Protection Profiles : Configuring SPP ACL service objects
 
Configuring SPP ACL service objects
You configure service objects to identify the services that you want to match in SPP ACL policies.
Before you begin:
You must have Read-Write permission for Protection Profile settings.
To configure service objects:
1. Go to Protection Profiles > Service > Service Config.
2. Select the SPP you want to configure from the drop-down list.
3. Click Add to display the configuration editor.
4. Complete the configuration as described in Table 33.
5. Save the configuration.
 
Table 33: Service object configuration

Setting: Fragment
Parameters: Fragment
Guidelines: No parameters. If you configure an ACL rule to match the Fragment service object, you are creating a rule to deny or accept fragmented packets.
Some Internet technologies, such as multimedia streaming, rely on fragmentation. Make sure you understand your network and its packet behavior before you use ACLs for fragmented packets.

Setting: Protocol
Parameters: Protocol Start / End
Guidelines: When you configure a service object for protocols, you enter a range, even if you are specifying a single protocol. For example, to configure a service object for protocol 6, enter 6 for both Protocol Start and Protocol End.
Networks use some protocols, such as ICMP (1), TCP (6), and UDP (17), ubiquitously; a deny rule on one of them affects far more than a single service. Make sure you understand your network and its packet behavior before you use ACLs for protocols.

Setting: TCP Port
Parameters: Port Start / End
Guidelines: When you configure a service object for ports, you enter a range, even if you are specifying a single port. For example, to configure a service object for port 8080, enter 8080 for both Port Start and Port End.

Setting: UDP Port
Parameters: Port Start / End
Guidelines: When you configure a service object for ports, you enter a range, even if you are specifying a single port. For example, to configure a service object for port 53, enter 53 for both Port Start and Port End.
The user interface label for the ACL service setting shows "Destination Port." This is misleading. Beginning with release 4.1.6, the UDP service is identified when either the source or the destination port is a well-known port (0-1023) as assigned by IANA. When you specify a well-known service port, for example port 53 for DNS, the system identifies the service if either the source or the destination port is 53.
However, we recommend that you do not use an ACL for DNS. If you use an ACL policy to deny port 53, you deny all DNS traffic in the direction specified in your rule. If you want to deny inbound DNS service to an SPP, but the SPP has internal clients making outbound DNS queries to resolve addresses, do not use the ACL: the inbound DNS responses to those queries carry source port 53 and would be dropped as well. Instead, use the SPP thresholds to rate limit inbound DNS.

Setting: ICMP Types/Code
Parameters: ICMP Type/Code Start / End
Guidelines: The header of an Internet Control Message Protocol packet includes an 8-bit type field followed by an 8-bit code field. Read together, with the type in the high byte and the code in the low byte, the two fields form a value that can be written as a hexadecimal number (for example, an echo request, type 8 code 0, is 0x0800).

Setting: URL, Host, Referer, Cookie, User Agent
Parameters: HTTP-Param
Guidelines: A matching value for the selected URL or HTTP header.
When you create a service that specifies a URL to allow or deny, enter only the path, that is, the text that follows the scheme and host name. For example, if you enter http://www.website.com/index.html in a browser to access a specific URL, enter /index.html.
Because the number of possible URLs is unbounded, FortiDDoS stores these values in a hash table with up to 32,767 hash indexes. If two or more URLs hash to the same index, the most recent URL overwrites the earlier ones in the URL field. However, all of the URLs still count toward the threshold and maximum packet rate calculations for that index, and all URLs that hash to a blocked index are denied. Similarly, if an attack is detected on a hash index, all URLs that hash to that index are dropped, including legitimate ones that merely collide with the attacked URL.
You can accept or deny traffic by specifying the following HTTP header field types: Host, Referer, Cookie, and User-Agent. This is useful when a specific hash index is under attack. FortiDDoS allows the source to establish the TCP connection with the server. However, when FortiDDoS detects the specified hash index, it denies the packet and sends an RST packet to the server to aggressively age the connection. The appliance treats all subsequent packets from the source on that TCP connection as foreign packets and blocks the source for the specified blocking period.
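The matching semantics in Table 33 are easier to reason about in code. The following is an added example written for this page, not FortiDDoS code: it models service objects as ranges (start equal to end for a single value), Fragment matching, protocol and TCP/UDP destination-port ranges, and the release 4.1.6 rule that a UDP object in the well-known port range also matches on the source port. Everything else is an assumption that the page does not state: TCP objects and UDP ports above 1023 match the destination port only, ICMP type/code is compared as a 16-bit value (type in the high byte), and the first matching ACL rule decides with a default of accept. The packets are constructed sample data. The dns_deny_demo function reproduces the DNS caveat: a deny on UDP/53 also drops the inbound responses to an internal client's queries.

```python
"""Simulated SPP ACL service-object matching (added example, not FortiDDoS code)."""
from dataclasses import dataclass
from typing import List, Tuple

ICMP, TCP, UDP = 1, 6, 17


@dataclass(frozen=True)
class Packet:
    """Constructed sample packet; only the fields the ACL looks at."""
    proto: int
    src_port: int = 0
    dst_port: int = 0
    fragment: bool = False
    icmp_type: int = 0
    icmp_code: int = 0


@dataclass(frozen=True)
class ServiceObject:
    name: str
    kind: str          # fragment | protocol | tcp-port | udp-port | icmp-type-code
    start: int = 0     # range start; a single value is entered as start == end
    end: int = 0

    def matches(self, pkt: Packet) -> bool:
        if self.kind == "fragment":
            return pkt.fragment
        if self.kind == "protocol":
            return self.start <= pkt.proto <= self.end
        if self.kind == "tcp-port":
            # Assumption: TCP objects are matched on the destination port only.
            return pkt.proto == TCP and self.start <= pkt.dst_port <= self.end
        if self.kind == "udp-port":
            if pkt.proto != UDP:
                return False
            if self.start <= pkt.dst_port <= self.end:
                return True
            # Well-known port (0-1023): the service is also recognised on the
            # source port (release 4.1.6+), so a deny on 53 hits DNS responses.
            # Assumption: ports above 1023 are matched on the destination only.
            return self.end <= 1023 and self.start <= pkt.src_port <= self.end
        if self.kind == "icmp-type-code":
            # Assumption: type in the high byte, code in the low byte (0x0800 = echo request).
            value = (pkt.icmp_type << 8) | pkt.icmp_code
            return pkt.proto == ICMP and self.start <= value <= self.end
        raise ValueError(f"unknown service object type: {self.kind}")


Rule = Tuple[ServiceObject, str]   # (service object, "accept" or "deny")


def apply_acl(rules: List[Rule], pkt: Packet, default: str = "accept") -> str:
    """Assumption: the first matching rule decides; unmatched traffic is accepted."""
    for svc, action in rules:
        if svc.matches(pkt):
            return action
    return default


def dns_deny_demo() -> Tuple[str, str]:
    """Deny inbound UDP/53 and show that an inbound DNS *response* is dropped too."""
    deny_dns = (ServiceObject("dns", "udp-port", 53, 53), "deny")
    inbound_query = Packet(UDP, src_port=41234, dst_port=53)   # outsider querying the SPP
    inbound_reply = Packet(UDP, src_port=53, dst_port=51000)   # resolver answering an internal client
    return apply_acl([deny_dns], inbound_query), apply_acl([deny_dns], inbound_reply)


if __name__ == "__main__":
    print(dns_deny_demo())   # ('deny', 'deny'): the reply traffic is collateral
```

The second element of dns_deny_demo's result is the reason the page steers you toward SPP thresholds for DNS: the ACL has no way to say "deny queries but keep responses", because the service is identified by the well-known port in either direction.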
 
 
To configure with the CLI, use a command sequence similar to the following:
config spp
    edit <spp_name>
        config ddos spp service
            edit <service_name>
                set type {fragment | protocol | tcp-port | udp-port | icmp-type-code | url | host | referer | cookie | user-agent}
                [set protocol-start <int_start>]
                [set protocol-end <int_end>]
                [set tcp-port-start <int_start>]
                [set tcp-port-end <int_end>]
                [set udp-port-start <int_start>]
                [set udp-port-end <int_end>]
                [set icmp-type <integer>]
                [set icmp-code <integer>]
                [set http-param <http_para_str>]
            next
        end
    next
end
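The URL/HTTP-Param row of Table 33 describes a failure mode worth seeing concretely: URLs are hashed into at most 32,767 indexes, and an ACL deny or attack detection applies to the index, not the URL. The following is an added example written for this page, not FortiDDoS code. The appliance's hash function is not documented here, so zlib.crc32 modulo 32,767 is an assumed stand-in; the UrlTable class and the /article/N paths are constructed for illustration. It finds two distinct paths that share an index, shows that the later one overwrites the displayed URL while both still count toward the index, and that blocking one drops the other.

```python
"""URL hash-index collisions for the URL service object (added example, not FortiDDoS code)."""
import zlib
from typing import Dict, Optional, Set, Tuple

HASH_INDEXES = 32767   # the page's upper bound on hash indexes


def url_index(path: str) -> int:
    """Assumed hash function; only the bucket count comes from the page."""
    return zlib.crc32(path.encode("utf-8")) % HASH_INDEXES


class UrlTable:
    """Constructed model of the per-index bookkeeping the page describes."""

    def __init__(self) -> None:
        self.stored: Dict[int, str] = {}    # index -> most recently seen URL (display only)
        self.packets: Dict[int, int] = {}   # index -> packets counted toward thresholds
        self.blocked: Set[int] = set()      # indexes under an ACL deny or attack block

    def observe(self, path: str) -> int:
        idx = url_index(path)
        self.stored[idx] = path                              # later URL overwrites the shown one
        self.packets[idx] = self.packets.get(idx, 0) + 1     # but every URL still counts
        return idx

    def block(self, path: str) -> None:
        """Deny the index this URL hashes to, as an ACL rule or attack detection would."""
        self.blocked.add(url_index(path))

    def is_dropped(self, path: str) -> bool:
        return url_index(path) in self.blocked


def find_collision(limit: int = HASH_INDEXES + 1) -> Optional[Tuple[str, str]]:
    """Return two distinct constructed paths sharing an index; pigeonhole guarantees one."""
    seen: Dict[int, str] = {}
    for i in range(limit):
        path = f"/article/{i}"
        idx = url_index(path)
        if idx in seen:
            return seen[idx], path
        seen[idx] = path
    return None


def collision_demo() -> dict:
    """Block one URL and show an unrelated colliding URL is dropped as collateral."""
    first, second = find_collision()
    table = UrlTable()
    table.observe(first)
    table.observe(second)
    table.block(first)                      # attack on, or ACL deny of, the first URL
    idx = url_index(first)
    return {
        "first": first,
        "second": second,
        "same_index": idx == url_index(second),
        "displayed": table.stored[idx],     # only the later URL is visible in the URL field
        "counted": table.packets[idx],      # both packets counted toward the index
        "second_dropped": table.is_dropped(second),
    }


if __name__ == "__main__":
    print(collision_demo())
```

With roughly 32,000 buckets a collision typically appears after a few hundred distinct paths, so on a busy site this is not a theoretical concern: before denying a URL by ACL, check what else resolves to the same index in the appliance's own reporting.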