Category Archives: FortiOS 6

Inside FortiOS: Denial of Service (DoS) protection

FortiOS DoS protection maintains network integrity and performance by identifying and blocking harmful IPv4 and IPv6-based denial of service (DoS) attacks.

About DoS and DDoS attacks

A denial of service (DoS) occurs when an attacker overwhelms server resources by flooding a target system with anomalous data packets, rendering it unable to service genuine users. A distributed denial of service (DDoS) occurs when an attacker uses a master computer to control a network of compromised systems, otherwise known as a ‘botnet’, which collectively inundates the target system with excessive anomalous data packets.

FortiOS DoS and DDoS protection

FortiOS DoS protection identifies potentially harmful traffic that could be part of a DoS or a DDoS attack by looking for specific traffic anomalies. Traffic anomalies that become DoS attacks include: TCP SYN floods, UDP floods, ICMP floods, TCP port scans, TCP session attacks, UDP session attacks, ICMP session attacks, and ICMP sweep attacks. Only traffic identified as part of a DoS attack is blocked; connections from legitimate users are processed normally.

FortiOS applies DoS protection very early in its traffic processing sequence to minimize the effect of a DoS attack on FortiOS system performance. DoS protection is the first step for packets after they are received by a FortiGate interface. Potential DoS attacks are detected and blocked before the packets are sent to other FortiOS systems.

FortiOS also includes an access control list feature that is implemented next. This accelerated ACL technology uses NP6 processors to block traffic (including DoS attacks) by source and destination address and service again before the packets are sent to the FortiGate CPU.

FortiOS DoS protection can operate in a standard configuration or operate out of band in sniffer mode, also known as one-arm mode, similar to intrusion detection systems. When operating in sniffer mode the FortiGate unit detects attacks and logs them without blocking them.

FortiOS DoS policies determine the course of action to take when anomalous traffic reaches a configured packet rate threshold. You can block an attacker, block an interface, block an attacker and interface, or allow traffic to pass through for monitoring purposes. This allows you to maintain network security by gathering information about attacks, monitor potentially offending traffic, or block offenders for the most protection.

FortiGates with NP6 processors also support synproxy DoS protection. An NP6-accelerated TCP SYN proxy offloads the three-way TCP handshake and the TCP SYN anomaly checking that DoS protection performs to the NP6 processors.

FortiOS DDoS prevention

In addition to using DoS protection for protection against DoS attacks, FortiOS includes a number of features that prevent the spread of Botnet and C&C activity. Mobile Malware or Botnet and C&C protection keeps Botnet and C&C code from entering a protected network and compromising protected systems. As a result, systems on the protected network cannot become Botnet clients.

In addition, FortiOS can monitor and block outgoing Botnet connection attempts. Monitoring allows you to find and remove Botnet clients from your network and blocking prevents infected systems from communicating with Botnet sites.

Configuration options

Choose the standard configuration for maximum protection or configure sniffer mode to gather information.

Standard configuration

DoS protection is commonly configured on a FortiGate unit that connects a private or DMZ network to the Internet or on a FortiWiFi unit that connects a wireless LAN to an internal network and to the Internet. All Internet traffic or wireless LAN traffic passes through DoS protection in the FortiGate unit or the FortiWiFi unit.

Out of band configuration (sniffer mode)

A FortiGate unit in sniffer mode operates out of band as a one-armed Intrusion Detection System by detecting and reporting attacks. It does not process network traffic nor does it take action against threats. The FortiGate interface operating in sniffer mode is connected to a Test Access Point (TAP) or a Switch Port Analyzer (SPAN) port that processes all of the traffic to be analyzed. The TAP or SPAN sends a copy of the switch traffic to the out of band FortiGate for analysis.

FortiOS records log messages and sends alerts to system administrators when a DoS attack is detected. Because the FortiGate unit is out of band, IDS scanning does not affect network performance, and network traffic is not interrupted if the IDS fails or goes offline.

DoS policies

DoS policies provide effective and early DoS detection while remaining light on system resources. They are configured to monitor and to stop traffic with abnormal patterns or attributes. The DoS policy recognizes traffic as a threat when the traffic reaches a user-configured packet rate threshold. The policy then determines the appropriate action. In addition to choosing whether or not to log each type of anomaly, you can choose to pass or block threats.

DoS policy anomaly protection is applied to all incoming traffic to a single FortiGate interface, but you can narrow policies by specifying service, source address, and destination address. The FortiGate unit processes DoS policies in their own respective order first, followed by all other firewall policies.
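The per-destination, one-second packet-rate check that the two paragraphs above describe, written out as an added Python example (not FortiOS code): the anomaly names mirror the FortiOS flood anomalies, while the thresholds, actions and sample traffic are constructed values.

```python
"""Packet-rate anomaly detection modelled on FortiOS DoS policies.
Added example, not FortiOS code: each flood anomaly keeps a one-second sliding
window of packets per destination; exceeding the threshold runs the policy action
("block" quarantines the attacker, "pass" only logs). All values are constructed."""
from collections import defaultdict, deque

THRESHOLDS = {"tcp_syn_flood": 5, "udp_flood": 10, "icmp_flood": 5}   # packets per second
ACTIONS = {"tcp_syn_flood": "block", "udp_flood": "pass", "icmp_flood": "block"}

def classify(pkt):
    """Map a packet to the flood anomaly it counts toward, or None."""
    if pkt["proto"] == "tcp" and pkt.get("flags") == "S":
        return "tcp_syn_flood"
    if pkt["proto"] in ("udp", "icmp"):
        return pkt["proto"] + "_flood"
    return None

class DosPolicy:
    def __init__(self, thresholds, actions, window=1.0):
        self.thresholds, self.actions, self.window = thresholds, actions, window
        self.windows = defaultdict(deque)  # (anomaly, dst) -> timestamps inside the window
        self.quarantined = set()           # sources hit by a "block" action
        self.log = []                      # (ts, anomaly, src, dst, action)

    def process(self, pkt):
        """Return "accept" or "drop" for one packet and update detector state."""
        if pkt["src"] in self.quarantined:
            return "drop"
        anomaly = classify(pkt)
        if anomaly is None:
            return "accept"
        q = self.windows[(anomaly, pkt["dst"])]
        q.append(pkt["ts"])
        while q[0] <= pkt["ts"] - self.window:   # expire packets older than the window
            q.popleft()
        if len(q) <= self.thresholds[anomaly]:
            return "accept"
        action = self.actions[anomaly]
        self.log.append((pkt["ts"], anomaly, pkt["src"], pkt["dst"], action))
        if action == "block":
            self.quarantined.add(pkt["src"])
            return "drop"
        return "accept"                          # monitor only: logged, not blocked

def run_sample():
    """Constructed traffic: a SYN flood, a UDP burst in monitor mode and one legitimate SYN."""
    pkts = [{"ts": i / 10, "proto": "tcp", "flags": "S", "src": "10.0.0.9", "dst": "192.0.2.10"}
            for i in range(8)]
    pkts += [{"ts": 0.5 + i / 100, "proto": "udp", "src": "10.0.0.7", "dst": "192.0.2.20"}
             for i in range(12)]
    pkts.append({"ts": 0.9, "proto": "tcp", "flags": "S", "src": "10.0.0.5", "dst": "192.0.2.30"})
    policy = DosPolicy(THRESHOLDS, ACTIONS)
    verdicts = [policy.process(p) for p in sorted(pkts, key=lambda p: p["ts"])]
    return {"accepted": verdicts.count("accept"), "dropped": verdicts.count("drop"),
            "quarantined": policy.quarantined, "log": policy.log}

if __name__ == "__main__":
    print(run_sample())
```

In the sample the sixth SYN within one second exceeds the threshold of 5, so the attacker is quarantined and its remaining SYNs are dropped, while the UDP burst is only logged and the legitimate client's SYN is accepted.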

Hardware acceleration

Hardware acceleration enhances protection and increases the efficiency of your network. FortiOS integrated Content Processors (CPs), Network Processors (NPs), and Security Processors (SPs) accelerate specialized security processing. DoS SYN proxy protection is built in to NP6 processors and many Fortinet Security Processors, like the CE4, XE2, and FE8, to guard against TCP SYN floods. TCP packets with the SYN flag are the most efficient DoS attack tool because of how communication sessions are initiated between systems. NP6 and SP processors can offload TCP SYN flood attack detection and blocking. The SP module increases a FortiGate unit’s capacity to protect against TCP SYN flood attacks while minimizing the effect of attacks on the FortiGate unit’s overall performance and the network performance. The result is improved capacity and overall system performance.

The FortiGuard Center

The FortiGuard Center shows information on all the most recent FortiGuard news, including information concerning zero-day research and hot intrusion detections. Research papers are also available that concern a variety of current security issues.

To view recent developments, go to http://www.fortiguard.com/static/intrusionprevention.html.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

IPv6 Neighbor Discovery Proxy

The following is an example configuration of a FortiGate using ND Proxy. Some of these configuration steps have been covered elsewhere, but are shown here to demonstrate how they all work together to achieve the desired effect.

Steps:

  • Create a zone for ND proxy use that includes the upstream and downstream interfaces.
  • Create policies to allow ICMPv6 and DHCPv6 traffic.
  • Enable ND Proxy on the interfaces.
  • Enable “autoconf” on the upstream interface.
  1. Add a zone including wan and lan.

It is possible to use firewall and multicast policies that don’t use a zone, but using a zone simplifies the configuration, especially if you have more than two interfaces.

    config system zone
        edit ndproxy_zone
            set interface wan lan
        end

  2. Add a forward firewall policy and a multicast policy to allow at least ICMPv6 and DHCPv6 traffic.

    config firewall multicast-policy6
        edit 0
            set srcintf ndproxy_zone
            set dstintf ndproxy_zone
            set srcaddr all
            set dstaddr all
        end

and

    config firewall policy6
        edit 0
            set srcintf ndproxy_zone
            set dstintf ndproxy_zone
            set srcaddr all
            set dstaddr all
            set action accept
            set schedule always
            set service ALL
        end

  3. Enable ND proxy on WAN and LAN.

    config system nd-proxy
        set status enable
        set member wan lan
    end

  4. Enable autoconf on the upstream interface.

Router advertisements (RAs) received on the other interface(s) will be dropped.

    config system interface
        edit wan
            …
            config ipv6
                set autoconf enable
            end
        end


IPv6 PIM sparse mode multicast routing

FortiOS supports PIM sparse mode multicast routing for IPv6 multicast (multicast6) traffic and is compliant with RFC 4601. You can use the following command to configure IPv6 PIM sparse multicast routing.

    config router multicast6
        set multicast-routing {enable | disable}
        config interface
            edit <interface-name>
                set hello-interval <1-65535 seconds>
                set hello-holdtime <1-65535 seconds>
            end
        config pim-sm-global
            config rp-address
                edit <index>
                    set ipv6-address <ipv6-address>
                end
        end
    end

The following diagnose commands for IPv6 PIM sparse mode are also available:

    diagnose ipv6 multicast status
    diagnose ipv6 multicast vif
    diagnose ipv6 multicast mroute


Configure hosts in an SNMP v1/2c community to send queries or receive traps

When you add a host to an SNMP v1/2c community you can now decide whether the FortiGate unit will accept queries from the host or whether the FortiGate unit will send traps to the host. You can also configure the host for both traps and queries. You can add up to 16 IPv4 hosts and up to 16 IPv6 hosts.

Use the following command to add two hosts to an SNMP community:

    config system snmp community
        config hosts
            edit 1
                set interface port1
                set ip 172.20.120.1
                set host-type query
            end
        config hosts6
            edit 1
                set interface port6
                set ip 2001:db8:0:2::30
                set host-type trap
            end
    end


Blocking IPv6 packets by extension headers

FortiOS can now block IPv6 packets based on the extension headers, using the CLI syntax: config firewall ipv6-eh-filter.

The following commands are now available:

  • set hop-opt {disable | enable}: Block packets with a Hop-by-Hop Options header.
  • set dest-opt {disable | enable}: Block packets with a Destination Options header.
  • set hdopt-type <integer>: Block specific Hop-by-Hop and/or Destination Option types (maximum 7 types, each between 0 and 255).
  • set routing {disable | enable}: Block packets with a Routing header.
  • set routing-type <integer>: Block specific Routing header types (maximum 7 types, each between 0 and 255).
  • set fragment {disable | enable}: Block packets with a Fragment header.
  • set auth {disable | enable}: Block packets with an Authentication header.
  • set no-next {disable | enable}: Block packets with a No Next header.
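How such a filter reaches its decision, as an added Python example rather than FortiOS code: it walks the extension-header chain of a raw IPv6 packet and reports which of the settings listed above would match. The policy values, the choice of option type 5 and routing type 0, and the three packets are constructed for illustration.

```python
"""Walk an IPv6 extension-header chain and apply ipv6-eh-filter-style settings.
Added example, not FortiOS code: parse_headers() decodes the chain of a raw IPv6
packet (RFC 8200 layouts); eh_filter() lists the block settings that would match.
Policy values and packets are constructed for illustration."""
import struct

HOP, ROUTING, FRAGMENT, AH, NO_NEXT, DEST = 0, 43, 44, 51, 59, 60
SETTING_FOR = {HOP: "hop-opt", DEST: "dest-opt", ROUTING: "routing",
               FRAGMENT: "fragment", AH: "auth", NO_NEXT: "no-next"}

def parse_options(data):
    """Option types in a Hop-by-Hop or Destination Options body (TLV encoded)."""
    types, i = [], 0
    while i < len(data):
        types.append(data[i])
        i += 1 if data[i] == 0 else 2 + data[i + 1]  # Pad1 is a lone byte, others are TLVs
    return types

def parse_headers(pkt):
    """[(header_type, details)] for each extension header after the 40-byte IPv6 header."""
    nxt, off, headers = pkt[6], 40, []
    while nxt in SETTING_FOR:
        if nxt == NO_NEXT:                   # nothing follows
            headers.append((NO_NEXT, {}))
            break
        if nxt == FRAGMENT:                  # fixed 8 bytes
            length, info = 8, {}
        elif nxt == AH:                      # length field counts 4-byte words minus 2
            length, info = (pkt[off + 1] + 2) * 4, {}
        elif nxt == ROUTING:                 # length field counts 8-byte units after the first
            length, info = (pkt[off + 1] + 1) * 8, {"routing_type": pkt[off + 2]}
        else:                                # Hop-by-Hop / Destination Options
            length = (pkt[off + 1] + 1) * 8
            info = {"option_types": parse_options(pkt[off + 2:off + length])}
        headers.append((nxt, info))
        nxt, off = pkt[off], off + length
    return headers

def eh_filter(headers, policy):
    """CLI setting names from `policy` that would block this header chain."""
    hits = []
    for kind, info in headers:
        if policy.get(SETTING_FOR[kind]) == "enable":
            hits.append(SETTING_FOR[kind])
        if kind in (HOP, DEST) and set(info["option_types"]) & set(policy.get("hdopt-type", [])):
            hits.append("hdopt-type")
        if kind == ROUTING and info["routing_type"] in policy.get("routing-type", []):
            hits.append("routing-type")
    return hits

def ipv6(next_header, payload):
    """Constructed 40-byte IPv6 header (hop limit 64, unspecified addresses) plus payload."""
    return struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64) + bytes(32) + payload

# Constructed policy mirroring the CLI: headers allowed except Type 0 routing headers,
# the Router Alert option (type 5) and packets whose chain ends in No Next Header.
POLICY = {"hop-opt": "disable", "dest-opt": "disable", "hdopt-type": [5], "routing": "disable",
          "routing-type": [0], "fragment": "disable", "auth": "disable", "no-next": "enable"}

# Constructed packets: Hop-by-Hop (Router Alert + PadN) -> Routing type 0 -> TCP
PKT_RH0 = ipv6(HOP, bytes([ROUTING, 0, 5, 2, 0, 0, 1, 0]) + bytes([6, 0, 0, 0, 0, 0, 0, 0]) + bytes(20))
PKT_FRAG = ipv6(FRAGMENT, bytes([17, 0, 0, 0, 0, 0, 0, 1]) + bytes(8))   # Fragment -> UDP
PKT_NONEXT = ipv6(DEST, bytes([NO_NEXT, 0, 1, 4, 0, 0, 0, 0]))           # Dest Options -> No Next
```

Note that a header type the walker does not recognise (for example ESP) ends the walk, which is why filters of this kind can only judge what precedes an encrypted payload.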

IPv6 IPS

IPv6 IPS signature scanning can be enabled by interface policy. Create a normal IPS sensor and assign it to the IPv6 interface policy.

    config firewall interface-policy6
        edit 1
            set interface "port1"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set service6 "ANY"
            set ips-sensor-status enable
            set ips-sensor "all_default"
        next
    end


IPv6 RSSO support

RADIUS Single Sign-On (RSSO) is supported in IPv6, but can only be configured in the CLI:

    config firewall policy6
        edit <id>
            set rsso enable
            set fall-through-unauthenticated enable
        end


RIPng — RIP and IPv6

RIP next generation, or RIPng, is the version of RIP that supports IPv6.

This is an example of a typical small network configuration using RIPng routing.

Your internal R&D network is working on a project for a large international telecom company that uses IPv6. For this reason, you have to run IPv6 on your internal network and you have decided to use only IPv6 addresses.

Your network has two FortiGate units running the RIPng dynamic routing protocol. Both FortiGate units are connected to the ISP router and the internal network. This configuration provides some redundancy for the R&D internal network enabling it to reach the internet at all times.

This section includes the following topics:

  • Network layout and assumptions
  • Configuring the FortiGate units system information
  • Configuring RIPng on FortiGate units
  • Configuring other network devices
  • Testing the configuration
  • Debugging IPv6 on RIPng

Network layout and assumptions

Basic network layout

All internal computers use RIP routing, so no static routing is required, and all internal computers use IPv6 addresses.

Where possible in this example, default values or the most general settings are used. This is intended to provide a simpler configuration that requires less troubleshooting.

In this example the routers, networks, interfaces used, and IP addresses are as follows:

RIP example network topology

  Network   Router    Interface & Alias    IPv6 address
  R&D       Router1   port1 (internal)     2002:A0B:6565:0:0:0:0:0
                      port2 (ISP)          2002:AC14:7865:0:0:0:0:0
            Router2   port1 (internal)     2002:A0B:6566:0:0:0:0:0
                      port2 (ISP)          2002:AC14:7866:0:0:0:0:0

Network topology for the IPv6 RIPng example

Assumptions

The following assumptions have been made concerning this example:

  • All FortiGate units have 5.0+ firmware, and are running factory default settings.
  • All CLI and web-based manager navigation assumes the unit is running in NAT/Route operating mode, with VDOMs disabled.
  • All FortiGate units have interfaces labeled port1 and port2 as required.
  • All firewalls have been configured for each FortiGate unit to allow the required traffic to flow across interfaces.
  • All network devices support IPv6 and are running RIPng.

Configuring the FortiGate units system information

Each FortiGate unit needs IPv6 enabled, a new hostname, and interfaces configured.

To configure system information on Router1 – web-based manager:

  1. Go to Dashboard.
  2. For Host name, select Change.
  3. Enter “Router1”.
  4. Go to System > Feature Visibility.
  5. Enable IPv6 and click Apply.
  6. Go to Network > Interfaces.
  7. Edit port1 (internal) interface.
  8. Set the following information, and select OK.
       Alias                  internal
       IP/Netmask             2002:A0B:6565::/0
       Administrative Access  HTTPS SSH PING
       Description            Internal RnD network
       Administrative Status  Up
  9. Edit port2 (ISP) interface.
  10. Set the following information, and select OK.
       Alias                  ISP
       IP/Netmask             2002:AC14:7865::/0
       Administrative Access  HTTPS SSH PING
       Description            ISP and internet
       Administrative Status  Up

To configure system information on Router1 – CLI:

    config system global
        set hostname Router1
        set gui-ipv6 enable
    end
    config system interface
        edit port1
            set alias internal
            set allowaccess https ping ssh
            set description "Internal RnD network"
            config ipv6
                set ip6-address 2002:a0b:6565::/0
            end
        next
        edit port2
            set alias ISP
            set allowaccess https ping ssh
            set description "ISP and internet"
            config ipv6
                set ip6-address 2002:AC14:7865::
            end
        end

To configure system information on Router2 – web-based manager:

  1. Go to Dashboard.
  2. For Host name, select Change.
  3. Enter “Router2”.
  4. Go to System > Feature Visibility.
  5. Enable IPv6 and click Apply.
  6. Go to Network > Interfaces.
  7. Edit port1 (internal) interface.
  8. Set the following information, and select OK.
       Alias                  internal
       IP/Netmask             2002:A0B:6566::/0
       Administrative Access  HTTPS SSH PING
       Description            Internal RnD network
       Administrative Status  Up
  9. Edit port2 (ISP) interface.
  10. Set the following information, and select OK.
       Alias                  ISP
       IP/Netmask             2002:AC14:7866::/0
       Administrative Access  HTTPS SSH PING
       Description            ISP and internet
       Administrative Status  Up

To configure system information on Router2 – CLI:

    config system global
        set hostname Router2
        set gui-ipv6 enable
    end
    config system interface
        edit port1
            set alias internal
            set allowaccess https ping ssh
            set description "Internal RnD network"
            config ipv6
                set ip6-address 2002:a0b:6566::/0
            end
        next
        edit port2
            set alias ISP
            set allowaccess https ping ssh
            set description "ISP and internet"
            config ipv6
                set ip6-address 2002:AC14:7866::
            end
        end

Configuring RIPng on FortiGate units

Now that the interfaces are configured, you can configure RIPng on the FortiGate units.

There are only two networks and two interfaces to include — the internal network, and the ISP network. There is no redistribution, and no authentication. In RIPng there is no specific command to include a subnet in the RIP broadcasts. There is also no information required for the interfaces beyond including their name.

As this is a CLI only configuration, configure the ISP router and the other FortiGate unit as neighbors. This was not part of the previous example as this feature is not offered in the web-based manager. Declaring neighbors in the configuration like this will reduce the discovery traffic when the routers start up.

Since RIPng is not supported in the web-based manager, this section will only be entered in the CLI.

To configure RIPng on Router1 – CLI:

    config router ripng
        config interface
            edit port1
            next
            edit port2
            end
        config neighbor
            edit 1
                set interface port1
                set ipv6 2002:a0b:6566::/0
            next
            edit 2
                set interface port2
                set ipv6 2002:AC14:7805::/0
            end
    end

To configure RIPng on Router2 – CLI:

    config router ripng
        config interface
            edit port1
            next
            edit port2
            end
        config neighbor
            edit 1
                set interface port1
                set ipv6 2002:a0b:6565::/0
            next
            edit 2
                set interface port2
                set ipv6 2002:AC14:7805::/0
            end
    end

Configuring other network devices

The other devices on the internal network all support IPv6, and are running RIPng where applicable. They only need to know the internal interface network addresses of the FortiGate units.

The ISP routers need to know the FortiGate unit information such as IPv6 addresses.

Testing the configuration

In addition to normal testing of your network configuration, you must also test the IPv6 part of this example.

For troubleshooting problems with your network, see the FortiOS Handbook Troubleshooting chapter.

Testing the IPv6 RIPng information

The following commands help you check that the RIPng information on your FortiGate units is correct. Comparing the output between devices will help you understand your network better and track down any problems.

diagnose ipv6 address list

View the local scope IPv6 addresses used as next-hops by RIPng on the FortiGate unit.

diagnose ipv6 route list

View the IPv6 addresses that are installed in the routing table.

get router info6 routing-table

View the routing table. This information is almost the same as the previous command (diagnose ipv6 route list); however, it is presented in an easier to read format.

get router info6 rip interface external

View brief output on the RIP information for the interface listed. The information includes if the interface is up or down, what routing protocol is being used, and whether passive interface or split horizon are enabled.

get router info6 neighbor-cache list

View the IPv6/MAC address mapping. This also displays the interface index and name associated with the address.

Debugging IPv6 on RIPng

The debug commands are very useful to see what is happening on the network at the packet level. There are a few changes to debugging the packet flow when debugging IPv6.

The following CLI commands specify both IPv6 and RIP, so only RIPng packets will be reported. The output from these commands will show you the RIPng traffic on your FortiGate unit including RECV, SEND, and UPDATE actions.

The addresses are in IPv6 format.

    diagnose debug enable
    diagnose ipv6 router rip level info
    diagnose ipv6 router rip all enable

These three commands will:

  • Turn on debugging in general
  • Set the debug level to information, a verbose reporting level
  • Turn on all RIP router settings

Part of the information displayed from the debugging is the metric (hop count). If the metric is 16, then that destination is unreachable since the maximum hop count is 15.

In general, you should see an update announcement, followed by the routing table being sent out, and a received reply in response.
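What the RECV/SEND/UPDATE debug lines are reporting, as an added Python example (not FortiOS code): a RIPng response packet (RFC 2080 layout) is decoded into its route table entries and metric 16 is flagged as unreachable. The packet is constructed here; its prefixes borrow the example network's addresses with an assumed /48 length, and the unreachable prefix and fe80::1 next hop are made up.

```python
"""Decode RIPng (RFC 2080) packets like those shown by `diagnose ipv6 router rip`.
Added example, not FortiOS code: it parses the route table entries (RTEs) of a
RIPng response and flags metric 16, which RIPng uses to mean "unreachable".
The sample packet is constructed from prefixes in the example network."""
import ipaddress
import struct

RTE_LEN = 20            # each route table entry is 20 bytes
INFINITY = 16           # hop count 16 marks an unreachable destination (15 is the maximum)
NEXT_HOP_MARKER = 0xFF  # an RTE with metric 0xFF carries the next hop for the RTEs that follow

def decode_ripng(data):
    """Return the command and a list of decoded routes from one RIPng packet."""
    command, version, must_be_zero = struct.unpack("!BBH", data[:4])
    if version != 1 or must_be_zero != 0 or (len(data) - 4) % RTE_LEN:
        raise ValueError("malformed RIPng packet")
    routes, next_hop = [], None
    for off in range(4, len(data), RTE_LEN):
        prefix, tag, plen, metric = struct.unpack("!16sHBB", data[off:off + RTE_LEN])
        addr = ipaddress.IPv6Address(prefix)
        if metric == NEXT_HOP_MARKER:
            # "::" as next hop means "use the sender's own link-local address"
            next_hop = None if addr == ipaddress.IPv6Address("::") else str(addr)
            continue
        routes.append({"prefix": f"{addr}/{plen}", "tag": tag, "metric": metric,
                       "next_hop": next_hop, "reachable": metric < INFINITY})
    return {"command": {1: "request", 2: "response"}.get(command, command), "routes": routes}

def rte(prefix, tag, metric):
    """Pack one RTE; prefix is an IPv6 network string such as "2002:a0b:6565::/48"."""
    net = ipaddress.IPv6Network(prefix)
    return struct.pack("!16sHBB", net.network_address.packed, tag, net.prefixlen, metric)

def next_hop_rte(address):
    """Pack a next-hop RTE (route tag 0, prefix length 0, metric 0xFF)."""
    return struct.pack("!16sHBB", ipaddress.IPv6Address(address).packed, 0, 0, NEXT_HOP_MARKER)

# Constructed RIPng response (command 2, version 1): a next-hop RTE followed by
# two reachable routes and one poisoned (unreachable) route.
SAMPLE_RESPONSE = (struct.pack("!BBH", 2, 1, 0)
                   + next_hop_rte("fe80::1")
                   + rte("2002:a0b:6565::/48", 0, 1)
                   + rte("2002:ac14:7865::/48", 0, 2)
                   + rte("2001:db8:dead::/48", 0, INFINITY))

def unreachable_prefixes(data):
    """Prefixes advertised with metric 16, i.e. withdrawn by the sender."""
    return [r["prefix"] for r in decode_ripng(data)["routes"] if not r["reachable"]]

if __name__ == "__main__":
    for route in decode_ripng(SAMPLE_RESPONSE)["routes"]:
        print(route)
```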
