Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
unknown1020
New Contributor III

DoS policy in FortiGate

Hi, friends.

 

Are the DoS policies created in fortigate necessary when having HTTPS and HTTP publishing?


I have a SIP publishing policy on the firewall but I'm not sure if I should create DoS policies or not.

 

To avoid blocking problems due to false positives perhaps, I am configuring a DDos profile in MONITOR mode, but I have a question, what is the difference between "logging" and "monitor"?

 

I attach an image of my MONITOR profile.

 

Sin título.jpg

 

Could you help me with this query please.

12 REPLIES 12
Mrinmoy
Staff
Staff

Logging: Enable/disable logging for specific anomalies or all of them. Anomalous traffic will be logged when the action is Block or Monitor.
Monitor: Allow the anomalous traffic, but record a log message if logging is enabled.

Mrinmoy Purkayastha
unknown1020
New Contributor III

So to create a monitor mode profile, would it only be necessary to enable "monitor" or also logging? I'm confused.

I want to create a profile that doesn't take any action, just monitor.

 

dbu

Hi @unknown1020 ,

I believe if you choose Monitor it will not take any action on the traffic, it will only log this traffic for audit purposes. Basically it allows the anomalous traffic, and records a log message if logging is enabled.

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
unknown1020
New Contributor III

Thank you.

One question, I only have one service published on my firewall regarding the "SIP" service. I do not have HTTP HTTPS published services on the firewall. Are these DDos policies only created in the firewall for those publications HTTP HTTPS?

dbu

DoS policies examine the network traffic arriving at a FortiGate interface for anomalous patterns, which usually indicates an attack. On the other side "SIP" service  you refer i believe is for traffic going through the firewall. 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
unknown1020
New Contributor III

I have a SIP (Wan to Lan) service publication.

I have seen KB https://community.fortinet.com/t5/FortiGate/Technical-Tip-Configure-Denial-of-Service-DoS-protection... where incoming interface select the WAN.

 

For this reason, I ask if these DDOS policies are related to WAN TO LAN publications? directly to the http and https service.

In my case I only have the SIP service (wan to lan) therefore can I also create those ddos monitor policies?

dbu

Yes you are protecting the HTTP/HTTPS service on the interface 'wan2' in your case, if that is the only interface expecting traffic. 
That policy will only log traffic if logging is enabled. 

Regards!
If you have found a solution, please like and accept it to make it easily accessible for others.
unknown1020
New Contributor III

I only have the SIP (WAN TO LAN) service publication, so it is viable to create the Ddos policy, correct? For my SIP publication

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors