bhwong
New Member
July 8, 2016
Solved

How to block IP with too many sessions?

We have an email server that gets over 10k hits of authentication failure errors every day as the bots try to log in with random passwords. The trend we notice on the FortiGate is that these attacking source IPs will hit a very high number of sessions. Is there a way to have the FortiGate automatically block these source IPs from WAN1 to Port1 when their sessions reach a preset number?

    Best answer by jhouvenaghel_FTNT

    jhouvenaghel_FTNT
    Staff
    July 12, 2016

    Did you try to use a DoS sensor with an anomaly like tcp_src_session or udp_src_session?

    bhwong
    Author
    New Member
    July 14, 2016

    The DoS sensor seems to block the port instead of the source IP, affecting the services for everyone. It also requires an active FortiGuard IPS subscription to function, right?
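
The DoS sensor suggested in the reply above, as an added example that is not part of the original thread: a FortiOS CLI DoS policy on wan1 that enables the tcp_src_session anomaly and quarantines the offending source address. The policy ID, threshold and quarantine duration are assumed values, and option names can differ between FortiOS versions.

```fortios
# Added example: DoS policy applied to traffic arriving on wan1.
# Policy ID 1, threshold 300 and the 1h quarantine are assumed values.
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            # Concurrent TCP sessions counted per source IP.
            edit "tcp_src_session"
                set status enable
                set log enable
                # Drop sessions above the threshold for that source only.
                set action block
                # Keep the offending source IP blocked for a fixed period.
                set quarantine attacker
                set quarantine-expiry 1h
                set threshold 300
            next
        end
    next
end
```

Setting `action` to `pass` with logging enabled first shows which sources would cross the threshold, so the value can be tuned against legitimate mail clients before blocking.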