Network Intrusion Detection System (NIDS) Preventing attacks
FortiGate-4000 Installation and Configuration Guide
Setting signature threshold values
You can change the default threshold values for the NIDS Prevention signatures listed
in Table 48. The threshold depends on the type of attack. For flooding attacks, the
threshold is the maximum number of packets received per second. For overflow
attacks, the threshold is the maximum buffer size for the command. For large ICMP
attacks, the threshold is the maximum size of ICMP packet allowed to pass through.
For example, setting the icmpflood signature threshold to 500 allows 500 echo
requests from a source address, to which the system sends echo replies. The
FortiGate unit drops any requests over the threshold of 500.
If you enter a threshold value of 0 or a number out of the allowable range, the
FortiGate unit uses the default value.
Table 48: NIDS Prevention signatures with threshold values

| Signature abbreviation | Threshold value units | Default threshold value | Minimum threshold value | Maximum threshold value |
|---|---|---|---|---|
| synflood | Threshold: Maximum number of SYN segments received per second. | 2048 | 1 | 1000000 |
| | Queue Size: Maximum proxied connections. | 4096 | 100 | 1000000 |
| | Timeout: Number of seconds for the SYN cookie to keep a proxied connection alive. | 15 | 1 | 3600 |
| portscan | Maximum number of SYN segments received per second | 512 | 1 | 1000000 |
| srcsession | Total number of TCP sessions initiated from the same source | 2048 | 1 | 1000000 |
| ftpovfl | Maximum buffer size for an FTP command (bytes) | 256 | 32 | 1408 |
| smtpovfl | Maximum buffer size for an SMTP command (bytes) | 512 | 32 | 1408 |
| pop3ovfl | Maximum buffer size for a POP3 command (bytes) | 512 | 32 | 1408 |
| udpflood | Maximum number of UDP packets received from the same source or sent to the same destination per second | 2048 | 1 | 1000000 |
| udpsrcsession | Total number of UDP sessions initiated from the same source | 2048 | 1 | 1000000 |
| icmpflood | Maximum number of ICMP packets received from the same source or sent to the same destination per second | 256 | 1 | 1000000 |
| icmpsrcsession | Total number of ICMP sessions initiated from the same source | 128 | 1 | 1000000 |
| icmpsweep | Maximum number of ICMP packets received from the same source per second | 128 | 1 | 1000000 |
| icmplarge | Maximum ICMP packet size (bytes) | 32000 | 64 | 64000 |
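
Because a value of 0 or one outside the allowable range is replaced by the default, a planned change can leave a different limit in effect than the one requested. The following check is an added example, not part of the guide or of any Fortinet tooling: it applies that rule to the ranges in Table 48 and lists the requests the unit would not honour. The dictionary input format, the function names and the sample values are assumptions made for illustration, and only the Threshold field of synflood is modelled.

```python
# Added example: (default, minimum, maximum) copied from Table 48.
TABLE_48 = {
    "synflood": (2048, 1, 1000000),  # Threshold field only
    "portscan": (512, 1, 1000000),
    "srcsession": (2048, 1, 1000000),
    "ftpovfl": (256, 32, 1408),
    "smtpovfl": (512, 32, 1408),
    "pop3ovfl": (512, 32, 1408),
    "udpflood": (2048, 1, 1000000),
    "udpsrcsession": (2048, 1, 1000000),
    "icmpflood": (256, 1, 1000000),
    "icmpsrcsession": (128, 1, 1000000),
    "icmpsweep": (128, 1, 1000000),
    "icmplarge": (32000, 64, 64000),
}


def effective_threshold(signature, requested):
    """Return (value in effect, True if the default replaced the request)."""
    default, low, high = TABLE_48[signature]
    # Rule from the guide: 0 or an out-of-range number means the default is used.
    if requested == 0 or not (low <= requested <= high):
        return default, True
    return requested, False


def audit(planned):
    """Return one finding for every planned value the unit would not honour."""
    findings = []
    for signature, requested in planned.items():
        if signature not in TABLE_48:
            findings.append((signature, requested, None, "unknown signature"))
            continue
        value, fell_back = effective_threshold(signature, requested)
        if fell_back:
            _, low, high = TABLE_48[signature]
            findings.append((signature, requested, value,
                             f"outside {low}..{high}, default applies"))
    return findings


# Constructed change request (hypothetical values, not taken from a real unit).
PLANNED = {"icmpflood": 500, "ftpovfl": 2000, "icmplarge": 0, "smtpovfl": 16}

if __name__ == "__main__":
    for signature, requested, value, reason in audit(PLANNED):
        print(f"{signature}: requested {requested}, in effect {value} ({reason})")
```

In the sample, the request to raise ftpovfl to 2000 bytes leaves the 256-byte default in place, which is the kind of mismatch worth catching before a change is signed off.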