FortiGate
nithincs
Article Id 370285
Description This article describes how to configure a FortiGate DoS policy to block DoS attacks against specific servers when the attack originates from a trusted network.
Scope FortiGate.
Solution

Servers are deployed in the DMZ, access to them is restricted, and only trusted networks are granted limited access through the FortiGate firewall policy.


Since the servers are neither visible nor reachable from the internet, a DoS attack against them from a public network is blocked by the firewall policy alone.
However, this does little to protect the servers from DoS attacks launched by internal devices or BYOD hosts connected to the trusted network.


To protect the servers from DoS attacks originating in the trusted network, create a DoS policy that matches the network and security requirements.

For example:
In the topology below, the server 172.16.0.2, which hosts the internal web application, is connected to FortiGate on port2.
The LAN network is connected to port3 and the internet to port1.

 

[Image: imgae_dos1.png - topology with the server on port2, LAN on port3 and internet on port1]


The FortiGate IPv4 firewall policy inspects each incoming connection; if it matches the policy conditions, a session is created and the traffic is allowed to reach the server.

[Image: imgae_dos2.png - IPv4 firewall policy allowing LAN access to the server]

 

However, the firewall policy does not limit the number of sessions a single client can establish with the server.
To limit the number of sessions a client can hold with the server, a DoS policy is required.


In this example, a client needs only a single active HTTPS session with the server to use the hosted application, so it is decided that any client in the LAN network connected via port3 may hold at most 5 concurrent sessions with the server.


A DoS policy is created for this purpose with the 'tcp_src_session' anomaly threshold set to 5.

 

[Image: imgae_dos3.png - DoS policy matching port3 to the server]

[Image: imgae_dos4.png - tcp_src_session anomaly enabled with threshold 5 and action block]

 

With this DoS policy in place, every new incoming TCP connection to the server is checked against the source's existing session count, and if the count would exceed the threshold, FortiGate drops the connection.
From the client 10.0.0.2, the application server is accessed and the connection is established:

 

id=65308 trace_id=72 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.0.0.2:49997->172.16.0.2:443) tun_id=0.0.0.0 from port3. flag [S], seq 1736347348, ack 0, win 2920"

id=65308 trace_id=72 func=init_ip_session_common line=6076 msg="allocate a new session-00001248, tun_id=0.0.0.0"

id=65308 trace_id=72 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-172.16.0.2 via port2"

id=65308 trace_id=72 func=fw_forward_handler line=903 msg="Allowed by Policy-1:"

 

FortiGate-VM64-KVM # get sys session list | grep -n 172.16.0.2

6:tcp     157    10.0.0.2:49997   -                172.16.0.2:443   -  

 

If the same client is compromised and tries to flood the server with TCP connections or to exhaust the server's sessions, the FortiGate DoS policy blocks the excess connections.


Five TCP sessions from the same source IP to the server are now active:

 

FortiGate-VM64-KVM # get sys session list | grep -n 172.16.0.2

5:tcp     162    10.0.0.2:40966   -                172.16.0.2:443   -        <<1      

6:tcp     170    10.0.0.2:1145    -                172.16.0.2:443   -        <<2   

9:tcp     176    10.0.0.2:59487   -                172.16.0.2:443   -        <<3      

11:tcp     173    10.0.0.2:23752   -                172.16.0.2:443   -       <<4      

12:tcp     171    10.0.0.2:9626    -                172.16.0.2:443   -       <<5

 

As per the DoS policy anomaly threshold, the sixth TCP connection from this source is blocked.

[Image: imgae_dos5.png - sixth connection from 10.0.0.2 dropped by the DoS policy]
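To make the per-source counting behind the tcp_src_session anomaly concrete, here is an added Python model (this is illustrative code, not FortiOS code or anything from the article). It assumes a hypothetical TcpSrcSessionModel class that counts concurrent sessions per source IP and drops a new connection once the total would exceed the threshold; the ports replayed are the five source ports from the session list above plus the sixth port from the anomaly log further down.

```python
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed values mirroring the article: five sessions allowed per source, the sixth dropped.
THRESHOLD = 5
CLIENT = "10.0.0.2"
# Source ports taken from the session list in the article, plus the sixth port from the anomaly log.
ARTICLE_PORTS = [40966, 1145, 59487, 23752, 9626, 19768]


@dataclass
class TcpSrcSessionModel:
    """Hypothetical, simplified model of the tcp_src_session anomaly (not FortiOS code):
    each new TCP connection from a source IP is checked against the number of sessions
    that source already holds; when the new total would exceed the threshold, the
    connection is dropped and an anomaly event is recorded."""
    threshold: int = THRESHOLD
    active: dict = field(default_factory=lambda: defaultdict(set))
    events: list = field(default_factory=list)

    def new_connection(self, src_ip: str, src_port: int) -> str:
        """Handle a TCP SYN from src_ip:src_port; return 'allow' or 'block'."""
        sessions = self.active[src_ip]
        observed = len(sessions) + 1  # count including the connection being evaluated
        if observed > self.threshold:
            # Same wording as the msg field of the article's anomaly log
            self.events.append(
                f"anomaly: tcp_src_session, {observed} > threshold {self.threshold}")
            return "block"
        sessions.add(src_port)
        return "allow"

    def close_connection(self, src_ip: str, src_port: int) -> None:
        """Session ended (FIN/RST or timeout): free that source's slot."""
        self.active[src_ip].discard(src_port)

    def active_count(self, src_ip: str) -> int:
        return len(self.active[src_ip])


def replay_article_scenario() -> list:
    """Replay the article's flood: six connections from 10.0.0.2 to the server."""
    model = TcpSrcSessionModel()
    return [model.new_connection(CLIENT, port) for port in ARTICLE_PORTS]


def replay_with_recovery() -> tuple:
    """Show that the limit is per source IP and that closing a session frees a slot."""
    model = TcpSrcSessionModel()
    for port in ARTICLE_PORTS[:5]:
        model.new_connection(CLIENT, port)
    blocked = model.new_connection(CLIENT, ARTICLE_PORTS[5])      # sixth: dropped
    other_client = model.new_connection("10.0.0.3", 50000)        # other source: unaffected
    model.close_connection(CLIENT, ARTICLE_PORTS[0])              # one session ends
    after_close = model.new_connection(CLIENT, ARTICLE_PORTS[5])  # retry now fits
    return blocked, other_client, after_close, model.events


if __name__ == "__main__":
    print(replay_article_scenario())   # five 'allow', then 'block'
    print(replay_with_recovery())
```

The model highlights two properties worth remembering when choosing the threshold: the count is per source IP, so one flooding host does not consume another client's budget, and the limit is on concurrent sessions, so slots are returned as sessions close or time out rather than being a fixed quota.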

 

FortiGate also generates an anomaly log for the dropped connection if logging is enabled:

 

date=2025-01-08 time=06:37:51 eventtime=1736347071755156144 tz="-0800" logid="0720018432" type="utm" subtype="anomaly" eventtype="anomaly" level="alert" vd="root" severity="critical" srcip=10.0.0.2 srccountry="Reserved" dstip=172.16.0.2 dstcountry="Reserved" srcintf="port3" srcintfrole="undefined" sessionid=0 action="clear_session" proto=6 service="HTTPS" count=1 attack="tcp_src_session" srcport=19768 dstport=443 attackid=100663402 policyid=1 policytype="DoS-policy" ref="http://www.fortinet.com/ids/VID100663402" msg="anomaly: tcp_src_session, 6 > threshold 5" crscore=50 craction=4096 crlevel="critical"
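For anyone forwarding these logs to a SIEM, the following added Python example (not part of the article and not Fortinet code) parses the anomaly log line above into fields, pulls the observed count and threshold out of the msg field, and counts DoS-anomaly hits per source IP. The second log line, NON_ANOMALY_LOG, is constructed here only to show that ordinary traffic logs are ignored.

```python
import re
from typing import Dict, Iterable, Optional

# The anomaly log line from the article (a single line; wrapped here only for readability)
SAMPLE_LOG = (
    'date=2025-01-08 time=06:37:51 eventtime=1736347071755156144 tz="-0800" '
    'logid="0720018432" type="utm" subtype="anomaly" eventtype="anomaly" level="alert" '
    'vd="root" severity="critical" srcip=10.0.0.2 srccountry="Reserved" dstip=172.16.0.2 '
    'dstcountry="Reserved" srcintf="port3" srcintfrole="undefined" sessionid=0 '
    'action="clear_session" proto=6 service="HTTPS" count=1 attack="tcp_src_session" '
    'srcport=19768 dstport=443 attackid=100663402 policyid=1 policytype="DoS-policy" '
    'ref="http://www.fortinet.com/ids/VID100663402" '
    'msg="anomaly: tcp_src_session, 6 > threshold 5" crscore=50 craction=4096 crlevel="critical"'
)

# Constructed traffic log (not from the article) used to show non-anomaly lines are skipped
NON_ANOMALY_LOG = (
    'date=2025-01-08 time=06:37:51 logid="0000000013" type="traffic" subtype="forward" '
    'level="notice" vd="root" srcip=10.0.0.2 dstip=172.16.0.2 dstport=443 action="accept"'
)

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# msg="anomaly: tcp_src_session, 6 > threshold 5"
_MSG_RE = re.compile(
    r'anomaly:\s*(?P<anomaly>\w+),\s*(?P<observed>\d+)\s*>\s*threshold\s*(?P<threshold>\d+)')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiGate key=value log line into a dict, stripping quotes from values."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def dos_anomaly_summary(line: str) -> Optional[dict]:
    """Return a compact alert for DoS-policy anomaly logs, or None for any other log line."""
    f = parse_fortigate_log(line)
    if not (f.get("type") == "utm" and f.get("subtype") == "anomaly"
            and f.get("policytype") == "DoS-policy"):
        return None
    m = _MSG_RE.search(f.get("msg", ""))
    return {
        "anomaly": f.get("attack"),
        "srcip": f.get("srcip"),
        "dstip": f.get("dstip"),
        "dstport": int(f["dstport"]) if "dstport" in f else None,
        "policyid": int(f["policyid"]) if "policyid" in f else None,
        "action": f.get("action"),
        "observed": int(m.group("observed")) if m else None,
        "threshold": int(m.group("threshold")) if m else None,
        "severity": f.get("severity"),
    }


def anomaly_hits_by_source(lines: Iterable[str], min_hits: int = 1) -> Dict[str, int]:
    """Count DoS-anomaly events per source IP over a batch of log lines (SIEM-style triage)."""
    hits: Dict[str, int] = {}
    for line in lines:
        s = dos_anomaly_summary(line)
        if s and s["srcip"]:
            hits[s["srcip"]] = hits.get(s["srcip"], 0) + 1
    return {ip: n for ip, n in hits.items() if n >= min_hits}


if __name__ == "__main__":
    print(dos_anomaly_summary(SAMPLE_LOG))
    print(anomaly_hits_by_source([SAMPLE_LOG, NON_ANOMALY_LOG]))
```

The summary keeps the fields an analyst needs to decide whether the source is a misbehaving application or a compromised host: the source IP, the policy that fired, the action taken (clear_session), and how far above the threshold the count was. Repeated hits from one source over a short window are the signal that the host, not the threshold, needs attention.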