Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
x_member
Contributor

DOS Policies - Best Practice / Questions

I'm trying to develop, tune and implement some DoS policies on a FGT60d running 5.2.7 (no GUI option for DoS policies).

We have HTTP, HTTPS, SMTP services exposed through VIPs.

 

I've been able to setup a basic DoS policy (with logging and action "pass") using the CLI on the external interface "wan1" for all services with the intention of tuning thresholds, however monitoring this has shown me that this may not be the most practical approach.

 

At present I'm seeing tcp_port_scan anomalies triggered by both an (obviously) hostile IP address and the gateway IP of one of our largest customers - clearly I don't want to wind up quarantining the latter..

 

This leads me to the following questions:

1. Should I be applying DoS policies only to the services we expose?

2. Are DoS policies processed in top-down order similar to firewall policies?

3. Are DoS policies VIP aware? i.e. should I use the ViP as the destination address for the policy (as with a firewall policy)?

 

I should note that I have (and currently am)  reviewing other posts on DoS prevention within the forum however many lead to dead links or pose questions that the OP never returned  to update (as with many forums..).

 

I'm not looking to reinvent the wheel here but to implement a sensible level of defence (effort vs reward) that leaves customers unaffected and us with a minimum of maintenance overhead.

 

Thanks.

 

1 REPLY 1
telecosistem
New Contributor

Hello,

DoS Policy isn't available to desktop/small models.

Best regards,

follow us: [link]https://networkingcontrol.wordpress.com[/link]