SPP basics
A Service Protection Profile (SPP) is a class for the counters and thresholds that protect a particular subnet. When the FortiDDoS system receives traffic, the SPP policy assigns the packets to an SPP based on source or destination IP address. The system monitors and maintains Layer 3, Layer 4, and Layer 7 data for each SPP.
You can configure 7 SPPs and 511 SPP policy rules.
When possible, consider creating two SPPs for each subnet you intend to protect: a primary SPP and an alternate SPP to be used when the packet rate to the primary SPP becomes high. You can enable an SPP switching policy to switch from the primary profile to the alternate profile when the packet rate reaches the maximum packet rate for the primary profile.
If desired, you can use one SPP for many rules. For example, you can create a protection profile named SPP-1 and apply it to two policy rules: Rule 1 protecting subnet 192.168.1.0/24 and Rule 2 protecting subnet 192.168.2.0/24.
SPP configuration overview
The SPP configuration objects depend on one another: policy rules reference SPP IDs, and the switching policy must be enabled before a rule can use it. Configure them in the order listed.
Basic steps
1. Configure multiple SPP IDs.
2. (Optional) Enable the SPP switching policy feature if you want to enable it in policy rules.
3. Configure the SPP policy that associates SPP IDs with the subnet address/mask.
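As an added illustration (not FortiDDoS code or configuration), the following Python model shows how an SPP policy maps packets to SPP IDs by source or destination subnet, how one SPP can serve several rules, and how a switching policy moves a rule's traffic to the alternate SPP once the primary reaches its maximum packet rate. The rule structure, the sample subnets, first-match rule ordering and the simplified one-second counter window are assumptions of this model.

```python
"""Model of SPP policy assignment with an SPP switching policy.

Added illustration only, not FortiDDoS code: the data structures, sample
subnets and rates are constructed for this example.  First-match ordering
and the fixed one-second counting window are modelling assumptions.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass
class SPPRule:
    """One SPP policy rule: a protected subnet bound to a primary SPP ID,
    optionally with an alternate SPP used once the primary's rate is hit."""
    name: str
    subnet: str
    primary_spp: int
    alternate_spp: Optional[int] = None   # switching policy applies only if set
    max_pps: Optional[int] = None         # maximum packet rate for the primary SPP


@dataclass
class SPPPolicy:
    rules: List[SPPRule]
    default_spp: int = 0                  # unmatched traffic falls into SPP-0
    # packets counted per SPP in the current one-second window (assumption)
    counts: Dict[int, int] = field(default_factory=dict)

    def tick(self) -> None:
        """Start a new one-second window: rate counters restart from zero."""
        self.counts = {}

    def match(self, src: str, dst: str) -> Optional[SPPRule]:
        """Return the first rule whose subnet contains the source or destination IP."""
        for rule in self.rules:
            net = ip_network(rule.subnet)
            if ip_address(src) in net or ip_address(dst) in net:
                return rule
        return None

    def assign(self, src: str, dst: str) -> int:
        """Return the SPP ID a packet is counted against, honouring switching."""
        rule = self.match(src, dst)
        spp = self.default_spp if rule is None else rule.primary_spp
        # Switching policy: once the primary SPP has reached its maximum
        # packet rate in this window, this rule's packets go to the alternate.
        if (rule is not None and rule.alternate_spp is not None
                and rule.max_pps is not None
                and self.counts.get(rule.primary_spp, 0) >= rule.max_pps):
            spp = rule.alternate_spp
        self.counts[spp] = self.counts.get(spp, 0) + 1
        return spp


def simulate(policy: SPPPolicy, packets: List[Tuple[str, str]]) -> List[int]:
    """Assign a burst of (src, dst) packets within one window; return SPP IDs."""
    return [policy.assign(src, dst) for src, dst in packets]
```

Rule 2 in the test below shares SPP-1 with Rule 1 but has no alternate, so its traffic stays on SPP-1 even after Rule 1 has switched to SPP-2.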
 
The FortiDDoS system maintains traffic history for each SPP. It uses this data to generate recommended thresholds, dynamically adjust thresholds, and generate traffic statistics.
If you change the SPP policy configuration or the resources it monitors, the data can become skewed. For example, if you remove a subnet from the profile, or change the servers that are deployed in the subnet, or change the services offered by those servers, the traffic history becomes less relevant.
Fortinet strongly recommends that you reset the traffic history for a profile before you make any significant changes to its configuration. Go to Protection Profiles > Factory Reset > Factory Reset.
If you do not reset traffic statistics, changes to an SPP policy can result in counter-intuitive data accumulated in the longer reporting periods (year, month). For example, if a subnet belonged to the default SPP-0 before you assigned it to SPP-1, a report filtered by SPP-1 includes the SPP-0 traffic history for that subnet.
 
Best Practice: Provision a separate SPP for UDP
Unlike TCP traffic, UDP and DNS traffic has no connection state for the system to track. This means that for UDP traffic, FortiDDoS does not differentiate requests from responses. We recommend you provision a separate SPP for UDP traffic so that it is easier to administer during attacks, because you might need to tune its thresholds more frequently. If you configure user-defined thresholds, start with reasonably high outbound UDP port thresholds. If you set UDP port thresholds too low, the system might block harmless UDP traffic.
The only mitigation mechanisms for UDP attacks are source tracking and rate limiting. The source tracking feature detects attacks from a single source or a limited number of sources. However, if the attack is distributed, the rate limiting feature limits all UDP traffic in the SPP, including legitimate traffic. It cannot limit only the UDP traffic that is associated with the attack.
Alternatively, to avoid issues with DNS in FortiDDoS deployments, consider using DNS forwarders.