Description
This article describes how to configure the IPv4 DOS policy.
Scope
FortiGate.
Solution
To configure the IPv4 DOS policy:
Configure DoS policy from the GUI.
Go to Policy & Objects -> IPv4 DoS Policy and 'Create New'.
Configure the given fields with the value based on the requirement to match the traffic and control it.
From the CLI.
config system settings
set gui-dos-policy enable
end
set gui-dos-policy enable
end
config firewall DoS-policy
edit 1
set status enable
set comments ''
set interface ''
config anomaly
edit "tcp_syn_flood"
set status disable
set log disable
set action pass
set quarantine none
set threshold 2000
next
edit "tcp_port_scan"
set status disable
set log disable
set action pass
set quarantine none
set threshold 1000
next
edit "tcp_src_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "tcp_dst_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "udp_flood"
set status disable
set log disable
set action pass
set quarantine none
set threshold 2000
next
edit "udp_scan"
set status disable
set log disable
set action pass
set quarantine none
set threshold 2000
next
edit "udp_src_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "udp_dst_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "icmp_flood"
set status disable
set log disable
set action pass
set quarantine none
set threshold 250
next
edit "icmp_sweep"
set status disable
set log disable
set action pass
set quarantine none
set threshold 100
next
edit "icmp_src_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 300
next
edit "icmp_dst_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 1000
next
edit "ip_src_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "ip_dst_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "sctp_flood"
set status disable
set log disable
set action pass
set quarantine none
set threshold 2000
next
edit "sctp_scan"
set status disable
set log disable
set action pass
set quarantine none
set threshold 1000
next
edit "sctp_src_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "sctp_dst_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
end
edit 1
set status enable
set comments ''
set interface ''
config anomaly
edit "tcp_syn_flood"
set status disable
set log disable
set action pass
set quarantine none
set threshold 2000
next
edit "tcp_port_scan"
set status disable
set log disable
set action pass
set quarantine none
set threshold 1000
next
edit "tcp_src_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "tcp_dst_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "udp_flood"
set status disable
set log disable
set action pass
set quarantine none
set threshold 2000
next
edit "udp_scan"
set status disable
set log disable
set action pass
set quarantine none
set threshold 2000
next
edit "udp_src_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "udp_dst_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "icmp_flood"
set status disable
set log disable
set action pass
set quarantine none
set threshold 250
next
edit "icmp_sweep"
set status disable
set log disable
set action pass
set quarantine none
set threshold 100
next
edit "icmp_src_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 300
next
edit "icmp_dst_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 1000
next
edit "ip_src_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "ip_dst_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "sctp_flood"
set status disable
set log disable
set action pass
set quarantine none
set threshold 2000
next
edit "sctp_scan"
set status disable
set log disable
set action pass
set quarantine none
set threshold 1000
next
edit "sctp_src_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
edit "sctp_dst_session"
set status disable
set log disable
set action pass
set quarantine none
set threshold 5000
next
end
It is advisable to initiate the Denial of Service (DOS) sensor configuration by enabling monitor mode.
Increase the threshold if the log shows the following:
If there are still logs for the known good IP addresses, increase the threshold again. Configure it to block once there are no new logs for Denial of Service (DoS) attacks for the known good IP addresses.
Related articles:
Troubleshooting Tip: Steps to perform in case of DoS/DDoS attack on FortiGate
