Created on 01-15-2025 03:37 AM Edited on 01-16-2025 12:00 AM By Jean-Philippe_P
Description: This article describes configuring a FortiGate DoS policy to block DoS attacks against specific servers from clients on trusted networks.
Scope: FortiGate.
Solution:
The servers are deployed in the DMZ, and a FortiGate firewall policy restricts access to them so that only trusted networks can reach them.
For example:
However, a firewall policy alone does not limit the number of sessions a single client can establish with the server.
With the DoS policy configured as shown, every incoming TCP connection to the server is checked against the number of sessions already open from the same source IP, and if that count exceeds the configured threshold, FortiGate drops the new connection.
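The equivalent DoS policy in the FortiOS CLI, given here as an added example rather than the configuration from the original article: the interface (port3), service (HTTPS), anomaly (tcp_src_session), threshold (5) and policy ID (1) match the debug and log output shown below, while the address object name "DMZ-server" is an assumption and must be replaced with the object that represents 172.16.0.2 in the actual configuration.

```text
config firewall DoS-policy
    edit 1
        set interface "port3"
        set srcaddr "all"
        set dstaddr "DMZ-server"
        set service "HTTPS"
        config anomaly
            edit "tcp_src_session"
                set status enable
                set log enable
                set action block
                set threshold 5
            next
        end
    next
end
```

The threshold is evaluated per source IP: once a client has 5 concurrent TCP sessions to the server, the 6th is cleared, which is why the log further down reports action="clear_session" and "6 > threshold 5". Setting "log enable" is what produces the anomaly log entry shown at the end of the article.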
id=65308 trace_id=72 func=print_pkt_detail line=5895 msg="vd-root:0 received a packet(proto=6, 10.0.0.2:49997->172.16.0.2:443) tun_id=0.0.0.0 from port3. flag [S], seq 1736347348, ack 0, win 2920"
id=65308 trace_id=72 func=init_ip_session_common line=6076 msg="allocate a new session-00001248, tun_id=0.0.0.0"
id=65308 trace_id=72 func=vf_ip_route_input_common line=2605 msg="find a route: flag=04000000 gw-172.16.0.2 via port2"
id=65308 trace_id=72 func=fw_forward_handler line=903 msg="Allowed by Policy-1:"

FortiGate-VM64-KVM # get sys session list | grep -n 172.16.0.2
6:tcp 157 10.0.0.2:49997 - 172.16.0.2:443 -
If the same client is compromised and floods the server with TCP connections, or otherwise tries to exhaust the server's sessions, the FortiGate DoS policy blocks the excess connections.
Here, five TCP sessions from the same source IP to the server are already active:

FortiGate-VM64-KVM # get sys session list | grep -n 172.16.0.2
5:tcp 162 10.0.0.2:40966 - 172.16.0.2:443 -    <<1
6:tcp 170 10.0.0.2:1145 - 172.16.0.2:443 -     <<2
9:tcp 176 10.0.0.2:59487 - 172.16.0.2:443 -    <<3
11:tcp 173 10.0.0.2:23752 - 172.16.0.2:443 -   <<4
12:tcp 171 10.0.0.2:9626 - 172.16.0.2:443 -    <<5

As per the DoS policy anomaly threshold of 5, the 6th TCP connection from this source is blocked.
FortiGate will also generate an anomaly log if logging is enabled:
date=2025-01-08 time=06:37:51 eventtime=1736347071755156144 tz="-0800" logid="0720018432" type="utm" subtype="anomaly" eventtype="anomaly" level="alert" vd="root" severity="critical" srcip=10.0.0.2 srccountry="Reserved" dstip=172.16.0.2 dstcountry="Reserved" srcintf="port3" srcintfrole="undefined" sessionid=0 action="clear_session" proto=6 service="HTTPS" count=1 attack="tcp_src_session" srcport=19768 dstport=443 attackid=100663402 policyid=1 policytype="DoS-policy" ref="http://www.fortinet.com/ids/VID100663402" msg="anomaly: tcp_src_session, 6 > threshold 5" crscore=50 craction=4096 crlevel="critical"