Fortinet 351 FortiWeb 5.0 Patch 6 Administration Guide
4. Click OK.
5. Group the rule in a DoS protection policy (see “Grouping DoS protection rules” on
page 355).
6. Select the DoS protection policy in a protection profile (see “Configuring a protection profile
for inline topologies” on page 468).
7. Enable the Session Management option in the protection profile.
Attack log messages contain DoS Attack: HTTP Flood Prevention Violation
when this feature detects an HTTP flood.
Example: HTTP request flood prevention
Assuming you set 10 as the limit, here are three scenarios:
•A client opens a single TCP connection with 8 HTTP GET requests. As long as they all have the session cookie set by the FortiWeb appliance, it allows the requests.
•A client opens a single TCP connection with 8 HTTP GET requests. One request does not have the session cookie. The FortiWeb appliance drops the TCP connection (dropping all sessions).
•Two clients open 2 TCP connections. Each has 6 HTTP requests with the same session cookie. The FortiWeb appliance blocks the last two requests because there are 12, which exceeds the limit of 10.
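
The three scenarios above as a small Python model, added here as an illustration; it is not FortiWeb code. The function names, verdict labels and sample cookie values are assumptions, as is treating all requests as arriving within one counting period.

```python
from collections import Counter

LIMIT = 10  # the limit used in the example above


def evaluate(requests, limit=LIMIT):
    """Model of the example: requests is a list of (conn_id, cookie) tuples
    in arrival order; cookie is None when the session cookie is missing.
    Assumption: all requests fall within one counting period."""
    per_session = Counter()  # requests seen per session cookie
    dropped = set()          # TCP connections already dropped
    verdicts = []
    for conn_id, cookie in requests:
        if conn_id in dropped:
            verdicts.append("connection-closed")  # sent on a dropped connection
        elif cookie is None:
            dropped.add(conn_id)                  # missing cookie: drop the connection
            verdicts.append("drop-connection")
        else:
            per_session[cookie] += 1              # counted per cookie, across connections
            verdicts.append("allow" if per_session[cookie] <= limit else "block")
    return verdicts


# Constructed sample traffic for the three scenarios (cookie values are made up).
def scenario_1():
    return evaluate([("c1", "sess-A")] * 8)


def scenario_2():
    reqs = [("c1", "sess-A")] * 8
    reqs[4] = ("c1", None)  # the fifth request lacks the session cookie
    return evaluate(reqs)


def scenario_3():
    # Two connections, six requests each, same session cookie, interleaved.
    reqs = [(conn, "sess-A") for _ in range(6) for conn in ("c1", "c2")]
    return evaluate(reqs)


if __name__ == "__main__":
    for name, fn in (("1", scenario_1), ("2", scenario_2), ("3", scenario_3)):
        print("scenario", name, dict(Counter(fn())))
```

The third scenario shows why a client cannot evade the limit by spreading requests over several connections: the count follows the session cookie, not the TCP connection.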
Configuring network-layer DoS protection
The DoS Protection > Network submenu enables you to configure DoS protection at the
network layer.

Limiting TCP connections per IP address

You can limit the number of fully-formed TCP connections per source IP address. This
effectively prevents TCP flood-style denial-of-service (DoS) attacks.
TCP flood attacks exploit the fact that servers must consume memory to maintain the state of
each open connection until it times out or the client or server closes it. An open connection
consumes some memory even if the client is not currently sending any HTTP requests.
Normally, a legitimate client will form a single TCP connection, through which they may make
several HTTP requests. As a result, each client consumes a negligible amount of memory to
track the state of the TCP connection. However, an attacker will open many connections with

Setting name    Description

Severity
When rule violations are recorded in the attack log, each log message contains a Severity Level (severity_level) field. Select which severity level the FortiWeb appliance will use when it logs a violation of the rule:
•Low
•Medium
•High
The default value is High.

Trigger Action
Select which trigger, if any, the FortiWeb appliance will use when it logs and/or sends an alert email about a violation of the rule. See “Configuring triggers” on page 557.