Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
hklb
Contributor II

DoS policy - how to optimize rules ?

Hello,

 

I set up the DoS policy on our lab firewall. The configuration was very simple :

edit 2

set interface "port20"
set srcaddr "all"
set dstaddr "all"
set service "ALL"

config anomaly

edit "tcp_syn_flood"
set status enable
set log enable
set threshold 2000
next
edit "tcp_port_scan"
set log enable
set threshold 1000
next
edit "tcp_src_session"
set status enable
set log enable
set threshold 5000
next
edit "tcp_dst_session"
set status enable
set log enable
set threshold 5000
next
edit "udp_flood"
set status enable
set log enable
set threshold 2000
next
edit "udp_scan"
set status enable
set log enable
set threshold 2000
next
edit "udp_src_session"
set status enable
set log enable
set threshold 5000
next
edit "udp_dst_session"
set status enable
set log enable
set threshold 5000
next

edit "icmp_flood"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-log enable
set threshold 250
next
edit "icmp_sweep"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-log enable
set threshold 100
next

edit "icmp_src_session"
set status enable
set log enable
set threshold 300
next
edit "icmp_dst_session"
set status enable
set log enable
set threshold 1000
next
edit "ip_src_session"
set status enable
set log enable
set threshold 5000
next
edit "ip_dst_session"
set status enable
set log enable
set threshold 5000
next
edit "sctp_flood"
set log enable
set threshold 2000
next
edit "sctp_scan"
set log enable
set threshold 1000
next
edit "sctp_src_session"
set log enable
set threshold 5000
next
edit "sctp_dst_session"
set log enable
set threshold 5000
next
end

 

How can I see the average sessions/sec ? How can I optimize these settings according my environnement ?

 

I only found one diagnose debug command for this feature.. diag ips anomaly list.. But it show only the current state..

 

Thanks

 

Lucas

1 REPLY 1
ede_pfau
SuperUser
SuperUser

hi hklb,

 

well you have the 'current sessions' widget, and in the CLI "get sys perf stat" which shows the session setup rate over the last seconds and minutes. Not for longtime monitoring though.

Setting these thresholds is tricky. Imagine a browsing session: one page could easily lead to 100 sessions over a period of several seconds. With 2000 sessions per second we are talking about very high usage, and I dare say that with this value you are safe on the 'abuse' side. It mostly depends on your users' usage patterns.

 

Besides, I would not activate so many threshold sensors - at all, and - during regular usage. It all costs performance (as counters have to be watched). Of course, enabling a DoS policy after the fact will not gain you any laurels...you'll need to find a balance for this.

Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors