Handbook

IPv6 DoS policy

6.0.0

IPv6 DoS policy

To configure an IPv6 DoS policy in the GUI

  1. Go to Policy & Objects > IPv6 DoS Policy.

    The right side window will display a table of the existing IPv6 DoS Policies.

    • To edit an existing policy, double-click the policy you wish to edit.
    • To create a new policy, select the Create New icon in the top left side of the right window.
  2. Set the Incoming Interface parameter by using the drop-down menu to select a single interface.
  3. Set the Source IPv6 Address parameter by selecting the field with the "+" next to the field label. One or more options can be selected, unless the all option is chosen, in which case it is the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  4. Set the Destination IPv6 Address parameter by selecting the field with the "+" next to the field label. One or more options can be selected, unless the all option is chosen, in which case it is the only option.
  5. Set the Services parameter by selecting the field with the "+" next to the field label. One or more options can be selected, unless the ALL option is chosen, in which case it is the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  6. Set the parameters for the various traffic anomalies.

    The anomalies for which profiles exist are listed in two tables, which group the anomaly profiles into L3 Anomalies and L4 Anomalies. Each anomaly has the following parameters, which can be set per anomaly or per column.

    • Status - enable or disable the indicated profile
    • Logging - enable or disable logging of the indicated profile being triggered
    • Action - whether to Pass or Block traffic when the threshold is reached
    • Threshold - the number of anomalous packets detected before triggering the action.

    The listing of anomaly profiles includes:

    L3 Anomalies

    • ip_src_session
    • ip_dst_session

    L4 Anomalies

    • tcp_syn_flood
    • tcp_port_scan
    • tcp_src_session
    • tcp_dst_session
    • udp_flood
    • udp_scan
    • udp_src_session
    • udp_dst_session
    • icmp_flood
    • icmp_sweep
    • icmp_src_session
    • icmp_dst_session
    • sctp_flood
    • sctp_scan
  7. Toggle whether or not to Enable this policy. The default is enabled.
  8. Select the OK button to save the policy.

Configuring the IPv6 DoS policy in the CLI

Configuring the IPv6 version of the DoS policy is the same as configuring the IPv4 version, with the exception of the first command.

Using the CLI of your choice, enter the following commands:

config firewall DoS-policy6

The rest of the settings are the same as in IPv4 DoS Policy.
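As an added example (not Fortinet's code), the Python below parses a constructed `config firewall DoS-policy6` block and reports which of the anomaly profiles listed above are not enabled, blocking and logged. The sample config, the interface name `wan1`, the threshold value and the audited posture in `WANT` are assumptions made for illustration.

```python
import re
# Anomaly names as listed in this section (L3 first, then L4).
ANOMALIES = """ip_src_session ip_dst_session tcp_syn_flood tcp_port_scan
tcp_src_session tcp_dst_session udp_flood udp_scan udp_src_session udp_dst_session
icmp_flood icmp_sweep icmp_src_session icmp_dst_session sctp_flood sctp_scan""".split()
# Posture this example audits for (an assumption): every profile on, blocking, logged.
WANT = (("status", "enable"), ("action", "block"), ("log", "enable"))
# Constructed single-policy sample; interface name and threshold are illustrative.
SAMPLE = """config firewall DoS-policy6
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "udp_flood"
                set status enable
                set action pass
            next
        end
    next
end"""

def parse_anomalies(text):
    """Return {name: {setting: value}} for entries inside 'config anomaly'."""
    found, current, inside = {}, None, False
    for line in map(str.strip, text.splitlines()):
        if line == "config anomaly":
            inside = True
        elif inside and line == "end":
            inside, current = False, None
        elif inside and (m := re.fullmatch(r'edit "?(\w+)"?', line)):
            current = found.setdefault(m.group(1), {})
        elif current is not None and (m := re.fullmatch(r"set (\w+) (\S+)", line)):
            current[m.group(1)] = m.group(2)
    return found

def audit(text):
    """Return {name: [problems]} for listed anomalies that miss the WANT posture."""
    found = parse_anomalies(text)
    report = {n: [f"{k} is not {v}" for k, v in WANT if found.get(n, {}).get(k) != v]
              for n in ANOMALIES}
    return {n: bad for n, bad in report.items() if bad}
```

A setting that is absent from the text is reported as a problem, so the audit is conservative about values left at their defaults.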
