Help
FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
akileshc
Staff
Staff

Created on ‎07-04-2023 01:02 AM Edited on ‎09-09-2025 01:15 AM By Moderator

Article Id 262574

Technical Tip: Configure Denial of Service (DoS) protection with specific source country or geolocation

Description

This article describes that configuring Denial of Service (DoS) protection with a specific source country or geolocation allows blocking or restricting traffic originating from specific countries or geographical regions.

 

This can help mitigate DoS attacks by preventing malicious traffic from entering the network infrastructure, reducing the impact of attacks, improving overall network performance, enhancing security posture, and providing additional control over network traffic based on geographic criteria.
Scope FortiGate.
Solution

To create an address object, follow these steps:

  1. Navigate to Policy & Objects and select Addresses.
  2. Select the 'Create New' button or the '+' icon to create a new address object.
  3. Provide a name for the address object to identify it.
  4. Select the appropriate Type for the address object; In this case, it will be GEO (Geolocation).
  5. Specify the country or geographical region for the address object.
  6. Select the 'OK' or 'Save' button to create the address object.

 

Address_Geo.PNG

 

By creating an address object, it is possible to define a specific geolocation to be used in DoS policies for filtering and controlling traffic based on geographic criteria.

 

To configure a DoS policy in FortiGate, follow these steps:

  1. Log in to the FortiGate web-based management interface.
  2. Go to Policy & Objects and select IPv4 DoS Policy.
  3. Select the 'Create New' button or the '+' icon to create a new DoS policy.
  4. Provide a name for the policy to identify it.
  5. Select the address object configured with the geographical region as the Source Address (example: UAE_Traffic).
  6. Configure the DoS protection settings based on the requirements. Some common settings include:
  • Define the threshold values for various DoS attack types, such as SYN Flood, UDP Flood, ICMP Flood, etc.
  • Configure the action to be taken when an attack is detected, such as blocking the traffic or generating an alert.
  • Optionally, it is possible to specify additional settings, such as enabling the logging options for individual or all objects.

     7. Once the DoS policy settings are configured, select the 'OK' or 'Save' button to create the policy.

 

DDoS_Policy.PNG

 

To configure the DoS via the CLI, use the following example : 

 

config firewall DoS-policy

    edit 1

        set name "DoS_For_UAE_Traffic"

        set interface "port1"

        set srcaddr "UAE_Traffic"

        set dstaddr "all"

        set service "ALL"

            config anomaly

                edit "tcp_syn_flood"

                    set threshold 2000

                next

                edit "tcp_port_scan"

                    set threshold 1000

                next

                edit "tcp_src_session"

                    set threshold 5000

                next

                edit "tcp_dst_session"

                    set threshold 5000

                next

                edit "udp_flood"

                    set threshold 2000

                next

                edit "udp_scan"

                    set threshold 2000

                next

                edit "udp_src_session"

                    set threshold 5000

                next

                edit "udp_dst_session"

                    set threshold 5000

                next

                edit "icmp_flood"

                    set threshold 250

                next

                edit "icmp_sweep"

                    set threshold 100

                next

                edit "icmp_src_session"

                    set threshold 300

                next

                edit "icmp_dst_session"

                    set threshold 1000

                next

                edit "ip_src_session"

                    set threshold 5000

                next

                edit "ip_dst_session"

                    set threshold 5000

                next

                edit "sctp_flood"

                    set threshold 2000

                next

                edit "sctp_scan"

                    set threshold 1000

                next

                edit "sctp_src_session"

                    set threshold 5000

                next

                edit "sctp_dst_session"

                    set threshold 5000

                next

            end

    next

end

 

By configuring a DoS policy in FortiGate, it is possible to enhance network security by protecting against various types of DoS attacks and taking appropriate actions to mitigate the impact of such attacks.

 

Note:

  • It is up to the FortiGate Administrator to monitor the traffic and determine the correct threshold to apply for each environment.
  • As of v7.6.1, it is possible to specify an SD-WAN zone as an interface in the DoS policy.

 

Related article:

Technical Tip: How to enable DoS logs in FortiGate
58659
0 Kudos
Suggest New Article
Article Feedback
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2025 Fortinet, Inc. All Rights Reserved.