Understanding FortiDDoS Detection Mode
In Detection Mode, FortiDDoS logs events and builds traffic statistics for SPPs, but it does not take actions: it
does not drop or block traffic, and it does not aggressively age connections. Packets are passed through the
system to and from protected subnets. Any logs and reports that show drop or blocking activity are actually
simulations of drop or block actions the system would have taken if it were deployed in Prevention Mode.
When you get started with FortiDDoS, you deploy it in Detection Mode for 2-14 days so that the FortiDDoS
system can learn the baseline of normal inbound and outbound traffic. The length of the initial learning period
depends upon the seasonality of traffic (its predictable or expected variations) and how representative of normal
traffic conditions the learning period is. Ensure that there are no attacks during the initial learning period and that
it is long enough to be a representative period of activity. If activity is heavier in one part of the week than
another, ensure that your initial learning period includes periods of both high and low activity. Weekends alone
are an insufficient learning period for businesses that have substantially different traffic during the week. Thus, it
is better to start the learning period on a weekday. In most cases, 7 days is sufficient to capture the weekly
seasonality in traffic.
At the end of the initial learning period, you can adopt system-recommended thresholds (usually lower than the
factory default) and continue to use Detection Mode to review logs for false positives and false negatives. As
needed, you repeat the tuning: adjust thresholds and monitor the results.
When you are satisfied with the system settings, change to Prevention Mode. In Prevention Mode, the appliance
drops packets and blocks sources that violate ACL rules and DDoS attack detection thresholds.