Home

FortiGate DoS Policy Configuration: A Comprehensive Guide to Thwarting Network Attacks

.

In today's threat landscape, Denial of Service (DoS) and Distributed Denial of Service (DDoS) attacks remain persistent dangers that can cripple business operations. FortiGate firewalls incorporate sophisticated DoS protection mechanisms that examine network traffic arriving at interfaces for anomalous patterns indicative of an attack. Unlike standard security policies that inspect traffic content, DoS policies operate at the threshold level, evaluating traffic volume and connection behaviors to identify and block attack traffic before it consumes system resources or reaches protected servers.

What distinguishes FortiGate's approach is its processing sequence efficiency—DoS policies are evaluated before security policies, preventing attacks from triggering more resource-intensive security protections that could slow down the firewall itself. This architectural decision ensures that during an attack, the FortiGate can maintain performance while dropping malicious traffic at the earliest possible point in the data path.

The Technical Foundation: How FortiGate Detects DoS Attacks

FortiGate's DoS protection relies on predefined anomaly sensors that cannot be modified or newly created by administrators. These sensors monitor specific traffic patterns and trigger actions when configured thresholds are exceeded. The system categorizes anomalies across multiple protocols including TCP, UDP, ICMP, and SCTP, with each anomaly type measuring either packets per second (rate-based) or concurrent sessions (count-based) .

When traffic exceeds a threshold, the FortiGate can take one of three actions:

  • Block: Drop the anomalous traffic completely
  • Monitor: Allow the traffic but generate log entries
  • Disable: Ignore the anomaly entirely

For rate-based anomalies, administrators can choose between two blocking behaviors through the anomaly-mode setting:

  • Continuous mode (default): Blocks all packets once the threshold is exceeded while the rate remains above the threshold
  • Periodical mode: Allows the configured number of packets per second even after detection, providing measured throughput during an attack

Comprehensive Anomaly Reference Table

Anomaly Type Description Recommended Threshold Attack Vector
tcp_syn_flood SYN packet rate of new TCP connections to one destination IP 2000 packets/sec Half-open connection exhaustion
tcp_port_scan SYN packet rate of new TCP connections from one source IP 1000 packets/sec Reconnaissance activity
tcp_src_session Concurrent TCP connections from one source IP 5000 sessions Source-based resource exhaustion
tcp_dst_session Concurrent TCP connections to one destination IP 5000 sessions Target-based resource exhaustion
udp_flood UDP traffic volume to one destination IP 2000 packets/sec Bandwidth saturation
udp_scan UDP session setup rate from one source IP 2000 sessions/sec Service discovery
udp_src_session Concurrent UDP connections from one source IP 5000 sessions Source-based UDP exhaustion
udp_dst_session Concurrent UDP connections to one destination IP 5000 sessions Target-based UDP exhaustion
icmp_flood ICMP packet volume to one destination IP 250 packets/sec Ping flood attacks
icmp_sweep ICMP session setup rate from one source IP 100 sessions/sec Network mapping
icmp_src_session Concurrent ICMP connections from one source IP 300 sessions Source-based ICMP abuse
icmp_dst_session Concurrent ICMP connections to one destination IP 1000 sessions Target-based ICMP abuse
ip_src_session Concurrent IP connections from one source IP 5000 sessions Generic source-based attacks
ip_dst_session Concurrent IP connections to one destination IP 5000 sessions Generic target-based attacks
sctp_flood SCTP packet volume to one destination IP 2000 packets/sec SCTP-specific flooding
sctp_scan SCTP session rate from one source IP 1000 packets/sec SCTP service discovery
sctp_src_session Concurrent SCTP connections from one source IP 5000 sessions Source-based SCTP attacks
sctp_dst_session Concurrent SCTP connections to one destination IP 5000 sessions Target-based SCTP attacks

Practical Implementation: Configuring DoS Policies

Prerequisites and Access

Before configuring DoS policies, ensure the feature is enabled in the FortiGate interface. Navigate to System > Feature Visibility and verify that DoS Policy is checked under Policy. The feature is available for both IPv4 and IPv6 traffic through separate menu options.

Step-by-Step GUI Configuration

  1. Navigate to DoS Policy section

    • Go to Policy & Objects > IPv4 DoS Policy (or IPv6 equivalent)
    • Click Create New to begin configuration

  2. Define basic policy parameters

    • Name: Assign a descriptive identifier (e.g., "WAN_Ingress_Protection")
    • Incoming Interface: Select the interface receiving traffic to inspect (typically WAN interfaces)
    • Source Address: Specify source IP ranges; can use "all" for comprehensive coverage or GEO address objects for geographic filtering
    • Destination Address: Must be an address associated with the firewall interface (interface address, secondary IP, or VIP address)
    • Service: Select services to monitor; "ALL" provides complete coverage but consider restricting to exposed services for optimal resource usage

  3. Configure anomaly thresholds and actions For each desired anomaly (L3 and L4 categories):

    • Enable logging: Toggle to record events when thresholds are exceeded
    • Select action: Choose Block, Monitor, or Disable
    • Set threshold: Define the packets per second or concurrent session count that triggers action
    • Repeat for all relevant anomalies based on your threat profile

  4. Finalize and enable

    • Add optional comments for documentation
    • Ensure the policy is enabled
    • Click OK to activate

CLI Configuration Example

For administrators preferring command-line configuration or requiring automation, the CLI provides granular control:

config firewall DoS-policy     edit 1         set name "Comprehensive_DOS_Protection"         set interface "wan1"         set srcaddr "all"         set dstaddr "all"         set service "ALL"         config anomaly             edit "tcp_syn_flood"                 set status enable                 set log enable                 set action block                 set threshold 2000                 set quarantine attacker                 set quarantine-expiry 1d                 set quarantine-log enable             next             edit "udp_flood"                 set status enable                 set log enable                 set action block                 set threshold 2000             next             edit "icmp_flood"                 set status enable                 set log enable                 set action block                 set threshold 250             next             # Additional anomalies as needed         end     next end

Advanced Configuration Strategies

Geographic Traffic Filtering

A powerful enhancement to DoS protection involves combining geographic address objects with DoS policies. This approach allows organizations to apply stricter thresholds or blocking to traffic originating from specific countries or regions.

To implement geographic filtering:

  1. Create a GEO address object under Policy & Objects > Addresses
  2. Select Type: Geography and choose the target country or region
  3. In your DoS policy, set this GEO object as the Source Address
  4. Configure anomalies with appropriate thresholds for that geographic source

This technique proves particularly valuable when organizations have no business relationships with certain regions, allowing them to preemptively protect against attacks originating from those areas.

Quarantine Capabilities

FortiGate DoS policies include quarantine functionality that extends beyond simply dropping attack traffic. When quarantine is enabled for an anomaly, the source IP address of the attacker is added to the system's banned user list, blocking all future traffic from that IP address across any policies utilizing Antivirus, DLP, or IPS features.

Quarantine configuration options include:

  • quarantine {none | attacker}: Choose whether to quarantine offending sources
  • quarantine-expiry: Set duration from 1 minute to 364 days 23 hours 59 minutes (default 5 minutes)
  • quarantine-log: Enable logging of quarantine events

View the current banned IP list using the diagnostic command:

diagnose user banned-ip list

Hardware Acceleration for SYN Flood Protection

FortiGate models equipped with NP7 and NP6XLite processors include specialized hardware modules for TCP SYN flood protection. These modules implement SYN cookie mechanisms at the hardware level, activating protection only after thresholds are exceeded and responding to connection attempts without involving the main CPU. This offloading significantly improves performance during large-scale SYN flood attacks and requires DoS-offloading to be enabled in the configuration.

Out-of-Band Deployment for Testing

Organizations concerned about the impact of DoS policies on legitimate traffic can initially deploy protection in monitor mode (also called sniffer mode or one-arm mode). In this configuration:

  • The FortiGate connects to a spanning or mirrored switch port
  • Traffic is analyzed but not blocked
  • Anomaly logs provide visibility into attack patterns
  • Thresholds can be fine-tuned based on real traffic data
  • After validation, policies can be switched to block mode

This approach proves invaluable for establishing baseline traffic patterns and avoiding false positives in production environments.

Troubleshooting and Monitoring

Log Analysis

Effective DoS protection requires continuous monitoring and adjustment. The primary troubleshooting tools are Anomaly logs and IPS anomaly debug messages. Access anomaly logs through:

  • Log & Report > Anomaly for detailed event viewing
  • Dashboard > Security > Top Threats for high-level attack visualization

Threshold Tuning Best Practices

Setting appropriate thresholds requires understanding your normal traffic patterns:

  1. Establish baseline: Monitor traffic during normal operations for 1-2 weeks
  2. Identify peaks: Document maximum legitimate traffic rates
  3. Set thresholds above peaks: Configure thresholds 20-30% above maximum observed legitimate traffic
  4. Start with monitor mode: Validate thresholds before enabling blocking
  5. Review and adjust: Periodically reassess as traffic patterns evolve

Administrators should remember that thresholds are not "set and forget"—they require ongoing adjustment as network usage patterns change and new applications are deployed.

Testing Your Configuration

Practical validation ensures DoS policies function as intended. Using tools like pentmenu or hping3 from a testing system (such as Kali Linux), administrators can generate controlled attack traffic to verify:

  • Thresholds trigger at expected levels
  • Block actions function correctly
  • Logging captures relevant details
  • Quarantine mechanisms activate and expire properly

A simple ICMP flood test example:

ping -c 2000 -i 0.01 [Target_IP]

With a properly configured icmp_flood threshold of 10 packets/second, the first 10 packets will be permitted, the 11th will trigger the threshold, and subsequent packets will be blocked according to the configured action.

Frequently Asked Questions

What is the difference between DoS policies and regular security policies?

DoS policies are evaluated before security policies in the FortiGate processing flow. They examine traffic patterns and volume rather than content, blocking attack traffic before it can trigger more resource-intensive security inspections like antivirus, IPS, or application control. This early evaluation preserves firewall performance during attacks.

Can I create custom anomalies not listed in the predefined set?

No, FortiGate does not allow users to create new anomaly types. The system includes predefined sensors for specific attack patterns across TCP, UDP, ICMP, and SCTP protocols. Administrators can only enable, disable, and set thresholds for these existing anomalies.

How do I determine the right threshold values for my network?

Threshold determination requires traffic baseline analysis. Monitor normal traffic patterns over 1-2 weeks, identify peak legitimate traffic rates, and set thresholds approximately 20-30% above those peaks. Start with monitor mode to validate settings before enabling blocking, and periodically review as network usage evolves.

What happens when a threshold is exceeded in continuous versus periodical mode?

In continuous mode (default), once the threshold is exceeded, all subsequent matching packets are blocked while the rate remains above the threshold. In periodical mode, the system continues to allow the configured threshold number of packets per second even after detection, providing measured throughput during an attack.

Can I apply DoS policies to specific countries or geographic regions?

Yes, by creating GEO address objects and using them as source addresses in DoS policies. This allows applying stricter thresholds or blocking to traffic from specific countries, which is particularly useful when organizations have no legitimate business with those regions.

How does quarantine differ from simply blocking traffic?

Blocking drops only the specific traffic matching the anomaly. Quarantine adds the source IP address to the system-wide banned user list, blocking all future traffic from that IP across any policies using Antivirus, DLP, or IPS features for the configured quarantine duration.

Do DoS policies affect firewall performance?

DoS policies are designed to minimize performance impact by detecting and dropping attack traffic early in the processing flow. Hardware acceleration for SYN floods further reduces CPU load. However, excessively low thresholds or logging every event could impact performance; proper tuning is essential.

What protocols are covered by FortiGate DoS protection?

The system provides anomalies for TCP, UDP, ICMP, and SCTP protocols, including flood detection, scanning detection, and session count monitoring for each protocol's source and destination perspectives.

How do I verify that my DoS policy is working?

Monitor anomaly logs under Log & Report > Anomaly and check Dashboard > Security > Top Threats. You can also perform controlled attack simulations from test systems to validate threshold triggering and blocking actions.

Can I apply DoS policies to SD-WAN interfaces?

Yes, as of FortiOS version 7.6.1, administrators can specify an SD-WAN zone as an interface in DoS policies, extending protection to software-defined WAN deployments.

What is the recommended approach for deploying DoS protection initially?

Start with monitor mode (sniffer mode) connected to a mirrored switch port to establish baselines and understand attack patterns without impacting production traffic. After fine-tuning thresholds based on real data, switch to in-line blocking mode.

How do I remove an IP address from quarantine?

Quarantine entries automatically expire after the configured duration. For manual removal, use the diagnostic command to view the banned list and clear specific entries, though this should be done cautiously to avoid readmitting active attackers.

Conclusion: Building a Resilient Defense

FortiGate DoS policy configuration represents a critical component of comprehensive network security strategy. By understanding the available anomaly types, implementing appropriate thresholds, and combining geographic filtering with quarantine capabilities, organizations can build robust defenses against increasingly sophisticated denial-of-service attacks.

The key to success lies in continuous refinement—starting with conservative thresholds in monitor mode, analyzing real traffic patterns, and gradually tuning policies to balance protection with legitimate business traffic. With hardware acceleration handling large-scale SYN floods and flexible deployment options supporting both in-line and out-of-band modes, FortiGate provides the tools necessary to maintain service availability even under sustained attack.

As attack methodologies evolve, so too must defensive strategies. Regular policy reviews, staying current with FortiOS updates, and maintaining awareness of emerging threat patterns ensure that DoS protection remains effective against tomorrow's challenges as effectively as it addresses today's.