Fortinet 344 FortiWeb 5.0 Patch 6 Administration Guide
5. Click OK.
6. Group the rule in a DoS protection policy (see “Grouping DoS protection rules” on page 355)
that is used by a protection profile.
7. Enable the Session Management option in the protection profile.
Attack log messages contain DoS Attack: HTTP Access Limit Violation when this
feature detects a multi-URL HTTP flood. See also “Log rate limits” on page 544.
Example: HTTP request rate limit per IP
If you set 10 per second for both the shared and standalone limit, the following two scenarios apply. In both, requests are counted per source IP address, regardless of how many TCP connections the client spreads them across:
A client opens 5 TCP connections, each with a different source port, and sends 3 HTTP GET
requests on each connection. The FortiWeb appliance blocks the extra connections because
there are 15 HTTP requests overall from that IP, which exceeds the limit.
A client opens a single TCP connection and sends 12 HTTP GET requests, and the Period Block
action is set. Once the count exceeds 10, the FortiWeb appliance blocks all traffic from the
client for the specified block period, even if its request rate drops during that period.
Limiting TCP connections per IP address by session cookie
You can limit the number of TCP connections per HTTP session. This can prevent TCP
connection floods from clients that share a source IP address with innocent clients.
Excessive numbers of TCP connections per session can occur if a web application or client is
malfunctioning, or if an attacker is attempting to waste socket resources to produce a DoS.
This feature is similar to DoS Protection > Network > TCP Flood Prevention. However, this
feature counts TCP connections per session cookie, while TCP Flood Prevention counts only
TCP connections per IP address. Because it uses session cookies at the application layer
instead of only TCP/IP connections at the network layer, this feature can differentiate multiple
clients that may be behind the same source IP address, such as when the source IP address
hides a subnet that uses network address translation (NAT). However, in order to work, the client
must support cookies. A client that does not return the session cookie is not tracked by this
rule; such a client is still subject to per-IP counting by TCP Flood Prevention, if that is enabled.
If the count exceeds the limit, the FortiWeb appliance executes the Action.
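The following simplified model, added here as an illustration and not Fortinet's own code, replays the two scenarios from "HTTP request rate limit per IP" above and the NAT case from this section. It assumes a fixed one-second counting window and a Period Block action; the FortiWeb appliance's actual counting algorithm and timing are not described on this page. The class, function names, IP addresses, ports and cookie values are all constructed for the example. The same counter is keyed once by source IP and once by session cookie, which is exactly the difference between TCP Flood Prevention and this rule.

```python
"""Simplified model of per-IP and per-session-cookie limits with a Period Block.

Added example, not FortiWeb code. Fixed-window counting and the helper names
are assumptions; the appliance's real algorithm is not specified on this page.
"""


def key_by_src_ip(event):
    """Counting key used by TCP Flood Prevention / HTTP request limit per IP."""
    return event["src_ip"]


def key_by_cookie(event):
    """Counting key used by 'TCP connections per session cookie'."""
    return event["cookie"]


class PeriodBlockLimiter:
    """Fixed-window counter that applies a Period Block once the limit is exceeded.

    limit        -- maximum events per window per key (e.g. 10 requests per second)
    window       -- window length in seconds
    block_period -- how long a key stays blocked after exceeding the limit
    key_fn       -- extracts the counting key (source IP, or session cookie)
    """

    def __init__(self, limit, window=1.0, block_period=60.0, key_fn=key_by_src_ip):
        self.limit = limit
        self.window = window
        self.block_period = block_period
        self.key_fn = key_fn
        self.windows = {}        # key -> (window_start, count)
        self.blocked_until = {}  # key -> time at which the block expires

    def check(self, event, now):
        """Return 'allow', 'period_block' (limit just exceeded) or 'blocked'."""
        key = self.key_fn(event)
        # An active Period Block drops everything from the key, whatever its rate.
        if key in self.blocked_until:
            if now < self.blocked_until[key]:
                return "blocked"
            del self.blocked_until[key]
        start, count = self.windows.get(key, (now, 0))
        if now - start >= self.window:  # window rolled over: start counting afresh
            start, count = now, 0
        count += 1
        self.windows[key] = (start, count)
        if count > self.limit:
            self.blocked_until[key] = now + self.block_period
            return "period_block"
        return "allow"


def run(limiter, events):
    """Feed (timestamp, event) pairs; return (allowed, blocked) counts."""
    allowed = blocked = 0
    for now, ev in events:
        if limiter.check(ev, now) == "allow":
            allowed += 1
        else:
            blocked += 1
    return allowed, blocked


def scenario_multi_connection():
    """5 TCP connections (distinct source ports), 3 GETs each, all within one second.

    The source port is irrelevant to the counter: all 15 requests share one IP key.
    """
    limiter = PeriodBlockLimiter(limit=10)
    events, t = [], 0.0
    for port in range(40000, 40005):  # constructed ports
        for _ in range(3):
            events.append((t, {"src_ip": "203.0.113.5", "src_port": port}))
            t += 0.05
    return run(limiter, events)  # (10, 5)


def scenario_single_connection():
    """One TCP connection, 12 GETs, then one more request 30 s later.

    The 13th request is far below 10/s but still dropped: the block period is active.
    """
    limiter = PeriodBlockLimiter(limit=10, block_period=60.0)
    events = [(i * 0.05, {"src_ip": "203.0.113.5", "src_port": 40000}) for i in range(12)]
    events.append((30.0, {"src_ip": "203.0.113.5", "src_port": 40000}))
    return run(limiter, events)  # (10, 3)


def scenario_nat_clients():
    """Two clients behind one NAT address: a noisy one (5 opens) and an innocent one (2).

    Keyed by cookie only the noisy session is limited; keyed by IP the innocent
    client's connections are blocked as collateral damage.
    """
    opens, t = [], 0.0
    for cookie, n in (("sessA", 5), ("sessB", 2)):  # constructed session cookies
        for _ in range(n):
            opens.append((t, {"src_ip": "198.51.100.9", "cookie": cookie}))
            t += 0.01
    by_cookie = run(PeriodBlockLimiter(limit=3, key_fn=key_by_cookie), opens)
    by_ip = run(PeriodBlockLimiter(limit=3, key_fn=key_by_src_ip), opens)
    return {"by_cookie": by_cookie, "by_ip": by_ip}  # {(5, 2), (3, 4)}


if __name__ == "__main__":
    print("multi-connection (allowed, blocked):", scenario_multi_connection())
    print("single-connection (allowed, blocked):", scenario_single_connection())
    print("NAT clients:", scenario_nat_clients())
```

Note that in the NAT case the cookie-keyed limiter is only as good as the client's cookie handling: a client that discards its cookie starts a fresh key on every connection and is never counted by this rule, which is why the page requires cookie support and why the per-IP counter remains relevant.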
Setting name Description
Severity When rule violations are recorded in the attack log, each log
message contains a Severity Level (severity_level) field.
Select which severity level the FortiWeb appliance will use when it
logs a violation of the rule:
• Low
• Medium
• High
The default value is High.
Trigger Action Select which trigger, if any, the FortiWeb appliance will use
when it logs and/or sends an alert email about a violation of the
rule. See “Configuring triggers” on page 557.
This scan is bypassed if the client’s source IP is a known search engine and you have enabled
Allow Known Search Engines.