Configuring an SPP policy
An SPP policy rule matches the source or destination IP address of packets received at a FortiDDoS interface to an SPP. The policy determines which SPP the packets belong to. The packets are then added to that SPP's counters and are subject to that SPP's security thresholds.
The system matches traffic to rules in the SPP policy table from top to bottom. The first rule that matches is applied, so be sure to order rules for specific servers before rules for the subnet that contains the address. If no rules match, the packets belong to SPP-0.
The system uses SPP-0 to monitor and regulate the following types of packets:
Packets that do not match any policy rule.
Packets that have a corrupt IP header.
SPP-0 is a catch-all profile and its traffic statistics are affected by the traffic that FortiDDoS assigns to it by default. Therefore, we recommend that you do not associate protected subnets with SPP-0. This practice ensures that all known traffic is included in non-default subnets and non-default SPPs.
Before you begin:
You must have configured SPP IDs.
You must have enabled the SPP switching policy feature if you want to configure it for the SPP policy.
You must have Read-Write permission for Global Settings.
To configure an SPP policy:
1. Go to Global Settings > Service Protection Profiles > SPP Policy.
2. Click Add to display the configuration editor.
3. Complete the configuration as described in Table 15.
4. Save the configuration.
After you have saved the configuration, you can reorder the list. Click anywhere in the row to select it. Ctrl-Click to deselect it. Drag the table rows into the order you want them.
Table 15: SPP policy configuration

Name
Configuration name that describes the subnet.

Subnet ID
A value between 1 and 511 that identifies the subnet.

IP version
IPv4 or IPv6.

IP address/mask
IP address and CIDR-formatted subnet mask, separated by a forward slash ( / ).
For IPv6 addresses:
Ensure that the address has the same initial bits specified by the IPv6 prefix setting (Global Settings > Settings > Settings). The value of the IPv6 prefix length setting determines the number of initial bits.
Ensure that all SPP policy rules that specify subnets using IPv6 addresses use the same value for their initial bits (for example, all begin with 2001:DB8:12AB).
If you make any changes to the IPv6 prefix settings, you must delete any existing SPP policies and recreate them to correspond to the new prefix values.

SPP profile
Select the profile.
We recommend that you not associate subnets with the default SPP profile SPP-0. This practice ensures that all known traffic is included in non-default subnets and non-default SPPs.
SPP-0 functions as a catch-all profile. Its traffic statistics include traffic that FortiDDoS assigns to it by default.

Comments
Add comments describing the purpose of the SPP policy so that other administrators are aware of its intended use.

SPP Switching

Enable SPP Switching
Enable or Disable.

Alternate Service Protection Profile
Select the secondary SPP.
If you only want a notification that the traffic level has exceeded the SPP switching threshold, without switching the SPP, select the primary SPP.

Threshold
Maximum packet rate (packets per second) for the primary profile. When traffic exceeds this rate, the system switches to the secondary SPP.
The default is 0 (off).

To configure with the CLI, use a command sequence similar to the following:

config ddos global spp-policy
  edit <rule_name>
    set subnet-id <entry_index>
    set ip-version {IPv4 | IPv6}
    set ip <address_ip/mask>
    set spp <spp_name>
    set enable-alt-spp {enable | disable}
    set alt-spp <spp_name>
    set switching-threshold <rate>
end

To change the order of rules:

config ddos global spp-policy
  move <entry_index> after <entry_index>
end
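To make the lookup rules above concrete (first match from top to bottom, SPP-0 as the fallback, switching to the alternate SPP above the threshold, and alternate equal to primary meaning notify only), here is an added Python model of how a policy table classifies a packet. It is illustrative code written for this page, not FortiDDoS code; the rule names, subnets and packet rates are constructed, and the alternate-equals-primary case simply leaves the SPP unchanged.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    """One SPP policy row: the Table 15 settings that drive the lookup."""
    name: str
    subnet: str                      # IP address/mask, CIDR form
    spp: str                         # primary SPP profile
    alt_spp: Optional[str] = None    # alternate SPP used when switching is on
    threshold_pps: int = 0           # 0 means switching is off (page default)

def match_rule(rules, src_ip, dst_ip):
    """First rule whose subnet contains the source or destination address wins."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for rule in rules:
        net = ipaddress.ip_network(rule.subnet, strict=False)
        # 'in' is False across IP versions, so a v6 rule never matches v4 traffic
        if src in net or dst in net:
            return rule
    return None                      # no match: the packet belongs to SPP-0

def effective_spp(rule, pps):
    """Apply SPP switching; alternate == primary is the notify-only case."""
    if rule is None:
        return "SPP-0"               # catch-all for unmatched packets
    if rule.threshold_pps and pps > rule.threshold_pps and rule.alt_spp:
        return rule.alt_spp          # traffic exceeded the threshold: switch
    return rule.spp

# Constructed policy table (not from a real deployment). The /32 host rule is
# listed before the /24 that contains it, as the page recommends.
RULES = [
    Rule("web01", "192.0.2.10/32", "SPP-1", alt_spp="SPP-3", threshold_pps=50000),
    Rule("dmz", "192.0.2.0/24", "SPP-2"),
    Rule("v6-web", "2001:db8:12ab::/64", "SPP-4", alt_spp="SPP-4", threshold_pps=1000),
]

def classify(src_ip, dst_ip, pps, rules=RULES):
    return effective_spp(match_rule(rules, src_ip, dst_ip), pps)

if __name__ == "__main__":
    print(classify("198.51.100.7", "192.0.2.10", 1000))       # SPP-1
    print(classify("198.51.100.7", "192.0.2.10", 90000))      # SPP-3: switched
    print(classify("198.51.100.7", "192.0.2.77", 90000))      # SPP-2: no switching
    print(classify("2001:db8::1", "2001:db8:12ab::5", 5000))  # SPP-4: notify only
    print(classify("203.0.113.5", "203.0.113.9", 10))         # SPP-0: no match
    # Ordering pitfall: with the /24 above the /32, web01 traffic lands in SPP-2
    print(classify("198.51.100.7", "192.0.2.10", 1000, rules=RULES[::-1]))
```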