 
DoS Policy
The DoS Policy tab allows you to create, edit, delete, and clone DoS policies. The following information is displayed for these policies: Seq.# (sequence number), Interface (incoming interface), Source (source address), Destination (destination address), Service, and Install On (installation targets).
 
Select Display Options in the Policy & Objects tab, and toggle the DoS Policy switch to display this option in the Policy Package tab bar.
To create a DoS policy:
1. Select the ADOM from the drop-down list in the toolbar.
2. Select the policy package where you are creating the new DoS policy from the tree menu.
3. Select DoS Policy in the policy toolbar.
4. Right-click on the sequence number of a current policy, or in an empty area of the content pane and select Create New from the pop-up menu.
The Create New Policy dialog box opens.
Figure 208: New DoS Policy
5. Configure the following settings:
Incoming Interface
Select the incoming interface from the drop-down list.
Source Address
Select the source address from the drop-down list. You can also create a new address or address group in the Source Address dialog box.
Destination Address
Select the destination address from the drop-down list. You can create a new address or address group in the Add Destination Address dialog box.
Service
Select the service from the drop-down list. You can create a new service or service group in the Add Service dialog box.
Anomalies
For each of the following anomalies, select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold:
tcp_syn_flood
tcp_port_scan
tcp_src_session
tcp_dst_session
udp_flood
udp_scan
udp_src_session
udp_dst_session
icmp_flood
icmp_sweep
icmp_src_session
icmp_dst_session
ip_src_session
ip_dst_session
sctp_flood
sctp_scan
sctp_src_session
sctp_dst_session
6. Select OK to save the setting.
Edit the policy service:
1. Select DoS Policy in the policy toolbar.
2. Select the policy in the table and right-click the Service column and select Edit in the menu.
The Edit Service dialog box is displayed.
Figure 209: Edit Service
3. Configure the following settings:
Name
Edit the service name as required.
Comments
Enter an optional comment.
Color
Select the icon to choose a custom icon to display next to the service name.
Protocol
Select the protocol from the drop-down list. Select one of the following: TCP/UDP/SCTP, ICMP, ICMP6, or IP.
IP/FQDN
Enter the IP or FQDN.
Note: This menu item is available when Protocol is set to TCP/UDP/SCTP. You can then define the protocol, source port and destination port in the table.
Type
Enter the type in the text field.
Note: This menu item is available when Protocol is set to ICMP or ICMP6.
Code
Enter the code in the text field.
Note: This menu item is available when Protocol is set to ICMP or ICMP6.
Protocol Number
Enter the protocol number in the text field.
Note: This menu item is available when Protocol is set to IP.
Advanced Options
For more information on the advanced options, see the FortiOS 5.0 CLI Reference.
 
check-reset-range
Configure ICMP error message verification.
disable — The FortiGate unit does not validate ICMP error messages.
strict — If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B) | TCP(C,D) header, and FortiOS can locate the A:C->B:D session, it checks that the sequence number in the embedded TCP header is within the range recorded for that session. If the sequence number is not in range, the ICMP packet is dropped. If logging is enabled, the FortiGate unit logs that the ICMP packet was dropped. Strict checking also affects how the anti-replay option checks packets.
default — Use the global setting defined in system global.
Note: This field is available when protocol is TCP/UDP/SCTP.
Note: This field is not available if explicit-proxy is enabled.
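The strict check described above, as an added illustration that is not FortiOS code: it parses the IPv4 and TCP headers embedded in an ICMP error, looks the A:C->B:D tuple up in a session table, and drops the packet when the embedded sequence number falls outside the recorded range. The session table, the recorded ranges and the packet builder are constructed for the example.

```python
import struct

# Constructed session table: (src_ip, src_port, dst_ip, dst_port) -> (seq_lo, seq_hi).
# Stands in for the range FortiOS records per session; values are illustrative.
SESSIONS = {
    ("10.0.0.5", 40000, "192.0.2.10", 443): (1000, 2000),
}

def parse_icmp_error(packet: bytes):
    """Return (A, C, B, D, seq) from an ICMP error that embeds the offending
    IPv4 header plus at least 8 bytes of its TCP header, else None."""
    if len(packet) < 8 + 20 + 8:
        return None
    if packet[0] not in (3, 11, 12):  # destination unreachable, time exceeded, parameter problem
        return None
    inner = packet[8:]                # embedded IPv4 header starts after the 8-byte ICMP header
    ihl = (inner[0] & 0x0F) * 4
    if ihl < 20 or len(inner) < ihl + 8 or inner[9] != 6:  # only TCP has a sequence number
        return None
    src = ".".join(str(b) for b in inner[12:16])
    dst = ".".join(str(b) for b in inner[16:20])
    sport, dport, seq = struct.unpack("!HHI", inner[ihl:ihl + 8])  # ports + seq number
    return src, sport, dst, dport, seq

def check_reset_range(packet: bytes, sessions=SESSIONS, mode="strict"):
    """Return 'pass' or 'drop' following the disable/strict semantics."""
    if mode == "disable":
        return "pass"                 # no validation of ICMP error messages
    parsed = parse_icmp_error(packet)
    if parsed is None:
        return "pass"                 # nothing to validate against
    src, sport, dst, dport, seq = parsed
    window = sessions.get((src, sport, dst, dport)) or sessions.get((dst, dport, src, sport))
    if window is None:
        return "pass"                 # session not located; strict check does not apply
    lo, hi = window
    return "pass" if lo <= seq <= hi else "drop"

def build_icmp_error(src, sport, dst, dport, seq, icmp_type=3, code=1):
    """Construct a minimal ICMP error carrying an embedded IPv4 + TCP header (sample input)."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0, 0, 64, 6, 0,
                           bytes(int(o) for o in src.split(".")),
                           bytes(int(o) for o in dst.split(".")))
    inner_tcp = struct.pack("!HHI", sport, dport, seq)
    return struct.pack("!BBHI", icmp_type, code, 0, 0) + inner_ip + inner_tcp
```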
 
session-ttl
Enter the default session timeout in seconds. The valid range is from 300 to 604800 seconds. Enter 0 to use either the per-policy session-ttl or the per-VDOM session-ttl, as applicable.
Note: This is available when protocol is TCP/UDP/SCTP.
 
tcp-halfclose-timer
Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent a FIN packet but the other has not responded. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global.
Note: This is available when protocol is TCP/UDP/SCTP.
 
tcp-halfopen-timer
Enter how many seconds the FortiGate unit should wait to close a session after one peer has sent an open session packet but the other has not responded. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global.
Note: This is available when protocol is TCP/UDP/SCTP.
 
tcp-timewait-timer
Set the length of the TCP TIME-WAIT state in seconds. As described in RFC 793, the “TIME-WAIT state represents waiting for enough time to pass to be sure the remote TCP received the acknowledgment of its connection termination request”.
Reducing the time spent in the TIME-WAIT state lets the FortiGate unit close terminated sessions faster, so more new sessions can be opened before the session limit is reached.
The valid range is 0 to 300 seconds. A value of 0 sets the TCP TIME-WAIT to 0 seconds.
Enter 0 to use the global setting defined in system global.
Note: This is available when protocol is TCP/UDP/SCTP.
 
udp-idle-timer
Enter the number of seconds before an idle UDP connection times out. The valid range is from 1 to 86400 seconds.
Enter 0 to use the global setting defined in system global.
Note: This is available when protocol is TCP/UDP/SCTP.
4. Select OK to save the service. The custom service will be added to Objects > Firewall Objects > Service.
To edit the installation target:
1. Select DoS Policy in the policy toolbar.
2. Select the policy in the table and right-click the Install On column and select Add Object(s) in the menu.
The Add Install On dialog box is displayed.
Figure 210: Add Install On
3. Select the installation targets from the list and select OK. To edit the installation targets, select the Installation tab in the Policy Package tab bar and select Edit Targets in the toolbar.