Example: DoS policy
The company wishes to protect against Denial of Service (DoS) attacks. For some attack types they want the traffic blocked once the rate of the anomaly rises above a threshold; for the others they are only trying to establish a baseline of normal activity, so that traffic is logged but allowed to pass without any other action.
- The interface to the Internet is on WAN1
- There is no requirement to specify which addresses are being protected or protected from.
- The protection is to extend to all services.
- The TCP attacks are to be blocked
- The UDP, ICMP, and IP attacks are to be recorded but not blocked.
- The tcp_syn_flood attack's threshold is to be changed from the default to 1000
- Go to Policy & Objects > Policy > DoS.
- Create a new policy
- Fill out the fields with the following information:
Field | Value |
---|---|
Incoming Interface | wan1 |
Source Address | all |
Destination Addresses | all |
Service | ALL |
Anomalies
Name | Status | Logging | Action | Threshold |
---|---|---|---|---|
tcp_syn_flood | enabled | enabled | Block | 1000 |
tcp_port_scan | enabled | enabled | Block | <default value> |
tcp_src_session | enabled | enabled | Block | <default value> |
tcp_dst_session | enabled | enabled | Block | <default value> |
udp_flood | enabled | enabled | Pass | <default value> |
udp_scan | enabled | enabled | Pass | <default value> |
udp_src_session | enabled | enabled | Pass | <default value> |
udp_dst_session | enabled | enabled | Pass | <default value> |
icmp_flood | enabled | enabled | Pass | <default value> |
icmp_sweep | enabled | enabled | Pass | <default value> |
icmp_src_session | enabled | enabled | Pass | <default value> |
icmp_dst_session | enabled | enabled | Pass | <default value> |
ip_src_session | enabled | enabled | Pass | <default value> |
ip_dst_session | enabled | enabled | Pass | <default value> |
sctp_flood | not enabled | not enabled | Pass | <default value> |
sctp_scan | not enabled | not enabled | Pass | <default value> |
sctp_src_session | not enabled | not enabled | Pass | <default value> |
sctp_dst_session | not enabled | not enabled | Pass | <default value> |
- Toggle the button next to Enable this policy to ON.
- Select OK.
- The equivalent configuration from the CLI is below. `edit 0` creates a new policy with the next free ID; the SCTP anomalies are left out because they are not enabled, and the UDP, ICMP and IP anomalies are given `set action pass` explicitly (pass is also the default) so that the logged-but-not-blocked intent is visible in the configuration:
config firewall DoS-policy
    edit 0
        set status enable
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
            next
            edit "tcp_src_session"
                set status enable
                set log enable
                set action block
            next
            edit "tcp_dst_session"
                set status enable
                set log enable
                set action block
            next
            edit "udp_flood"
                set status enable
                set log enable
                set action pass
            next
            edit "udp_scan"
                set status enable
                set log enable
                set action pass
            next
            edit "udp_src_session"
                set status enable
                set log enable
                set action pass
            next
            edit "udp_dst_session"
                set status enable
                set log enable
                set action pass
            next
            edit "icmp_flood"
                set status enable
                set log enable
                set action pass
            next
            edit "icmp_sweep"
                set status enable
                set log enable
                set action pass
            next
            edit "icmp_src_session"
                set status enable
                set log enable
                set action pass
            next
            edit "icmp_dst_session"
                set status enable
                set log enable
                set action pass
            next
            edit "ip_src_session"
                set status enable
                set log enable
                set action pass
            next
            edit "ip_dst_session"
                set status enable
                set log enable
                set action pass
            next
        end
    next
end
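The UDP, ICMP and IP anomalies in this policy only log, so the work of turning that log data into a baseline and then into thresholds happens off the box. The script below is an added example, not part of the original page or of any Fortinet tool: it parses FortiGate-style key=value log lines, keeps only `type="anomaly"` records, pulls the observed rate and configured threshold out of the `msg` field, and summarises per anomaly how many events fired, how many were actually blocked (`action="clear_session"` versus `action="detected"`), how many distinct sources were involved, and the peak rate seen. `suggest_threshold` then rounds the peak up with headroom as a starting point for a real threshold. The log lines are constructed for the example, and the field set and the exact `msg` wording are assumptions that vary by FortiOS version, so check them against a line from your own device before relying on the regexes.

```python
import re
from collections import defaultdict

# Constructed sample lines in the FortiGate key=value log style (not captured
# from a real device; field names and msg wording are assumptions).
SAMPLE_LOGS = """\
date=2015-07-28 time=10:01:12 type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=203.0.113.5 dstip=198.51.100.10 srcintf="wan1" action="clear_session" proto=6 service="tcp/80" count=1 attack="tcp_syn_flood" msg="anomaly: tcp_syn_flood, 1234 > threshold 1000, repeats 5 times"
date=2015-07-28 time=10:01:13 type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=203.0.113.5 dstip=198.51.100.10 srcintf="wan1" action="clear_session" proto=6 service="tcp/80" count=1 attack="tcp_syn_flood" msg="anomaly: tcp_syn_flood, 1500 > threshold 1000, repeats 9 times"
date=2015-07-28 time=10:05:40 type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=203.0.113.77 dstip=198.51.100.53 srcintf="wan1" action="detected" proto=17 service="udp/53" count=1 attack="udp_flood" msg="anomaly: udp_flood, 2100 > threshold 2000, repeats 2 times"
date=2015-07-28 time=10:05:41 type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=203.0.113.78 dstip=198.51.100.53 srcintf="wan1" action="detected" proto=17 service="udp/53" count=1 attack="udp_flood" msg="anomaly: udp_flood, 2350 > threshold 2000, repeats 3 times"
date=2015-07-28 time=10:06:02 type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=203.0.113.77 dstip=198.51.100.53 srcintf="wan1" action="detected" proto=17 service="udp/53" count=1 attack="udp_flood" msg="anomaly: udp_flood, 2800 > threshold 2000, repeats 6 times"
date=2015-07-28 time=10:07:15 type="anomaly" subtype="anomaly" level="alert" vd="root" srcip=203.0.113.9 dstip=198.51.100.10 srcintf="wan1" action="detected" proto=1 service="icmp" count=1 attack="icmp_flood" msg="anomaly: icmp_flood, 300 > threshold 250, repeats 1 times"
date=2015-07-28 time=10:07:16 type="traffic" subtype="forward" level="notice" vd="root" srcip=203.0.113.9 dstip=198.51.100.10 srcintf="wan1" action="accept" proto=6 service="HTTP"
"""

# key=value pairs; values are either a double-quoted string or a bare token.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# Observed rate and configured threshold as written into the anomaly msg field.
MSG_RE = re.compile(r'anomaly: (\w+), (\d+) > threshold (\d+)')


def parse_line(line):
    """Split one key=value log line into a dict, stripping quotes from values."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def parse_anomaly_logs(text):
    """Return one event dict per anomaly record; non-anomaly records are dropped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = parse_line(line)
        if fields.get("type") != "anomaly":
            continue
        match = MSG_RE.search(fields.get("msg", ""))
        events.append({
            "attack": fields.get("attack"),
            "action": fields.get("action"),
            "srcip": fields.get("srcip"),
            "observed": int(match.group(2)) if match else None,
            "threshold": int(match.group(3)) if match else None,
        })
    return events


def baseline(events):
    """Per anomaly: event count, blocked count, distinct sources, peak rate, threshold."""
    stats = defaultdict(lambda: {"events": 0, "blocked": 0, "sources": set(),
                                 "peak": 0, "threshold": None})
    for event in events:
        entry = stats[event["attack"]]
        entry["events"] += 1
        entry["sources"].add(event["srcip"])
        entry["threshold"] = event["threshold"]
        if event["observed"] is not None:
            entry["peak"] = max(entry["peak"], event["observed"])
        if event["action"] == "clear_session":   # the sensor actually dropped traffic
            entry["blocked"] += 1
    return dict(stats)


def suggest_threshold(peak, headroom=1.5, step=100):
    """Peak observed rate plus headroom, rounded up to a multiple of step."""
    return int(-(-(peak * headroom) // step) * step)


if __name__ == "__main__":
    stats = baseline(parse_anomaly_logs(SAMPLE_LOGS))
    for attack, entry in sorted(stats.items()):
        print(f"{attack:16} events={entry['events']:3} blocked={entry['blocked']:3} "
              f"sources={len(entry['sources']):3} peak={entry['peak']:5} "
              f"threshold={entry['threshold']:5} suggested={suggest_threshold(entry['peak'])}")
```

Read the output alongside the policy: anomalies set to Block should show `blocked` equal to `events`; the pass-only ones should show zero blocked, and their `peak` and `sources` columns tell you whether a rate spike came from one host or many before you decide to turn on blocking and where to set the threshold.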