- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Enable detection mode
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Enable detection mode
Hi eveyone,
I'm really new in the FortiDDoS, and I have some questions about implementation:
1. Where can I see the minimum threshold for each attack? 2. In "Adjust Minimum Threshold By Percentage" what means the value that is there (range 100 - 300%)? 3. How long the FortiDDoS take to have a baseline? 4. Before I set the prevention mode how can I see what will be block? 5. If something is block after prevention mode, how can I fix it?
2 REPLIES 2
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
1) The system must learn and then Traffic Stats reports generated and System Recommendations Thresholds set before you will see any Thresholds.
2) This is used very seldom. Once you have thresholds set, if you add another link, for example, and immediately see a doubling of your traffic, you can use this to double all thresholds (200%).
3) We usually ask for a week to capture a good profile of your traffic.
4) Once Thresholds are set, the system continues to learn traffic but also starts to show the drops that would happen if the system is in Prevention mode. In Detection Mode, the system shows drops but never drops a packet. In Prevention Mode, the drops are real. Even without Thresholds set, you will be seeing "drops" for anomalous packets. In Detection Mode, those will not be dropped. Since FortiDDoS inspects every packet, even single-packet anomalies are seen.
5) Thresholds that result in false positives in Prevention Mode can be manually changed at any time. However, a fully configured system can be managing over 3.6million parameters, so you want to use Traffic Statistics and System Recommendations, then tune a few parameters as needed. That is why FortiDDoS shows "drops" in Detection mode - you can tune parameters before moving to Prevention.
To ensure optimum protection, we recommend that you segregate the following types of services into different Service Protection Profiles (SPPs):
- DNS servers
- Firewalls, proxies and email servers
- Web servers
- Any authenticating servers like SSL VPN and FTP, HTTPS if people log on to services.
- Your larger subnet(s) - like /29s or /24s where the above services reside should also be included in an SPP. There is no need to place these in any particular order. The system sorts that out.
SPP setup could look like this:
- SPP-0 - unused, but thresholds will be set
- SPP-1 - large subnets
- SPP-DNS - DNS serve
- SPP-FW - FW/proxy/email public IPs
etc...
Each of these requires different types of features to mitigate better. Having all services in one SPP is OK but makes it much more difficult to tune, analyze and troubleshoot.
We recommend you do NOT use SPP-0. SPP-0 is like a default VDOM and traffic lands there when we cannot identify any other place to put it. It is useful for forensics.
Lastly, you should be entering the subnets of your services ( to /32 single IPs) and also the large subnet that they belong to (say a /29 or a /24). Attackers frequently attack unused IPs (and they can find them) because they only want to fill the pipe, they don't care if there is anything at the end of it - as long as the routing send that packet to you, the attack is successful.
You can enter a FortiCare ticket and ask CS to assign it to Stephen Robinson and I will be happy to help with the setup.
Product Manager - FortiDDoS B/E/F-Series
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Stive, I appreciate your answer and your entire help, with your instructions now I can see better how it works and how it have to be implemented. For now I activated the prevention mode if there is something that i will need or my client, i'm going to create a ticket for you entire help. thank you soo much.
Related Posts
- Novice Needing Help Setting Up FortiGate... 186 Views
- Fortiportal SSID Greyed out 202 Views
- IPsec tunnel stability issue - two... 341 Views
- Automatically Ban Malicious Inbound IPs using... 302 Views
- ipv6 - internal lan interface cannot... 395 Views
Labels
-
FortiGate
6,604 -
FortiClient
1,318 -
5.2
801 -
5.4
639 -
FortiManager
572 -
FortiAnalyzer
417 -
6.0
416 -
5.6
362 -
FortiSwitch
339 -
FortiAP
337 -
FortiClient EMS
269 -
6.2
251 -
FortiMail
248 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
152 -
6.4
128 -
FortiNAC
108 -
FortiGuard
102 -
FortiSIEM
89 -
FortiGateCloud
87 -
FortiCloud Products
85 -
IPsec
73 -
FortiToken
72 -
Customer Service
70 -
4.0MR3
64 -
SSL-VPN
63 -
Wireless Controller
58 -
FortiProxy
45 -
FortiADC
44 -
Fortivoice
41 -
FortiEDR
39 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
32 -
FortiSandbox
31 -
FortiSwitch v6.4
28 -
SD-WAN
26 -
Firewall policy
25 -
FortiConnect
24 -
FortiWAN
22 -
VLAN
21 -
High Availability
21 -
FortiConverter
21 -
FortiPortal
18 -
FortiAuthenticator
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
SAML
14 -
Certificate
14 -
DNS
13 -
Interface
13 -
FortiDDoS
13 -
BGP
12 -
FortiGate v5.0
12 -
Routing
12 -
FortiCASB
12 -
LDAP
11 -
VDOM
11 -
Logging
11 -
Virtual IP
10 -
FortiRecorder
10 -
RADIUS
9 -
FortiWeb v5.0
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
fortilink
8 -
Traffic shaping
8 -
SSID
7 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
SSL SSH inspection
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
Authentication
6 -
FortiBridge
6 -
Fortigate Cloud
6 -
SNMP
6 -
SSO
6 -
Application control
6 -
Traffic shaping policy
5 -
Web application firewall profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
Proxy policy
4 -
packet capture
4 -
WAN optimization
4 -
Automation
4 -
DNS Filter
4 -
Web profile
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
Port policy
4 -
FortiScan
4 -
IPS signature
3 -
FortiToken Cloud
3 -
FortiAP profile
3 -
DoS policy
3 -
Intrusion prevention
3 -
FortiDB
3 -
FortiDeceptor
2 -
Fortinet Engage Partner Program
2 -
FortiInsight
2 -
NAC policy
2 -
Antivirus profile
2 -
Traffic shaping profile
2 -
VoIP profile
2 -
FortiPAM
2 -
FortiAI
2 -
FortiHypervisor
2 -
Email filter profile
2 -
Netflow
2 -
trunk
2 -
System settings
2 -
4.0MR1
1 -
TACACS
1 -
Users
1 -
Replacement messages
1 -
Schedule
1 -
Subscription Renewal Policy
1 -
SDN connector
1 -
FortiCWP
1 -
FortiNDR
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Web rating
1 -
Internet Service Database
1 -
Multicast routing
1 -
Zone
1 -
Explicit proxy
1 -
Protocol option
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.