FortiGate
mattchow_FTNT
Article Id 192590

Description


This article describes how to configure the quarantine expiry (elapse/reset) time for DoS protection thresholds that are based on the number of concurrent sessions.

For example:


Scope


FortiGate.


Solution

The DoS module in the kernel relies on the ipsengine process to send quarantine requests via the system API.


The default threshold for the TCP source concurrent session anomaly is 5000. No quarantine timer is set by default, so sessions are blocked only for as long as the count exceeds 5000 concurrent sessions.
To block the attacker for a specified period instead, configure the quarantine as in the commands below.

For example, to block the IP address for 1 minute once it exceeds 5000 concurrent sessions:

config firewall DoS-policy
    edit 1
        set interface "port15"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
            config anomaly
                edit "tcp_dst_session"
                    set status enable
                    set log enable
                    set action block
                    set quarantine attacker
                    set quarantine-expiry 0d0h1m    <----- m=minutes, h=hours, d=days.
                    set quarantine-log enable
                    set threshold 5000
                next
            end
    next
end
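The block above has to be regenerated for every interface, anomaly and expiry value, and the quarantine-expiry field uses a fixed `<days>d<hours>h<minutes>m` format that is easy to get wrong when scripting. The following is an added example (not Fortinet's code or part of the original article) that converts between minutes and that format and renders the DoS-policy block shown above; it assumes only the CLI syntax visible in the article.

```python
"""Added helper: render the FortiOS DoS-policy anomaly block from the article.

Assumes the quarantine-expiry format <days>d<hours>h<minutes>m as shown above.
"""
import re

_EXPIRY_RE = re.compile(r"^(\d+)d(\d+)h(\d+)m$")


def expiry_to_minutes(expiry: str) -> int:
    """Parse a quarantine-expiry value such as '0d0h1m' into total minutes."""
    m = _EXPIRY_RE.match(expiry)
    if not m:
        raise ValueError(f"bad quarantine-expiry format: {expiry!r}")
    days, hours, minutes = (int(x) for x in m.groups())
    return days * 1440 + hours * 60 + minutes


def minutes_to_expiry(total_minutes: int) -> str:
    """Render total minutes as <d>d<h>h<m>m; 0 minutes means no quarantine timer."""
    if total_minutes < 0:
        raise ValueError("expiry cannot be negative")
    days, rem = divmod(total_minutes, 1440)
    hours, minutes = divmod(rem, 60)
    return f"{days}d{hours}h{minutes}m"


def render_dos_policy(policy_id: int, interface: str, anomaly: str,
                      threshold: int, expiry_minutes: int) -> str:
    """Build the CLI block from the article with attacker quarantine enabled."""
    expiry = minutes_to_expiry(expiry_minutes)
    lines = [
        "config firewall DoS-policy",
        f"    edit {policy_id}",
        f'        set interface "{interface}"',
        '        set srcaddr "all"',
        '        set dstaddr "all"',
        '        set service "ALL"',
        "            config anomaly",
        f'                edit "{anomaly}"',
        "                    set status enable",
        "                    set log enable",
        "                    set action block",
        "                    set quarantine attacker",
        f"                    set quarantine-expiry {expiry}",
        "                    set quarantine-log enable",
        f"                    set threshold {threshold}",
        "                next", "            end", "    next", "end",
    ]
    return "\n".join(lines)
```

`render_dos_policy(1, "port15", "tcp_dst_session", 5000, 1)` reproduces the block above; the output is pasted into the CLI or pushed through whatever configuration tooling is already in use.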


Note that if the anomaly targets the FortiGate itself, the traffic is treated as local-in traffic by the firewall. FortiOS only performs this quarantine for forwarded traffic, not for local-in traffic. Hence, an anomaly directed at the FortiGate itself only takes effect through the IPS meter (once the threshold is met, packets are dropped based on PPS); the attacker is not quarantined (endpoint check).

Hence, it is expected behavior that the FortiGate keeps responding to this traffic until the threshold value is reached, even though the IP address appears in the quarantine list.


To verify the quarantined IP addresses on the CLI, use one of the following commands (depending on the FortiOS version):


diagnose ips anomaly list

diagnose user quarantine list


Restarting the IPS engine also affects the DoS module, since the DoS module depends on ipsengine for quarantine requests.

To restart the IPS engines:


diagnose test application ipsmonitor 99