filiaks1
Contributor II

Is there a Forti product that monitors the server response latency or response codes for auto DoS?

Hi,

 

After reviewing the Forti demos at https://www.fortinet.com/demo-center and the documentation and some trainings, I wondered what layer 3/4 and especially layer 7 HTTP auto DoS protections are available without configuring manual thresholds in FortiDDoS, FortiWeb, FortiADC?

I mean like by triggering DoS protection based on the web server latency in HTTP responses or the web server starting to return more 5xx response codes?

I believe that only FortiDDoS offers auto thresholds, as in the HTTP profile I see no manual thresholds like in FortiWeb or FortiADC, but if I could get a confirmation?

shafiq23
Staff & Editor

Hello @filiaks1,

 

I believe a Custom Policy in FortiWeb would be some sort of threshold control for such a scenario.

1. Match range 5XX return codes

2. Define occurrences in specific time period

 


Thanks.


Regards,
Shafiq

filiaks1
Contributor II

Not a bad idea @shafiq23, and the custom policy can track more than just IP address, like user and session. Still, it is not dynamic as I would have hoped, but it is there. Probably a TCL script can do the same, but the custom policy seems more readable, as scripting, I saw, is also in FortiADC but not the custom policy.


Outside of that, I saw that FortiDDoS uses auto behavioral thresholds that are based on the number of HTTP packets that are expected in a particular time window, not the server latency/response codes.

filiaks1
Contributor II

Extra note: during DDoS the servers can stop replying or send 503 like Nginx, and after playing with the Custom Policy, unfortunately this is more to block attackers that trigger 5xx errors @shafiq23, not for triggering DoS protections?

Maybe if everyone could start getting JavaScript or captcha checks if many 5xx errors are seen, with a custom policy or TCL script config, not just the user generating the current traffic, as they could be not attackers even if they get 5xx because of the server utilization?

Also, what you showed with the custom policy and response codes, I think the FortiWeb ML can do this automatically: FortiWeb Bot Protection: Machine Learning based Protection

An extra question @shafiq23: does FortiWeb Bot need JavaScript if the traffic is API? I think only biometric and deception need JavaScript?


shafiq23

Hello @filiaks1,

 

ML based bot detection is also a good approach to detect deviation of HTTP error responses (return codes larger than 400).

The previous sample custom policy is used to statically block occurrences of HTTP 5XX responses - it might block legitimate requests.

From my understanding, JS is inserted when Bot Confirmation is enabled and if the response is HTML.

Thanks.

 

Regards,

Shafiq

filiaks1

This will not be enabled for API traffic, that much I am aware of, as this checks if you are a browser and we don't want that. Also the response will not be HTML for API, but thanks for confirming this detection by FortiWeb.

Configuring bot detection policy | FortiWeb 7.0.1 | Fortinet Document Library
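
The distinction the thread arrives at, as an added example that is not part of any post and is not FortiWeb, FortiADC or FortiDDoS code: a per-client 5xx count in a time window (the shape of the custom-policy rule) next to a site-wide signal built from 5xx and slow responses spread over many clients. The function name, thresholds and log tuples are constructed assumptions.

```python
from collections import Counter, deque

# Constructed sample log: (epoch_seconds, client_ip, http_status, response_ms)
SAMPLE = [
    (0, "198.51.100.7", 200, 40), (1, "203.0.113.66", 500, 35),
    (2, "198.51.100.8", 200, 45), (3, "203.0.113.66", 500, 30),
    (4, "198.51.100.9", 200, 50), (5, "203.0.113.66", 500, 33),
    (6, "198.51.100.7", 200, 42),
    # Later: the backend is saturated and many different clients are affected
    (100, "198.51.100.7", 503, 2500), (101, "198.51.100.8", 200, 2300),
    (102, "198.51.100.9", 503, 3000), (103, "198.51.100.10", 503, 2800),
    (104, "198.51.100.11", 200, 60), (105, "198.51.100.12", 503, 2900),
]

def classify(events, window=10, client_5xx=3, site_ratio=0.5,
             slow_ms=2000, min_reqs=6, min_clients=3):
    """Slide a time window over the events and apply two separate rules.

    Returns (flagged_clients, site_alarm_at): clients that alone crossed the
    5xx count, and the first timestamp the site-wide signal fired (or None).
    """
    recent = deque()
    flagged, site_alarm_at = set(), None
    for ev in sorted(events):
        recent.append(ev)
        while recent[0][0] <= ev[0] - window:   # expire events outside the window
            recent.popleft()
        # Rule 1, per client: one source keeps producing 5xx responses.
        errs = Counter(c for _, c, status, _ in recent if status >= 500)
        flagged.update(c for c, n in errs.items() if n >= client_5xx)
        # Rule 2, site-wide: errors or slow responses spread over many clients.
        degraded = [c for _, c, status, ms in recent
                    if status >= 500 or ms >= slow_ms]
        if (site_alarm_at is None and len(recent) >= min_reqs
                and len(degraded) / len(recent) >= site_ratio
                and len(set(degraded)) >= min_clients):
            site_alarm_at = ev[0]
    return flagged, site_alarm_at

if __name__ == "__main__":
    clients, alarm = classify(SAMPLE)
    print("per-client action (block/challenge that source):", sorted(clients))
    print("site-wide action (challenge all new sessions) from t =", alarm)
```

In the sample, the first burst flags one source without raising the site-wide signal, while the later overload raises the site-wide signal without flagging any individual client.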

 
 
