Protocol types
One of the fundamental aspects of a service is the type of protocol that use used to define it. When a service is defined one of the following categories of protocol needs to be determined: l TCP/UDP/SCTP l ICMP l ICMPv6 l IP
Depending on which of these protocol categories is choose another set of specifications will can also be defined.
| Protocol Type | Related specifications |
| TCP/UDP/SCTP | This is the most commonly used service protocol category. Once this category has been selected the other available options to choose are an address, either IP or
FQDN, and the protocol and port number. The protocol will be TCP, UDP or SCTP. |
| ICMP or ICMP6 | When ICMP or ICMP6 is chosen the available options are the ICMP Type and its code. |
| IP | When IP is the chosen protocol type the addition option is the Protocol Number. |
TCP/UDP/SCTP
TCP
Transmission Control Protocol (TCP) is one of the core or fundamental protocols of the Internet. It is part of the Transport Layer of the OSI Model. It is designed to provide reliable delivery of data from a program on one device on the network or Internet to another program on another device on the network or Internet. TCP achieves its reliability because it is a connection based protocol. TCP is stream-oriented. It transports streams of data reliably and in order.
TCP establishes a prior connection link between the hosts before sending data. This is often referred to as the handshake. Once the link is established the protocol uses checks to verify that the data transmitted. If an error check fails the data is retransmitted. This makes sure that the data is getting to the destination error free and in the correct order so that it can be put back together into a form that is identical to the way they were sent.
TCP is configured more for reliability than for speed and because of this TCP will likely be slower than a connectionless protocol such as UDP. This is why TCP is generally not used for real time applications such as voice communication or online gaming. Some of the applications that use TCP are:
l World Wide Web (HTTP and HTTPS) l Email (SMTP, POP3, IMAP4) l Remote administration (RDP) l File transfer (FTP)
UDP
User Datagram Protocol (UDP) like TCP is one of the core protocols of the Internet and part of the Transport Layer of the OSI Model. UDP is designed more for speed than reliability and is generally used for different applications than TCP. UDP sends messages, referred to as datagrams across the network or Internet to other hosts without establishing a prior communication link. In other words, there is no handshake.
UDP is an unreliable service as the datagrams can arrive out of order, duplicated or go missing without any mechanism to verify them. UDP works on the assumption that any error checking is done by the application or is not necessary for the function of the application. This way it avoids the overhead that is required to verify the integrity of the data.
This lack of overhead improves the speed of the data transfer and is why UDP is often used by applications that are time sensitive in nature. UDP’s stateless nature is also great for applications that answer a large number of small queries from a large number of clients.
Common uses for UDP are:
l Domain Name Resolution (DNS) l Time (NTP) l Streaming media (RTSP, RTP and RTCP) l Telephone of the Internet (VoIP) l File Transfer (TFTP) l Logging (SNMP) l Online games (GTP and OGP)
SCTP
Stream Control Transmission Protocol (SCTP) is part of the Transport Layer of the OSI Model just like TCP and UDP and provides some of the features of both of those protocols. It is message or datagram orientated like UDP but it also ensures reliable sequential transport of data with congestion control like TCP.
SCTP provides the following services:
- Acknowledged error-free non-duplicated transfer of user data l Data fragmentation to conform to discovered path MTU size l Sequenced delivery of user messages within multiple streams, with an option for order-of-arrival delivery of individual user messages
- Optional bundling of multiple user messages into a single SCTP packet l Network-level fault tolerance through supporting of multi-homing at either or both ends of an association l Congestion avoidance behavior and resistance to flooding and masquerade attacks
SCTP uses multi-streaming to transport its messages which means that there can be several independent streams of messages traveling in parallel between the points of the transmission. The data is sent out in larger chunks of data than is used by TCP just like UDP but the messages include a sequence number within each message in the same way that TCP does so that the data can be reassembled at the other end of the transmission in the correct sequence without the data having to arrive in the correct sequence.
SCTP is effective as the transport protocol for applications that require monitoring and session-loss detection. For such applications, the SCTP path and session failure detection mechanisms actively monitor the connectivity of the session. SCTP differs from TCP in having multi-homing capabilities at either or both ends and several streams within a connection, typically referred to as an association. A TCP stream represents a sequence of bytes; an SCTP stream represents a sequence of messages.
Some common applications of SCTP include supporting transmission of the following protocols over IP networks:
- SCTP is important in 3G and 4G/LTE networks (for example, HomeNodeB = FemtoCells) l SS7 over IP (for example, for 3G mobile networks) l SCTP is also defined and used for SIP over SCTP and H.248 over SCTP l Transport of Public Switched Telephone Network (PSTN) signaling messages over IP networks.
SCTP is a much newer protocol. It was defined by the IETF Signaling Transport (SIGTRAN) working group in 2000. It was introduced by RFC 3286 and more fully define by RFC 4960.
The FortiGate firewall can apply security policies to SCTP sessions in the same way as TCP and UDP sessions. You can create security policies that accept or deny SCTP traffic by setting the service to “ALL”. FortiOS does not include pre-defined SCTP services. To configure security policies for traffic with specific SCTP source or destination ports you must create custom firewall services for SCTP.
FortiGate units route SCTP traffic in the same way as TCP and UDP traffic. You can configure policy routes specifically for routing SCTP traffic by setting the protocol number to 132. SCTP policy routes can route SCTP traffic according to the destination port of the traffic if you add a port range to the policy route.
You can configure a FortiGate unit to perform stateful inspection of different types of SCTP traffic by creating custom SCTP services and defining the port numbers or port ranges used by those services. FortiGate units support SCTP over IPv4. The FortiGate unit performs the following checks on SCTP packets:
- Source and Destination Port and Verification Tag. l Chunk Type, Chunk Flags and Chunk Length l Verify that association exists l Sequence of Chunk Types (INIT, INIT ACK, etc) l Timer checking l Four way handshake checking l Heartbeat mechanism l Protection against INIT/ACK flood DoS attacks, and long-INIT flooding
- Protection against association hijacking
FortiOS also supports SCTP sessions over IPsec VPN tunnels, as well as full traffic and event logging for SCTP sessions.
Protocol port values
The source and destination ports for TCP/UDP/SCTP services are important to get correct. If they are reversed the service will not work. The destination port(s) are the on ones that refer to the ports that the computer will be listening on. These are the port numbers that most people are familiar with when they associate a port number to a protocol. In most cases the source port will be one that is randomly assigned by the computer that is not being already used by another service.
Most people associate HTTP with port 80. This means that a web-server will be listening on port 80 for any http requests being sent to the computer. The computer that is sending the request can use any port that is not already assigned to another service or communication session. There are 65,535 ports that it can randomly assign, but because the ports from 1 to 1024 are normally used for listening for incoming communications it is usually not in that range. It is unless there is a specific instance when you know that a communication will be coming from a predefined source port it is best practice to set the source port range from 1 to 65,535.
ICMP
The Internet Control Message Protocol (ICMP) is a protocol layered onto the Internet Protocol Suite to provide error reporting flow control and first-hop gateway redirection. It is normally used by the operating systems of networked computers to send connectivity status query, response and error messages. It is assigned protocol number 1. There is a separate version of the protocol for both IPv4 and for IPv6. It is not designed to be absolutely reliable like TCP.
ICMP is not typically used for transporting data or for end-user network applications with the exception of some diagnostic utilities such as ping and traceroute.
ICMP messages are sent in several situations, for example:
l when a datagram cannot reach its destination, l time exceeded messages l redirect messages l when the gateway does not have the buffering capacity to forward a datagram l when the gateway can direct the host to send traffic on a shorter route.
Some of the specific ICMP message types are: l ICMP_ECHO l ICMP_TIMESTAMP l ICMP_INFO_REQUEST l ICMP_ADDRESS
For ICMP error messages, only those reporting an error for an existing session can pass through the firewall. The security policy will allow traffic to be routed, forwarded or denied. If allowed, the ICMP packets will start a new session. Only ICMP error messages of a corresponding security policy is available will be sent back to the source. Otherwise, the packet is dropped. That is, only ICMP packets for a corresponding security policy can traverse the FortiGate unit.
ICMP types and codes
ICMP has a number of messages that are identified by the “Type” field. Some of these types have assigned “Code” fields as well. The table below shows the different types of ICMP Types with their associated codes if there are any.
ICMP types and codes
| Type Number | Type Name | Optional Code(s) |
| 0 | Echo Reply | |
| 1 | Unassigned | |
| 2 | Unassigned | |
| 3 | Destination Unreachable | 0 Net Unreachable
1 Host Unreachable 2 Protocol Unreachable 3 Port Unreachable 4 Fragmentation Needed and Don’t Fragment was Set 5 Source Route Failed 6 Destination Network Unknown 7 Destination Host Unknown 8 Source Host Isolated 9 Communication with Destination Network is Administratively Prohibited 10 Communication with Destination Host is Administratively Prohibited 11 Destination Network Unreachable for Type of Service 12 Destination Host Unreachable for Type of Service 13 Communication Administratively Prohibited 14 Host Precedence Violation 15 Precedence cutoff in effect |
| 4 | Source Quench |
| Type Number | Type Name | Optional Code(s) | |
| 5 | Redirect | 0 Redirect Datagram for the Network (or subnet)
1 Redirect Datagram for the Host 2 Redirect Datagram for the Type of Service and Network 3 Redirect Datagram for the Type of Service and Host |
|
| 6 | Alternate Host Address | ||
| 7 | Unassigned | ||
| 8 | Echo | ||
| 9 | Router
Advertisement |
||
| 10 | Router Selection | ||
| 11 | Time Exceeded | 0 Time to Live exceeded in Transit
1 Fragment Reassembly Time Exceeded |
|
| 12 | Parameter Problem | 0 Pointer indicates the error
1 Missing a Required Option 2 Bad Length |
|
| 13 | Timestamp | ||
| 14 | Timestand Reply | ||
| 15 | Information Request | ||
| 16 | Information Reply | ||
| 17 | Address Mask Request | ||
| 18 | Address Mask Reply | ||
| 19 | Reserved (for Security) | ||
| Type Number | Type Name | Optional Code(s) | |
| 20 – 29 | Reserved (for
Robustness Experiment) |
||
| 30 | Traceroute | ||
| 31 | Datagram
Conversion Error |
||
| 32 | Mobile Host Redirect | ||
| 33 | IPv6 Where-AreYou | ||
| 34 | IPv6 I-Am-Here | ||
| 35 | Mobile Registration | ||
| 36 | Mobile Registration Reply | ||
| 37 | Domain Name
Request |
||
| 38 | Domain Name
Reply |
||
| 39 | SKIP | ||
| 40 | Photuris | ||
| 41 – 255 | Reserved | ||
log-invalid-packet
The log-invalid-packet CLI setting is one that is intended to log invalid ICMP packets. The exact definition being:
If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B)|TCP (C,D) header, then if FortiOS can locate the A:C -> B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped.
When this field is enabled, the FortiGate also log messages that are not ICMP error packets.
Types of logs covered by log-invalid-packet
- Invalid ICMP l If ICMP error message verification (see “check-reset-range”) is enabled
- Invalid DNS packets l DNS packets that contain requests for non-existing domains
- iprope check failed l reverse path check fail l denied and broadcast traffic l no session matched
Some other examples of messages that are not errors that will be logged, based on RFC792: Type 3 messages correspond to “Destination Unreachable Message” l Type 3, Code 1 = host unreachable l Type 3, Code 3 = port unreachable
Type 11 messages correspond to “Time Exceeded Message” l Type 11, Code 0 = time to live exceeded in transit
ICMPv6
Internet Control Message Protocol version 6 (ICMPv6) is the new implementation of the Internet Control Message Protocol (ICMP) that is part of Internet Protocol version 6 (IPv6). The ICMPv6 protocol is defined in RFC 4443.
ICMPv6 is a multipurpose protocol. It performs such things as:
- error reporting in packet processing l diagnostic functions l Neighbor Discovery process l IPv6 multicast membership reporting
It also designed as a framework to use extensions for use with future implementations and changes.
Examples of extensions that have already been written for ICMPv6:
- Neighbor Discovery Protocol (NDP) – a node discovery protocol in IPv6 which replaces and enhances functions of ARP.
- Secure Neighbor Discovery Protocol (SEND) – an extension of NDP with extra security. l Multicast Router Discovery (MRD) – allows discovery of multicast routers.
ICMPv6 messages use IPv6 packets for transportation and can include IPv6 extension headers. ICMPv6 includes some of the functionality that in IPv4 was distributed among protocols such as ICMPv4, ARP (Address Resolution Protocol), and IGMP (Internet Group Membership Protocol version 3).
ICMPv6 has simplified the communication process by eliminating obsolete messages.
ICMPv6 messages are subdivided into two classes: error messages and information messages.
Error Messages are divided into four categories:
- Destination Unreachable
- Time Exceeded
- Packet Too Big
- Parameter Problems
Information messages are divided into three groups:
- Diagnostic messages
- Neighbor Discovery messages
- Messages for the management of multicast groups.
ICMPv6 types and codes
ICMPv6 has a number of messages that are identified by the “Type” field. Some of these types have assigned “Code” fields as well. The table below shows the different types of ICMP Types with their associated codes if there are any.
Type codes 0 − 127 are error messages and type codes 128 − 255 are for information messages.
ICMPv6 types and codes
| Type Number | Type Name | Code |
| 0 | Reserved | 0 – no route to destination
1 – communication with destination administratively prohibited 2 – beyond scope of source address 3 – address unreachable 4 – port unreachable 5 – source address failed ingress/egress policy 6 – reject route to destination 7 – Error in Source Routing Header |
| 1 | Destination Unreachable | |
| 2 | Packet Too Big | |
| 3 | Time Exceeded | 0 – hop limit exceeded in transit
1 – fragment reassembly time exceeded |
| 4 | Parameter Problem | 0 – erroneous header field encountered
1 – unrecognized Next Header type encountered 2 – unrecognized IPv6 option encountered |
| Type Number | Type Name | Code |
| 100 | Private
Experimentation |
|
| 101 | Private
Experimentation |
|
| 102 – 126 | Unassigned | |
| 127 | Reserved for expansion if ICMPv6 error messages | |
| 128 | Echo Request | |
| 129 | Echo Replay | |
| 130 | Multicast Listener Query | |
| 131 | Multicast Listener Report | |
| 132 | Multicast Listener
Done |
|
| 133 | Router Solicitation | |
| 134 | Router
Advertisement |
|
| 135 | Neighbor Solicitation | |
| 136 | Neighbor
Advertisement |
|
| 137 | Redirect Message | |
| 138 | Router
Renumbering |
0 – Router Renumbering Command
1 – Router Renumbering Result 255 – Sequence Number Reset |
| Type Number | Type Name | Code |
| 139 | ICMP Node
Information Query |
0 – The Data field contains an IPv6 address which is the Subject of this Query.
1 – The Data field contains a name which is the Subject of this Query, or is empty, as in the case of a NOOP. 2 – The Data field contains an IPv4 address which is the Subject of this Query. |
| 140 | ICMP Node
Information Response |
0 – A successful reply. The Reply Data field may or may not be empty.
1 – The Responder refuses to supply the answer. The Reply Data field will be empty. 2 – The Qtype of the Query is unknown to the Responder. The Reply Data field will be empty. |
| 141 | Inverse Neighbor
Discovery Solicitation Message |
|
| 142 | Inverse Neighbor
Discovery Advertisement Message |
|
| 143 | Version 2 Multicast Listener Report | |
| 144 | Home Agent
Address Discovery Request Message |
|
| 145 | Home Agent
Address Discovery Reply Message |
|
| 146 | Mobile Prefix
Solicitation |
|
| 147 | Mobile Prefix Advertisement | |
| 148 | Certification Path
Solicitation Message |
| Type Number | Type Name | Code |
| 149 | Certification Path
Advertisement Message |
|
| 150 | ICMP messages
utilized by experimental mobility protocols such as Seamoby |
|
| 151 | Multicast Router Advertisement | |
| 152 | Multicast Router
Solicitation |
|
| 153 | Multicast Router Termination | |
| 154 | FMIPv6 Messages | |
| 155 | RPL Control Message | |
| 156 | ILNPv6 Locator Update Message | |
| 157 | Duplicate Address Request | |
| 158 | Duplicate Address Confirmation | |
| 159 − 199 | Unassigned | |
| 200 | Private experimentation | |
| 201 | Private experimentation | |
| 255 | Reserved for expansion of ICMPv6
informational messages |
IP
Internet Protocol (IP) is the primary part of the Network Layer of the OSI Model that is responsible for routing traffic across network boundaries. It is the protocol that is responsible for addressing. IPv4 is probable the version that most people are familiar with and it has been around since 1974. IPv6 is its current successor and due to a shortage of available IPv4 addresses compared to the explosive increase in the number of devices that use IP addresses, IPv6 is rapidly increasing in use.
When IP is chosen as the protocol type the available option to further specify the protocol is the protocol number.
This is used to narrow down which protocol within the Internet Protocol Suite and provide a more granular control.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!