Blocking the packets of a denied session can take more CPU processing resources than passing the traffic through. By putting denied sessions in the session table, they can be kept track of in the same way that allowed session are so that the FortiGate unit does not have to reassess whether or not to deny each of the packets on an individual basis. If the session is denied all packets of that session are also denied.
In order to configure this to take place you will need to configure 2 CLI settings.
This setting determines whether or not the firmware includes denied session in the session table. The default of this setting is “disable” so it needs to be enabled.
This setting sets the length of time, in seconds, that the session is kept in the table. The range is from 1 to 300 seconds. The longer the session is in the table the less potential for impact on the CPU but the greater the amount of memory taken up holding the information in the table.
The following is an example configuration:
config sys settings
set ses-denied-traffic enable
config system global
set block-session-timer 60
It is worth noting that this feature’s primary function is to mitigate stress on the FortiGate’s resources from sessions that have been classified as “unwanted”, for lack of a better term. The scope of what the setting can handle does not include a full on assault by a Denial of Service type of attack. Protection from that sort of malicious attack is provided by DoS policies.
Bruce has been working with computers, and related technology, since before the World Wide Web was a thing. He has worked in system and network administration. He has even dabbled in technical support. He has made the switch to technical writing as part of his deep, dark and dastardly plan to make the arcane machinations of IT technology more easily understood by the poor folks who use it. That, and the voices in his head told him it was good idea. Never argue with the voices in your head. People will start to stare.
Latest posts by Bruce Davis (see all)