Support Forum
RH2
New Contributor II

Can I ban an IP that triggers a DoS sensor?

We have created DoS sensors to protect against DoS attacks, but I see the same IP address will trip the threshold several times. For example, the ICMP sweep sensor will block an IP, but then I see the same IP sweeping again and again. It gets blocked, but that does not keep it from happening again until it hits the threshold a second time. Is there any way to ban an IP that sets off a DoS sensor? Or at least temporarily ban it?
ede_pfau
Esteemed Contributor III

DoS policy without ban or quarantine doesn't make sense to me. The way a DoS sensor is configured doesn't allow for this, sadly. One way to do it is to create a DoS policy (a.k.a. interface policy) which controls all of the traffic across one interface. Then, insert an IPS sensor with a custom signature, and action 'quarantine'. You can choose either an interval of several minutes or 'forever'. The sensor should trigger when a certain traffic pattern exceeds a rate. From 4.3 on, there is a rate command for custom IPS signatures. You can find examples for this on the forums by searching for 'F-SBID', the lead-in for custom IPS signatures. Sounds a bit involved, but it combines a catch-all DoS policy with the quarantine action.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
RH2
New Contributor II

Thanks. I'll have to research the custom signature IPS.
RH2
New Contributor II

Finally! Thanks for nothing Fortinet. You can set block attacker in the command line. I don't know if this was available prior to 5.0.4 or not, I don't remember seeing anything in 4.x and I looked all over. Anyway, in 5.0.4 you can set quarantine like this:

    config firewall DoS-policy
        edit <policy id>
            config anomaly
                edit icmp_flood          (or whatever anomaly you want to set)
                    set quarantine attacker    (attacker, both, interface, or none)
                    set quarantine-log enable
                    set quarantine-expiry 60

Once you set quarantine you can set quarantine-log enable so you can see banned users in the GUI, and you can set quarantine-expiry (default is 5 minutes).
TopJimmy
New Contributor

    set quarantine-log enable
    set quarantine-expiry 60
These settings are available in my 620b running 4.3.15.
-TJ
Jose_Bavaresco
New Contributor

Hello RH,
In the DoS Policy section of the handbook is the explanation (page 513):

    config firewall {DoS-policy | DoS-policy6}
        edit <policyid>
            set quarantine {none | attacker}
            set quarantine-expiry {string}
            set quarantine-log {enable | disable}
    end
Cheers
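To put RH2's CLI snippet and the handbook excerpt above together, here is an added example of a complete DoS policy (not from any post in this thread or from Fortinet's documentation) showing a block-only anomaly next to one that also quarantines the source. The interface name, thresholds and expiry are assumed values chosen for illustration; the lines starting with `#` are annotations, not CLI commands.

```fortios
config firewall DoS-policy
    edit 1
        # Assumed: the policy is bound to the untrusted interface "wan1"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set status enable
        config anomaly
            # Weak setting: the sensor drops the sessions that crossed the
            # threshold, but the source is never banned, so the same IP can
            # come back and trip the sensor again (the behaviour RH2 observed).
            edit "icmp_sweep"
                set status enable
                set log enable
                set action block
                set threshold 100
                set quarantine none
            next
            # Corrected setting: once the threshold is crossed, the attacker's
            # IP is banned for 60 minutes and the ban itself is logged, so
            # repeat traffic is dropped without re-counting against the threshold.
            edit "icmp_flood"
                set status enable
                set log enable
                set action block
                set threshold 250
                set quarantine attacker
                set quarantine-expiry 60
                set quarantine-log enable
            next
        end
    next
end
```

Currently banned sources can be reviewed from the CLI with `diagnose user quarantine list`, which is the quickest way to confirm the quarantine actually fired after the next sweep.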
