Policy and Objects – FortiManager 5.2

9 Replies

DoS policy

The DoS (Denial of Service) Policy tab allows you to create, edit, delete, and clone DoS policies. The following information is displayed for these policies: Seq.# (sequence number), Interface (incoming interface), Source (source address), Destination (destination address), Service, and Install On (installation targets).

  1. Select the ADOM from the drop-down list in the toolbar.
  2. Select the policy package where you are creating the new DoS policy from the tree menu.
  3. Select DoS Policy NAT in the policy toolbar.
  4. Right-click on the sequence number of a current policy, or in an empty area of the content pane and select Create New from the menu. The Create New Policy dialog box opens.
New DoS policy
  1. Configure the following settings:
Incoming Interface Select the incoming interface from the drop-down list.
Source Address Select the source address from the drop-down list. You can select to create a new address or address group in the Source Address dialog box.
Destination Address Select the destination address from the drop-down list. You can create a new address or address group in the Add Destination Address dialog box.
Service Select the service from the drop-down list. You can create a new service or service group in the Add Service dialog box.
tcp_syn_flood Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

|The default threshold is 2000.

 

tcp_port_scan Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 1000.
tcp_src_session Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 5000.
tcp_dst_session Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 5000.
udp_flood Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 2000.
udp_scan Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 2000.
udp_src_session Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 5000.
udp_dst_session Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 5000.
icmp_flood Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 250.
icmp_sweep Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 100.
icmp_src_session Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 300.
icmp_dst_session Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 1000.
ip_src_session Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 5000.
ip_dst_session Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 5000.
scttp_flood Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 2000.
sctp_scan Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 1000.
sctp_src_session Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 5000.
sctp_dst_session Select to enable the DoS status and logging, select the action to pass, block or proxy, and configure the threshold.

The default threshold is 5000.
  1. Select OK to save the setting.

IPv6 DoS policy

The IPv6 DoS Policy tab allows you to create, edit, delete, and clone IPv6 DoS policies. For more information on configuring DoS policies, see DoS policy.

NAT46 policy

Use NAT46 policies for IPv6 environments where you want to expose certain services to the public IPv4 Internet. You will need to configure a virtual IP to permit the access. The NAT46 Policy tab allows you to create, edit, delete, and clone NAT46 policies.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Pages: 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29
This entry was posted in Administration Guides, FortiManager and tagged , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

9 thoughts on “Policy and Objects – FortiManager 5.2

  1. Richard Lopez

    Question about ADOMs. In previous versions of FortiOS 4.3 maybe earlier. When you had multiple devices under an ADOM the policies and objects were clearly separated per device being managed. With the newer FortiOS it seems as though there is overlapping and my policies and objects seem to be cross contaminated between devices. What is your perspective on this and/or work around? Thank you in advance – Richard

    Reply
    1. Mike Post author

      I always keep my devices separated by Firmware version. ADOM 4.3 ADOM 5.2 ADOM 5.4 etc to keep things nice and neat.

      Reply
  2. simbhu

    I have an issue for deleting the V4.2 ADOMs from FMG V5.2 getting the below error.

    Some ADOM(s) were not deleted successfully because they are not empty

    But those ADOMs are not used anywhere. How to find out where it is used?

    No admin accounts having access to the ADOM, No policy package for the ADOM.

    Reply
    1. Mike Post author

      Usually, it experiences this issue because something somewhere is still referencing it. Whether that item be a policy package as you mentioned before or a group etc.

      Reply
  4. Thierry

    Hi Mike,

    We use fortimanager v5.4.1-build1082 160629 (GA) FMG-VM64 but we cant drag and drop within the rule base. (drag en drop from the object side plain does work) I have seen a instruction video were they lock the adom but also that future is non exsistent in our GUI.

    You have any idea what this could be ? I did not see any issues on this subject on the fortinet site. We have upgraded from a older version FM.

    kind regards and thanks for this great support site, i look here first!

    Reply
      1. Thierry

        Not sure ( I was not involved and there is no change history) but i did found this in the “alert message console”

        Upgrade image from v5.2.7-build0757-160408(GA) to v5.4.1-build1082-160629

        Reply
  5. linaab

    Hello,

    HELP !! we have multiple firewalls we would like to upload on our Fortimanager in the same ADOM.

    The problem is that some objects have the same names but different IPs adresses. i read that the only solution is mapping the objects. if we do so we will have to it manually on every object (more than ~200) which is not an option for me. Can you please help me with this problem ?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.