Fortinet 347 FortiWeb 5.0 Patch 6 Administration Guide
4. Click OK.
5. Group the rule in a DoS protection policy (see “Grouping DoS protection rules” on page 355)
that is used by a protection profile.
6. Enable the Session Management option in the protection profile.
Attack log messages contain DoS Attack: Malicious IPs Violation when this
feature detects a TCP flood with the same HTTP session cookie. See also “Log rate limits”
on page 544.
Example: TCP connection per session limit
If you set 10 as the connection limit, here are two scenarios:
A client opens 5 TCP connections. Each connection has a different source port. Because
each connection has a valid session cookie, and does not exceed the connection limit, the
FortiWeb appliance allows them.
A client opens 11 TCP connections. The FortiWeb appliance blocks the last connection
because it exceeds the limit of 10.
See also
Limiting TCP connections per IP address
Preventing an HTTP request flood
You can limit the number of HTTP requests per second, per session, per URL. This effectively
prevents HTTP request floods that utilize a single URL.
Because this feature uses session cookies at the application layer instead of only TCP/IP
connections at the network layer, this feature can differentiate multiple clients that may be
behind the same source IP address, such as when the source IP address hides a subnet that
uses network address translation (NAT). However, the client must support cookies.
This feature is similar to DoS Protection > Application > HTTP Access Limit. However, rather
than preventing many requests to any URL by the same client, it prevents many requests to the
same URL by the same client.
Severity When rule violations are recorded in the attack log, each log
message contains a Severity Level (severity_level) field.
Select which severity level the FortiWeb appliance will use when it
logs a violation of the rule:
•Low
•Medium
•High
The default value is High.
Trigger Action Select which trigger, if any, that the FortiWeb appliance will use
when it logs and/or sends an alert email about a violation of the
rule. See “Configuring triggers” on page 557.
Setting name Description