Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
franz
New Contributor

Best practices to setting up a dos sensor

Hello to everyone, which are the thresholds to set a Dos sensor?Which one i must set to protect my web server from attack DoS/DDoS? Thanks
6 REPLIES 6
himani_FTNT
Staff
Staff

To understand more, the Threshold is basically is count of packet per second and if the threshold is exceeded action will be executed. For example, “tcp_syn_flood” if the syn packet of new tcp connection( only incomplete TCP connection not the established one) to one destination IP is hit the Threshold value and action is “block” , the FG unit will start blocking the attacked traffic and allow legitimate traffic. You can set the value at GUI-> Intrusion Protection->DoS sensor. The value of Threshold depends on the traffic (new connection pre second) on server, it should be set much higher then peek value. Default action any Ddos sensor is “pass”, chose action as your network desire.
CHood
New Contributor

I understand this is an old thread but it looks like a good place to ask my question. I' m trying to implement DoS Sensors. I' ve read up on the subject and everyone stresses the importance of checking your particular traffic peaks before setting up the trigger values for each sensor. Can someone give me a good, practical, step-by-step on exactly how I should go about pulling that info? Also, I' d like to set up the full gamut of sensors. Can the community give me some real-world advice, best practices, and maybe some dos and don' ts from their own experiences with setting up DoS sensors? Thanks!
RH2
New Contributor II

a couple of things to remember. When you first set it up, just have it log the action but pass the traffic so you don' t accidentally block legitimate traffic. What we did was to turn on logging for every option at the default threshold with an action of pass. I also set up an logging alerts to email the group. If you have alerts set up you will get these as they are logged as critical. Then review the logs or alerts for your subnets setting off an alert. We had to adjust the icmp sweep to account for our monitoring servers and snmp traffic. Once you have identified what traffic should be allowed without triggering an alert you can create a separate rule for that traffic that passes the traffic and is not logged. then below that, we set up a rule to block everything after hitting the thresholds we determined. Most of the settings we use are the default settings. NOTE: you can ban the attacker that sets off these alerts but it is only in the CLI. I don' t remember finding this option in v4, but it is in v5. Example of our DoS policies: 1. interface " external" >> sources " outstation offices" >> destination " monitoring servers" >> service " ALL" >> status " all checked" >> logging " none" >> action " pass" >> threshold " default (since we are passing and not logging" 2. interface " external" >> sources " all" >> destination " all" >> service " ALL" >> status " checked all" >> logging " checked all" >> action " blocked all" >> threshold " mostly defaults, but some adjusted higher"
CHood
New Contributor

Thanks, that definitely helps. I should mention here that my devices are 80Cs and, so, I have to do my DoS configuring from the CLI (still pretty bitter about that). In FortiOS v5 it appears, unless I' m understanding this incorrectly, that we now have two preconfigured policies, one for IPv4 and one for IPv6. I' ve set up each anomaly in the default DoS-Policy (for IPv4) with default thresholds set to log and pass. config anomaly edit " tcp_syn_flood" set status enable set log enable set action pass set threshold 2000 next ... end Also in v5 it appears that that you now apply the DoS policies via the interface policies. In configuring the interface policy I' ve specified it as follows: config firewall interface-policy edit 1 set interface " wan1" set srcaddr " all" set dstaddr " all" set service " ALL" next end I don' t see any option to specify the ID of the DoS-Policy so, I' m guessing, that' s assumed. I have options to set application lists, av profiles, dlp profiles, and web filters but I have those defined and applied via FSSO groups. Is there anything that I' m missing or am I good to go?
CHood
New Contributor

I have opened a ticket with support and here is their response which helps to clear up some of my confusion. Regarding this setup. first you will need to configure a sensor for DoS via CLI: config firewall DoS-policy edit <dospolicy_id_int> set client-reputation {enable | disable} set dstaddr <name_str> set interface <name_str> set service <name_str> set srcaddr <name_str> set status {enable | disable} config anomaly edit <anomaly_str> set action {block | pass} set log {enable | disable} set quarantine {attacker | both | interface | none} set status {enable | disable} set threshold <threshold_int> end end Use the following command to add a DoS policy from the CLI that adds syn flood protection for all traffic hitting the wan2 interface: config firewall DoS-policy edit 1 set interface wan2 set srcaddr all set dstaddr all set service ALL config anomaly edit tcp_syn_flood set status enable set log enable set action block end end In FortiOS 5.0 DoS sensors are no longer available. DoS policies are the most common method for applying DoS anomalies in FortiOS 5.0. You can also use the following command to apply DoS anomalies to a one-arm sniffer configuration. config firewall sniffer Interface policies are still available in FortiOS 5.0 from the CLI using the following commands: config firewall interface-policy config firewall interface-policy6 You can use interface policies to apply application control, intrusion protection, virus scanning, web filtering, email filtering and data leak protection to traffic received by an interface. The following commands are also available for adding sniffer interface policies, which are similar to interface policies: config firewall sniff-interface-policy config firewall sniff-interface-policy6 All of these command have similar syntax for applying Security Features to traffic connecting to or sniffed by a FortiGate interface. Hope this helps others who might be similarly confused.
Palerm0
New Contributor II

Hi,

I have an question for this older topic.

Is there a way to generate a report to see if the thresholds a good.

I know if a threshold is reached that a email is generated as critical. But i would like to see a graphical view of this.

 

Thanks

Palermo

 

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors