Using system recommended thresholds
We recommend you use the system recommendation feature to set thresholds for most types of traffic. The system recommendation procedure sets the configured minimum threshold to a percentage of the generated baseline rates.
You use the Protection Profiles > Thresholds > System Recommendation page to set the multiplier for each OSI layer. The resulting configured minimum thresholds are populated on the Protection Profiles > Thresholds > Thresholds page. As you become a FortiDDoS expert, you can tune the thresholds on the Protection Profiles > Thresholds > Thresholds page.
Table 28 explains how the system recommendation feature sets thresholds.
Table 28: How the system recommendation feature sets thresholds
Threshold Group
Notes
Scalar thresholds
Thresholds are set to either the observed maximum multiplied by the Layer 3 or Layer 4 percentage, or to the low traffic threshold, whichever is higher.
The system recommendation procedure does not set the threshold for the following scalar meters: New Connections, Most Active Destination, ACK Per Destination, RST Per Destination, FIN Per Destination, ESTAB Per Destination, Connection Per Destination.
Protocol thresholds
The system recommendation procedure does not set the threshold for TCP protocol (6) and UDP protocol (17).
TCP/UDP Port, ICMP Type/Code
Packet rates vary across ports, SPPs, and traffic direction.
All contiguous TCP/UDP ports or ICMP type/codes that have the same inbound and outbound traffic rates are grouped into ranges.
We limit the number of ranges to 512 to optimize the internal configuration database.
The system recommendation procedure uses an algorithm to generate a set of ranges and packet rate thresholds for them. The algorithm is based on the following factors:
The recorded baseline traffic for ports or type/code from 0 to 64K.
If the traffic is below the low traffic value, the low traffic value is considered the baseline.
Otherwise, the recorded baseline rates are multiplied by the Layer 4 adjustment percentage.
The resulting rates are divided by 512 to determine a round-up factor.
Rates are rounded up to next multiple of round-up factor.
If the number of ranges is below 512, the thresholds are set.
Otherwise, the rates are rounded to the next multiple of round-up factor, and so on, until the number of ranges is below 512. Then, the thresholds are set.
The system recommendation procedure does not set the threshold for widely used TCP service ports 21-23, 25, 53, 80, 110, 139, 443 and 590; or TCP/UDP SIP ports 5060 and 5061. It does not set the threshold for user-configured HTTP service ports. The thresholds for these are set to high values.
HTTP Method
Thresholds are set to either the observed maximum multiplied by the Layer 7 percentage, or to the low traffic threshold, whichever is higher.
URL, Host, Cookie, Referer, User-Agent
The rate meters for URLs and HTTP headers are based on indexes.
Packet rates vary across these indexes, SPPs, and traffic direction, depending on the time the baseline is taken.
The “observed maximum” used by the system recommendation procedure is the packet rate for the 95th percentile of observed rates for all indexes (excluding indexes with zero traffic), unless the number of indexes is unusually low. If low, the highest rate for all indexes is used.
Thresholds are set to either the observed maximum multiplied by the Layer 7 percentage, or to the low traffic threshold, whichever is higher.
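The range-generation steps that Table 28 lists for TCP/UDP ports and ICMP type/codes, as an added Python example (not FortiDDoS code). It assumes the round-up factor is the highest adjusted rate divided by 512 and that each retry moves to the next multiple of that factor; all function names are hypothetical.

```python
MAX_RANGES = 512  # range limit stated on the page

def adjusted(rate, percent, low_traffic):
    # Literal reading of the page: below the low traffic value, that value
    # is the baseline; otherwise the rate is scaled by the Layer 4 percentage.
    return low_traffic if rate < low_traffic else rate * percent // 100

def round_up(rate, step):
    return -(-rate // step) * step  # next multiple of step, integer math

def group_ranges(rates):
    """Merge contiguous ports whose (inbound, outbound) rates are equal."""
    ranges, start = [], 0
    for port in range(1, len(rates) + 1):
        if port == len(rates) or rates[port] != rates[start]:
            ranges.append((start, port - 1, rates[start]))
            start = port
    return ranges

def recommend(baseline, percent=200, low_traffic=500):
    """baseline: list of (inbound, outbound) packet rates indexed by port.
    Returns (rounding step used, [(first_port, last_port, (in, out)), ...])."""
    if not 100 <= percent <= 300 or low_traffic < 1:
        raise ValueError("percent must be 100-300, low_traffic at least 1")
    adj = [(adjusted(i, percent, low_traffic), adjusted(o, percent, low_traffic))
           for i, o in baseline]
    # Assumption: the round-up factor is the highest adjusted rate / 512.
    factor = max(1, -(-max(max(pair) for pair in adj) // MAX_RANGES))
    step = factor
    while True:
        rounded = [(round_up(i, step), round_up(o, step)) for i, o in adj]
        ranges = group_ranges(rounded)
        if len(ranges) < MAX_RANGES:  # "below 512", as the page words it
            return step, ranges
        step += factor  # assumption: retry with the next multiple of the factor

if __name__ == "__main__":
    # Constructed baseline: 2,000 ports alternating between two close rates.
    noisy = [(1000, 1000) if p % 2 == 0 else (1003, 1003) for p in range(2000)]
    print(recommend(noisy, percent=100))  # (12, [(0, 1999, (1008, 1008))])
```

In the constructed case, the alternating rates merge into one range only after the rounding step has grown to 12, so the thresholds that are set (1,008) sit above both adjusted baselines.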
 
Before you begin:
You must have generated traffic statistics for a learning period. Ensure that the traffic statistics report that you generate for use with System Recommendation is for a period that is free of attacks and that it is long enough to be a representative period of activity. If necessary, reset statistics for the SPP before initiating the learning period.
You must have Read-Write permission for Protection Profile settings.
Note that the FortiDDoS hardware is accessed when you generate traffic statistics or set system recommended thresholds. Do not perform multiple operations simultaneously.
To adjust the system recommended thresholds:
1. Go to Protection Profiles > Thresholds > System Recommendation.
2. Select the SPP you want to configure from the drop-down list.
3. Complete the configuration as described in Table 29.
4. Save the configuration.
Table 29: Adjusting the system recommended thresholds
Settings
Guidelines
Layer <N> adjustment
Percentage—Multiply the generated rates by the specified percentage to compute the recommended thresholds.
Factory default—Use factory default values instead of the recommended values. The factory default values are high so that the appliance can be placed inline and not immediately drop traffic.
Layer <N> percentage
Multiply the generated maximum rates by the specified percentage to compute the recommended thresholds. For example, if the value is 100%, the threshold is equal to the generated maximum rate. If it is 300%, the threshold is three times the generated maximum rate.
The default adjustment for Layer 3 is 300. The default for Layer 4 is 200. The default for Layer 7 is 200. The valid range is 100 to 300.
Layer <N> low traffic threshold
Specify a minimum threshold to use instead of the recommended rate when the recommended rate is lower than this value. This setting is helpful when you think that the generated maximum rates are too low to be useful.
The default is 500.
For example, assume the generated maximum packet rate for inbound Layer 4 TCP packets is 2,000 and the outbound rate is 3,000. The value of Layer 4 percentage is 300 (percent) and the value of Layer 4 low traffic threshold is 8,000.
In this example, the computed rate for inbound packets is 6,000 (2,000 * 300% = 6,000). Because 6,000 is less than the low traffic threshold of 8,000, the system sets the threshold to 8,000.
In this example, the recommended threshold for outbound packets is 9,000 (3,000 * 300% = 9,000). Because 9,000 is greater than the low traffic threshold of 8,000, the system sets the threshold to 9,000.
 
 
To configure with the CLI, use a command sequence similar to the following:
config spp
edit <spp_name>
config ddos spp threshold-adjust
set threshold-adjustment-type system-recommendation
set threshold-system-recommended-report-period {1-hour | 8-hours | 1-day | 1-week | 1-month | 1-year}
set threshold-system-recommended-layer-3 {layer3-percentage | layer3-factory-defaults}
set threshold-system-recommended-layer-3-percentage <percent>
set threshold-system-recommended-layer-3-low-traffic <integer>
set threshold-system-recommended-layer-4 {layer4-percentage | layer4-factory-defaults}
set threshold-system-recommended-layer-4-percentage <percent>
set threshold-system-recommended-layer-4-low-traffic <integer>
set threshold-system-recommended-layer-7 {layer7-percentage | layer7-factory-defaults}
set threshold-system-recommended-layer-7-percentage <percent>
set threshold-system-recommended-layer-7-low-traffic <integer>
end