Create a new DoS policy
This section describes how to create denial of service (DoS) policies.
See DoS policy in the FortiOS Administration Guide for more information.
On the Policy & Objects pane, from the Tools menu, select Display Options, and then select the IPv4 DoS Policy and IPv6 DoS Policy checkboxes to display these options. |
To create a new DoS policy:
- If using ADOMs, ensure that you are in the correct ADOM.
- Go to Policy & Objects > Policy Packages.
- In the tree menu for the policy package, click IPv4 DoS Policy or IPv6 DoS Policy.
- Click Create New.
- Enter the following information:
Option
Description
Name
Enter a unique name for the policy. Each policy must have a unique name.
Incoming Interface
Click the field then select interfaces.
Click the remove icon to remove interfaces.
Source Address
Select source addresses, address groups, virtual IPs, and virtual IP groups.
Destination Address
Select destination addresses, address groups, virtual IPs, and virtual IP groups.
Service
Select services and service groups.
L3/L4 Anomalies
Configure the anomalies:
Logging: Enable or disable logging for the anomaly. Anomalous traffic will be logged when the action is Block or Monitor.
Action: Select the action to take when the threshold is reached:
Disable: Do not scan for the anomaly.
Block: Block the anomalous traffic.
Monitor: Allow the anomalous traffic but record a log message if logging is enabled.
Threshold: Setthe number of detected instances per minute that triggers the anomaly action.
Quarantine: Select which system quarantine to use for blocked anomalous traffic.
See below for descriptions of each anomaly type.
Advanced Options > comments
Add a description of the policy, such as its purpose, or the changes that have been made to it. A comment added here will overwrite the comment added in the above Comments field.
Change Note
Add a description of the changes being made to the policy. This field is required.
L3 Anomalies
Anomaly
Description
Default Threshold
ip_src_session
If the number of concurrent IP connections from one source IP address exceeds the configured threshold value, the action is executed.
5000 concurrent sessions.
ip_dst_session
If the number of concurrent IP connections to one destination IP address exceeds the configured threshold value, the action is executed.
5000 concurrent sessions.
L4 Anomalies
Anomaly
Description
Default Threshold
tcp_syn_flood
If the SYN packet rate of new TCP connections, including retransmission, to one destination IP address exceeds the configured threshold value, the action is executed.
An additional Proxy action is available for this anomaly type. The anomalous traffic will be buffered and scanned when the complete file is downloaded.
The Proxy action is only available on these platforms: FGC_3000D, FGC_3100D, FGC_3200D, FGC3700D, FGC3700DX, FGC_5001D, FGT_1500D, FGT_3000D, FGT_3100D, FGT_3200D, FGT3700D, FGT3700DX, and FGT_5001D.
2000 packets per second.
tcp_port_scan
If the SYN packet rate of new TCP connections, including retransmission, from one source IP address exceeds the configured threshold value, the action is executed.
1000 packets per second.
tcp_src_session
If the number of concurrent TCP connections from one source IP address exceeds the configured threshold value, the action is executed.
5000 concurrent sessions.
tcp_dst_session
If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed.
5000 concurrent sessions.
udp_flood
If the UDP traffic to one destination IP address exceeds the configured threshold value, the action is executed.
2000 packets per second.
udp_scan
If the UDP sessions setup rate originating from one source IP address exceeds the configured threshold value, the action is executed.
2000 sessions per second.
udp_src_session
If the number of concurrent UDP connections from one source IP address exceeds the configured threshold value, the action is executed.
5000 concurrent sessions.
udp_dst_session
If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value, the action is executed.
5000 concurrent sessions.
icmp_flood
If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed.
250 packets per second.
icmp_sweep
If the ICMP sessions setup rate originating from one source IP address exceeds the configured threshold value, the action is executed.
100 sessions per second.
icmp_src_session
If the number of concurrent ICMP connections from one source IP address exceeds the configured threshold value, the action is executed.
300 concurrent sessions.
icmp_dst_session
If the number of concurrent ICMP connections to one destination IP address exceeds the configured threshold value, the action is executed.
1000 concurrent sessions.
sctp_flood
If the number of SCTP packets sent to one destination IP address exceeds the configured threshold value, the action is executed.
2000 packets per second.
sctp_scan
If the number of SCTP sessions originating from one source IP address exceeds the configured threshold value, the action is executed.
1000 packets per second.
sctp_src_session
If the number of concurrent SCTP connections from one source IP address exceeds the configured threshold value, the action is executed.
5000 concurrent sessions.
sctp_dst_session
If the number of concurrent SCTP connections to one destination IP address exceeds the configured threshold value, the action is executed.
5000 concurrent sessions.
- Click OK to create the policy. You can select to enable or disable the policy in the right-click menu. When disabled, a disabled icon will be displayed in the Seq.# column to the left of the number. By default, policies will be added to the bottom of the list, but above the implicit policy.