FortiGate
jmoya
Staff
Article Id 194729
Description
This article provides guidelines on how to tune DDoS policies so that they neither produce false positives nor block more traffic than intended.

Solution
The first thing to understand when applying DDoS policies is that they do not rely on the stateful properties of the firewall, so traffic like the following is handled regardless of whether it is incoming to or outgoing from the FortiGate.

# di sniff pack Vlan_11 'port 80 and tcp[tcpflags] == tcp-syn' 1 25
interfaces=[Vlan_11]
filters=[port 80 and tcp[tcpflags] == tcp-syn]
0.876904 10.95.13.204.24088 -> 10.95.136.204.80: syn 3585436935
0.894848 10.95.4.223.7273 -> 10.95.128.117.80: syn 2436279189
0.947586 10.95.10.90.5871 -> 10.95.132.100.80: syn 1124757321
0.972220 10.95.5.29.26781 -> 10.95.128.217.80: syn 2500978264

With this in mind, apply DDoS policies according to the following recommendations:

If you want to protect your own servers from DoS attacks from the Internet:

- Be sure to configure only your own servers as destination of the traffic. You have to use 'Address' objects, not VIPs.
- Set the services your server actually provides, such as HTTP, HTTPS, SMTP, etc.
- Configure only the anomalies which will match the services of your server(s). For example, if your server provides SMTP access only, use the following anomalies:

          + tcp_syn_flood, or
          + tcp_src_session, or
          + ip_src_session

Then configure their thresholds for 'normal' usage, that is, the number of sessions 'x' that a single source client is expected to open. For example:

config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "200.201.202.1"
        set service "SMTP"
            config anomaly
                edit "tcp_src_session"
                    set status enable
                    set action block
                    set quarantine attacker
                    set quarantine-expiry 10
                    set quarantine-log enable
                    set threshold 100
                next
            end
    next
end

Keep in mind that every service has its own characteristics of what is considered 'normal'.

If you used tcp_dst_session or ip_dst_session in this case, you would be limiting the total number of concurrent sessions your server can handle, which is exactly what a Denial of Service attack aims to achieve.
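To size a 'normal' threshold from observed traffic rather than guessing, the following added Python script (not part of this article or of FortiOS) parses SYN lines in the 'diagnose sniffer packet' format shown above, computes the peak number of new sessions per source (tcp_src_session style) or per destination (tcp_syn_flood style) inside a sliding time window, and lists which hosts a candidate threshold would catch, so legitimate clients can be spotted before 'action block' and quarantine are enabled. The capture is constructed for the example, and in a short SYN-only capture the SYN count is only an approximation of concurrent sessions.

```python
import re
from collections import defaultdict

# One TCP SYN line of 'diagnose sniffer packet' output, as in the article above.
SNIFF_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>\d{1,3}(?:\.\d{1,3}){3})\.\d+\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3})\.\d+:\s+syn\s+\d+$")
# Constructed sample: the article's four SYNs plus one client (10.95.10.90)
# opening several sessions in a short burst; the header line is skipped.
SAMPLE_CAPTURE = """\
interfaces=[Vlan_11]
0.876904 10.95.13.204.24088 -> 10.95.136.204.80: syn 3585436935
0.894848 10.95.4.223.7273 -> 10.95.128.117.80: syn 2436279189
0.947586 10.95.10.90.5871 -> 10.95.132.100.80: syn 1124757321
0.972220 10.95.5.29.26781 -> 10.95.128.217.80: syn 2500978264
1.010000 10.95.10.90.5872 -> 10.95.132.100.80: syn 1124757400
1.020000 10.95.10.90.5873 -> 10.95.132.100.80: syn 1124757500
1.030000 10.95.10.90.5874 -> 10.95.132.100.80: syn 1124757600
2.500000 10.95.10.90.5875 -> 10.95.132.100.80: syn 1124757700
"""

def parse_syns(capture):
    """Return one dict (ts, src, dst) per SYN line; other lines are skipped."""
    syns = []
    for line in capture.splitlines():
        m = SNIFF_LINE.match(line.strip())
        if m:
            syns.append({"ts": float(m["ts"]), "src": m["src"], "dst": m["dst"]})
    return syns

def peak_in_window(syns, key="src", window=1.0):
    """Peak new sessions per host inside any sliding window of 'window' seconds.
    key="src" mirrors tcp_src_session, key="dst" mirrors tcp_syn_flood."""
    times = defaultdict(list)
    for rec in syns:
        times[rec[key]].append(rec["ts"])
    peaks = {}
    for host, ts in times.items():
        ts.sort()
        best = start = 0
        for end, t in enumerate(ts):
            while t - ts[start] >= window:  # evict SYNs older than the window
                start += 1
            best = max(best, end - start + 1)
        peaks[host] = best
    return peaks

def exceeding(peaks, threshold):
    """Hosts a candidate threshold would catch; review them before using 'block'."""
    return sorted(h for h, n in peaks.items() if n > threshold)
```

Run it against a longer capture taken during normal business hours, then set the anomaly threshold above the highest peak a legitimate client reaches.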

If you want to protect your FortiGate from the effects of a worm in your local network, you could use the following recommendations:

- Set your local networks as sources (do not use 'all').
- You can use 'all' as destination and 'any' as service.
- Configure the anomalies that your workstations should never generate:

          + tcp_syn_flood
          + tcp_dst_session
          + ip_dst_session
          + tcp_port_scan

For the udp anomalies and some of the tcp_src anomalies, keep in mind that part of that traffic could legitimately be generated by torrent or Skype software.
