difference between tcp_port_scan and tcp_src_session
We're blocking good traffic because we set up the tcp_port_scan filter. The traffic is coming in on http/https. What is the Fortinet definition of the word "scan"?
IBM defines it as "probing each port for a response.", whereas Fortinet defines a tcp_port_scan as an excessive 'rate of TCP packet from an IP address...'. Wouldn't excessive traffic be monitored by tcp_src_session?
Thanks!
These look like FortiGate CLI instructions. You might get more responses on that Forum.
Generally tcp_src_sessions is looking at the number of connections a particular source is starting/maintaining.
You are correct that normally a "scan" is a probe (vertical for ports, horizontal for IP addresses) but in this case FortiGate uses this to indicate a pps rate per TCP port. Port rate limiting is usually a last-resort situation and these should be set pretty high.
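As an added illustration (not from either poster), here is a FortiGate DoS policy that puts the two anomalies discussed into log-only mode, so the actual per-port packet rate and per-source session count can be observed before any block action is turned back on; the interface name and threshold values are assumptions, not numbers from this thread.

```fortios
config firewall DoS-policy
    edit 1
        # assumed ingress interface; adjust to the one carrying the HTTP/HTTPS traffic
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            # TCP packet rate anomaly: log but do not drop while baselining
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            # concurrent TCP sessions per source IP: same log-only approach
            edit "tcp_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
        end
    next
end
```

Once the anomaly logs show the peak legitimate values, set each threshold comfortably above them and only then change `set action pass` back to `set action block`.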
Thanks for confirming the strange labeling Steve. I'll ramp up the numbers on those blocks.
I don't see a CLI forum. What's it called?
Sorry, I was not referring to a CLI forum but to the FortiGate Forums. FortiDDoS (this forum) is a completely different product line for DDoS mitigation only. The CLI commands you are using come from FortiGate, not FortiDDoS. I am not a FortiGate expert and expect you would get better responses from the people who monitor the FortiGate forums.