difference between tcp_port_scan and tcp_src_session

snailcheesy · ‎08-26-2016

We're blocking good traffic because we set up the tcp_port_scan filter. The traffic is coming in on http/https. What is the Fortinet definition of the word "scan"?

IBM defines it as "probing each port for a response.", whereas Fortinet defines a tcp_port_scan as an excessive 'rate of TCP packet from an IP address...'. Wouldn't excessive traffic be monitored by tcp_src_session?

Thanks!

SteveDDoS_FTNT · ‎08-26-2016

These look like FortiGate CLI instructions. You might get more responses on that Forum.

Generally tcp_src_sessions is looking at the number of connections a particular source is starting/maintaining.

You are correct that normally a "scan" is a probe (vertical for ports, horizontal for IP addresses) but in this case FortiGate uses this to indicate a pps rate per TCP port. Port rate limiting is usually a last-resort situation and these should be set pretty high.

Product Manager - FortiDDoS B/E/F-Series

snailcheesy · ‎08-26-2016

Thanks for conforming the strange labeling Steve. I'll ramp up the numbers on those blocks.

I don't see a CLI forum. What's it called?

SteveDDoS_FTNT · ‎08-31-2016

Sorry, I was not referring to a CLI forum but to the FortiGate Forums. FortiDDoS (this forum) is a completely different product line for DDoS mitigation only. The CLI commands you are using come from FortiGate, not FortiDDoS. I am not a FortiGate expert and expect you would get better responses from the people who monitor the FortiGate forums.

Product Manager - FortiDDoS B/E/F-Series

difference between tcp_port_scan and tcp_src_session

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website