47-IPv4 DoS Policy

Uploaded by Ismail Kurnaz

IPv4 DoS Policy:

o A DoS attack attempts to make network devices unreachable by disrupting services.
o It attempts to disrupt network services by overloading the network with unwanted traffic.
o FortiOS DoS protection features protect your firewall from all types of flooding attacks.
o They keep your network resources and devices from being exhausted or overwhelmed in the event of network floods, host sweeps, port scans and packet-based attacks.
o Create DoS protection profiles and policies to protect critical individual inside devices, small groups of devices, or internet-facing devices such as web and database servers.
o The DoS protection profiles can be used to mitigate several types of DoS attacks.
o A DoS policy examines network traffic arriving at an interface for anomalous patterns.
o It is important to know the normal and expected network traffic before changing the default anomaly thresholds.
o Setting the thresholds too low could cause false positives.
o Setting the thresholds too high could allow otherwise avoidable attacks through.

To configure an IPv4 DoS policy, go to Policy & Objects > IPv4 DoS Policy.

Page 1 | Created by Ahmad Ali, E-Mail: [email protected], Mobile: 056 430 3717


Incoming Interface:
o The interface to which this security policy applies, i.e. the interface on which the traffic comes into the firewall.
Source Address:
o The address that traffic is coming from; it must be an address listed in the Address section.
o It can include the predefined "all" address, which covers any address coming in on any interface.
o Multiple addresses or address groups can be chosen.
Destination Address:
o The address that the traffic is addressed to.
o In this case it must be an address that is associated with the FortiGate unit firewall itself.
o Just like the Source Address, this address must already be configured before being used.
o Multiple addresses, virtual IPs or virtual IP groups can be chosen.
Service:
o While the Service field allows the use of the ALL service, some admins prefer to optimize firewall resources and only check specific services.
o Multiple services or service groups can be chosen.

Anomalies: Predefined sensors set up for specific patterns of anomalous traffic. Anomalies cannot be configured by the user.
Status: Enable or disable the indicated profile.
Logging: Regardless of whether the traffic is blocked or passed through, the anomalous traffic will be logged.
Action: Whether to Pass or Block traffic when the threshold is reached.
Threshold: The number of anomalous packets detected before triggering the action.

Toggle whether or not to Enable this policy. The default is enabled.



Anomaly Name: Description (Threshold)
tcp_syn_flood: If the SYN packet rate of new TCP connections, including retransmissions, to one destination IP address exceeds the configured threshold value, the action is executed. (2000 packets per second)
tcp_port_scan: If the SYN packet rate of new TCP connections, including retransmissions, from one source IP address exceeds the configured threshold value, the action is executed. (1000 packets per second)
tcp_src_session: If the number of concurrent TCP connections from one source IP address exceeds the configured threshold value, the action is executed. (5000 concurrent sessions)
tcp_dst_session: If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed. (5000 concurrent sessions)
udp_flood: If the UDP traffic to one destination IP address exceeds the configured threshold value, the action is executed. (2000 packets per second)
udp_scan: If the number of UDP sessions originating from one source IP address exceeds the configured threshold value, the action is executed. (2000 packets per second)
udp_src_session: If the number of concurrent UDP connections from one source IP address exceeds the configured threshold value, the action is executed. (5000 concurrent sessions)
udp_dst_session: If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value, the action is executed. (5000 concurrent sessions)
icmp_flood: If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. (250 packets per second)
icmp_sweep: If the number of ICMP packets originating from one source IP address exceeds the configured threshold value, the action is executed. (100 packets per second)
icmp_src_session: If the number of concurrent ICMP connections from one source IP address exceeds the configured threshold value, the action is executed. (300 concurrent sessions)
icmp_dst_session: If the number of concurrent ICMP connections to one destination IP address exceeds the configured threshold value, the action is executed. (3000 concurrent sessions)
ip_src_session: If the number of concurrent IP connections from one source IP address exceeds the configured threshold value, the action is executed. (5000 concurrent sessions)
ip_dst_session: If the number of concurrent IP connections to one destination IP address exceeds the configured threshold value, the action is executed. (5000 concurrent sessions)



sctp_flood: If the number of SCTP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. (2000 packets per second)
sctp_scan: If the number of SCTP sessions originating from one source IP address exceeds the configured threshold value, the action is executed. (1000 packets per second)
sctp_src_session: If the number of concurrent SCTP connections from one source IP address exceeds the configured threshold value, the action is executed. (5000 concurrent sessions)
sctp_dst_session: If the number of concurrent SCTP connections to one destination IP address exceeds the configured threshold value, the action is executed. (5000 concurrent sessions)

To configure an IPv4 DoS policy, go to Policy & Objects > IPv4 DoS Policy. Select the Create
New icon at the top left of the right-hand pane. Set the Incoming Interface parameter by using
the drop-down menu to select a single interface. Set the Source Address parameter by selecting
the "+" next to the field label. Set the Destination Address parameter by selecting the "+" next
to the field label. Set the Services parameter by selecting the "+" next to the field label.
Set the parameters for the various traffic anomalies.



Toggle whether or not to Enable this policy. The default is enabled. Select the OK button to save
the policy.
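The same policy expressed in the FortiOS CLI, as an added example that is not part of the original document. The interface name "port2" (the inside LAN interface) and the comment text are assumptions; the thresholds are the defaults listed in the anomaly table above, and icmp_sweep is left on pass with logging so the real baseline can be measured before it is switched to block.

```text
# Added example: FortiOS CLI equivalent of the GUI steps above (not from the original document).
# Assumed values: interface "port2" (inside LAN interface) and the comment text.
config firewall DoS-policy
    edit 1
        set comments "DoS policy for the inside LAN interface"
        set status enable
        set interface "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            # SYN rate to one destination IP: default threshold 2000 pps, block when exceeded
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            # SYN rate from one source IP (port scan): default threshold 1000 pps
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            # ICMP packets from one source IP (sweep): default threshold 100 pps.
            # Kept on "pass" with logging until the normal traffic rate is known,
            # because a threshold that is too low causes false positives.
            edit "icmp_sweep"
                set status enable
                set log enable
                set action pass
                set threshold 100
            next
        end
    next
end
```

After committing, `show firewall DoS-policy 1` displays the saved policy with the anomaly settings above; anomalies not listed keep their default threshold and action.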

Verification & Testing:


First, configure the default gateway of Kali Linux to point to the FortiGate firewall's inside LAN interface:
route add default gw 192.168.140.100 eth0
Launch the attack from the Kali Linux inside PC against the outside Windows XP PC. Open a terminal and type:
root@kali:~# nmap -O 192.168.122.60



Go to Log & Report > Anomaly to view the attack logs and details; in this case, TCP session and TCP
SYN flooding attacks.

Launch the attack from the Kali Linux inside PC against the outside Windows XP PC. Open a terminal and type:
root@kali:~# nmap -sP 192.168.122.0/24

Go to Log & Report > Anomaly to view the attack logs and details; in this case, TCP port scan, TCP
session, ICMP sweep and ICMP session attacks.

root@kali:~# hping3 -c 15000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.122.60

Go to Log & Report > Anomaly to view the attack logs and details; in this case, TCP flooding.
