Configuring application-layer DoS protection
The DoS Protection > Application submenu enables you to configure DoS protection at the network application layer.
For some DoS protection features, the FortiWeb appliance uses session management to track requests.
1. When a FortiWeb appliance receives the first request from any client, it adds a session cookie to the response from the web server in order to track the session. The client will include the cookie in subsequent requests.
2. If a client sends another request before the session timeout, FortiWeb examines the session cookie in the request.
   - If the cookie does not exist or its value has changed, the FortiWeb appliance drops the request.
   - If the same cookie exists, the request is treated as part of the same session. FortiWeb increments its count of connections and/or requests from the client. If the rate exceeds the limit, FortiWeb drops the extra connection or request.
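
The decision logic in steps 1 and 2 can be traced with a small model. This is an added example, not FortiWeb code or configuration: the class and function names are hypothetical, and it assumes sessions are keyed by client IP address, a fixed one-second counting window, and that only requests (not connections) are counted.

```python
import hmac
import secrets

class SessionRateTracker:
    """Toy model of cookie-based request tracking (hypothetical, not FortiWeb code)."""
    def __init__(self, limit, window=1.0, session_timeout=300.0):
        self.limit = limit                      # max requests per window (assumed)
        self.window = window                    # counting window, seconds (assumed)
        self.session_timeout = session_timeout  # idle timeout, seconds (assumed)
        self.sessions = {}                      # client address -> session state

    def handle(self, client, cookie, now):
        """Return (verdict, cookie_to_set) for one request arriving at time `now`."""
        s = self.sessions.get(client)
        if s is None or now - s["last_seen"] > self.session_timeout:
            # Step 1: first request (or session timed out): issue a session cookie.
            value = secrets.token_hex(16)
            self.sessions[client] = {"cookie": value, "last_seen": now,
                                     "window_start": now, "count": 1}
            return "forward", value
        # Step 2, first case: cookie missing or its value changed -> drop.
        if cookie is None or not hmac.compare_digest(cookie, s["cookie"]):
            return "drop:bad-cookie", None
        # Step 2, second case: same session -> count the request, enforce the limit.
        s["last_seen"] = now
        if now - s["window_start"] >= self.window:
            s["window_start"], s["count"] = now, 0
        s["count"] += 1
        if s["count"] > self.limit:
            return "drop:rate", None
        return "forward", None

def replay(tracker, events):
    """Run constructed (time, client, cookie_mode) events; return the verdicts."""
    jar, verdicts = {}, []
    for now, client, mode in events:
        sent = {"keep": jar.get(client), "none": None, "tamper": "0" * 32}[mode]
        verdict, issued = tracker.handle(client, sent, now)
        if issued:
            jar[client] = issued  # a cooperating client stores the cookie
        verdicts.append(verdict)
    return verdicts

# Constructed traffic: A returns its cookie and bursts; B never returns a valid cookie.
A, B = "198.51.100.7", "203.0.113.9"
SAMPLE = [(0.0, A, "none"), (0.0, B, "none"), (0.1, A, "keep"), (0.2, A, "keep"),
          (0.2, B, "none"), (0.3, A, "keep"), (0.4, B, "tamper"), (1.5, A, "keep")]

if __name__ == "__main__":
    print(replay(SessionRateTracker(limit=3), SAMPLE))
```

With a limit of 3, client A's fourth request inside the window is dropped for rate and its next request after the window is forwarded again, while client B's cookieless and altered-cookie requests are dropped before they are ever counted.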
See also
Limiting the total HTTP request rate from an IP
Limiting TCP connections per IP address by session cookie
Preventing an HTTP request flood