Fortinet 5.0 Patch 6 Rate limiting

Fortinet 338 FortiWeb 5.0 Patch 6 Administration Guide

Rate limiting

In addition to controlling which URLs a client can access, you can control how often. This can

be especially important to preventing scouting and brute force password attacks.

If you need to restrict access as well as rate limiting, you can do both at the same time. See

“Combination access control & rate limiting” on page 325.

You can protect your web assets from a wide variety of denial of service (DoS) attacks.

DoS features are organized by which open system interconnections (OSI) model layer they use

primarily to apply the rate limit:

• Application layer (HTTP or HTTPS)

• Network and transport layer (TCP/IP)

Appropriate DoS rate limits vary by the web application you are protecting. For details, see

“Reducing false positives” on page 624.

The DoS Protection > Application submenu enables you to configure DoS protection at the

network application layer.

For some DoS protection features, the FortiWeb appliance uses session management to track

requests.

1. When a FortiWeb appliance receives the first request from any client, it adds a session

cookie to the response from the web server in order to track the session. The client will

include the cookie in subsequent requests.

2. If a client sends another request before the session timeout, FortiWeb examines the session

cookie in the request.

• If the cookie does not exist or its value has changed, the FortiWeb appliance drops the

request.

• If the same cookie exists, the request is treated as part of the same session. FortiWeb

increments its count of connections and/or requests from the client. If the rate exceeds

the limit, FortiWeb drops the extra connection or request.

If a client is not really interested in actually receiving a response and/or attempting to

authenticate or connecting, but is simply attempting to consume resources in order to deprive

legitimate clients, consider more than simple HTTP-layer rate limiting. See also “DoS

prevention” on page 338.

Some DoS protection features are not supported in all modes of operation. For details, see

“Supported features in each operation mode” on page 62.