firewall : DoS-policy, DoS-policy6
 
DoS-policy, DoS-policy6
Use these commands to configure Denial of Service (DoS) policies: DoS-policy applies to IPv4 traffic, DoS-policy6 applies to IPv6 traffic.
FortiGate Intrusion Protection uses Denial of Service (DoS) sensors to identify network traffic anomalies that do not fit known or preset traffic patterns. Four statistical anomaly types for the TCP, UDP, and ICMP protocols can be identified.
Flooding: If the number of sessions targeting a single destination in one second is over a threshold, the destination is experiencing flooding.
Scan: If the number of sessions from a single source in one second is over a threshold, the source is scanning.
Source session limit: If the number of concurrent sessions from a single source is over a threshold, the source session limit is reached.
Destination session limit: If the number of concurrent sessions to a single destination is over a threshold, the destination session limit is reached.
Enable or disable logging for each anomaly, and select the action taken in response to detecting an anomaly. Configure the anomaly thresholds to detect traffic patterns that could represent an attack.
 
It is important to estimate the normal and expected traffic on the network before changing the default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high could allow some attacks to pass undetected.
The list of anomalies can be updated only when the FortiGate firmware image is upgraded.
Syntax
The DoS-policy6 command, for IPv6 traffic, takes the same fields under config firewall DoS-policy6.
config firewall DoS-policy
    edit <dospolicy_id_int>
        set client-reputation {enable | disable}
        set dstaddr <name_str>
        set interface <name_str>
        set service <name_str>
        set srcaddr <name_str>
        set status {enable | disable}
        config anomaly
            edit <anomaly_str>
                set action {block | pass}
                set log {enable | disable}
                set quarantine {attacker | none}
                set status {enable | disable}
                set threshold <threshold_int>
            end
    end
 
Variables (each entry lists the variable, its description, and its default)

client-reputation {enable | disable}
    Enable or disable the client reputation feature in this policy.
    Default: disable

dstaddr <name_str>
    Enter one or more destination firewall addresses.
    No default.

interface <name_str>
    Set the interface to which the policy applies.
    No default.

service <name_str>
    Enter one or more services to which the policy applies.
    No default.

srcaddr <name_str>
    Enter one or more source firewall addresses.
    No default.

status {enable | disable}
    Enable or disable this DoS policy.
    Default: disable

config anomaly fields

<anomaly_str>
    Enter the name of the anomaly you want to configure. Display a list of the available anomaly types by entering ?.
    No default.

action {block | pass}
    Pass or block traffic in which the specified anomaly is detected.
    Default: pass

log {enable | disable}
    Enable or disable logging of the specified anomaly in the current DoS sensor.
    Default: disable

quarantine {attacker | none}
    To prevent the attacker from continuing to attack the FortiGate unit, you can quarantine the attacker by adding it to the banned user list.
    Enter attacker to block all traffic sent from the attacker's IP address. The attacker's IP address is also added to the banned user list. The target's address is not affected.
    Enter none to disable adding addresses to the quarantine for the current DoS sensor.
    Default: none

status {enable | disable}
    Enable or disable the specified anomaly in the current DoS sensor.
    Default: disable

threshold <threshold_int>
    Enter the number of times the specified anomaly must be detected in network traffic before the action is triggered.
    Range: 1 to 2 147 483 647.
    Default: varies by anomaly
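As an added illustration, not part of the Fortinet reference, the Python below models the four anomaly types defined above (flooding, scan, source and destination session limit) together with the per-anomaly status, threshold, action and log fields, evaluated over a constructed session list. The tcp_* anomaly names follow the FortiOS naming scheme; the thresholds, addresses and the fixed one-second bucketing are assumptions made for the demo, not appliance defaults or the appliance's actual counting method.

```python
from collections import Counter, defaultdict
# Anomaly entries as under "config anomaly"; tcp_* names follow FortiOS, thresholds are demo values.
POLICY = {
    "tcp_syn_flood":   {"kind": "flood",       "threshold": 5, "action": "block", "log": True,  "status": True},
    "tcp_port_scan":   {"kind": "scan",        "threshold": 4, "action": "pass",  "log": True,  "status": True},
    "tcp_src_session": {"kind": "src_session", "threshold": 3, "action": "block", "log": True,  "status": True},
    "tcp_dst_session": {"kind": "dst_session", "threshold": 3, "action": "block", "log": False, "status": False},
}
SRC, DST = 2, 3  # positions in a session record (start, end, src, dst); times in seconds
# Constructed traffic: SYN flood at one host, one source scanning five hosts in 1 s, one source with 4 open at once.
SESSIONS = (
    [(0.1 * i, 0.1 * i + 0.05, f"10.0.0.{i}", "192.0.2.10") for i in range(1, 7)]
    + [(1 + 0.1 * i, 1.05 + 0.1 * i, "198.51.100.7", f"192.0.2.{20 + i}") for i in range(5)]
    + [(2 + 0.1 * i, 5 + 0.1 * i, "203.0.113.5", f"192.0.2.{30 + i}") for i in range(4)]
)

def peak_rate(sessions, field):
    """Flood (field=DST) / scan (field=SRC): most sessions started per address in any one second."""
    per_bucket = Counter((int(s[0]), s[field]) for s in sessions)  # fixed 1 s buckets (an assumption)
    peaks = {}
    for (_, addr), n in per_bucket.items():
        peaks[addr] = max(peaks.get(addr, 0), n)
    return peaks

def peak_concurrent(sessions, field):
    """Source/destination session limit: most sessions open at the same moment per address."""
    events = defaultdict(list)
    for s in sessions:
        events[s[field]] += [(s[0], 1), (s[1], -1)]
    peaks = {}
    for addr, ev in events.items():
        cur = peak = 0
        for _, delta in sorted(ev):  # -1 sorts before +1 at equal times: a closing session frees its slot
            cur += delta
            peak = max(peak, cur)
        peaks[addr] = peak
    return peaks
KINDS = {"flood": (peak_rate, DST), "scan": (peak_rate, SRC),
         "src_session": (peak_concurrent, SRC), "dst_session": (peak_concurrent, DST)}

def evaluate(sessions, policy):
    """Apply each enabled anomaly entry; return (anomaly, address, observed, action, logged) per hit."""
    hits = []
    for name, cfg in policy.items():
        if not cfg["status"]:
            continue  # status disable: the entry is ignored entirely
        counter, field = KINDS[cfg["kind"]]
        for addr, observed in sorted(counter(sessions, field).items()):
            if observed > cfg["threshold"]:  # "over a threshold", as the reference words it
                hits.append((name, addr, observed, cfg["action"], cfg["log"]))
    return hits
```

Note that 203.0.113.5 opens exactly four sessions in one second, equal to the scan threshold, so it is reported only by the source session limit; lowering the scan threshold by one would also flag it, which is the false-positive trade-off the reference warns about.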