
Administration Guide

DoS protection

FortiOS includes built‑in protection mechanisms in the Node.js–based web service to help secure the administrative GUI from denial‑of‑service (DoS) attacks. These mechanisms mitigate common attack patterns such as Slowloris and brute‑force request flooding. DoS protection is provided through the following components:

  • a request monitoring engine

  • an HTTP rate‑limiting system

Both components apply to all Node.js web service interfaces, including HTTP, HTTPS, and HTTP/2.

By enforcing request‑handling timeouts and limiting the request rate of individual clients, FortiOS improves the resilience of the GUI service, preventing malicious clients from monopolizing its resources and helping administrators keep access during periods of high load or attempted attacks.

HTTP request monitoring

The request monitor tracks every incoming HTTP connection and enforces configurable timeouts for receiving the complete HTTP headers and the complete body. A connection that has not delivered them within the configured time is closed and its resources are released.

This mitigates Slowloris-style attacks, in which a client opens many connections and sends header or body bytes extremely slowly so that every connection stays open, exhausting the server's connection slots, without the attacker ever completing a request.

CLI configuration:

Use the following commands to configure header and body timeout values:

config system global 
    set admin-http-request-header-timeout <integer>
    set admin-http-request-body-timeout <integer>
    set admin-http-unauthenticated-request-body-timeout <integer>
end

  • admin-http-request-header-timeout <integer>: HTTP request header timeout, in milliseconds (0 disables the timeout, default = 200).

  • admin-http-request-body-timeout <integer>: HTTP request body timeout for authenticated sessions, in milliseconds (0 disables the timeout, default = 1800000, that is, 30 minutes).

  • admin-http-unauthenticated-request-body-timeout <integer>: HTTP request body timeout for requests made before the client has authenticated, in milliseconds (0 disables the timeout, default = 1000).

Note that the 30‑minute body timeout applies only once a session is authenticated. A client that has not yet logged in is held to the much shorter unauthenticated timeout, so raising admin-http-unauthenticated-request-body-timeout widens the window available to an attacker without credentials.
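The two-deadline behaviour described above, as an added Python example that is not FortiOS code: a small asyncio listener that, like the request monitor, gives each connection a bounded time to deliver its complete header block and a separate bounded time to deliver the body, and closes any connection that misses either deadline. It runs three local clients against itself: a normal POST, a Slowloris-style client that drips header lines without ever finishing them, and a client that sends its headers but withholds the promised body. The timeout values, the loopback port and the client names are assumptions chosen for the demonstration.

```python
"""Model of the request monitor's two deadlines (added example, not FortiOS code).

A connection gets HEADER_TIMEOUT seconds to deliver a complete header block and
BODY_TIMEOUT seconds to deliver the body its Content-Length promises; missing
either deadline closes the connection. Demo-sized values: the FortiOS defaults
are 200 ms (header), 1000 ms (unauthenticated body), 1800000 ms (authenticated body).
"""
import asyncio
import time

HEADER_TIMEOUT = 0.2   # seconds, like admin-http-request-header-timeout = 200 ms
BODY_TIMEOUT = 0.4     # seconds, assumed value standing in for the body timeouts


async def handle(reader, writer):
    """Serve one connection under the two deadlines; discard it on any miss."""
    try:
        raw = await asyncio.wait_for(reader.readuntil(b"\r\n\r\n"), HEADER_TIMEOUT)
        length = 0
        for line in raw.decode("latin-1").split("\r\n")[1:]:
            name, _, value = line.partition(":")
            if name.strip().lower() == "content-length":
                length = int(value)
        body = await asyncio.wait_for(reader.readexactly(length), BODY_TIMEOUT) if length else b""
        writer.write(b"HTTP/1.1 200 OK\r\nContent-Length: %d\r\nConnection: close\r\n\r\n%s"
                     % (len(body), body))
        await writer.drain()
    except (asyncio.TimeoutError, asyncio.IncompleteReadError, ValueError, ConnectionError):
        pass  # deadline missed or malformed request: drop it and free the slot
    finally:
        writer.close()


async def client(port, head, body=b"", drip=0.0, pad_lines=0):
    """Send head, then pad_lines slowly dripped header lines, then the body.

    Returns ("served", seconds) if a 200 comes back, or ("dropped", seconds)
    once the server closes the connection on us.
    """
    reader, writer = await asyncio.open_connection("127.0.0.1", port)
    start = time.monotonic()
    data = b""
    try:
        writer.write(head)
        await writer.drain()
        for _ in range(pad_lines):
            await asyncio.sleep(drip)
            writer.write(b"X-Pad: a\r\n")   # never sends the terminating blank line
            await writer.drain()
        if body:
            await asyncio.sleep(drip)
            writer.write(body)
            await writer.drain()
        data = await asyncio.wait_for(reader.read(4096), 2.0)
    except (ConnectionError, asyncio.TimeoutError):
        pass   # the server reset or closed the connection: treated as dropped
    finally:
        writer.close()
    outcome = "served" if data.startswith(b"HTTP/1.1 200") else "dropped"
    return outcome, time.monotonic() - start


async def _run():
    server = await asyncio.start_server(handle, "127.0.0.1", 0)   # ephemeral port
    port = server.sockets[0].getsockname()[1]
    post = b"POST /login HTTP/1.1\r\nHost: gui\r\nContent-Length: 5\r\n\r\n"
    try:
        return {
            "normal_post": await client(port, post, body=b"hello"),
            "slow_headers": await client(port, b"GET / HTTP/1.1\r\nHost: gui\r\n",
                                         drip=0.1, pad_lines=5),
            "withheld_body": await client(port, post, body=b"hello", drip=0.8),
        }
    finally:
        server.close()
        try:
            await asyncio.wait_for(server.wait_closed(), 1.0)
        except asyncio.TimeoutError:
            pass


def demo():
    """Run the three clients against the model listener; returns outcome per client."""
    return asyncio.run(_run())


if __name__ == "__main__":
    for name, (outcome, elapsed) in demo().items():
        print(f"{name:14s} {outcome:8s} after {elapsed:.2f}s")
```

The same client function, pointed at a real GUI address and port with TLS added, is the shape of a quick check that the configured header timeout is actually being enforced: a connection that only ever drips header lines should be closed by the device shortly after the timeout elapses.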

HTTP rate limiting

The HTTP rate limiter bounds how many requests a single client IP address can send to the GUI over time, using a token bucket: each client IP is given a pool of tokens, every request consumes one, and the pool refills gradually. Once a client has drained its pool, its further requests are rejected until enough tokens have accumulated. Because the pool is keyed by source IP address, all clients behind one NAT device or proxy share a single pool. Rate limiting applies to both authenticated and unauthenticated clients, but authenticated administrator sessions can be exempted (see admin-http-rate-limit-exempt-auth below), which keeps administrators reachable when they share a source address with noisier clients.

This mechanism throttles brute‑force login attempts and reduces the load caused by automated request floods.

CLI configuration:

Use the following commands to configure rate limiting and exemption:

config system global 
    set admin-http-rate-limit-max-requests <integer>
    set admin-http-rate-limit-exempt-auth {enable | disable}   
end

  • admin-http-rate-limit-max-requests <integer>: Maximum number of HTTP requests a single client IP address may make per second (0 disables rate limiting, default = 100).

  • admin-http-rate-limit-exempt-auth {enable | disable}: Enable or disable exempting authenticated administrator sessions from rate limiting (default = disable).
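A token-bucket model of the behaviour described above, as an added Python example that is not FortiOS code. It simulates a 150-request burst from one source address, the partial refill half a second later, an administrator logging in from behind the same NAT address with and without the exemption, and full recovery once the pool has refilled. The pool capacity, the continuous refill semantics and the addresses are assumptions: the page gives the per-second limit (default 100) and shows a pool size of 5000 tokens in the diagnostics, but does not say how the two relate, so they are separate parameters here.

```python
"""Per-client token-bucket limiter modelled on the FortiOS description
(added example, not FortiOS code).

Each client IP owns a pool of tokens; a request spends one, the pool refills
continuously, and a client whose pool is empty is rejected (and counted as a
violation) until it refills. Time is passed in explicitly so runs are
deterministic; in production you would use a monotonic clock.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Bucket:
    tokens: float
    last_refill: float
    violations: int = 0


@dataclass
class RateLimiter:
    max_requests: int = 100     # refill rate, tokens per second; 0 disables limiting
    capacity: int = 100         # pool size (assumption: equal to the per-second limit)
    exempt_auth: bool = False   # admin-http-rate-limit-exempt-auth
    buckets: Dict[str, Bucket] = field(default_factory=dict)

    def allow(self, ip: str, now: float, authenticated: bool = False) -> bool:
        """Charge one request from `ip` at time `now`; True if it may proceed."""
        if self.max_requests == 0 or (self.exempt_auth and authenticated):
            return True
        b = self.buckets.get(ip)
        if b is None:
            b = self.buckets[ip] = Bucket(tokens=float(self.capacity), last_refill=now)
        # Continuous refill proportional to elapsed time, capped at the pool size.
        b.tokens = min(float(self.capacity),
                       b.tokens + (now - b.last_refill) * self.max_requests)
        b.last_refill = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        b.violations += 1
        return False

    def blocked(self, ip: str) -> bool:
        """True while the client's pool cannot pay for a single request."""
        b = self.buckets.get(ip)
        return b is not None and b.tokens < 1.0

    def prune(self) -> None:
        """Forget clients with a full pool and no violations, as the page says
        the device does for its rate-limit details list."""
        self.buckets = {ip: b for ip, b in self.buckets.items()
                        if not (b.tokens >= self.capacity and b.violations == 0)}

    def clear(self, ip: Optional[str] = None) -> None:
        """Counterpart of 'diagnose web-svc server http rate-limit clear <ip>'."""
        if ip is None:
            self.buckets.clear()
        else:
            self.buckets.pop(ip, None)


def simulate(exempt_auth: bool = False) -> dict:
    """Flood from one NAT address, then an administrator behind the same address."""
    lim = RateLimiter(max_requests=100, capacity=100, exempt_auth=exempt_auth)
    nat = "203.0.113.7"   # constructed scenario, RFC 5737 documentation address
    burst = sum(lim.allow(nat, now=0.0) for _ in range(150))        # 100 pass, 50 rejected
    later = sum(lim.allow(nat, now=0.5) for _ in range(60))         # 50 refilled, 10 rejected
    admin = lim.allow(nat, now=0.5, authenticated=True)              # shares the drained pool
    recovered = lim.allow(nat, now=2.0)                              # 1.5 s later: pool full again
    return {"burst_allowed": burst, "later_allowed": later, "admin_allowed": admin,
            "violations": lim.buckets[nat].violations, "recovered": recovered}


if __name__ == "__main__":
    print("exemption disabled:", simulate(exempt_auth=False))
    print("exemption enabled: ", simulate(exempt_auth=True))
```

Without the exemption the administrator's login is rejected along with the flood because the device cannot tell the two apart by source address; with it, the login goes through while the unauthenticated flood stays throttled.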

Troubleshooting

FortiOS provides several diagnostic commands to inspect request monitor and rate limiter status.

View Node.js HTTP service status:

Displays the status of both services, the configured timeouts, the rate limiter pool size (maxTokens), and whether authenticated sessions are exempt.

# diagnose web-svc server http state
Service: Request Monitor
   status              : enabled
   lastMonitored       : Wed, 18 Mar 2026 16:55:11 GMT
   headerTimeout       : 200ms
   bodyTimeout         : 1800000ms
   unauthBodyTimeout   : 1000ms
Service: HTTP Rate Limiter
   status              : enabled
   lastMonitored       : Wed, 18 Mar 2026 16:55:11 GMT
   maxTokens           : 5000
   exemptAuthed        : disabled

View active HTTP connections:

Displays the currently active HTTP requests with their creation time and the time at which they time out. Requests are removed from the list automatically when they either time out or complete. This command is available only to super_admin users.

# diagnose web-svc server http client-connection
IP | Type | Creation | Timeout
   172.19.43.22 | 0 | Wed, 18 Mar 2026 16:55:11 GMT | Wed, 18 Mar 2026 16:55:11 GMT

View HTTP rate limiter token state:

Displays the tracked client IP addresses with their remaining tokens, whether they are currently blocked or bursting, their violation count, and when their pool was last refilled. Clients whose pool is full and who have no violations are removed from the list automatically, so an empty list means no client is currently being throttled. This command is available only to super_admin users.

# diagnose web-svc server http rate-limit details
 IP                   | Tokens | Blocked | Bursting | Violations | Last Refill
 172.16.200.254       | 5000   | NO      | NO       | 0          | Wed, 18 Mar 2026 16:55:41 GMT

Clear rate limiter state:

Removes the specified IP address from the rate‑limiter database, resetting all of its rate‑limit state, including any block currently in effect. If no IP address is provided, the command clears the entire database. Use it to restore access for a legitimate client that has been throttled; clearing the whole database during an ongoing flood also lifts the block on the attacker until its pool is exhausted again.

# diagnose web-svc server http rate-limit clear <ip>
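A triage helper for the rate-limit details output above, as an added Python example that is not FortiOS code: it parses the pipe-separated table the command prints, lists the clients that are blocked or have run up violations, and produces clear commands only for source addresses you list as trusted, so that an attacker's block is not lifted by accident. The sample table is constructed: the first row is copied from the output above, the other two use RFC 5737 documentation addresses, and the Bursting column is passed through as a flag without interpreting it further, since the page does not define it.

```python
"""Triage helper for 'diagnose web-svc server http rate-limit details'
(added example, not FortiOS code)."""
from typing import Dict, Iterable, List

# Constructed sample: row 1 is from the documentation page, rows 2-3 are made up.
SAMPLE = """\
# diagnose web-svc server http rate-limit details
 IP                   | Tokens | Blocked | Bursting | Violations | Last Refill
 172.16.200.254       | 5000   | NO      | NO       | 0          | Wed, 18 Mar 2026 16:55:41 GMT
 203.0.113.7          | 0      | YES     | NO       | 1342       | Wed, 18 Mar 2026 16:55:40 GMT
 198.51.100.23        | 4120   | NO      | YES      | 3          | Wed, 18 Mar 2026 16:55:41 GMT
"""


def parse_details(text: str) -> List[Dict]:
    """Turn the table into a list of rows with typed fields, keyed by header name."""
    rows, header = [], None
    for line in text.splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 6 or not cells[0]:
            continue                       # prompt echo, blank lines, separators
        if cells[0] == "IP":
            header = cells                 # header row names the columns
            continue
        if header is None:
            continue
        rec = dict(zip(header, cells))
        rec["Tokens"] = int(rec["Tokens"])
        rec["Violations"] = int(rec["Violations"])
        rec["Blocked"] = rec["Blocked"].upper() == "YES"
        rec["Bursting"] = rec["Bursting"].upper() == "YES"
        rows.append(rec)
    return rows


def suspicious(rows: Iterable[Dict], min_violations: int = 1) -> List[str]:
    """IPs that are blocked right now or have at least min_violations rejections."""
    return [r["IP"] for r in rows if r["Blocked"] or r["Violations"] >= min_violations]


def clear_commands(rows: Iterable[Dict], trusted: Iterable[str]) -> List[str]:
    """Reset commands for trusted sources only, e.g. an admin station behind a
    busy NAT that got throttled; untrusted blocked clients stay blocked."""
    trusted = set(trusted)
    return [f"diagnose web-svc server http rate-limit clear {r['IP']}"
            for r in rows if r["IP"] in trusted and (r["Blocked"] or r["Violations"])]


if __name__ == "__main__":
    rows = parse_details(SAMPLE)
    print("suspicious:", suspicious(rows, min_violations=10))
    for cmd in clear_commands(rows, trusted={"198.51.100.23"}):
        print(cmd)
```

Feed it the real output captured from the CLI and keep the trusted set to known administrator workstation or jump-host addresses; anything else that shows up blocked is worth correlating with the device's login event logs before its state is cleared.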
