IPS anomaly thresholds

‎11-09-2007

Article

Description

IPS anomaly thresholds.

Components

All FortiGate units.

Steps or Commands

Some Anomaly attacks have a threshold associated with it. The administrator can fine-tune anomaly settings by giving different thresholds for different connections based on source subnet, destination subnet and service (destination port) of the connection. Multiple entries can be configured to one anomaly. For any new connection, the threshold of the best-match entry is applied.

To configure the anomaly threshold, use the following CLI command as an example:

config ips anomaly syn_flood
   config limit
     edit 1
        set dst_ip 10.1.1.0/24
        set service 80
        set threshold 500
     end
end

The table below includes the anomalies and their units for each threshold.

syn_flood	SYN packets rate (pps) of new TCP connections, including retransmission, to one destination IP
portscan	SYN packets rate (pps) of new TCP connections, including retransmission, from one source IP
tcp_dst_session	# of Concurrent TCP connections to one destination IP
tcp_src_session	# of Concurrent TCP connections from one source IP
udp_flood	UDP packets rate (pps) to one destination IP
udp_scan	UDP session creation rate (pps) from one source IP
udp_dst_session	# of Concurrent UDP connections to one destination IP
udp_src_session	# of Concurrent UDP connections from one source IP
icmp_flood	ICMP packets rate (pps) to one destination IP
icmp_sweep	ICMP session creation rate (pps) from one source IP
icmp_dst_session	# of Concurrent ICMP connections to one destination IP
icmp_src_session	# of Concurrent ICMP connections from one source IP