FortiDDoS protects from both known and zero day attacks with very low latency. It’s easy to deploy and manage, and includes comprehensive reporting and analysis tools.
Article Id 192873
This article explains why FortiDDoS may continue to forward SYN packets under a SYN flood attack even though the threshold for SYN packets has been set.

FortiDDoS v4.1 and later

The SYN mitigation happens only when the ALL the following criteria/settings are set:
  • SYN validation needs to be enabled in TCP session feature control (SPP settings).  By default it is disabled (for the learning period to happen)
  • SYN mitigation direction checkbox is checked (by default Inbound is checked)
  • SYN flood has been detected, it means that one of the following thresholds has been crossed: SYN, SYN per source or SYN per destination
  • SPP is in prevention mode
When the SYN flood mitigation happens, all SYN packets are dropped unless they are from sources that are in the LIP table.  Every SYN packet that does not come from a source in LIP table are challenged by the SYN mitigation method.  As soon as a legitimate client passes the SYN mitigation method challenge (SYN cookie – the default; ACK cookie or SYN re-transmission) the source IP is added to the LIP table.