Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
hklb
Contributor II

DoS policy - how to optimize rules ?

Hello,

 

I set up the DoS policy on our lab firewall. The configuration was very simple :

edit 2

set interface "port20"
set srcaddr "all"
set dstaddr "all"
set service "ALL"

config anomaly

edit "tcp_syn_flood"
set status enable
set log enable
set threshold 2000
next
edit "tcp_port_scan"
set log enable
set threshold 1000
next
edit "tcp_src_session"
set status enable
set log enable
set threshold 5000
next
edit "tcp_dst_session"
set status enable
set log enable
set threshold 5000
next
edit "udp_flood"
set status enable
set log enable
set threshold 2000
next
edit "udp_scan"
set status enable
set log enable
set threshold 2000
next
edit "udp_src_session"
set status enable
set log enable
set threshold 5000
next
edit "udp_dst_session"
set status enable
set log enable
set threshold 5000
next

edit "icmp_flood"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-log enable
set threshold 250
next
edit "icmp_sweep"
set status enable
set log enable
set action block
set quarantine attacker
set quarantine-log enable
set threshold 100
next

edit "icmp_src_session"
set status enable
set log enable
set threshold 300
next
edit "icmp_dst_session"
set status enable
set log enable
set threshold 1000
next
edit "ip_src_session"
set status enable
set log enable
set threshold 5000
next
edit "ip_dst_session"
set status enable
set log enable
set threshold 5000
next
edit "sctp_flood"
set log enable
set threshold 2000
next
edit "sctp_scan"
set log enable
set threshold 1000
next
edit "sctp_src_session"
set log enable
set threshold 5000
next
edit "sctp_dst_session"
set log enable
set threshold 5000
next
end

 

How can I see the average sessions/sec ? How can I optimize these settings according my environnement ?

 

I only found one diagnose debug command for this feature.. diag ips anomaly list.. But it show only the current state..

 

Thanks

 

Lucas

1 REPLY 1
ede_pfau
Esteemed Contributor III

hi hklb,

 

well you have the 'current sessions' widget, and in the CLI "get sys perf stat" which shows the session setup rate over the last seconds and minutes. Not for longtime monitoring though.

Setting these thresholds is tricky. Imagine a browsing session: one page could easily lead to 100 sessions over a period of several seconds. With 2000 sessions per second we are talking about very high usage, and I dare say that with this value you are safe on the 'abuse' side. It mostly depends on your users' usage patterns.

 

Besides, I would not activate so many threshold sensors - at all, and - during regular usage. It all costs performance (as counters have to be watched). Of course, enabling a DoS policy after the fact will not gain you any laurels...you'll need to find a balance for this.


Ede

"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Labels
Top Kudoed Authors