FortiGate
jmoya, Staff
Article Id 194729

Description

This article provides guidelines on how to tune DDoS policies so that they neither produce false positives nor block more traffic than intended.

Scope

FortiGate.


Solution

The first thing to understand when applying DDoS policies is that they do not rely on the stateful properties of the firewall, so traffic like the following is handled regardless of whether it is inbound to or outbound from the FortiGate.

di sniff pack Vlan_11 'port 80 and tcp[tcpflags] == tcp-syn' 1 25
interfaces=[Vlan_11]
filters=[port 80 and tcp[tcpflags] == tcp-syn]
0.876904 10.95.13.204.24088 -> 10.95.136.204.80: syn 3585436935
0.894848 10.95.4.223.7273 -> 10.95.128.117.80: syn 2436279189
0.947586 10.95.10.90.5871 -> 10.95.132.100.80: syn 1124757321
0.972220 10.95.5.29.26781 -> 10.95.128.217.80: syn 2500978264


With this in mind, use the DDoS policy with the following recommendations:

To protect servers from DoS attacks from the Internet:

  • Configure only the servers as the destination for the traffic. Use 'Address' objects, not VIPs.
  • Set the services provided by the server, e.g. HTTP, HTTPS, SMTP.
  • Configure only the anomalies that match the services of the server(s). For example, if the server provides SMTP access only, use any combination of the following anomalies:
    • tcp_syn_flood
    • tcp_src_session
    • ip_src_session
  • Set the thresholds according to 'normal' usage, that is, the number 'x' of sessions a single client source normally opens against the server. For example:

config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "200.201.202.1"
        set service "SMTP"
        config anomaly
            edit "tcp_src_session"
                set status enable
                set action block
                set quarantine attacker
                set quarantine-expiry 10
                set quarantine-log enable
                set threshold 100
            next
        end
    next
end

Keep in mind that every service has its own characteristics of what is considered 'normal'.

If tcp_dst_session or ip_dst_session are used, they may limit the number of concurrent sessions the server will handle, which is exactly the effect a denial of service is meant to cause.
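To find the 'normal' figures the thresholds should be based on, the sniffer output shown earlier can be baselined before the policy is enabled. The following Python script is an added example, not code from the original article: it parses sniffer lines in that format, counts SYNs per source (input for a tcp_src_session threshold) and the peak SYNs per second toward each destination port (input for tcp_syn_flood), then applies an assumed headroom rule to suggest a threshold. The sample capture and the headroom/floor values are constructed for this example.

```python
import re
from collections import Counter, defaultdict

# One line of 'diagnose sniffer packet' output at verbosity 1, e.g.
# "0.876904 10.95.13.204.24088 -> 10.95.136.204.80: syn 3585436935"
SYN_LINE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<src>(?:\d{1,3}\.){3}\d{1,3})\.(?P<sport>\d+)"
    r"\s+->\s+(?P<dst>(?:\d{1,3}\.){3}\d{1,3})\.(?P<dport>\d+):\s+syn\b"
)

# Constructed sample capture in the same format as the sniffer output above.
SAMPLE_CAPTURE = """interfaces=[Vlan_11]
filters=[port 80 and tcp[tcpflags] == tcp-syn]
0.876904 10.95.13.204.24088 -> 10.95.136.204.80: syn 3585436935
0.894848 10.95.4.223.7273 -> 10.95.128.117.80: syn 2436279189
0.947586 10.95.13.204.24089 -> 10.95.136.204.80: syn 1124757321
1.102220 10.95.5.29.26781 -> 10.95.136.204.80: syn 2500978264
1.250000 10.95.13.204.24090 -> 10.95.136.204.80: syn 2500978265
1.300000 10.95.13.204.24091 -> 10.95.136.204.80: syn 2500978266
""".splitlines()

def parse_syns(lines):
    """Yield (timestamp, src_ip, dst_ip, dst_port) per SYN line; header lines are skipped."""
    for line in lines:
        m = SYN_LINE.match(line.strip())
        if m:
            yield float(m["ts"]), m["src"], m["dst"], int(m["dport"])

def syn_stats(lines):
    """Return (SYNs per source, peak SYNs per 1-second window per destination ip/port)."""
    per_src = Counter()
    per_dst_windows = defaultdict(Counter)
    for ts, src, dst, dport in parse_syns(lines):
        per_src[src] += 1
        per_dst_windows[(dst, dport)][int(ts)] += 1  # bucket by whole second
    peak_per_dst = {key: max(w.values()) for key, w in per_dst_windows.items()}
    return per_src, peak_per_dst

def suggest_threshold(observed_max, headroom=2.0, floor=10):
    """Assumed tuning rule: observed peak times a headroom factor, never below a floor."""
    return max(floor, int(observed_max * headroom))

if __name__ == "__main__":
    per_src, peak_per_dst = syn_stats(SAMPLE_CAPTURE)
    src, n = per_src.most_common(1)[0]
    print(f"busiest source {src}: {n} SYNs -> tcp_src_session threshold >= {suggest_threshold(n)}")
    for (dst, port), peak in peak_per_dst.items():
        print(f"{dst}:{port}: peak {peak} SYN/s -> tcp_syn_flood threshold >= {suggest_threshold(peak)}")
```

Run it against a capture taken during a busy but legitimate period; a threshold derived from a quiet hour will trip on the first normal peak.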

If the intention is to protect the FortiGate from the effects of a worm in the local network, use the following recommendations:

  • Set the local networks as sources (do not use 'all').
  • Use 'all' as the destination and 'any' as the service.
  • Configure the anomalies that workstations should not be generating:
    • tcp_syn_flood
    • tcp_dst_session
    • ip_dst_session
    • tcp_port_scan
  • For udp and some tcp_src anomalies, keep in mind that some of that traffic could be generated by torrent or Skype software.
 
Related article: