config firewall DoS-policy
    edit 11
        set interface "port3"
        set srcaddr "INTER_######"
        set dstaddr "DMZ_GW"
        set service "PING"
        config anomaly
            edit "icmp_flood"
                set status enable
                set log enable
                set action block
                set quarantine attacker
                set quarantine-expiry 259200
                set quarantine-log enable
                set threshold 10
            next
        end
    next
end

and here's my probe:
E:\>fping dmzgw.polsteam.com -t20 -n15 -b-
Fast pinger version 2.22 (c) Wouter Dhondt (http://www.kwakkelflap.com)
Pinging ########## [217.153.######] with 32 bytes of data every 20 ms:
Reply[1] from 217.153.######: bytes=32 time=64.5 ms TTL=245
Reply[2] from 217.153.######: bytes=32 time=63.4 ms TTL=245
Reply[3] from 217.153.######: bytes=32 time=63.1 ms TTL=245
Reply[4] from 217.153.######: bytes=32 time=65.6 ms TTL=245
Reply[5] from 217.153.######: bytes=32 time=63.4 ms TTL=245
Reply[6] from 217.153.######: bytes=32 time=63.5 ms TTL=245
Reply[7] from 217.153.######: bytes=32 time=64.4 ms TTL=245
Reply[8] from 217.153.######: bytes=32 time=63.0 ms TTL=245
Reply[9] from 217.153.######: bytes=32 time=64.1 ms TTL=245
Reply[10] from 217.153.######: bytes=32 time=63.2 ms TTL=245
217.153.######: request timed out
Reply[12] from 217.153.######: bytes=32 time=62.9 ms TTL=245
Reply[13] from 217.153.######: bytes=32 time=64.3 ms TTL=245
Reply[14] from 217.153.######: bytes=32 time=63.6 ms TTL=245
Reply[15] from 217.153.######: bytes=32 time=63.6 ms TTL=245
Ping statistics for 217.153.######:
    Packets: Sent = 15, Received = 14, Lost = 1 (6% loss)
Approximate round trip times in milli-seconds:
    Minimum = 62.9 ms, Maximum = 65.6 ms, Average = 63.8 ms

It can be seen that the "icmp_flood" scanner does its job detecting the anomaly. Still I can't see the quarantine effect with myself being the "attacker". I'd expect that all echo requests following no. 10 remain unanswered and that an additional entry feeds the Intrusion Protection log. Do you have experience quarantining DoS attackers and can you tell me what I am missing?

Thanks, Rafal
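As an added illustration (not part of the post and not Fortinet code), the Python below models the behaviour the poster expects from the policy above and checks an fping transcript against it. It assumes three things that the post does not state: that `threshold 10` is a count of ICMP packets per second, that the first packet over the threshold is the first one blocked, and that `quarantine attacker` drops every further packet from that source for `quarantine-expiry` seconds. The probe transcript embedded in the block is constructed from the pattern of the post's output with a documentation-range address.

```python
"""Reference model of a threshold-triggered ICMP flood block with attacker
quarantine, plus a checker for fping-style probe output.

Assumptions (not from the post): threshold = packets per second, the first
packet above the threshold is dropped, quarantine lasts `expiry` seconds.
"""
import re
from collections import deque


class IcmpFloodPolicy:
    """Sliding one-second window over ICMP packets; quarantine on breach."""

    def __init__(self, threshold=10, expiry=259200):
        self.threshold = threshold
        self.expiry = expiry
        self.window = deque()   # timestamps of packets seen in the last second
        self.quarantined = {}   # src -> time at which quarantine ends
        self.log = []           # what the anomaly log would record

    def handle(self, src, ts):
        """Return True if the echo request is answered, False if dropped."""
        end = self.quarantined.get(src)
        if end is not None:
            if ts < end:
                return False            # still quarantined: drop silently
            del self.quarantined[src]   # expiry reached, source released
        self.window.append(ts)
        while self.window and ts - self.window[0] >= 1.0:
            self.window.popleft()       # keep only the last second
        if len(self.window) > self.threshold:
            self.quarantined[src] = ts + self.expiry
            self.log.append(
                f"{ts:.3f} icmp_flood src={src} action=block "
                f"quarantine_expiry={self.expiry}s")
            return False
        return True


def simulate_probe(count=15, interval=0.020, threshold=10, expiry=259200):
    """Replay a probe like the post's (15 requests, 20 ms apart)."""
    policy = IcmpFloodPolicy(threshold, expiry)
    src = "192.0.2.100"   # constructed attacker address
    results = [(i + 1, policy.handle(src, i * interval)) for i in range(count)]
    return results, policy


# Constructed transcript in the shape of the fping output from the post.
PROBE_OUTPUT = """Pinging dmz-host [192.0.2.10] with 32 bytes of data every 20 ms:
Reply[1] from 192.0.2.10: bytes=32 time=64.5 ms TTL=245
Reply[2] from 192.0.2.10: bytes=32 time=63.4 ms TTL=245
Reply[10] from 192.0.2.10: bytes=32 time=63.2 ms TTL=245
192.0.2.10: request timed out
Reply[12] from 192.0.2.10: bytes=32 time=62.9 ms TTL=245
Reply[13] from 192.0.2.10: bytes=32 time=64.3 ms TTL=245
"""

_REPLY = re.compile(r"Reply\[(\d+)\] from")
_TIMEOUT = re.compile(r"request timed out")


def parse_fping(output):
    """Return [(sequence_number, answered)] from fping-style output."""
    results, seq = [], 0
    for line in output.splitlines():
        m = _REPLY.search(line)
        if m:
            seq = int(m.group(1))
            results.append((seq, True))
        elif _TIMEOUT.search(line):
            seq += 1                    # timeouts carry no sequence number
            results.append((seq, False))
    return results


def quarantine_effective(results):
    """True only if every request after the first drop was also dropped."""
    dropped = False
    for _, answered in results:
        if not answered:
            dropped = True
        elif dropped:
            return False                # a reply after a drop: no quarantine
    return dropped


if __name__ == "__main__":
    print("post-style transcript quarantined:",
          quarantine_effective(parse_fping(PROBE_OUTPUT)))
    sim, policy = simulate_probe()
    print("model quarantined:", quarantine_effective(sim))
    print("\n".join(policy.log))
```

Run against the constructed transcript, the checker reports no quarantine (a single timeout followed by replies, as in the post), while the model produces the pattern the poster expected: replies 1 to 10, then every request dropped and one block entry logged. Comparing the two is a quick way to tell a one-off drop from a source that is actually held in quarantine.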
> I can't see the quarantine effect with myself being the "attacker". I'd expect that all echo requests following no. 10 remain unanswered and that an additional entry feeds the Intrusion Protection log.

Have some progress on this issue. Will share results asap. Meanwhile pls. don't bother to help.

BR, Rafal