Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
maskasuba
New Contributor

DDoS Protection on Fortigate 500E

Dear Experts,

we need you expert opinion regarding DDoS attack Mitigation.

We are running Fortigate 500E HA cluster (6.0.x) in our production environment. we want to protect our web-servers again DDoS attacks. What measures/steps should we take on our Production Fortigates to be able to protect our webservers in DMZ.

I know there are some dedicated products available from Fortinet for DDoS, but we are in a money saving mode nowadays that's why we are looking for the best practices available on the Fortigate.

Thank you for your response and time.

VidMate
2 REPLIES 2
srajeswaran
Staff
Staff

Applying DDOS policy is simple configuration and the same has been explained in below URLs.
The important point with regards to DDOS is understanding what is the legitimate connection/session/packet rate so that the abnormal sessions/packets/connections can be blocked with DOS policies.

You may start by applying the default threshold values and action as monitor . Check if the normal traffic triggers any DDOS attack, if so you need to increase the threshold and monitor otherwise decrease the threshold and monitor. You may have to repeat this multiple time to find the optimal thresholds and then set the action drop/block.
For example, your webservers may get 1000 connections per second, so if you set a threshold of 900, it will block the 100 legitimate connections.We need to avoid such situations.

Configuration/best practices.

https://docs.fortinet.com/document/fortigate/6.2.15/cookbook/771644/dos-protection
https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-Denial-of-Service-DoS-protection...
https://www.fortinet.com/resources/cyberglossary/ddos-protection

Regards,

Suraj

- Have you found a solution? Then give your helper a "Kudos" and mark the solution.

AEK
Honored Contributor

Hi

FortiGate can only protect against DoS, not DDoS.

As per my knowledge DDoS needs to be supported at ISP level, and eventually FortiDDoS.

AEK
AEK
Top Kudoed Authors