Fortinet 5.0 Patch 6 Preventing an HTTP request flood

Fortinet 347 FortiWeb 5.0 Patch 6 Administration Guide

4. Click OK.

5. Group the rule in a DoS protection policy (see “Grouping DoS protection rules” on page 355)

that is used by a protection profile.

6. Enable the Session Management option in the protection profile.

Attack log messages contain DoS Attack: Malicious IPs Violation when this

feature detects a TCP flood with the same HTTP session cookie. See also “Log rate limits”

on page 544.

Example: TCP connection per session limit

If you set 10 as the connection limit, here are two scenarios:

• A client opens 5 TCP connections. Each connection has a different source port. Because

each connection has a valid session cookie, and does not exceed the connection limit, the

FortiWeb appliance allows them.

• A client opens 11 TCP connections. The FortiWeb appliance blocks the last connection

because it exceeds the limit of 10.

See also

•Limiting TCP connections per IP address

Preventing an HTTP request flood

You can limit the number of HTTP requests per second, per session, per URL. This effectively

prevents HTTP request floods that utilize a single URL.

Because this feature uses session cookies at the application layer instead of only TCP/IP

connections at the network layer, this feature can differentiate multiple clients that may be

behind the same source IP address, such as when the source IP address hides a subnet that

uses network address translation (NAT). However, the client must support cookies.

This feature is similar to DoS Protection > Application > HTTP Access Limit. However, rather

than preventing many requests to any URL by the same client, it prevents many requests to the

same URL by the same client.

Severity When rule violations are recorded in the attack log, each log

message contains a Severity Level (severity_level) field.

Select which severity level the FortiWeb appliance will use when it

logs a violation of the rule:

•Low

•Medium

•High

The default value is High.

Trigger Action Select which trigger, if any, that the FortiWeb appliance will use

when it logs and/or sends an alert email about a violation of the

rule. See “Configuring triggers” on page 557.

Setting name Description