I am tweaking my DoS policies and have two inquiries for further clarification purposes. I understand that my destination address in the policy needs to be the public facing IP address for the servers/services I am wanting to protect.
1. Is the firewall's interface (or NAT pool) inferred in that (even though you specify the server's VIP address as the destination only)? So what I mean is, if the firewall's WAN interface is 1.1.1.1 and the server's VIP is 1.1.1.2 and I specify just the server's address in the destination, should I also receive anomaly info on the 1.1.1.1 as well should my policy threshold trip? I'm asking this as I am getting anomalies on my firewall's NAT pool interface for just general egress traffic that I don't have defined in my DoS Policy destination, so was curious about that.
2. Is there any benefit in separating out policies, i.e. one for L4 ICMP anomalies for all destinations and one for L4 TCP_src anomalies for specific destinations, for example?
Edited to respond that I answered my own inquiry. First query was due to the fact that I totally forgot that my SSL VPN was also a public facing service. Second query was more just a matter of my preference in that I created one policy to cover ICMP only to all destinations with ICMP anomalies only and a second policy where I was very granular to those public facing servers on only the ports I had open for those VIPs with tcp anomalies only (no tcp_dst since this is an Internet sourced policy and not an outbound destined one).
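Added here as an illustration of the two-policy split the poster describes, not the poster's own configuration: a FortiOS CLI sketch with one ICMP-only DoS policy for every destination and one TCP-only policy scoped to the published VIP and its open port. It assumes the WAN interface is named wan1, an address object srv-public-1.1.1.2 standing for the server VIP from the question, HTTPS as the only open port, and thresholds that are illustrative starting points rather than tuned values.

```fortios
config firewall address
    edit "srv-public-1.1.1.2"
        set subnet 1.1.1.2 255.255.255.255
        set comment "Assumed: external address of the published server VIP"
    next
end
config firewall DoS-policy
    edit 1
        set name "dos-icmp-all"
        set comments "ICMP anomalies only, every destination on wan1 (VIPs and the interface address itself)"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL_ICMP"
        config anomaly
            edit "icmp_flood"
                set status enable
                set log enable
                set action block
                set threshold 250
            next
        end
    next
    edit 2
        set name "dos-tcp-vips"
        set comments "TCP anomalies only, scoped to the published VIP and its open port; tcp_dst_session left out because sessions are inbound from the Internet"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "srv-public-1.1.1.2"
        set service "HTTPS"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "tcp_src_session"
                set status enable
                set log enable
                set action block
                set threshold 5000
            next
        end
    next
end
```

Anomalies reported against the interface address (1.1.1.1 in the question) are expected once that address hosts SSL VPN; if the VPN listener should be shielded on the same granular terms as the VIPs, it needs its own address object in a policy's dstaddr.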
Hello,
Thank you for using the Community Forum.
I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Regards,
Created on 12-04-2022 11:47 AM Edited on 12-04-2022 11:48 AM
I think I'm good. I edited my question to relay that I was able to provide my own answer due to missing that I also had SSL VPN on the firewall interface that I forgot about along with the personal preference on separating the policies (ICMP and TCP) which I ended up doing to just keep some distinction in reporting.
Thank you for this update!
Do not hesitate to come back to our forum if you need anything.
Regards,