snailcheesy
New Member
August 26, 2016
Question

difference between tcp_port_scan and tcp_src_session

  • August 26, 2016
  • 1 reply
  • 8127 views

We're blocking good traffic because we set up the tcp_port_scan filter. The traffic is coming in on http/https. What is the Fortinet definition of the word "scan"?

IBM defines it as "probing each port for a response.", whereas Fortinet defines a tcp_port_scan as an excessive 'rate of TCP packet from an IP address...'. Wouldn't excessive traffic be monitored by tcp_src_session?

Thanks!

    1 reply

    SteveDDoS_FTNT
    Staff
    August 26, 2016

    These look like FortiGate CLI instructions. You might get more responses on that Forum.

    Generally tcp_src_sessions is looking at the number of connections a particular source is starting/maintaining. 

    You are correct that normally a "scan" is a probe (vertical for ports, horizontal for IP addresses) but in this case FortiGate uses this to indicate a pps rate per TCP port. Port rate limiting is usually a last-resort situation and these should be set pretty high.  
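    The two anomalies Steve distinguishes, written out as a FortiGate DoS policy fragment. This is an added example for illustration, not configuration from the original thread or from Fortinet documentation. Lines beginning with "#" are annotations for the reader, not FortiOS CLI input, and the interface name, address and service objects and every threshold value are assumed; the point is the shape of a low per-port packet-rate limit that blocks web traffic next to one that moves the per-source control to tcp_src_session.

```text
# Added example, not from the thread or Fortinet docs. "#" lines are reader
# annotations, not CLI input. Interface, addresses, service objects and all
# thresholds are assumed values chosen for illustration only.

# Before: tcp_port_scan counts packets per second toward one TCP port and
# blocks. Every HTTP/HTTPS client shares ports 80/443, so a low per-port pps
# threshold trips on ordinary web traffic and drops legitimate sessions.
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        config anomaly
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 100        # assumed: far below a normal web load
            next
        end
    next
end

# After: per-port rate limiting is a last resort, so set its threshold well
# above the measured peak pps of the busiest port and keep it log-only until
# the new value has been watched for a while. The per-source control belongs
# in tcp_src_session, which counts concurrent sessions from one source IP
# rather than packets arriving at one destination port.
config firewall DoS-policy
    edit 1
        config anomaly
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action pass          # log-only while the threshold is validated
                set threshold 100000     # assumed: above observed peak pps on 443
            next
            edit "tcp_src_session"
                set status enable
                set log enable
                set action block
                set threshold 5000       # assumed: concurrent sessions per source IP
            next
        end
    next
end
```

    Measure before trusting either number: leave tcp_port_scan on pass with logging enabled, confirm that the anomaly log stays quiet during a normal peak, and only then consider switching the action back to block. The tcp_src_session threshold should likewise come from how many simultaneous connections a single legitimate client (or a NAT gateway in front of many clients) actually opens, not from a default.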

    snailcheesy
    New Member
    August 27, 2016

    Thanks for confirming the strange labeling Steve. I'll ramp up the numbers on those blocks.

    I don't see a CLI forum. What's it called?

    SteveDDoS_FTNT
    Staff
    August 31, 2016

    Sorry, I was not referring to a CLI forum but to the FortiGate Forums.  FortiDDoS (this forum) is a completely different product line for DDoS mitigation only.  The CLI commands you are using come from FortiGate, not FortiDDoS.  I am not a FortiGate expert and expect you would get better responses from the people who monitor the FortiGate forums.