Description
This article describes how to enable denied sessions to be added to the session table, which reduces the CPU load caused by repeatedly evaluating denied traffic from the same source/destination IP address, port and protocol.
Solution
Below are the commands to enable denied sessions to be added to the session table:

# config system settings
# set ses-denied-traffic enable
# end
For optimum performance, adjust the global block-session-timer (the time, in seconds, that a blocked session stays in the session table):

# config system global
# set block-session-timer <1-300> (default = 30)
# end
Blocking the packets of a denied session can consume more CPU processing resources than passing the traffic through. By placing denied sessions in the session table, they are tracked the same way that allowed sessions are, so the FortiGate unit does not have to reassess whether to deny each packet individually. If the session is denied, all packets belonging to that session are also denied.
Note: ses-denied-traffic and block-session-timer are not effective at blocking denial of service attacks.