2 configuration commands, 1 dos-control sipdip, 2 dos-control tcpfrag – Fortinet 548B User Manual
TCP SYN Mode: May be enabled or disabled. The factory default is disabled.
TCP SYN&FIN Mode: May be enabled or disabled. The factory default is disabled.
First Fragment Mode: May be enabled or disabled. The factory default is disabled.
TCP Fragment Offset Mode: May be enabled or disabled. The factory default is disabled.
7.13.2 Configuration Commands
7.13.2.1 dos-control sipdip
This command enables Source IP Address = Destination IP Address (SIP=DIP) Denial of Service
protection. When the mode is enabled, packets that ingress with SIP=DIP are dropped.
Syntax
dos-control sipdip
no dos-control sipdip
no - This command disables Source IP Address = Destination IP Address (SIP=DIP) Denial of
Service prevention.
Default Setting
Disabled
Command Mode
Global Config
7.13.2.2 dos-control tcpfrag
This command enables Minimum TCP Header Size Denial of Service protection. When the mode is enabled,
packets that ingress with a TCP Header Size smaller than the configured value are dropped. The default is
disabled. If you enable dos-control tcpfrag but do not provide a Minimum TCP Header Size, the system
sets that value to 20.
Syntax
dos-control tcpfrag [<0-255>]
no dos-control tcpfrag
<0-255> - Sets the minimum TCP header length.