Yuri Slobodyanyuk Blog on Information Security, 2024-09-12
Fortigate DoS/DDoS sensor/policy rules configuration and verification

The article describes how to create a DoS protection policy on a FortiGate, including enabling/modifying anomalies, setting thresholds and specifying source/destination IPs; it also covers verifying that the protection works and the related operations.

🎯 On a FortiGate, protection is done by creating a DoS policy in which anomalies can be enabled or modified. The anomaly list is pre-populated when the policy is created, and the user chooses which anomalies to enable or disable. By default every anomaly is set to pass violating traffic and is disabled, so for a given anomaly you need to set its status to enable and its action to block.

💻 You can specify the source/destination IPs, the services and the incoming interface the DoS policy applies to. Each anomaly has a configurable threshold; traffic above that threshold is blocked. To block a sending IP completely, use the quarantine setting under the specific anomaly.

🔍 The DoS policy is configured and verified. Protection is tested by sending packets at different rates; once the rate exceeds the threshold, the FortiGate starts blocking the excess ICMP packets. The article also adds a second policy with quarantine enabled and tests it.

🚫 Finally, it covers releasing blocked senders. The FortiGate does not show the source IP of a blocked host, only the target IP. The blocked-attacker list can be cleared, but a sender placed in quarantine stays blocked until the quarantine period expires, even after the list is cleared.

Facts to know:

Configuring DoS policy.

I enable just the icmp_flood anomaly here and change its threshold to 10 packets per second sent to the destination 12.12.12.3:

config firewall DoS-policy
    edit 1
        set interface "port1"
        set srcaddr "all"
        set dstaddr "12.12.12.3"
        set service "ALL_ICMP"
        config anomaly
            edit "tcp_syn_flood"
                set threshold 2000
            next
            edit "tcp_port_scan"
                set threshold 1000
            next
            edit "tcp_src_session"
                set threshold 5000
            next
            edit "tcp_dst_session"
                set threshold 5000
            next
            edit "udp_flood"
                set threshold 2000
            next
            edit "udp_scan"
                set threshold 2000
            next
            edit "udp_src_session"
                set threshold 5000
            next
            edit "udp_dst_session"
                set threshold 5000
            next
            edit "icmp_flood"
                set status enable
                set action block
                set threshold 10
            next
            edit "icmp_sweep"
                set threshold 100
            next
            edit "icmp_src_session"
                set threshold 300
            next
            edit "icmp_dst_session"
                set threshold 1000
            next
            edit "ip_src_session"
                set threshold 5000
            next
            edit "ip_dst_session"
                set threshold 5000
            next
            edit "sctp_flood"
                set threshold 2000
            next
            edit "sctp_scan"
                set threshold 1000
            next
            edit "sctp_src_session"
                set threshold 5000
            next
            edit "sctp_dst_session"
                set threshold 5000
            next
        end
    next
end

Verification

Sending 5 packets per second, traffic is NOT blocked:

root@ubuntu:~# ping -i 0.2   12.12.12.3
PING 12.12.12.3 (12.12.12.3) 56(84) bytes of data.
64 bytes from 12.12.12.3: icmp_seq=1 ttl=255 time=3.03 ms
64 bytes from 12.12.12.3: icmp_seq=2 ttl=255 time=1.96 ms
64 bytes from 12.12.12.3: icmp_seq=3 ttl=255 time=0.469 ms
64 bytes from 12.12.12.3: icmp_seq=4 ttl=255 time=0.318 ms
64 bytes from 12.12.12.3: icmp_seq=5 ttl=255 time=0.405 ms
64 bytes from 12.12.12.3: icmp_seq=6 ttl=255 time=0.497 ms

Sending roughly 10 packets per second, the Fortigate starts to block the excessive ICMP packets:

root@ubuntu:~# ping -i 0.1   12.12.12.3
PING 12.12.12.3 (12.12.12.3) 56(84) bytes of data.
64 bytes from 12.12.12.3: icmp_seq=1 ttl=255 time=1.33 ms
64 bytes from 12.12.12.3: icmp_seq=2 ttl=255 time=0.712 ms
...
--- 12.12.12.3 ping statistics ---
143 packets transmitted, 115 received, 19% packet loss, time 14526ms

To see the active attacks/blocked anomalies (blocking starts once freq reaches 10 or higher):

diagnose ips anomaly list

FG3-AS1680 # diagnose ips anomaly list
list nids meter:
id=icmp_flood         ip=12.12.12.3 dos_id=1 exp=993 pps=1 freq=14
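As an added example (not code from the original post or from Fortinet), here is a small parser for these meter lines that applies the rule just stated: a meter is blocking once its freq reaches the policy threshold. The key=value format is the one shown above; the sample lines are constructed in that format (only the first copies the meter above, the others use made-up addresses and counters), and the "ip" field is the target address, since the Fortigate does not list the source of the blocked sender here.

```python
"""Parse "diagnose ips anomaly list" meters and flag those past threshold.

Added example, not from the original post or from Fortinet. Meter lines are
space-separated key=value pairs as the Fortigate prints them; the rule
"blocking starts once freq reaches the threshold" is the post's statement.
"""
import re
from typing import Dict, List

# Constructed sample: first line copied from the post, the rest made up in
# the same format (a second policy's meter and one meter below threshold).
SAMPLE_OUTPUT = """\
FG3-AS1680 # diagnose ips anomaly list
list nids meter:
id=icmp_flood         ip=12.12.12.3 dos_id=1 exp=993 pps=1 freq=14
id=icmp_flood         ip=13.13.13.6 dos_id=2 exp=998 pps=38 freq=83
id=icmp_flood         ip=12.12.12.9 dos_id=1 exp=990 pps=1 freq=4
"""

# Output after "diagnose ips anomaly clear", in the format the post shows.
EMPTY_OUTPUT = """\
FG3-AS1680 # diagnose ips anomaly list
list nids meter:
total # of nids meters: 0.
"""

PAIR_RE = re.compile(r"(\w+)=(\S+)")
INT_FIELDS = ("dos_id", "exp", "pps", "freq")


def parse_anomaly_list(text: str) -> List[Dict]:
    """One dict per meter line; counters become ints, the rest stays text.

    "ip" is the target address of the anomaly, not the sender: the CLI does
    not print the blocked source here."""
    meters = []
    for line in text.splitlines():
        line = line.strip()
        # The prompt line also contains "anomaly list", so key on the
        # "id=" prefix of a meter line rather than on the word "list".
        if not line.startswith("id="):
            continue
        meter = dict(PAIR_RE.findall(line))
        for key in INT_FIELDS:
            if key in meter:
                meter[key] = int(meter[key])
        meters.append(meter)
    return meters


def over_threshold(meters: List[Dict], thresholds: Dict[int, int]) -> List[Dict]:
    """Meters whose freq has reached the threshold of their DoS policy.

    thresholds maps dos_id -> packets-per-second threshold from the policy
    (10 for the post's policy 1); a meter for an unknown dos_id is never
    reported as blocking rather than guessed at."""
    return [m for m in meters
            if m["dos_id"] in thresholds and m["freq"] >= thresholds[m["dos_id"]]]


def summarize(text: str, thresholds: Dict[int, int]) -> Dict:
    """Count meters and list (anomaly, target ip, freq) for those blocking."""
    meters = parse_anomaly_list(text)
    blocking = over_threshold(meters, thresholds)
    return {"meters": len(meters),
            "blocking": [(m["id"], m["ip"], m["freq"]) for m in blocking]}


if __name__ == "__main__":
    print(summarize(SAMPLE_OUTPUT, {1: 10, 2: 10}))
    print(summarize(EMPTY_OUTPUT, {1: 10, 2: 10}))
```

Feed it the output of `diagnose ips anomaly list` captured over SSH and the thresholds taken from the DoS policies, and it tells you which meters have actually crossed into blocking rather than just being tracked; the empty listing after a clear parses to no meters.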

Next, I add a second policy with destination address all, but this time with quarantine enabled.

config firewall DoS-policy
    edit 2
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "icmp_flood"
                set status enable
                set log enable
                set quarantine attacker
                set quarantine-expiry 2m    <-- to set it to 2 minutes I entered: 000d00h02m
                set quarantine-log disable
                set threshold 10
            next
        end
    next
end
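The point made at the top of the post, that every anomaly is pre-created but disabled and set to pass by default, is easy to get wrong when a policy has eighteen anomaly entries. The following is an added example (not the post's own code and not a Fortinet tool) that parses the text form of `config firewall DoS-policy` shown above and reports which anomalies are merely counted versus actually enforced. It assumes the defaults the post describes (status disable, action pass) for any line that is absent, and it treats `quarantine attacker` as enforcement because the post's second policy, which quarantines, blocks the sender. The embedded sample is a trimmed copy of the two policies above with the expiry written in the 000d00h02m form.

```python
"""Audit FortiGate DoS-policy text: which anomalies actually enforce?
Added example (not the post's or Fortinet's code). Lines that are absent get
the defaults the post describes: status disable, action pass."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: a trimmed copy of the two policies shown in the post.
SAMPLE_CONFIG = """\
config firewall DoS-policy
    edit 1
        set interface "port1"
        set srcaddr "all"
        set dstaddr "12.12.12.3"
        set service "ALL_ICMP"
        config anomaly
            edit "tcp_syn_flood"
                set threshold 2000
            next
            edit "icmp_flood"
                set status enable
                set action block
                set threshold 10
            next
        end
    next
    edit 2
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "icmp_flood"
                set status enable
                set quarantine attacker
                set quarantine-expiry 000d00h02m
                set threshold 10
            next
        end
    next
end
"""

@dataclass
class Anomaly:
    name: str
    status: str = "disable"            # FortiOS default: not evaluated
    action: str = "pass"               # FortiOS default: violating traffic passes
    threshold: Optional[int] = None
    quarantine: str = "none"
    quarantine_expiry: Optional[str] = None

    def enforces(self) -> bool:
        """Enabled and either blocking or quarantining the sender."""
        return self.status == "enable" and (
            self.action == "block" or self.quarantine == "attacker")

@dataclass
class DosPolicy:
    policy_id: str
    settings: Dict[str, str] = field(default_factory=dict)
    anomalies: Dict[str, Anomaly] = field(default_factory=dict)

SET_RE = re.compile(r"^set (\S+) (.+)$")

def parse_dos_policies(text: str) -> List[DosPolicy]:
    """Walk the edit/next/config/end nesting of the FortiOS text form."""
    policies, policy, anomaly, in_table = [], None, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            name = line[5:].strip().strip('"')
            if in_table:
                anomaly = Anomaly(name)
                policy.anomalies[name] = anomaly
            else:
                policy = DosPolicy(name)
                policies.append(policy)
        elif line == "config anomaly":
            in_table = True
        elif line == "end":
            in_table = False        # closes the anomaly table (or the outer config)
        elif line == "next":
            anomaly = None          # the policy stays current until the next edit
        elif (m := SET_RE.match(line)):
            key, value = m.group(1), m.group(2).strip().strip('"')
            if anomaly is None:
                policy.settings[key] = value
            elif key == "threshold":
                anomaly.threshold = int(value)
            elif key in ("status", "action", "quarantine", "quarantine-expiry"):
                setattr(anomaly, key.replace("-", "_"), value)
    return policies

def count_only_anomalies(policies: List[DosPolicy]) -> List[tuple]:
    """Anomalies left at the default status/action: counted, never blocked."""
    return [(p.policy_id, a.name) for p in policies
            for a in p.anomalies.values() if not a.enforces()]

def quarantining_anomalies(policies: List[DosPolicy]) -> List[tuple]:
    """Anomalies that quarantine the sender, with the configured expiry."""
    return [(p.policy_id, a.name, a.quarantine_expiry) for p in policies
            for a in p.anomalies.values() if a.quarantine == "attacker"]
```

Run `parse_dos_policies` over the output of `show firewall DoS-policy` and `count_only_anomalies` lists every entry that will show up in `diagnose ips anomaly list` as a meter but never drop a packet; that is the list to review before assuming a threshold is protecting anything.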

Exceeding the threshold:

root@ubuntu:~# ping -c 2000 -i 0.01  13.13.13.6
PING 13.13.13.6 (13.13.13.6) 56(84) bytes of data.
64 bytes from 13.13.13.6: icmp_seq=1 ttl=254 time=0.741 ms
64 bytes from 13.13.13.6: icmp_seq=2 ttl=254 time=1.82 ms
64 bytes from 13.13.13.6: icmp_seq=3 ttl=254 time=1.89 ms
--- 13.13.13.6 ping statistics ---
2000 packets transmitted, 11 received, 99% packet loss, time 24308ms

As you can see, the first 10 packets were allowed and the 11th packet triggered the block shown below:

FG3-AS1680 # diagnose ips anomaly list
id=icmp_flood         ip=13.13.13.6 dos_id=2 exp=998 pps=38 freq=83

Also, because I set the quarantine period to 2 minutes, even after stopping the attack traffic the sending server is blocked from sending ANY packets to the target 13.13.13.6 for the next 2 minutes:

root@ubuntu:~# ping 13.13.13.6
PING 13.13.13.6 (13.13.13.6) 56(84) bytes of data.
--- 13.13.13.6 ping statistics ---
11 packets transmitted, 0 received, 100% packet loss, time 10029ms

Releasing the blocked senders

The Fortigate does not show us the source IPs of the blocked hosts, just the target IP. Still, we can clear the blocked-attackers list and let the blocked senders pass through again. If they send the excessive traffic again, they will be blocked again, i.e. the clear action takes effect immediately but is not a permanent exemption. Also, for senders blocked with the quarantine, clearing the list still keeps them blocked until the quarantine expires.

FG3-AS1680 # diagnose ips anomaly list
list nids meter:
id=icmp_flood         ip=12.12.12.3 dos_id=1 exp=999 pps=2 freq=20

Clear the list:

diagnose ips anomaly clear

FG3-AS1680 # diagnose ips anomaly clear
FG3-AS1680 # diagnose ips anomaly list
list nids meter:
total # of nids meters: 0.

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.
