Introduction
Product features
Deployment topology
Scope
What’s New
Key Concepts
DDoS attack overview
DDoS mitigation techniques overview
Firewalls
Router access control lists
Antivirus software
Application protection
Intrusion detection systems
Network behavior analysis
FortiDDoS compared with conventional firewalls
FortiDDoS compared with conventional intrusion prevention systems
FortiDDoS compared with conventional network behavior analysis
Understanding FortiDDoS rate limiting thresholds
Granular monitoring and rate limiting
Source tracking table
Destination tracking table
Continuous learning and adaptive thresholds
Traffic prediction
Configured minimum thresholds
Estimated thresholds
Adaptive limit
Adjustments for proxy IP addresses
Packet count multipliers applied to traffic associated with an attack
Hierarchical nature of protocols and implication on thresholds
Using FortiDDoS ACLs
Understanding FortiDDoS protocol anomaly protection
TCP/IP anomalies
TCP session state anomalies
HTTP anomalies
Understanding FortiDDoS Detection Mode
Understanding FortiDDoS Prevention Mode
SYN flood mitigation mode
Aggressive aging
Slow connection attacks
Rate anomalies and aggressive aging
Idle connections and aggressive aging
Rate limiting
Blocking
Example 1: Too many packets with a specified protocol
Example 2: Too many mail messages to an SMTP server
Example 3: Too many SYN packets to a web server
Example 4: Too many concurrent connections from a single source
Reducing false positives
Understanding FortiDDoS Asymmetric Mode
Using FortiDDoS SPPs
Working with the FortiDDoS Monitor graphs
Working with the FortiDDoS attack log
A typical workflow for investigating FortiDDoS attack events
Step 1: Identifying the destination and source
Step 2: Identifying the type of attack
Step 3: Identify the attack size
Step 4: Analyze attack parameters in each OSI layer
Getting Started
Step 1: Install the appliance
Step 2: Configure the management interface
Step 3: Configure basic network settings
Step 4: Test connectivity to protected servers
Step 5: Complete product registration, licensing, and upgrades
Step 6: Deploy the system in Detection Mode
Step 7: Generate traffic statistics and set the configured minimum thresholds
Step 8: Monitor the system and become familiar with logs and reports
Step 9: Deploy the system in Prevention Mode
Step 10: Back up the configuration
Global Settings
Configuring SPP policy settings
SPP basics
SPP configuration overview
Configuring SPP IDs
Configuring the SPP switching policy
Configuring an SPP policy
Configuring global settings
Configuring HTTP service port settings
Configuring IP reputation settings
Configuring proxy IP settings
Configuring address objects for global ACLs
Configuring Local addresses
Configuring IPv4 addresses
Configuring IPv6 addresses
Configuring Geolocation addresses
Configuring a Do Not Track policy
Configuring a global ACL policy
Using the global ACL to block dark and bogon addresses
Using a whitelist to reduce false positives
Configuring a global ACL policy
Configuring a distress ACL to block protocol traffic to a destination subnet
Configuring a bypass MAC address list
Using the preset anomaly detection setting
Protection Profiles
Configuring SPP settings
Managing baseline traffic statistics
Baseline traffic statistics overview
Generating baseline traffic statistics
Displaying baseline traffic statistics
Managing thresholds
Using system recommended thresholds
Modifying threshold settings
Restoring factory default threshold settings
Adjusting minimum thresholds by percentage
Configuring an emergency setup
Configuring SPP ACL address objects
Configuring SPP ACL service objects
Configuring an SPP ACL policy
Performing a factory reset of SPP settings
FAQ: SPP Settings
Service Ports
How does FortiDDoS identify UDP services?
Using Traffic Monitor Graphs
Monitor graphs overview
Using the Port Statistics graphs
Using the Aggregate Drops graph
Using the Flood Drops graphs
Using the Flood Drops Aggregate graphs
Using the Flood Drops Layer 3 graphs
Using the Flood Drops Layer 4 graphs
Using the Flood Drops Layer 7 graphs
Using the ACL Drops graphs
Using the ACL Drops Aggregate graphs
Using the ACL Drops Layer 3 graphs
Using the ACL Drops Layer 4 graphs
Using the ACL Drops Layer 7 graphs
Using the Anomaly Drops graphs
Using the Anomaly Drops Aggregate graph
Using the Anomaly Drops Layer 3 Anomalies graph
Using the Anomaly Drops Layer 4 Header Anomalies graph
Using the Anomaly Drops TCP State Anomalies graph
Using the Anomaly Drops HTTP Header Anomalies graph
Using the Hash Attack Drops graphs
Using the Out of Memory Drops graphs
Using the Layer 3 graphs
Using the Layer 4 graphs
Using the Layer 7 graphs
Using Logs and Reports
Logs and reports overview
Configuring local log settings
Configuring remote log server settings for event logs
Configuring remote log server settings for the DDoS attack log
Using FortiAnalyzer to collect DDoS attack logs
Configuring SNMP for system event reporting
Configuring SNMP trap receivers for DDoS attack reporting
Configuring alert email settings
Configuring log purge settings
Using the Event Log table
Using the DDoS Attack Log table
Downloading collected logs
Using SQL to query the DDoS Attack Log
Configuring reports
Configuring report purge settings
Using the report browser
Using the System Status dashboard
Customizing the dashboard
System Information portlet
License Information portlet
System Status portlet
System Resources portlet
CLI Console portlet
Top SPPs with Denied Packets portlet
Top Attacked SPPs portlet
Unique Sources portlet
Event Log Console portlet
Using the Executive Summary dashboard
Using the Attack Graph dashboard
Using the Session Diagnostic report
Using the Source Diagnostics report
FAQ: Logs and Reports
Attack log
Why is destination not reported for some types of attacks?
Why is source not reported for a SYN flood?
Why are some attack events not reported in real time?
Reports
Where can I find information about the attack types listed in reports?
Why do I see records for SPP-0 in a report filtered by SPP-1?
System Management
Configuring network interfaces
Configuring DNS
Configuring static routes
Configuring RADIUS authentication
Managing administrator users
Administrator user overview
Configuring access profiles
Creating administrator users
Changing user passwords
Configuring administration settings
Viewing the local certificate
Backing up and restoring the configuration
Updating firmware
Upgrade considerations
Updating firmware using the web UI
Updating firmware using the CLI
Downgrading firmware
Configuring system time
Configuring the hostname
Rebooting, shutting down, and resetting the system
Rebooting the system
Shutting down the system
Resetting the system
Basic and Advanced Network Topologies
Basic enterprise deployment
Basic multi-tenant deployment
Built-in bypass
External bypass
Using an optical bypass switch
Configuring the optical bypass switch
Connecting the optical bypass switch to the network and FortiDDoS
Configuring MAC addresses for bypass switch heartbeat packets
Tap Mode deployments
Load balancing
Sandwich topology for load balancing
Switch configuration for load balancing using FortiSwitch
Traffic diversion deployment
Traffic diversion using separate divert-from and inject-to routers
Traffic diversion using a single divert-from and inject-to router and a switch
Router and switch configuration for diversion
Setting thresholds for diverted traffic
High Availability Deployments
HA feature overview
HA system requirements
HA synchronization
Configuring HA settings
Monitoring an HA cluster
Updating firmware on an HA cluster
Deploying an active-passive cluster
Overview
Basic steps
Best practice tips
Troubleshooting
Troubleshooting case: Adjusting time to failover
Troubleshooting case: Both cluster members appear as main
Troubleshooting
Logs
Tools
execute commands
diagnose commands
Special Fortinet Support commands
execute backup diag_info
execute backup hw_reg
get system sensors
Solutions by issue type
Connectivity issues
Checking hardware connections
Data path connectivity
Verifying the path between client and server
Testing data path routes and latency with traceroute
Checking routing
Examining the routing table
Trouble with IPv6 settings
Resource issues
Resetting profile data or the system configuration
Restoring firmware (“clean install”)
Additional resources
Appendix A: Management Information Base (MIB)
Appendix B: Port Numbers
Appendix C: Switch and Router Configuration
Switch configuration for load balancing
Configuring the routers & switch for traffic diversion
Router configuration
Switch configuration