Introduction
Product features
Architecture
Scope
What’s new
Documentation enhancements
Key concepts
Network behavior analysis (NBA)
Consequences of attacks
Distributed denial of service (DDoS) attacks
Strategies for protection
Firewalls
Router access control lists
Antivirus software
Application protection
Intrusion detection systems
Host-based intrusion detection and prevention systems
Content-based intrusion prevention systems
Network behavior analysis
Differences & similarities with conventional firewalls
Comparing FortiDDoS to conventional intrusion prevention systems (IPS)
Comparing FortiDDoS to conventional network behavior analysis (NBA)
Configuration workflow
Anomalies that FortiDDoS blocks
Continuous learning & adaptive threshold estimation
Thresholds for traffic
Traffic prediction
Fixed vs. adaptive thresholds
Configured minimum thresholds
Estimated thresholds
Adaptive limit
Hierarchical nature of protocols & implication on thresholds
Granularity of traffic, corresponding rates and thresholds
Benefits of granularity
Using ACLs to block known attacks
Proxy IP addresses
Analyzing, interpreting, & preventing attacks
Attack analysis workflow
Effects of crossing a threshold
Example 1: A network receives too many packets with a specified protocol
Example 2: Too many mail messages coming to an SMTP server
Example 3: A web server receives too many SYN packets
Example 4: A source has excessive concurrent connections
Reducing false positives
Events by layer
Analyzing attacks
Working with attack reporting
Why does FortiDDoS not report the destination for some types of attacks?
Why does FortiDDoS not report the source of a SYN flood?
Why does FortiDDoS report some attack events every 5 minutes instead of when they happen? Why does it not generate an audible alert or other type of alarm?
Service Protection Profiles (SPPs)
Benefits of virtualization
How to use the web UI
System requirements
URL for access
Permissions
Trusted hosts
Global web UI & CLI settings
Buttons, menus, & the displays
Deleting entries
Renaming entries
Shutdown
How to set up your FortiDDoS
Registering your FortiDDoS
Planning the network topology
Basic topology for FortiDDoS
Basic web hosting deployment
External bypass switches for maintenance & failover
Using an optical bypass switch with heartbeat
Configuring the optical bypass switch
Connecting the optical bypass switch to the network and FortiDDoS
Configuring MAC addresses for bypass switch heartbeat packets
Load balancing
Sandwich topology for load balancing
Switch configuration for load balancing using FortiSwitch
Traffic diversion
Traffic diversion using separate divert-from and inject-to routers
Traffic diversion using a single divert-from and inject-to router and a switch
Router & switch configuration for diversion
Setting thresholds for diverted traffic
Topology for synchronizing the configuration of two FortiDDoS appliances
Heartbeat link and synchronization
Data and configuration settings that are not synchronized by HA
Configuration settings
Log messages and generated reports
How HA chooses the active appliance
Configuring configuration synchronization
Feature availability in a one-way traffic configuration
Connecting to the web UI or CLI
Connecting to the web UI
Connecting to the CLI
Updating the firmware
Testing new firmware before installing it
Installing firmware
Updating firmware on an HA pair
Installing alternate firmware
Booting from the alternate partition
Changing the “admin” account password
Setting the system time & date
Configuring network interfaces, gateway, and DNS
Configuring the network interfaces
Adding a gateway
Configuring DNS settings
Enabling Internet Protocol version 6 (IPv6) support
Configuring the IPv6 prefix and prefix length settings
IPv6 prefix length
IPv6 prefix
Identifying IP addresses and subnets to protect (SPP creation)
SPP Policy configuration
SPP Policy rule priority
Default SPP
SPP and subnet names and IDs
Switching SPPs automatically
Create a service protection profile (SPP)
Creating an SPP for UDP traffic
Setting FortiDDoS to detection mode
Detection mode
Prevention mode
Customizing protection features for protected subnets
Preset access control
Access control lists (ACLs)
Blocking dark and bogon addresses
Specify addresses that can exceed thresholds (whitelist)
Blocking addresses from a specific geographic location, anonymous proxies, and satellite providers
Blocking specific protocols
Add addresses or locations to the global ACL
Access and tracking control for Service Protection Profiles
Allow or deny protocols and ports
Allow or deny URL
Allow or deny HTTP header field
Creating an IP address item to use with ACLs
Creating a service item to use with ACLs
Add an address or service to a profile’s ACL
Blocking a protocol for a specified subnet
FortiGuard IP Reputation Service
Enabling higher thresholds for proxy server IP addresses
Viewing the current list of proxy IP addresses
Do Not Track Policy list
SYN flood and zombie flood prevention
Configuring SYN flood mitigation feature controls
Configuring blocking periods
Configuring the adaptive limit
Testing your installation
Generating and reviewing a traffic statistics report
Generating a traffic statistics report
Viewing a traffic statistics report
Setting thresholds to system recommended values
System Recommendation options
Preparing to use System Recommendation
Thresholds that are not set by System Recommendation
Set thresholds to system recommended values
Monitoring attack statistics
Adjusting thresholds
Choosing threshold values
Avoiding disruptions while adjusting thresholds
Adjusting multiple thresholds at one time
Set to factory defaults (high values)
Set to a percentage of current thresholds
Set using Emergency Setup
Adjusting thresholds individually
Specifying Protocols, TCP Ports, and UDP Ports thresholds
Index numbers for URLs and HTTP header fields
ICMP type/code threshold and “Echo groping”
Backups
Backing up configuration
Restoring a previous configuration
Administrators
Restricting permissions
Changing an administrator’s password
Service Protection Profile settings
Setting penalty factors
Set the mandatory HTTP header count
Configuring TCP session feature control
Configuring aggressive aging feature controls
Tracking slow data connections that FortiDDoS has aged out
MAC address for aggressive aging
Advanced/optional system settings
Changing the FortiDDoS appliance’s host name
Global Settings dialog box
Configuring bypass mode
Configuring link down synchronization or link state propagation
Configuring HTTP anomaly features
Certificate configuration
Generating a certificate signing request
Uploading a certificate
How to export/back up certificates & private keys
Monitoring attack activity and other system information
The dashboard
System Information widget
License Information widget
CLI Console widget
SPP Attacks widget
Event Log Console widget
System Status widget
Count of Unique Sources widget
System Resources widget
Traffic graphs
Dropped and blocked traffic statistics
Aggregate drops
Typical packet traffic graph
Working with graphs: Aggregate Flood Drops
Working with graphs: Aggregate ACL Drops
Traffic graphs for other counts
Port Statistics graphs
My Graphs
Specific Graphs
Aggregate Flood Drops graphs
Aggregate Flood Drops graph (all layers)
Layer 3 Aggregate Flood Drops graph
Layer 4 Aggregate Flood Drops graph
Layer 7 Aggregate Flood Drops graph
Aggregate ACL Drops graphs
Aggregate ACL Drops graph (all layers)
Layer 3 Aggregate ACL Drops graph
Layer 4 Aggregate ACL Drops graph
Layer 7 Aggregate ACL Drops graph
Anomaly Drops graphs
Layer 3 Anomaly Drops graph
Layer 4 Header Anomalies drop graph
TCP State Anomalies drop graph
HTTP Header Anomalies drop graph
Hash Attack Drops and Out of Memory Drops graphs
Layer 3 graphs
Layer 4 graphs
Layer 7 graphs
Logging
DDoS Attack Log and DDoS Subnet Attack Log
Backing up the DDoS attack log
Deleting DDoS attack log events
Accessing the DDoS attack log using SQL
System event logs & logging
System event log severity levels
Configuring system event logging
Selecting which system events to log
Configuring logging to a remote logging server
Viewing log messages
Displaying & arranging log columns
Filtering log messages
Alert email
SNMP traps & queries
Configuring SNMP settings for system alarms and event messages
Configuring SNMP settings for attack log messages
MIB support
Reports
Viewing report information on a dashboard (Executive Summary)
Configuring a report
Customizing the report’s headers, footers, & logo
Restricting the report’s scope
Choosing the type & format of a report profile
DDoS Attack Activity report types
Scheduling reports
Selecting the report’s file type & email delivery
Viewing & downloading generated reports
Attack Graphs dashboard
Diagnostics
TCP session statistics
Source statistics
Troubleshooting
Solutions by issue type
Connectivity issues
Checking hardware connections
Data path connectivity
Verifying the path between client and server
Testing data path routes & latency with traceroute
Management network interface connectivity
Checking routing
Examining the routing table
Resource issues
Login issues
When an administrator account cannot log in from a specific IP
Resetting profile data or the appliance configuration
Restoring firmware (“clean install”)
Appendix A: Port numbers
Appendix B: Switch & router configuration
Switch configuration for load balancing
Configuring the routers & switch for traffic diversion
Router configuration
Switch configuration