Description
The following example shows how to enable Denial of Service (DoS) sensors in FortiGate FortiOS 4.0. It configures the TCP Destination Session anomaly, called tcp_dst_session, in a DoS sensor.
A DoS sensor can be enabled as an independent option in the Intrusion Protection menu.
Solution
1. Go to UTM > Intrusion Protection > DoS Sensor and select Create New or edit an existing sensor. Selecting the check-box under Status enables all anomalies contained within the sensor, along with their configured thresholds and actions. NOTE: Once selected, the DoS sensor is enabled independently of a protection profile.
2. Edit a Default group or select Add New. Edit All_Default > DoS Sensor TCP dst session.
Once an Anomaly is selected, a threshold can be set if it should differ from the Default values shown. The threshold setting determines how many sessions/packets displaying the anomalous behavior are required to trigger the anomaly action.
An Action is also selected; for this example, it is set to Block. Lowering the threshold is useful when a server is well known to have limited connections. Decreasing the default threshold to 100 tells FortiOS that only 100 sessions will be allowed at one time.
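The following Python sketch is an added illustration, not FortiOS code or part of the original article. It models the threshold behavior described above for tcp_dst_session with a threshold of 100 and the Block action. It assumes the anomaly counts concurrent TCP sessions per destination IP; the class name, function names, and IP addresses are constructed for the example.

```python
from collections import defaultdict

THRESHOLD = 100  # value used in the article's tcp_dst_session example


class DstSessionSensor:
    """Simplified model (assumption): concurrent TCP sessions are counted
    per destination IP, and new sessions are blocked once the count has
    reached the threshold."""

    def __init__(self, threshold=THRESHOLD):
        self.threshold = threshold
        self.active = defaultdict(set)   # dst_ip -> {(src_ip, src_port), ...}
        self.blocked = defaultdict(int)  # dst_ip -> number of blocked attempts

    def open_session(self, src_ip, src_port, dst_ip):
        sessions = self.active[dst_ip]
        if len(sessions) >= self.threshold:
            self.blocked[dst_ip] += 1    # anomaly action: Block
            return "block"
        sessions.add((src_ip, src_port))
        return "allow"

    def close_session(self, src_ip, src_port, dst_ip):
        self.active[dst_ip].discard((src_ip, src_port))


def simulate():
    """Run constructed traffic (documentation-range addresses) through the model."""
    sensor = DstSessionSensor()
    server, other = "192.0.2.10", "192.0.2.20"
    # A burst of 120 session attempts toward the protected server.
    burst = [sensor.open_session(f"198.51.100.{i % 250 + 1}", 40000 + i, server)
             for i in range(120)]
    # A different destination has its own counter and is unaffected.
    other_result = sensor.open_session("198.51.100.1", 50000, other)
    # Five established sessions end, freeing five slots on the server.
    for i in range(5):
        sensor.close_session(f"198.51.100.{i % 250 + 1}", 40000 + i, server)
    retry = [sensor.open_session("203.0.113.7", 60000 + i, server)
             for i in range(10)]
    return {
        "burst_allowed": burst.count("allow"),
        "burst_blocked": burst.count("block"),
        "other_destination": other_result,
        "retry_allowed": retry.count("allow"),
        "active_on_server": len(sensor.active[server]),
        "blocked_total": sensor.blocked[server],
    }


if __name__ == "__main__":
    print(simulate())
```

The per-destination counter is why a low threshold suits a server with limited connection capacity: legitimate clients are also refused once the limit is reached, so the value should match what the server can actually handle.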
Another practical DoS Anomaly that can be used is ICMP Source or Destination (icmp_src_session and icmp_dst_session). This would protect assets from being overwhelmed with PING tests.