config system : config system dos-prevention
config system dos-prevention
Use this command to enable basic denial of service (DoS) prevention to combat SYN floods.
When enabled, FortiADC uses the SYN cookie method to track half-open connections. The system maintains a DoS mitigation table for each configured IPv4 virtual server. It times out half-open connections so that they do not deplete system resources.
Note: The DoS feature is not supported for IPv6 traffic or for Layer 4 virtual servers with the Direct Routing packet forwarding mode. Before you begin:
You must have read-write permission for system settings.
config system dos-prevention
set syncookie <enable|disable>
set max_half_open <integer>
Enable/disable denial-of-service prevention.
Specify a maximum number of half open sockets. The default is 1 (10 connections). The valid range is 1 to 80,000.
FortiADC-VM # get system dos-prevention
syncookie : disable
max_half_open : 1
FortiADC-VM # config system dos-prevention
FortiADC-VM (dos-prevention) # set syncookie enable
FortiADC-VM (dos-prevention) # set max_half_open 100
FortiADC-VM (dos-prevention) # end
FortiADC-VM # get system dos-prevention
syncookie : enable
max_half_open : 100