Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
bhwong
New Contributor

How to block IP with too many sessions?

We have a email server that get over 10k hits of authentication failure error as the bots tries to login with random passwords everyday. The trend we notice on Fortigate is that these attacking source IPs will hit very high number of sessions. Is there a way to automate Fortigate to automatically block these source IPs from WAN1 to Port1 when their sessions reach a preset number?

1 Solution
jhouvenaghel_FTNT

Did you try to use a Dos sensor with an anomaly like tcp_src_session or udp_src_session ?

View solution in original post

2 REPLIES 2
jhouvenaghel_FTNT

Did you try to use a Dos sensor with an anomaly like tcp_src_session or udp_src_session ?

bhwong

The DOS Sensor seem to block the port instead of the source IP, affecting the services for everyone. It also require an active Fortiguard IPS subscription to function right?

Labels
Top Kudoed Authors