Description
This article describes how to enable denied sessions to be added to the session table, which reduces the CPU load caused by repeated denied traffic from the same source/destination IP address, port and protocol.
Scope
FortiGate.
Solution
Below are the commands to enable denied sessions to be added to the session table:
config system settings
set ses-denied-traffic enable
end
For optimum performance, adjust the global block-session-timer (the value is in seconds):
config system global
set block-session-timer <1-300>    (default = 30 seconds)
end
Blocking the packets of a denied session can take more CPU processing resources than passing the traffic through.
- When 'ses-denied-traffic' is enabled, the FortiGate keeps the denied session in the session table for the 'block-session-timer' duration.
- Once the block session is created, subsequent traffic matching the session resets the expiry timer. Because denied sessions are kept in the session table, they are tracked the same way allowed sessions are, so the FortiGate unit does not have to re-evaluate whether to deny each packet individually.
If the session is denied, all packets belonging to that session are also denied.
Note:
The ses-denied-traffic and block-session-timer settings are not effective at blocking denial-of-service attacks.
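The following Python model is an added illustration of the behaviour described above (a denied-session entry that is kept for block-session-timer seconds and whose expiry is refreshed by matching packets) and of why the Note applies. It is not FortiGate code: the session table, the toy policy (only tcp/443 to 10.0.0.5 allowed), the 5-tuple key, the packet burst and the clock values are all constructed assumptions chosen to make the policy-evaluation count visible.

```python
"""Model of a denied-session cache with a block-session timer.

Added illustration, not FortiGate code. The table, the timer handling and
the policy evaluator are simplified assumptions that mirror the behaviour
described in the article: a denied session is kept for block-session-timer
seconds and matching traffic refreshes its expiry.
"""
from dataclasses import dataclass

# Session key: (src_ip, src_port, dst_ip, dst_port, proto) - a 5-tuple.
Key = tuple


@dataclass
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    ts: float  # arrival time in seconds on a constructed clock

    def key(self) -> Key:
        return (self.src_ip, self.src_port, self.dst_ip, self.dst_port, self.proto)


class SessionTable:
    """Tracks denied sessions when ses_denied_traffic is enabled."""

    def __init__(self, ses_denied_traffic: bool, block_session_timer: int = 30):
        self.ses_denied_traffic = ses_denied_traffic
        self.block_session_timer = block_session_timer
        self.denied: dict = {}          # 5-tuple -> expiry timestamp
        self.policy_evaluations = 0     # how often the full policy ran

    def _policy_denies(self, pkt: Packet) -> bool:
        # Toy policy (constructed): only tcp/443 to 10.0.0.5 is allowed.
        self.policy_evaluations += 1
        return not (pkt.proto == "tcp" and pkt.dst_ip == "10.0.0.5"
                    and pkt.dst_port == 443)

    def _expire(self, now: float) -> None:
        # Drop block sessions whose timer has lapsed.
        self.denied = {k: exp for k, exp in self.denied.items() if exp > now}

    def process(self, pkt: Packet) -> str:
        self._expire(pkt.ts)
        key = pkt.key()
        if self.ses_denied_traffic and key in self.denied:
            # Fast path: the packet matches an existing block session, so the
            # expiry is refreshed and the policy is not re-evaluated.
            self.denied[key] = pkt.ts + self.block_session_timer
            return "denied-cached"
        if self._policy_denies(pkt):
            if self.ses_denied_traffic:
                self.denied[key] = pkt.ts + self.block_session_timer
            return "denied"
        return "allowed"


def simulate_repeated_session(ses_denied_traffic: bool, timer: int = 30):
    """Same denied 5-tuple sent 5 times at 1 s spacing, then once after the
    timer has lapsed. Returns (verdicts, policy_evaluations)."""
    table = SessionTable(ses_denied_traffic, timer)
    pkts = [Packet("192.0.2.10", 40000, "10.0.0.5", 22, "tcp", float(t))
            for t in range(5)]
    pkts.append(Packet("192.0.2.10", 40000, "10.0.0.5", 22, "tcp",
                       4.0 + timer + 1))
    verdicts = [table.process(p) for p in pkts]
    return verdicts, table.policy_evaluations


def simulate_new_sessions(ses_denied_traffic: bool, count: int = 50) -> int:
    """Every packet uses a fresh source port, so none matches an existing
    block session. Returns the number of policy evaluations, which is the
    same with or without the feature: this is why the article notes that
    the setting does not help against denial-of-service floods."""
    table = SessionTable(ses_denied_traffic)
    for i in range(count):
        table.process(Packet("192.0.2.10", 40000 + i, "10.0.0.5", 22,
                             "tcp", float(i) * 0.01))
    return table.policy_evaluations


if __name__ == "__main__":
    for flag in (False, True):
        v, n = simulate_repeated_session(flag)
        print(f"ses-denied-traffic={flag}: evaluations={n}, verdicts={v}")
        print(f"ses-denied-traffic={flag}: new-session flood evaluations="
              f"{simulate_new_sessions(flag)}")
```

With the feature disabled the policy runs for every packet of the repeated session; with it enabled the policy runs once, the next four packets hit the block session (each refreshing its timer), and only the packet arriving after the timer has lapsed triggers a fresh evaluation. The flood of new 5-tuples costs the same either way.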