Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

difference between tcp_port_scan and tcp_src_session

We're blocking good traffic because we set up the tcp_port_scan filter. The traffic is coming in on http/https. What is the Fortinet definition of the word "scan"? 


IBM defines it as "probing each port for a response.", whereas Fortinet defines a tcp_port_scan as an excessive 'rate of TCP packet from an IP address...'. Wouldn't excessive traffic be monitored by tcp_src_session?




These look like FortiGate CLI instructions. You might get more responses on that Forum.

Generally tcp_src_sessions is looking at the number of connections a particular source is starting/maintaining. 

You are correct that normally a "scan" is a probe (vertical for ports, horizontal for IP addresses) but in this case FortiGate uses this to indicate a pps rate per TCP port. Port rate limiting is usually a last-resort situation and these should be set pretty high.  

Product Manager - FortiDDoS B/E/F-Series

Thanks for conforming the strange labeling Steve. I'll ramp up the numbers on those blocks. 

I don't see a CLI forum. What's it called?


Sorry, I was not referring to a CLI forum but to the FortiGate Forums.  FortiDDoS (this forum) is a completely different product line for DDoS mitigation only.  The CLI commands you are using come from FortiGate, not FortiDDoS.  I am not a FortiGate expert and expect you would get better responses from the people who monitor the FortiGate forums.

Product Manager - FortiDDoS B/E/F-Series
Top Kudoed Authors