Intrusion protection CLI configuration
Intrusion Protection
FortiGate Version 4.0 Administration Guide
472
01-400-89802-20090424
Understanding the anomalies
For each of the TCP, UDP, and ICMP protocols, DoS sensors offer four statistical anomaly
types. The result is twelve configurable anomalies.
Intrusion protection CLI configuration
This section describes the CLI commands that extend features available through the web-
based manager. For complete descriptions and examples of how to enable additional
features through CLI commands, see the
.
ips global fail-open
If for any reason the IPS should cease to function, it will fail open by default. This means
crucial network traffic will not be blocked, and the FortiGate unit will continue to operate
while the problem is being resolved.
Source
The IP address of the traffic source. 0.0.0.0/0 matches all addresses.
Add
After entering the required destination address, destination port, and
source address, select Add to add protected address to the Protected
Addresses list. The DoS sensor will be invoked only on traffic matching all
three of the entered values. If no addresses appear in the list, the sensor
will not be applied to any traffic.
Table 46: The twelve individually configurable anomalies
Anomaly
Description
tcp_syn_flood
If the SYN packet rate, including retransmission, to one destination IP
address exceeds the configured threshold value, the action is executed.
The threshold is expressed in packets per second.
tcp_port_scan
If the SYN packets rate, including retransmission, from one source IP
address exceeds the configured threshold value, the action is executed.
The threshold is expressed in packets per second.
tcp_src_session
If the number of concurrent TCP connections from one source IP address
exceeds the configured threshold value, the action is executed.
tcp_dst_session
If the number of concurrent TCP connections to one destination IP
address exceeds the configured threshold value, the action is executed.
udp_flood
If the UDP traffic to one destination IP address exceeds the configured
threshold value, the action is executed. The threshold is expressed in
packets per second.
udp_scan
If the number of UDP sessions originating from one source IP address
exceeds the configured threshold value, the action is executed. The
threshold is expressed in packets per second.
udp_src_session
If the number of concurrent UDP connections from one source IP address
exceeds the configured threshold value, the action is executed.
udp_dst_session
If the number of concurrent UDP connections to one destination IP
address exceeds the configured threshold value, the action is executed.
icmp_flood
If the number of ICMP packets sent to one destination IP address
exceeds the configured threshold value, the action is executed. The
threshold is expressed in packets per second.
icmp_sweep
If the number of ICMP packets originating from one source IP address
exceeds the configured threshold value, the action is executed. The
threshold is expressed in packets per second.
icmp_src_session
If the number of concurrent ICMP connections from one source IP
address exceeds the configured threshold value, the action is executed.
icmp_dst_session
If the number of concurrent ICMP connections to one destination IP
address exceeds the configured threshold value, the action is executed.
Содержание Gate 60D
Страница 678: ...Reports Log Report FortiGate Version 4 0 Administration Guide 678 01 400 89802 20090424 http docs fortinet com Feedback...
Страница 704: ...Index FortiGate Version 4 0 Administration Guide 704 01 400 89802 20090424 http docs fortinet com Feedback...
Страница 705: ...www fortinet com...
Страница 706: ...www fortinet com...