Fortinet 338 FortiWeb 5.0 Patch 6 Administration Guide
Rate limiting
In addition to controlling which URLs a client can access, you can control how often. This can
be especially important for preventing scouting and brute-force password attacks.
If you need to restrict access as well as rate limiting, you can do both at the same time. See
“Combination access control & rate limiting” on page 325.

DoS prevention

You can protect your web assets from a wide variety of denial of service (DoS) attacks.
DoS features are organized by the open systems interconnection (OSI) model layer at which
they primarily apply the rate limit:
• Application layer (HTTP or HTTPS)
• Network and transport layer (TCP/IP)
Appropriate DoS rate limits vary by the web application you are protecting. For details, see
“Reducing false positives” on page 624.

Configuring application-layer DoS protection

The DoS Protection > Application submenu enables you to configure DoS protection at the
network application layer.
For some DoS protection features, the FortiWeb appliance uses session management to track
requests.
1. When a FortiWeb appliance receives the first request from any client, it adds a session
cookie to the response from the web server in order to track the session. The client will
include the cookie in subsequent requests.
2. If a client sends another request before the session timeout, FortiWeb examines the session
cookie in the request.
• If the cookie is missing or its value has changed, the FortiWeb appliance drops the
request.
• If the same cookie is present, the request is treated as part of the same session.
FortiWeb increments its count of connections and/or requests from the client. If the rate
exceeds the limit, FortiWeb drops the extra connection or request.
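The following is an added example that models the two steps above in Python; it is not FortiWeb code, and the cookie name, the per-client tracking by source IP, and the simplification that the limit is a request count per session window are assumptions made here.

```python
import secrets

# Constructed model of session-cookie request tracking (not FortiWeb's code).
# COOKIE_NAME and the per-IP session table are assumptions for illustration.
COOKIE_NAME = "fw_session"

class SessionRateLimiter:
    def __init__(self, limit, timeout):
        self.limit = limit        # max requests allowed per session window (assumed)
        self.timeout = timeout    # seconds of inactivity before the session expires
        self.sessions = {}        # client_ip -> {"cookie", "count", "last"}

    def handle(self, client_ip, cookies, now):
        """Return (verdict, set_cookie): verdict is "allow" or "drop"."""
        sess = self.sessions.get(client_ip)
        if sess is None or now - sess["last"] > self.timeout:
            # Step 1: first request (or first after timeout): issue a session cookie.
            value = secrets.token_hex(8)
            self.sessions[client_ip] = {"cookie": value, "count": 1, "last": now}
            return "allow", value
        # Step 2: subsequent request before timeout: validate the cookie.
        if cookies.get(COOKIE_NAME) != sess["cookie"]:
            return "drop", None     # cookie missing or its value changed
        sess["count"] += 1
        sess["last"] = now
        if sess["count"] > self.limit:
            return "drop", None     # rate limit exceeded: extra request is dropped
        return "allow", None

def simulate():
    """Replay constructed traffic: a cookie-honouring client, then one that ignores it."""
    rl = SessionRateLimiter(limit=3, timeout=60)
    verdicts = []
    verdict, cookie = rl.handle("10.0.0.5", {}, now=0.0)
    verdicts.append(verdict)
    for t in (1.0, 2.0, 3.0, 4.0):   # 4th and 5th requests exceed the limit of 3
        verdicts.append(rl.handle("10.0.0.5", {COOKIE_NAME: cookie}, now=t)[0])
    rl.handle("10.0.0.9", {}, now=0.0)   # first request: cookie issued
    verdicts.append(rl.handle("10.0.0.9", {}, now=1.0)[0])   # cookie never returned
    return verdicts

if __name__ == "__main__":
    print(simulate())
```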
If a client is not actually interested in receiving a response, authenticating, or completing
a connection, but is simply trying to consume resources in order to deprive legitimate
clients, consider more than HTTP-layer rate limiting alone. See also “DoS prevention” on
page 338.
Some DoS protection features are not supported in all modes of operation. For details, see
“Supported features in each operation mode” on page 62.