Andy_G
Staff
Article Id 192120
Description
The following example shows how to enable Denial of Service (DoS) sensors in FortiGate FortiOS 4.0. It configures the TCP Destination Session anomaly, called tcp_dst_session, in a DoS sensor.
 
A DoS sensor can be enabled as an independent option in the Intrusion Protection menu. 
 
 

Solution
1.  Go to UTM > Intrusion Protection > DoS Sensor and select Create New or edit an existing sensor. Selecting the check-box under Status enables all anomalies contained within the sensor, along with their configured thresholds and actions.  NOTE: Once selected, the DoS sensor is enabled independently of a protection profile.
 
[Screenshot: FortiOS 4.0 IPS DoS menu]
 
 
 
2.  Edit a Default group or select Add New. Edit All_Default > DoS Sensor TCP dst session.
 
[Screenshot: DoS sensor configuration]
 
Once an Anomaly is selected, a threshold can be set if a value different than the Default shown is desired. The threshold setting determines how many sessions/packets displaying the anomalous behavior are required to trigger the anomaly action.

An Action is also selected; for this example, it is set to Block. Lowering the threshold is useful when a server is well known to support only a limited number of connections. Decreasing the default threshold tells FortiOS that only 100 sessions will be allowed at one time.
 
Another practical DoS Anomaly that can be used is ICMP Source or Destination (icmp_src_session and icmp_dst_session). This would protect assets from being overwhelmed with PING tests.
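
The threshold behaviour described above can be explored with a simplified model. This is an added example, not FortiOS code or output: the SessionAnomaly class, the "pass" action name, the per-IP counting rule and the sample traffic are assumptions constructed for illustration.

```python
from collections import defaultdict

class SessionAnomaly:
    """Toy model of a concurrent-session anomaly such as tcp_dst_session."""
    def __init__(self, name, threshold, action="block", track="dst"):
        self.name = name
        self.threshold = threshold      # max concurrent sessions per tracked IP
        self.action = action            # "block" drops the excess, "pass" only records it
        self.track = track              # "dst" for *_dst_session, "src" for *_src_session
        self.active = defaultdict(set)  # tracked IP -> ids of currently open sessions
        self.hits = []                  # (tracked IP, session id) opened at/over threshold

    def open(self, sid, src, dst):
        """Return True if the new session is allowed, False if it is blocked."""
        key = dst if self.track == "dst" else src
        if len(self.active[key]) >= self.threshold:
            self.hits.append((key, sid))
            if self.action == "block":
                return False
        self.active[key].add(sid)
        return True

    def close(self, sid, src, dst):
        key = dst if self.track == "dst" else src
        self.active[key].discard(sid)

def replay(sensor, events):
    """Feed (op, sid, src, dst) events to the sensor; return (allowed, blocked) opens."""
    allowed = blocked = 0
    for op, sid, src, dst in events:
        if op == "close":
            sensor.close(sid, src, dst)
        elif sensor.open(sid, src, dst):
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked

# Constructed traffic: 150 opens to one server, 10 closes, 20 more opens, 5 to another host.
SERVER, OTHER = "192.0.2.10", "192.0.2.20"
EVENTS = [("open", i, f"198.51.100.{i}", SERVER) for i in range(150)]
EVENTS += [("close", i, f"198.51.100.{i}", SERVER) for i in range(10)]
EVENTS += [("open", 200 + i, f"203.0.113.{i}", SERVER) for i in range(20)]
EVENTS += [("open", 300 + i, f"203.0.113.{i}", OTHER) for i in range(5)]

if __name__ == "__main__":
    for action in ("block", "pass"):
        sensor = SessionAnomaly("tcp_dst_session", threshold=100, action=action)
        print(action, replay(sensor, EVENTS), "threshold hits:", len(sensor.hits))
```

In the model, sessions that end free capacity under the threshold, and the second destination is unaffected because the count is kept per tracked IP.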