Created on 04-01-2021 02:07 AM
Edited on 01-16-2025 06:45 AM
By Jean-Philippe_P
Description
This article describes how to configure the quarantine expiry time (how long an attacker stays blocked) for DoS protection thresholds that are based on the number of concurrent sessions.
Scope
FortiGate.
Solution
The DoS module runs in the kernel and relies on the ipsengine process to send quarantine requests through the system API.
The default threshold for the TCP concurrent-session anomalies (tcp_src_session, and tcp_dst_session used in the example below) is 5000. No quarantine timer is set by default: with action block, new sessions from the offending host are dropped only for as long as it exceeds 5000 concurrent sessions, and are accepted again as soon as the count falls back below the threshold.
To block the attacker for a defined period, enable quarantine on the anomaly and set quarantine-expiry, as in the commands below.
For example, to block the IP address for 1 minute once it exceeds 5000 concurrent sessions:
config firewall DoS-policy
    edit 1
        set interface "port15"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_dst_session"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 0d0h1m   <----- m=minutes, h=hours, d=days.
                set quarantine-log enable
                set threshold 5000
            next
        end
    next
end
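The difference between the default behaviour (sessions dropped only while the count is above the threshold) and a quarantine with an expiry timer, as a toy model added here for illustration; it is not FortiOS code and does not reproduce the kernel implementation. The model counts sessions per source, as tcp_src_session does (the example above uses tcp_dst_session, which counts per destination but, with quarantine attacker, likewise quarantines the offending source address); it lowers the threshold from 5000 to 5 so a run is short, and uses the constructed addresses 10.0.0.9 and 192.0.2.7. The names parse_expiry, SessionAnomaly and scenario are chosen for this example only.

```python
"""Added illustration, not FortiOS code: a toy model of a DoS-policy
concurrent-session anomaly with 'action block', with and without a
quarantine-expiry timer. Threshold lowered from 5000 to 5 and the
addresses 10.0.0.9 / 192.0.2.7 are constructed for the example."""
import re
from dataclasses import dataclass, field
from typing import Optional


def parse_expiry(spec: str) -> int:
    """Convert a quarantine-expiry value in the 0d0h1m form shown on the
    page into seconds (d=days, h=hours, m=minutes)."""
    m = re.fullmatch(r"(\d+)d(\d+)h(\d+)m", spec)
    if not m:
        raise ValueError(f"unrecognised quarantine-expiry value: {spec}")
    days, hours, minutes = (int(x) for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60


@dataclass
class SessionAnomaly:
    """Per-source concurrent-session counter (tcp_src_session style).
    quarantine_expiry=None models the default: no timer, sessions are
    dropped only while the source is over the threshold."""
    threshold: int = 5000
    quarantine_expiry: Optional[int] = None                # seconds
    sessions: dict = field(default_factory=dict)           # src -> open sessions
    quarantined_until: dict = field(default_factory=dict)  # src -> release time

    def allow(self, src: str, now: float) -> bool:
        """Admit or drop a new session from src at time 'now'."""
        until = self.quarantined_until.get(src)
        if until is not None:
            if now < until:
                return False                   # quarantined: dropped whatever the count
            del self.quarantined_until[src]    # timer elapsed, source released
        count = self.sessions.get(src, 0)
        if count >= self.threshold:            # this session would exceed the threshold
            if self.quarantine_expiry is not None:
                # 'set quarantine attacker': block the source for the expiry period
                self.quarantined_until[src] = now + self.quarantine_expiry
            return False
        self.sessions[src] = count + 1
        return True

    def close(self, src: str, n: int = 1) -> None:
        """A session from src ended (FIN/RST or session timeout)."""
        self.sessions[src] = max(0, self.sessions.get(src, 0) - n)


def scenario(expiry_seconds: Optional[int], threshold: int = 5) -> tuple:
    """Drive one attacker through the model and report three decisions:
    (over_threshold, after_one_close, after_expiry)."""
    a = SessionAnomaly(threshold=threshold, quarantine_expiry=expiry_seconds)
    attacker, bystander = "10.0.0.9", "192.0.2.7"
    for _ in range(threshold):
        a.allow(attacker, 0.0)                  # fill up to the threshold
    over = a.allow(attacker, 1.0)               # one more: dropped in both modes
    a.close(attacker)
    after_close = a.allow(attacker, 2.0)        # this is where the two modes differ
    a.close(attacker)
    after_expiry = a.allow(attacker, 2.0 + (expiry_seconds or 0) + 1)
    assert a.allow(bystander, 3.0)              # other sources are never affected
    return over, after_close, after_expiry


if __name__ == "__main__":
    print("no timer      :", scenario(None))                    # (False, True, True)
    print("expiry 0d0h1m :", scenario(parse_expiry("0d0h1m")))  # (False, False, True)
```

Without a timer the attacker is admitted again the moment one of its sessions closes; with quarantine-expiry 0d0h1m every new session from that source is dropped for the full 60 seconds, regardless of how many of its sessions remain open.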
Note that if the anomalous traffic is destined to the FortiGate itself, it is local-in traffic from the firewall's point of view. FortiOS applies this quarantine only to forwarded traffic, not to local-in traffic. For traffic targeting the FortiGate, the anomaly therefore only takes effect through the IPS meter: once the threshold is met, excess packets are dropped on a packets-per-second basis, but the source is not quarantined as an endpoint.
It is therefore expected behavior that the FortiGate keeps responding to such traffic until the threshold value is reached, even though the IP address is listed in the quarantine list.
To verify the quarantined IP addresses from the CLI, use one of the following commands, depending on the FortiOS version:
diagnose ips anomaly list
diagnose user quarantine list
Because the DoS module depends on the ipsengine process, restarting the IPS engine also affects the DoS module.
Restart the IPS engines:
diagnose test application ipsmonitor 99
Copyright 2025 Fortinet, Inc. All Rights Reserved.