Configuring proxy IP settings
FortiDDoS can take into account the possibility that a source IP address is a proxy IP address (many clients sharing one address) and relax the per-source threshold triggers accordingly. If a source IP address is determined to be a proxy IP address, the system multiplies the thresholds for Most Active Source, SYN per source, and Concurrent Connections per Source by a factor that you specify.
You can configure the following methods to determine whether a source IP address is a proxy IP address:
Concurrent connection count—Used when there are many users behind a web proxy or NAT device.
HTTP headers—Used when there are many users behind a Content Delivery Network (CDN), such as Akamai.
Before you begin:
You must have Read-Write permission for Global Settings.
To configure proxy IP settings:
1. Go to Global Settings > Proxy IP > Proxy IP.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in Table 18.
4. Save the configuration.
Table 18: Proxy IP configuration
Settings
Guidelines
Proxy IP threshold factor
Specify a multiplier when the source IP address is identified as a proxy IP address. For example, if you specify 32, and the Most Active Source threshold is 1000, then the Most Active Source threshold applied to proxy IP addresses is 32 * 1000 or 32,000.
The default is 128. The maximum is 32,768.
Proxy IP list status
Displays the date and time when the list was last updated.
Detect proxy IP by number of connections
Concurrent connections per source
Every 5 minutes, the system records the IP addresses of sources with more than this number of concurrent connections to test whether those sources might be using a proxy IP address. The default is 100 concurrent connections.
Percent present
Percentage of the 5-minute samples in the observation period during which a source must have exceeded the Concurrent connections per source value for it to be regarded as a proxy IP address.
For example, with the default of 30, after the observation period any source IP whose concurrent connection count was above 100 (the default Concurrent connections per source value) in 30% or more of the samples is identified as a proxy IP.
Observation period
Past Week—Uses data from the past week to determine whether a source IP address is a proxy IP address.
Past Month—Uses data from the past month.
Generate proxy IP list
Select to generate the list of detected proxy IP addresses. Review this list: a source that the connection-count heuristic has classified as a proxy receives the multiplied thresholds, so a single attacker that holds many connections open can be mistaken for a proxy and allowed far more traffic than intended. Add such IP addresses to an ACL to block their traffic.
Detect proxy IP using headers
Proxy HTTP header type
Select HTTP headers that indicate a proxy address might be in use:
true-client-IP
x-forwarded-for (selecting this option also enables parsing of x-true-client-ip and x-real-ip headers)
Tip: Shift-click to select multiple items.
 
 
To configure with the CLI, use a command sequence similar to the following:
config ddos global proxy-ip-setting
set auto-proxy-ip-status {enable | disable}
set proxy-ip-percent-present <integer>
set proxy-ip-observation-period {past-week | past-month}
set header-proxy-ip-status {enable | disable}
set header-proxy-type {true-client-ip X-Forwarded-For}
set proxy-ip-threshold-factor <integer>
end
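The following is an added example, not FortiDDoS code, that models the two detection methods and the threshold scaling described above so that you can reason about a tuning before applying it. The 5-minute samples, the HTTP request and the base thresholds are constructed; the inclusive comparison at exactly Percent present and the header-name matching are assumptions, since the page does not spell them out.

```python
"""Model of the proxy IP heuristics described on this page (added example, not FortiDDoS code)."""

# Defaults from Table 18
CONN_PER_SOURCE = 100      # Concurrent connections per source
PERCENT_PRESENT = 30       # Percent present
THRESHOLD_FACTOR = 128     # Proxy IP threshold factor (default 128, maximum 32768)

# Constructed 5-minute samples per source: concurrent connection counts over an
# observation period of ten samples (a real observation period is a week or a month).
SAMPLES = {
    "203.0.113.10": [150, 180, 120, 95, 160, 140, 110, 130, 170, 90],   # 8/10 samples above 100
    "198.51.100.7": [20, 30, 250, 15, 10, 12, 18, 22, 16, 11],          # one burst: 1/10 above 100
    "192.0.2.44":   [101, 50, 60, 102, 40, 130, 120, 45, 55, 35],       # 4/10 samples above 100
}

# Constructed base (non-proxy) thresholds for the three per-source thresholds the factor applies to.
BASE_THRESHOLDS = {"most_active_source": 1000, "syn_per_source": 500, "concurrent_conn_per_source": 2000}


def percent_above(samples, threshold):
    """Share of samples in which the source had MORE than `threshold` concurrent connections."""
    if not samples:
        return 0.0
    return 100.0 * sum(1 for c in samples if c > threshold) / len(samples)


def detect_proxies_by_connections(samples_by_ip, conn_threshold=CONN_PER_SOURCE,
                                  percent_present=PERCENT_PRESENT):
    """Sources above the connection threshold in at least `percent_present` percent of samples.
    Assumption: exactly `percent_present` counts (>=); the page does not state the boundary."""
    return {ip for ip, s in samples_by_ip.items()
            if percent_above(s, conn_threshold) >= percent_present}


def generate_proxy_ip_list(samples_by_ip, **kw):
    """The review list: (ip, percent of samples above threshold, peak connections), for ACL triage.
    A source with a few very high peaks but a low percentage is more likely an attacker than a proxy."""
    proxies = detect_proxies_by_connections(samples_by_ip, **kw)
    return sorted((ip, percent_above(samples_by_ip[ip], kw.get("conn_threshold", CONN_PER_SOURCE)),
                   max(samples_by_ip[ip])) for ip in proxies)


# Header detection. Per the page, selecting x-forwarded-for also enables x-true-client-ip and x-real-ip.
IMPLIED_HEADERS = {"x-forwarded-for": {"x-true-client-ip", "x-real-ip"}}


def effective_header_set(selected):
    eff = {h.lower() for h in selected}
    for h in list(eff):
        eff |= IMPLIED_HEADERS.get(h, set())
    return eff


def detect_proxy_by_headers(raw_request, selected):
    """True if the HTTP request carries any header in the effective (selected + implied) set.
    Assumption: case-insensitive header-name match; no inspection of header values."""
    names = set()
    for line in raw_request.split("\r\n")[1:]:   # skip the request line
        if not line:                             # blank line ends the header block
            break
        name, sep, _ = line.partition(":")
        if sep:
            names.add(name.strip().lower())
    return bool(names & effective_header_set(selected))


def thresholds_for(ip, proxies, factor=THRESHOLD_FACTOR, base=BASE_THRESHOLDS):
    """Thresholds applied to `ip`: base values, or base * factor if `ip` is a detected proxy."""
    if ip in proxies:
        return {k: v * factor for k, v in base.items()}
    return dict(base)


SAMPLE_REQUEST = "GET / HTTP/1.1\r\nHost: example.com\r\nX-Real-IP: 10.0.0.5\r\n\r\n"  # constructed

if __name__ == "__main__":
    proxies = detect_proxies_by_connections(SAMPLES)
    for ip, pct, peak in generate_proxy_ip_list(SAMPLES):
        print(f"proxy {ip}: {pct:.0f}% of samples above {CONN_PER_SOURCE}, peak {peak}")
    print("thresholds for 203.0.113.10:", thresholds_for("203.0.113.10", proxies))
    print("thresholds for 198.51.100.7:", thresholds_for("198.51.100.7", proxies))
    print("X-Real-IP counts as proxy header:", detect_proxy_by_headers(SAMPLE_REQUEST, {"x-forwarded-for"}))
```

Note how 198.51.100.7 is not flagged even though it briefly held 250 connections: one burst in ten samples is 10%, below Percent present, so it keeps the base thresholds. Raising Percent present makes the heuristic stricter; lowering Proxy IP threshold factor limits how much a misclassified attacker gains.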