Policy configuration – FortiOS 6

IPv4 DoS policy

To configure an IPv4 DoS policy in the GUI

  1. Go to Policy & Objects > IPv4 DoS Policy

The right side window will display a table of the existing IPv4 DoS Policies.

  • To edit an existing policy, double click on the policy you wish to edit
  • To create a new policy, select the Create New icon in the top left side of the right window.
  1. Set the Incoming Interface parameter by using the drop down menu to select a single interface.
  2. Set the Source Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen, in which case it is the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  3. Set the Destination Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen, in which case it is the only option.
  4. Set the Services parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the ALL option is chosen, in which case it is the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  5. Set the parameters for the various traffic anomalies.

The anomalies for which profiles exist are listed in two tables, L3 Anomalies and L4 Anomalies. Every anomaly has the following parameters, which can be set per anomaly or for a whole column at once.

  • Status – enable or disable the indicated profile
  • Logging – enable or disable logging of the indicated profile being triggered
  • Action – whether to Pass or Block traffic when the threshold is reached
  • Threshold – the number of anomalous packets detected before triggering the action.

The listing of anomaly profiles includes:

L3 Anomalies

  • ip_src_session
  • ip_dst_session

L4 Anomalies

  • tcp_syn_flood
  • tcp_port_scan
  • tcp_src_session
  • tcp_dst_session
  • udp_flood
  • udp_scan
  • udp_src_session
  • udp_dst_session
  • icmp_flood
  • icmp_sweep
  • icmp_src_session
  • icmp_dst_session
  • sctp_flood
  • sctp_scan
  • sctp_src_session
  • sctp_dst_session
  6. Toggle whether or not to Enable this policy. The default is enabled.
  7. Select the OK button to save the policy.

Example

The company wishes to protect against Denial of Service attacks. For some attack types they want to block the attacks if the incidence goes above a certain threshold; for other types they are only trying to get a baseline of activity, so they let that traffic pass through without action.

  • The interface to the Internet is on WAN1
  • There is no requirement to specify which addresses are being protected or protected from.
  • The protection is to extend to all services.
  • The TCP attacks are to be blocked
  • The UDP, ICMP, and IP attacks are to be recorded but not blocked.
  • The SCTP attack filters are disabled
  • The tcp_syn_flood attack’s threshold is to be changed from the default to 1000

Configuring the DoS policy in the GUI

  1. Go to Policy & Objects > Policy > DoS.
  2. Create a new policy
  3. Fill out the fields with the following information:
  Field                  Value
  Incoming Interface     wan1
  Source Address         all
  Destination Addresses  all
  Service                ALL

L3 Anomalies

  Name             Status    Logging   Action   Threshold
  ip_src_session   enabled   enabled   Pass     5000
  ip_dst_session   enabled   enabled   Pass     5000

L4 Anomalies

  Name               Status        Logging       Action   Threshold
  tcp_syn_flood      enabled       enabled       Block    1000
  tcp_port_scan      enabled       enabled       Block    <default value>
  tcp_src_session    enabled       enabled       Block    <default value>
  tcp_dst_session    enabled       enabled       Block    <default value>
  udp_flood          enabled       enabled       Pass     <default value>
  udp_scan           enabled       enabled       Pass     <default value>
  udp_src_session    enabled       enabled       Pass     <default value>
  udp_dst_session    enabled       enabled       Pass     <default value>
  icmp_flood         enabled       enabled       Pass     <default value>
  icmp_sweep         enabled       enabled       Pass     <default value>
  icmp_src_session   enabled       enabled       Pass     <default value>
  icmp_dst_session   enabled       enabled       Pass     <default value>
  sctp_flood         not enabled   not enabled   Pass     <default value>
  sctp_scan          not enabled   not enabled   Pass     <default value>
  sctp_src_session   not enabled   not enabled   Pass     <default value>
  sctp_dst_session   not enabled   not enabled   Pass     <default value>

  4. Toggle the button next to Enable this policy to ON.
  5. Select OK.

Configuring the IPv4 DoS policy in the CLI

Using the CLI of your choice, enter the following commands:

config firewall DoS-policy
    edit 0
        set status enable
        set interface wan1
        set srcaddr all
        set dstaddr all
        set service ALL
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log disable
                set action block
                set threshold 1000
            next
            edit "tcp_port_scan"
                set status enable
                set log disable
                set action block
                set threshold 1000
            next
            edit "tcp_src_session"
                set status enable
                set log disable
                set action block
                set threshold 5000
            next
            edit "tcp_dst_session"
                set status enable
                set log disable
                set action block
                set threshold 5000
            next
            edit "udp_flood"
                set status enable
                set log disable
                set action pass
                set threshold 2000
            next
            edit "udp_scan"
                set status enable
                set log disable
                set action pass
                set quarantine none
                set threshold 2000
            next
            edit "udp_src_session"
                set status enable
                set log disable
                set action pass
                set threshold 5000
            next
            edit "udp_dst_session"
                set status enable
                set log disable
                set action pass
                set threshold 5000
            next
            edit "icmp_flood"
                set status enable
                set log disable
                set action pass
                set threshold 250
            next
            edit "icmp_sweep"
                set status enable
                set log disable
                set action pass
                set threshold 100
            next
            edit "icmp_src_session"
                set status enable
                set log disable
                set action pass
                set threshold 300
            next
            edit "icmp_dst_session"
                set status enable
                set log disable
                set action pass
                set threshold 1000
            next
            edit "ip_src_session"
                set status disable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "ip_dst_session"
                set status disable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "sctp_flood"
                set status disable
                set log disable
                set action pass
                set threshold 2000
            next
            edit "sctp_scan"
                set status disable
                set log disable
                set action pass
                set threshold 1000
            next
            edit "sctp_src_session"
                set status disable
                set log disable
                set action pass
                set threshold 5000
            next
            edit "sctp_dst_session"
                set status disable
                set log disable
                set action pass
                set threshold 5000
            next
        end
    next
end

In this CLI example all of the relevant settings have been left in, but some of them are defaults and would not need to be set explicitly for the policy to work. For instance, if the action parameter is not set, it defaults to pass.
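Because omitted settings fall back to defaults, a saved DoS policy can silently differ from what the GUI table above was meant to express. The following is an added example, not code from the FortiOS guide: it parses the "config anomaly" entries of a DoS-policy listing in the CLI layout shown above and reports any entry that contradicts the requirements of this example (TCP blocked, UDP/ICMP/IP logged and passed, SCTP disabled, tcp_syn_flood at 1000). The "action pass" default is stated on this page; status and log defaulting to disable, and the sample listing, are assumptions constructed for the example.

```python
import re
# Intended (status, log, action) per anomaly family, from the worked example above.
INTENT = {"tcp": ("enable", "enable", "block"), "sctp": ("disable", "disable", "pass"),
          **{fam: ("enable", "enable", "pass") for fam in ("udp", "icmp", "ip")}}
# Defaults for omitted settings: 'action pass' per this page; status/log=disable is an assumption.
ASSUMED_DEFAULTS = {"status": "disable", "log": "disable", "action": "pass"}

def parse_anomalies(cli_text: str) -> dict:
    """Map each 'config anomaly' entry of a DoS-policy listing to its settings."""
    entries, current = {}, None
    for raw in cli_text.splitlines():
        line = raw.strip()
        m = re.match(r'edit\s+"?([a-z_]+)"?$', line)
        if m and current is None:      # numeric 'edit 1' (the policy id) never matches
            current = m.group(1)
            entries[current] = dict(ASSUMED_DEFAULTS)
        elif line == "next":
            current = None
        elif current is not None and line.startswith("set "):
            _, key, value = line.split(maxsplit=2)
            entries[current][key] = value
    return entries

def check_intent(entries: dict) -> list:
    """Return one message per anomaly whose settings contradict the example's intent."""
    problems = []
    for name, e in entries.items():
        want = INTENT.get(name.split("_")[0], ("?", "?", "?"))
        got = (e["status"], e["log"], e["action"])
        if got != want:
            problems.append(f"{name}: got {got}, want {want}")
        if name == "tcp_syn_flood" and e.get("threshold") != "1000":
            problems.append(f"{name}: threshold {e.get('threshold')}, want 1000")
    return problems

# Constructed sample in the page's CLI layout (not captured from a real unit);
# udp_flood is deliberately set to block so the check has something to report.
SAMPLE = """config anomaly
    edit "tcp_syn_flood"
        set status enable
        set log enable
        set action block
        set threshold 1000
    next
    edit "udp_flood"
        set action block
    next
    edit "sctp_flood"
        set threshold 2000
    next
end"""
```

Running check_intent(parse_anomalies(SAMPLE)) flags only udp_flood; sctp_flood passes because its omitted settings resolve to the assumed defaults, which is exactly the silent-default behaviour described above.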
