Setting signature threshold values – Fortinet FortiGate 4000 User Manual, page 277


Network Intrusion Detection System (NIDS) – Preventing attacks

FortiGate-4000 Installation and Configuration Guide, page 277

Setting signature threshold values

You can change the default threshold values for the NIDS Prevention signatures listed in Table 48. The threshold depends on the type of attack. For flooding attacks, the threshold is the maximum number of packets received per second. For overflow attacks, the threshold is the buffer size for the command. For large ICMP attacks, the threshold is the ICMP packet size limit to pass through.

For example, setting the icmpflood signature threshold to 500 allows 500 echo
requests from a source address, to which the system sends echo replies. The
FortiGate unit drops any requests over the threshold of 500.

If you enter a threshold value of 0 or a number out of the allowable range, the
FortiGate unit uses the default value.

Table 48: NIDS Prevention signatures with threshold values

| Signature abbreviation | Threshold value units | Default threshold value | Minimum threshold value | Maximum threshold value |
|---|---|---|---|---|
| synflood | Threshold: Maximum number of SYN segments received per second. | 2048 | 1 | 1000000 |
| synflood | Queue Size: Maximum proxied connections. | 4096 | 100 | 1000000 |
| synflood | Timeout: Number of seconds for the SYN cookie to keep a proxied connection alive. | 15 | 1 | 3600 |
| portscan | Maximum number of SYN segments received per second | 512 | 1 | 1000000 |
| srcsession | Total number of TCP sessions initiated from the same source | 2048 | 1 | 1000000 |
| ftpovfl | Maximum buffer size for an FTP command (bytes) | 256 | 32 | 1408 |
| smtpovfl | Maximum buffer size for an SMTP command (bytes) | 512 | 32 | 1408 |
| pop3ovfl | Maximum buffer size for a POP3 command (bytes) | 512 | 32 | 1408 |
| udpflood | Maximum number of UDP packets received from the same source or sent to the same destination per second | 2048 | 1 | 1000000 |
| udpsrcsession | Total number of UDP sessions initiated from the same source | 2048 | 1 | 1000000 |
| icmpflood | Maximum number of ICMP packets received from the same source or sent to the same destination per second | 256 | 1 | 1000000 |
| icmpsrcsession | Total number of ICMP sessions initiated from the same source | 128 | 1 | 1000000 |
| icmpsweep | Maximum number of ICMP packets received from the same source per second | 128 | 1 | 1000000 |
| icmplarge | Maximum ICMP packet size (bytes) | 32000 | 64 | 64000 |
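The following Python script is an added illustration, not FortiGate code, of the two rules this page states: the threshold-selection rule (a value of 0 or one outside the allowable range falls back to the default) applied to the values in Table 48, and the icmpflood example (a threshold of 500 passes 500 echo requests from a source address and drops the rest). The per-second bucketing by source address, the packet list and the IP addresses are constructed for the example; the device's real counting behaviour is not specified on this page beyond "per second" and "from a source address".

```python
"""Model of the Table 48 thresholds and the FortiGate NIDS Prevention rules
described on this page.  Constructed example, not vendor code."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Threshold:
    units: str
    default: int
    minimum: int
    maximum: int


# (signature, field) -> Threshold; default/minimum/maximum copied from Table 48.
# synflood has three tunable fields; every other signature has a single threshold.
TABLE_48 = {
    ("synflood", "threshold"): Threshold("SYN segments/second", 2048, 1, 1000000),
    ("synflood", "queue_size"): Threshold("proxied connections", 4096, 100, 1000000),
    ("synflood", "timeout"): Threshold("seconds", 15, 1, 3600),
    ("portscan", "threshold"): Threshold("SYN segments/second", 512, 1, 1000000),
    ("srcsession", "threshold"): Threshold("TCP sessions from one source", 2048, 1, 1000000),
    ("ftpovfl", "threshold"): Threshold("bytes", 256, 32, 1408),
    ("smtpovfl", "threshold"): Threshold("bytes", 512, 32, 1408),
    ("pop3ovfl", "threshold"): Threshold("bytes", 512, 32, 1408),
    ("udpflood", "threshold"): Threshold("UDP packets/second", 2048, 1, 1000000),
    ("udpsrcsession", "threshold"): Threshold("UDP sessions from one source", 2048, 1, 1000000),
    ("icmpflood", "threshold"): Threshold("ICMP packets/second", 256, 1, 1000000),
    ("icmpsrcsession", "threshold"): Threshold("ICMP sessions from one source", 128, 1, 1000000),
    ("icmpsweep", "threshold"): Threshold("ICMP packets/second", 128, 1, 1000000),
    ("icmplarge", "threshold"): Threshold("bytes", 32000, 64, 64000),
}


def effective_threshold(signature, requested, field="threshold"):
    """Return the threshold the unit would actually use.

    Rule from the manual: a requested value of 0, or one outside the
    [minimum, maximum] range for that signature, is replaced by the default.
    """
    spec = TABLE_48[(signature, field)]
    if requested == 0 or not (spec.minimum <= requested <= spec.maximum):
        return spec.default
    return requested


def apply_flood_threshold(packets, threshold):
    """Simulate a per-second flooding threshold keyed by source address.

    packets: iterable of (timestamp_seconds, source_ip).  Packets are counted
    in one-second buckets per source (a constructed model of "per second" and
    "from a source address"); the first `threshold` packets in a bucket pass
    and the remainder are dropped.  Returns (passed, dropped).
    """
    seen = {}
    passed = dropped = 0
    for ts, src in packets:
        key = (src, int(ts))
        seen[key] = seen.get(key, 0) + 1
        if seen[key] <= threshold:
            passed += 1
        else:
            dropped += 1
    return passed, dropped


# Constructed traffic sample: 600 echo requests from 10.0.0.1 in second 0,
# 100 from 10.0.0.2 in second 0, then 300 from 10.0.0.1 in second 1.
SAMPLE_PACKETS = (
    [(0.0 + i / 1000, "10.0.0.1") for i in range(600)]
    + [(0.5 + i / 1000, "10.0.0.2") for i in range(100)]
    + [(1.0 + i / 1000, "10.0.0.1") for i in range(300)]
)


def icmpflood_example(requested=500):
    """The page's icmpflood example: threshold 500 -> 500 pass per source per second."""
    threshold = effective_threshold("icmpflood", requested)
    return threshold, apply_flood_threshold(SAMPLE_PACKETS, threshold)


if __name__ == "__main__":
    for sig, req in (("icmpflood", 500), ("icmpflood", 0), ("ftpovfl", 16)):
        print(f"{sig}: requested {req} -> effective {effective_threshold(sig, req)}")
    threshold, (passed, dropped) = icmpflood_example()
    print(f"icmpflood threshold {threshold}: passed={passed} dropped={dropped}")
```

Running the script shows an out-of-range request (ftpovfl 16, below the minimum of 32) and a request of 0 both reverting to the defaults from Table 48, and the sample traffic yielding 900 packets passed and 100 dropped: only the 100 packets beyond 500 from 10.0.0.1 in its first second exceed the threshold.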
