Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor II

Enable detection mode

Hi eveyone,


I'm really new in the FortiDDoS, and I have some questions about implementation:


1. Where can I see the minimum threshold for each attack? 2. In "Adjust Minimum Threshold By Percentage" what means the value that is there (range 100 - 300%)? 3. How long the FortiDDoS take to have a baseline? 4. Before I set the prevention mode how can I see what will be block? 5. If something is block after prevention mode, how can I fix it?


1) The system must learn and then Traffic Stats reports generated and System Recommendations Thresholds set before you will see any Thresholds.

2) This is used very seldom.  Once you have thresholds set, if you add another link, for example, and immediately see a doubling of your traffic, you can use this to double all thresholds (200%).

3) We usually ask for a week to capture a good profile of your traffic.

4) Once Thresholds are set, the system continues to learn traffic but also starts to show the drops that would happen if the system is in Prevention mode.  In Detection Mode, the system shows drops but never drops a packet.  In Prevention Mode, the drops are real. Even without Thresholds set, you will be seeing "drops" for anomalous packets. In Detection Mode, those will not be dropped. Since FortiDDoS inspects every packet, even single-packet anomalies are seen.

5) Thresholds that result in false positives in Prevention Mode can be manually changed at any time.  However, a fully configured system can be managing over 3.6million parameters, so you want to use Traffic Statistics and System Recommendations, then tune a few parameters as needed.  That is why FortiDDoS shows "drops" in Detection mode - you can tune parameters before moving to Prevention.


To ensure optimum protection, we recommend that you segregate the following types of services into different Service Protection Profiles (SPPs):

- DNS servers

- Firewalls, proxies and email servers

- Web servers

- Any authenticating servers like SSL VPN and FTP, HTTPS if people log on to services.

- Your larger subnet(s) - like /29s or /24s where the above services reside should also be included in an SPP. There is no need to place these in any particular order.  The system sorts that out.

SPP setup could look like this:

- SPP-0 - unused, but thresholds will be set

- SPP-1 - large subnets

- SPP-DNS - DNS serve

- SPP-FW - FW/proxy/email public IPs


Each of these requires different types of features to mitigate better. Having all services in one SPP is OK but makes it much more difficult to tune, analyze and troubleshoot.

We recommend you do NOT use SPP-0.  SPP-0 is like a default VDOM and traffic lands there when we cannot identify any other place to put it.  It is useful for forensics.

Lastly, you should be entering the subnets of your services ( to /32 single IPs) and also the large subnet that they belong to (say a /29 or a /24).  Attackers frequently attack unused IPs (and they can find them) because they only want to fill the pipe, they don't care if there is anything at the end of it - as long as the routing send that packet to you, the attack is successful.


You can enter a FortiCare ticket and ask CS to assign it to Stephen Robinson and I will be happy to help with the setup.

Product Manager - FortiDDoS B/E/F-Series

Hello Stive, I appreciate your answer and your entire help, with your instructions now I can see better how it works and how it have to be implemented. For now I activated the prevention mode if there is something that i will need or my client, i'm going to create a ticket for you entire help. thank you soo much.


Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Top Kudoed Authors