Settings | Guidelines |
Name | Configuration name that describes the subnet. |
Subnet ID | A value between 1 and 511 that identifies the subnet. |
IP version | • IPv4 • IPv6 |
IP address/mask | IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ). For IPv6 addresses: • Ensure that the address has the same initial bits specified by the IPv6 prefix setting (Global Settings > Settings > Settings). The value of the IPv6 prefix length setting determines the number of initial bits. • Ensure that all SPP policy rules that specify subnets using IPv6 addresses use the same value for their initial bits (for example, all begin with 2001:DB8:12AB). • If you make any changes to the IPv6 prefix settings, you must delete any existing SPP policies and recreate them to correspond to the new prefix values. |
SPP profile | Select the profile. We recommend that you not associate subnets with the default SPP profile SPP-0. This practice ensures that all known traffic is included in non-default subnets and non-default SPPs. SPP-0 functions as a catch-all profile. Its traffic statistics include traffic that FortiDDoS assigns to it by default. |
Comments | Add comments describing the purpose of the SPP policy so that other administrators are aware of its intended use. |
SPP Switching | |
Enable SPP Switching | • Enable • Disable |
Alternate Service Protection Profile | Select the secondary SPP. If you simply want a notification that the traffic level has exceeded the SPP switching threshold without switching the SPP, select the primary SPP. |
Threshold | Maximum packet rate (packets per second) for the primary profile. When traffic exceeds this rate, the system switches to the secondary SPP. The default is 0 (off). |

To configure with the CLI, use a command sequence similar to the following:

    config ddos global spp-policy
      edit <rule_name>
        set subnet-id <entry_index>
        set ip-version {IPv4 | IPv6}
        set ip <address_ip/mask>
        set spp <spp_name>
        set enable-alt-spp {enable | disable}
        set alt-spp <spp_name>
        set switching-threshold <rate>
    end

To change the order of rules:

    config ddos global spp-policy
      move <entry_index> after <entry_index>
    end
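
A pre-deployment check of planned SPP policy rules against the guidelines in the table above, as an added example that is not Fortinet code. The rule names, addresses, SPP names, and the /48 prefix length are constructed assumptions, and `check_rules` is a hypothetical helper.

```python
import ipaddress

# Constructed planning data: rule names, addresses and SPP names are illustrative.
RULES = [
    {"name": "web", "subnet_id": 1, "ip": "2001:db8:12ab:10::/64", "spp": "SPP-1"},
    {"name": "dns", "subnet_id": 2, "ip": "2001:db8:12ac:20::/64", "spp": "SPP-2"},
    {"name": "mail", "subnet_id": 512, "ip": "192.0.2.0/24", "spp": "SPP-0"},
    {"name": "api", "subnet_id": 4, "ip": "198.51.100.0/24", "spp": "SPP-3",
     "enable_alt_spp": True, "alt_spp": "SPP-4", "threshold": 0},
]


def check_rules(rules, ipv6_prefix):
    """Return (rule_name, finding) pairs for rules that conflict with the table.

    ipv6_prefix stands in for the global IPv6 prefix and prefix length
    settings, written as one CIDR string (assumed value in this example).
    """
    prefix = ipaddress.ip_network(ipv6_prefix)
    findings = []
    for rule in rules:
        name = rule["name"]
        if not 1 <= rule["subnet_id"] <= 511:
            findings.append((name, "subnet ID is outside 1-511"))
        try:
            net = ipaddress.ip_network(rule["ip"], strict=False)
        except ValueError:
            findings.append((name, "IP address/mask is not valid CIDR"))
            continue
        # IPv6 subnets must share the initial bits given by the global prefix.
        if net.version == 6 and not net.subnet_of(prefix):
            findings.append((name, f"IPv6 subnet does not begin with {prefix}"))
        if rule["spp"] == "SPP-0":
            findings.append((name, "subnet is associated with default SPP-0"))
        # Threshold 0 is the documented "off" value; flag it when switching is enabled.
        if rule.get("enable_alt_spp") and rule.get("threshold", 0) == 0:
            findings.append((name, "SPP switching enabled but threshold is 0 (off)"))
    return findings


if __name__ == "__main__":
    for name, finding in check_rules(RULES, "2001:db8:12ab::/48"):
        print(f"{name}: {finding}")
```

Run it against the planned rule set before entering the rules, and again after any change to the IPv6 prefix settings, since existing SPP policies must then be deleted and recreated.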