Technical Tip: FortiDDoS SPP policy switching threshold
Description
In the current v4.1 release, there is no precise way to measure the traffic that is flowing through the SPP.
In a future release of v4.2, a graph will be added that calculates the total traffic flowing through each SPP, which will help in judging what value should be placed in this threshold field.
Solution
Setting SPP Policy Switching Thresholds:
SPP Policy Thresholds are the sum of the inbound + outbound packet traffic to that SPP Policy (subnet).
- Calculate the sum of the Inbound + Outbound SPP packet traffic for the protocols used in that SPP:
- Do not show protocols 6 or 17 in Thresholds to deduce them.
For the in-use protocols either:
- Look at the last/longest Traffic Statistics report that was run for the SPP (the Protocols Statistics page) or look at the Protocol graphs for that SPP.
For Statistics:
- Sum the Inbound + Outbound packet rates for all Protocols used (these are shown on the Protocol Statistics page).
For Graphs (Monitor Graphs):
- Look at a long graph period (week or month) and record the max numbers for inbound, and then outbound, for all Protocols in use.
- Multiply the packet rate from above by 3. This follows the normal system recommendation for Layer 3 Threshold settings. This rate becomes the SPP Policy Switching Threshold.
That rate should be set as the Switching Threshold for all SPP Policies (subnets) in that SPP. The system will measure packet rates to each subnet and only alert on the specific subnet that exceeds the Switching Threshold.
To have more fine-grained control of the alert and traffic statistics for a particular subnet, configure that single subnet in a separate SPP so that the SPP rates and subnet rates match.
