RE: can I ban an IP that triggers a DoS sensor?
Finally! Thanks for nothing, Fortinet.
You can set block attacker in the command line. I don't know if this was available prior to 5.0.4 or not; I don't remember seeing anything in 4.x and I looked all over.
Anyway, in 5.0.4 you can set quarantine like this:
config firewall DoS-policy
    edit (integer - number of policy)
        config anomaly
            edit icmp_flood (or whatever anomaly you want to set)
                set quarantine attacker (attacker, both, interface, or none)
(once you set quarantine you can set quarantine-log enable so you can see banned users in the GUI, and you can set quarantine-expiry; default is 5 minutes)
                set quarantine-log enable
                set quarantine-expiry 60
            next
        end
    next
end