AndreasK
New Member
August 16, 2011
Question

Activating DoS Protection - Performance Issues

  • 4 replies
  • 4697 views
Hello, We are using a FortiGate 620B in our company (v.4 MR2) only as a firewall (UTM features are not enabled). We would like to enable DoS protection for 5 public systems. Is this possible without enabling the UTM features? If we have to enable the UTM features (e.g. the IPS), will this affect the overall performance of the device? Currently the CPU usage is below 5% and memory usage is below 15%. Kind regards,


    ede_pfau
    SuperUser
    August 16, 2011
    Hi, DoS protection IS a UTM feature and part of IPS (combined with rates). Of course it will affect performance, but what are we talking about here, in terms of WAN throughput? Or do you use the FGT for heavy internal traffic as well? The FG-620B is rated at 16 Gbps firewall throughput and 1 Gbps IPS throughput. That should be sufficient for most WAN lines.
    Design hints:
    - be sure to select only relevant traffic in the DoS sensor, i.e. TCP only, HTTP/port 80 - scanning SSL / HTTPS as well will cost more
    - if the CPU load exceeds 50% you might consider putting the DoS sensor into a DoS interface policy. IPS on an interface takes action very early, before firewalling or AV processing, and thus preserves resources.
    But frankly I cannot imagine that a DoS sensor on a WAN line challenges the 620B a bit.
    AndreasK
    Author
    New Member
    August 17, 2011
    Hello Ede, Thanks for the reply! We have activated a DoS Policy to the traffic coming from the external Interface and everything works OK! The CPU and memory usage haven't increased at all. The traffic to our organization (Internal and external) is very low so the 620B is more than enough. We are monitoring the attack logs in order to fine tune the thresholds. Kind Regards, Andreas
    ede_pfau
    SuperUser
    August 17, 2011
    You can try to trigger the DoS sensor by temporarily lowering the threshold (e.g. for ICMP flood) and sending in traffic. The detection alone won't protect you much. Combine with a period of source IP blocking (say, 10 mins) to effectively suppress attacks. We use it a lot to protect from automated login attempts to ssh servers.
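
Added example (not part of the original posts and not FortiOS code): a simplified Python model of a per-source rate threshold, comparing detection only with detection plus the 10-minute source block suggested in the reply above. The `run_sensor` and `sample_traffic` functions, the addresses and the traffic are constructed for illustration.

```python
from collections import defaultdict

def run_sensor(events, threshold, block_seconds=0):
    """Simplified model of a per-source packets-per-second threshold.

    events: (timestamp_seconds, source_ip) tuples sorted by time.
    block_seconds=0 means detect and log only; otherwise the offending
    source is dropped for that long after it crosses the threshold.
    Returns (forwarded, dropped, alerts).
    """
    per_second = defaultdict(int)   # (source, whole second) -> packets seen
    blocked_until = {}              # source -> time its block expires
    forwarded = dropped = 0
    alerts = []
    for ts, src in events:
        if ts < blocked_until.get(src, 0):
            dropped += 1            # source is still in its block period
            continue
        key = (src, int(ts))
        per_second[key] += 1
        if per_second[key] > threshold:
            if per_second[key] == threshold + 1:
                alerts.append(key)  # one log entry per source per second
            if block_seconds:
                blocked_until[src] = ts + block_seconds
                dropped += 1
                continue
        forwarded += 1
    return forwarded, dropped, alerts

def sample_traffic(seconds=30):
    """Constructed traffic: one flooding source and one normal client."""
    flood = [(s + i / 100, "198.51.100.7") for s in range(seconds) for i in range(100)]
    normal = [(s + i / 2, "203.0.113.20") for s in range(seconds) for i in range(2)]
    return sorted(flood + normal)

if __name__ == "__main__":
    traffic = sample_traffic()
    print("detect only:", run_sensor(traffic, threshold=50)[:2])
    print("10 min block:", run_sensor(traffic, threshold=50, block_seconds=600)[:2])
```

In detect-only mode every flood packet is still forwarded and only the alert log grows; with the block period the flooding source is cut off after its first over-threshold packet while the normal client is untouched.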
    Degies
    New Member
    August 21, 2011
    I am running V4 mr3 P1 and I know there is a bug with the proxy agent on the platform. This is not the proxy options on the device, but a handling process in the internal working. You might need to check with Forti if it is the same issue.