Policy.

The right-side window displays a table of the existing IPv4 DoS Policies.

  • To edit an existing policy, double-click the policy you wish to edit.
  • To create a new policy, select the Create New icon at the top left of the right-side window.
  1. Set the Incoming Interface parameter by using the drop-down menu to select a single interface.
  2. Set the Source Address parameter by selecting the field with the "+" next to the field label. One or more addresses can be selected, unless the all option is chosen, in which case it is the only option. For more information on addresses, see the Firewall Objects section called Addresses.
  3. Set the Destination Address parameter by selecting the field with the "+" next to the field label. One or more addresses can be selected, unless the all option is chosen, in which case it is the only option.
  4. Set the Services parameter by selecting the field with the "+" next to the field label. One or more services can be selected, unless the ALL option is chosen, in which case it is the only option. For more information on services, see the Firewall Objects section called Services and TCP ports.
  5. Set the parameters for the various traffic anomalies.

The anomalies for which profiles exist are listed in two tables, one for L3 Anomalies and one for L4 Anomalies. Every anomaly has the following parameters, which can be set for a single anomaly or for a whole column at once:

  • Status - enable or disable the indicated profile
  • Logging - enable or disable logging of the indicated profile being triggered
  • Action - whether to Pass or Block traffic when the threshold is reached
  • Threshold - the number of anomalous packets detected before triggering the action.

The listing of anomaly profiles includes:

L3 Anomalies

  • ip_src_session
  • ip_dst_session

L4 Anomalies

  • tcp_syn_flood
  • tcp_port_scan
  • tcp_src_session
  • tcp_dst_session
  • udp_flood
  • udp_scan
  • udp_src_session
  • udp_dst_session
  • icmp_flood
  • icmp_sweep
  • icmp_src_session
  • icmp_dst_session
  • sctp_flood
  • sctp_scan
  • sctp_src_session
  • sctp_dst_session
  6. Toggle whether or not to Enable this policy. The default is enabled.
  7. Select the OK button to save the policy.

Example

The company wishes to protect against Denial of Service attacks. For some attack types they want to block the traffic if the incidence goes above a certain threshold; for others they are only trying to establish a baseline of activity for those attack types, so they let that traffic pass through without taking action.

  • The interface to the Internet is on WAN1
  • There is no requirement to specify which addresses are being protected or protected from.
  • The protection is to extend to all services.
  • The TCP attacks are to be blocked
  • The UDP, ICMP, and IP attacks are to be recorded but not blocked.
  • The SCTP attack filters are disabled
  • The tcp_syn_flood attack's threshold is to be changed from the default to 1000

Configuring the DoS Policy in the GUI

  1. Go to Policy & Objects > Policy > DoS.
  2. Create a new policy
  3. Fill out the fields with the following information:
  Field                  Value
  Incoming Interface     wan1
  Source Address         all
  Destination Address    all
  Service                ALL

  L3 Anomalies

  Name                Status        Logging       Action   Threshold
  ip_src_session      enabled       enabled       Pass     5000
  ip_dst_session      enabled       enabled       Pass     5000

  L4 Anomalies

  Name                Status        Logging       Action   Threshold
  tcp_syn_flood       enabled       enabled       Block    1000
  tcp_port_scan       enabled       enabled       Block    <default value>
  tcp_src_session     enabled       enabled       Block    <default value>
  tcp_dst_session     enabled       enabled       Block    <default value>
  udp_flood           enabled       enabled       Pass     <default value>
  udp_scan            enabled       enabled       Pass     <default value>
  udp_src_session     enabled       enabled       Pass     <default value>
  udp_dst_session     enabled       enabled       Pass     <default value>
  icmp_flood          enabled       enabled       Pass     <default value>
  icmp_sweep          enabled       enabled       Pass     <default value>
  icmp_src_session    enabled       enabled       Pass     <default value>
  icmp_dst_session    enabled       enabled       Pass     <default value>
  sctp_flood          not enabled   not enabled   Pass     <default value>
  sctp_scan           not enabled   not enabled   Pass     <default value>
  sctp_src_session    not enabled   not enabled   Pass     <default value>
  sctp_dst_session    not enabled   not enabled   Pass     <default value>
  4. Toggle the button next to Enable this policy to ON.
  5. Select OK.

Configuring the DoS Policy in the CLI

Using the CLI of your choice, enter the following commands:

config firewall DoS-policy
    edit 0
        set status enable
        set interface wan1
        set srcaddr all
        set dstaddr all
        set service ALL
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            edit "tcp_src_session"
                set status enable
                set log enable
                set action block
                set threshold 5000
            next
            edit "tcp_dst_session"
                set status enable
                set log enable
                set action block
                set threshold 5000
            next
            edit "udp_flood"
                set status enable
                set log enable
                set action pass
                set threshold 2000
            next
            edit "udp_scan"
                set status enable
                set log enable
                set action pass
                set quarantine none
                set threshold 2000
            next
            edit "udp_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "udp_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "icmp_flood"
                set status enable
                set log enable
                set action pass
                set threshold 250
            next
            edit "icmp_sweep"
                set status enable
                set log enable
                set action pass
                set threshold 100
            next
            edit "icmp_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 300
            next
            edit "icmp_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 1000
            next
            edit "ip_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "ip_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "sctp_flood"
                set status disable
                set log disable
                set action pass
                set threshold 2000
            next
            edit "sctp_scan"
                set status disable
                set log disable
                set action pass
                set threshold 1000
            next
            edit "sctp_src_session"
                set status disable
                set log disable
                set action pass
                set threshold 5000
            next
            edit "sctp_dst_session"
                set status disable
                set log disable
                set action pass
                set threshold 5000
            next
        end
    next
end

Note: In this example of the CLI, all of the relevant settings have been left in, but some of them are default settings and would not have to be set explicitly for the policy to work. For instance, if the action parameter is not set, it defaults to pass.
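As an added example (not FortiOS code and not from this page), the following Python script parses a block in the CLI form shown above, collects the status, log, action and threshold of each anomaly entry, and compares them with the intent stated in the example: TCP anomalies blocked, UDP/ICMP/IP anomalies logged but passed, SCTP anomalies disabled. This is the kind of check worth running on an exported configuration before the policy goes live, because a single "set log disable" left on an anomaly quietly removes the baseline data the example is trying to collect. The embedded configuration is a constructed, trimmed copy of the page's CLI block in which the udp_flood entry deliberately has logging disabled so the check has something to report; the INTENT table, the protocol-prefix mapping and the function names are assumptions made for this example. The one default the script relies on, that an unset action means pass, is the one the note above states.

```python
"""Parse a FortiOS 'config firewall DoS-policy' block and check each anomaly
entry against the intent stated in the page's example.  Added example: this
is not FortiOS code; names, intent table and sample config are assumptions."""

# Constructed sample: a trimmed copy of the page's CLI block.  The udp_flood
# entry deliberately has logging disabled so the checker reports a finding.
SAMPLE_CONFIG = """\
config firewall DoS-policy
    edit 0
        set status enable
        set interface wan1
        set srcaddr all
        set dstaddr all
        set service ALL
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            edit "udp_flood"
                set status enable
                set log disable
                set action pass
                set threshold 2000
            next
            edit "ip_src_session"
                set status enable
                set log enable
                set threshold 5000
            next
            edit "sctp_flood"
                set status disable
                set log disable
                set action pass
                set threshold 2000
            next
        end
    next
end
"""

# Intent from the example, keyed by the protocol prefix of the anomaly name
# (tcp_syn_flood -> "tcp").  SCTP entries only need to be disabled.
INTENT = {
    "tcp": {"status": "enable", "log": "enable", "action": "block"},
    "udp": {"status": "enable", "log": "enable", "action": "pass"},
    "icmp": {"status": "enable", "log": "enable", "action": "pass"},
    "ip": {"status": "enable", "log": "enable", "action": "pass"},
    "sctp": {"status": "disable"},
}

# Per the page's note, an anomaly whose action is not set defaults to pass.
DEFAULTS = {"action": "pass"}


def parse_dos_policy(text):
    """Return {policy_id: {"settings": {...}, "anomaly": {name: {...}}}}.

    Tracks the 'config' nesting so that each 'set' line lands either on the
    policy-level settings or on the anomaly entry currently being edited.
    """
    policies = {}
    contexts = []      # names of the 'config' blocks currently open
    policy = None      # policy entry currently open (between edit/next)
    anomaly = None     # anomaly entry currently open
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        keyword, _, rest = line.partition(" ")
        if keyword == "config":
            contexts.append(rest)
        elif keyword == "edit":
            name = rest.strip('"')
            if contexts[-1] == "anomaly":
                anomaly = policy["anomaly"].setdefault(name, {})
            else:
                policy = policies.setdefault(name, {"settings": {}, "anomaly": {}})
        elif keyword == "set":
            key, _, value = rest.partition(" ")
            target = anomaly if contexts[-1] == "anomaly" else policy["settings"]
            target[key] = value.strip('"')
        elif keyword == "next":
            if contexts[-1] == "anomaly":
                anomaly = None
            else:
                policy = None
        elif keyword == "end":
            # 'end' closes the innermost table (and any entry open inside it)
            if contexts.pop() == "anomaly":
                anomaly = None
            else:
                policy = None
    return policies


def check_anomalies(policy, intent=INTENT):
    """Return (anomaly, setting, expected, actual) for every deviation from intent."""
    findings = []
    for name, settings in sorted(policy["anomaly"].items()):
        proto = name.split("_", 1)[0]
        for key, want in intent.get(proto, {}).items():
            got = settings.get(key, DEFAULTS.get(key))
            if got != want:
                findings.append((name, key, want, got))
    return findings


if __name__ == "__main__":
    for policy_id, policy in parse_dos_policy(SAMPLE_CONFIG).items():
        print(f"DoS policy {policy_id} on {policy['settings'].get('interface')}")
        for name, key, want, got in check_anomalies(policy):
            print(f"  {name}: {key} is {got!r}, expected {want!r}")
```

To use it on a real device, replace SAMPLE_CONFIG with the output of a `show firewall DoS-policy` run on the unit and adjust INTENT to the organisation's own requirements. Run against the sample it reports one finding, udp_flood with log set to disable where enable was expected; ip_src_session has no action line and is accepted because the page's stated default of pass matches the intent.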