DoS sensors

The FortiGate IPS uses a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. For example, one type of flooding is the denial of service (DoS) attack that occurs when an attacking system starts an abnormally high number of sessions with a target system. The high number of sessions slows down or disables the target system so legitimate users can no longer use it. This type of attack gives the DoS sensor its name, although it is capable of detecting and protecting against a number of anomaly attacks.

You can enable or disable logging for each traffic anomaly, and configure the detection threshold and action to take when the detection threshold is exceeded.

You can create multiple DoS sensors. Each sensor consists of 12 anomaly types that you can configure. The sensors examine network traffic in sequence, from top to bottom. When a sensor detects an anomaly, it applies the configured action. Multiple sensors allow fine granularity in detecting anomalies, because each sensor can be configured to examine traffic from a specific address, to a specific address, on a specific port, in any combination.

When arranging the DoS sensors, place the most specific sensors at the top and the most general at the bottom. For example, a sensor with one protected address table entry that includes all source addresses, all destination addresses, and all ports will match all traffic. If this sensor is at the top of the list, no subsequent sensors will ever execute.
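As an added illustration (not code from the guide or from Fortinet), the following Python model captures the ordering rule above: the first sensor whose protected address table matches the traffic handles it, so a catch-all entry at the top shadows every sensor below it. It assumes each table entry is a source CIDR, destination CIDR and inclusive port range; the sensor names and addresses are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class ProtectedEntry:
    src: str                # source CIDR, "0.0.0.0/0" for all sources
    dst: str                # destination CIDR
    ports: Tuple[int, int]  # inclusive port range, (1, 65535) for all ports

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.ports[0] <= port <= self.ports[1])

    def covers(self, other: "ProtectedEntry") -> bool:
        """True when every packet that matches `other` also matches self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.ports[0] <= other.ports[0] <= other.ports[1] <= self.ports[1])

@dataclass(frozen=True)
class DoSSensor:
    name: str
    entries: Tuple[ProtectedEntry, ...]

def select_sensor(sensors: List[DoSSensor], src_ip: str, dst_ip: str, port: int) -> Optional[str]:
    """Name of the first sensor, top to bottom, whose table matches the traffic (constructed model)."""
    for sensor in sensors:
        if any(e.matches(src_ip, dst_ip, port) for e in sensor.entries):
            return sensor.name
    return None

def shadowed_sensors(sensors: List[DoSSensor]) -> List[str]:
    """Sensors that can never execute because every entry is covered by an entry above them."""
    above: List[ProtectedEntry] = []
    shadowed = []
    for sensor in sensors:
        if all(any(a.covers(e) for a in above) for e in sensor.entries):
            shadowed.append(sensor.name)
        above.extend(sensor.entries)
    return shadowed

# Constructed sample: a catch-all sensor placed first shadows the specific one.
ALL = ProtectedEntry("0.0.0.0/0", "0.0.0.0/0", (1, 65535))
WEB = ProtectedEntry("0.0.0.0/0", "192.0.2.10/32", (80, 80))
CATCH_ALL = DoSSensor("catch_all", (ALL,))
WEB_SERVER = DoSSensor("web_server", (WEB, ProtectedEntry("0.0.0.0/0", "192.0.2.10/32", (443, 443))))
BAD_ORDER = [CATCH_ALL, WEB_SERVER]   # specific sensor never runs
GOOD_ORDER = [WEB_SERVER, CATCH_ALL]  # most specific first, as the guide advises
```

Running shadowed_sensors over a sensor list before deploying it flags any sensor that the ordering makes unreachable.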

The traffic anomaly detection list can be updated only when the FortiGate firmware image is upgraded.

Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings must be configured separately in each VDOM. All sensors and custom signatures will appear only in the VDOM in which they were created.

This section describes:

Viewing the DoS sensor list

Configuring DoS sensors

Understanding the anomalies

FortiGate IPS User Guide Version 3.0 MR7

 

01-30007-0080-20080916
