Hello,
I set up the DoS policy on our lab firewall. The configuration was very simple :
edit 2
set interface "port20"
set srcaddr "all"
set dstaddr "all"
set service "ALL"
config anomaly
edit "tcp_syn_flood"
set status enable
set log enable
set threshold 2000
next
edit "tcp_port_scan"
set log enable
set threshold 1000
next
edit "tcp_src_session"
set status enable
set log enable
set threshold 5000
next
edit "tcp_dst_session"
set status enable
set log enable
set threshold 5000
next
edit "udp_flood"
set status enable
set log enable
set threshold 2000
next
edit "udp_scan"
set status enable
set log enable
set threshold 2000
next
edit "udp_src_session"
set status enable
set log enable
set threshold 5000
next
edit "udp_dst_session"
set status enable
set log enable
set threshold 5000
next
edit "icmp_flood"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-log enable
set threshold 250
next
edit "icmp_sweep"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-log enable
set threshold 100
next
edit "icmp_src_session"
set status enable
set log enable
set threshold 300
next
edit "icmp_dst_session"
set status enable
set log enable
set threshold 1000
next
edit "ip_src_session"
set status enable
set log enable
set threshold 5000
next
edit "ip_dst_session"
set status enable
set log enable
set threshold 5000
next
edit "sctp_flood"
set log enable
set threshold 2000
next
edit "sctp_scan"
set log enable
set threshold 1000
next
edit "sctp_src_session"
set log enable
set threshold 5000
next
edit "sctp_dst_session"
set log enable
set threshold 5000
next
end
How can I see the average sessions/sec ? How can I optimize these settings according my environnement ?
I only found one diagnose debug command for this feature.. diag ips anomaly list.. But it show only the current state..
Thanks
Lucas
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
hi hklb,
well you have the 'current sessions' widget, and in the CLI "get sys perf stat" which shows the session setup rate over the last seconds and minutes. Not for longtime monitoring though.
Setting these thresholds is tricky. Imagine a browsing session: one page could easily lead to 100 sessions over a period of several seconds. With 2000 sessions per second we are talking about very high usage, and I dare say that with this value you are safe on the 'abuse' side. It mostly depends on your users' usage patterns.
Besides, I would not activate so many threshold sensors - at all, and - during regular usage. It all costs performance (as counters have to be watched). Of course, enabling a DoS policy after the fact will not gain you any laurels...you'll need to find a balance for this.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1643 | |
1069 | |
751 | |
443 | |
210 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.