Configuring a global ACL policy
This section describes usage and configuration steps for the global access control list (ACL) policy. It includes the following information:
“Using the global ACL to block dark and bogon addresses”
“Using a whitelist to reduce false positives”
“Configuring a global ACL policy”
“Configuring a distress ACL to block protocol traffic to a destination subnet”
Using the global ACL to block dark and bogon addresses
A bogon is an informal name for an IP packet on the public Internet that claims to be from an area of the IP address space that is reserved but not yet allocated or delegated by the Internet Assigned Numbers Authority (IANA) or a delegated Internet registry. The areas of unallocated address space are called “bogon space” or “dark address space”.
The term “bogon” stems from hacker jargon, where it is defined as the quantum of “bogosity”, or the property of being bogus. A bogon packet is frequently bogus both in the conventional sense of being forged for illegitimate purposes, and in the hackish sense of being incorrect, absurd, and useless.
In a private network, this means that private addresses the enterprise has not assigned should never appear as a source or destination. For example, if an enterprise uses only the 192.168.3.x range within its private domain, then any other private addresses, such as 192.168.1.x, 192.168.2.x and 192.168.4.x through 192.168.254.x, are illegal there. Traffic from or to these addresses usually indicates stealth activity, most often scanning by worms.
In a public network, this means that no bogon prefix should appear as a source or destination. A bogon prefix is a route that should never appear in the Internet routing table. A packet routed over the public Internet (not including over VPN or other tunnels) should never have a source address in a bogon range. Bogon source addresses are commonly found in DDoS attacks, because the attacker spoofs them.
Bogon prevention is a component of anti-spoofing. The following site is informative:
http://www.cymru.com/Documents/bogon-dd.html
You can configure FortiDDoS to block these types of addresses by adding them to its global ACL policy or to the SPP ACL policy.
Examples:
To deny spoofed packets arriving from the Internet with a source address in 192.168.x.x, create an address object and global ACL rule to block 192.168.0.0/16.
To deny spoofed outbound packets (that is, packets with source addresses that do not belong to your inside LAN) carrying the private source range 172.16.x.x, create an address object and global ACL rule to block 172.16.0.0/16.
To deny the address range 10.x.x.x altogether because it is "dark" both inside and outside your network, create an address object and global ACL rule to block 10.0.0.0/8.
Using a whitelist to reduce false positives
You can create a whitelist that includes IP addresses that are known to be acceptable, even if they exceed set thresholds. For example, devices that perform backups have a high traffic profile because they need to establish many connections or send a large number of packets to perform their tasks.
FortiDDoS does not track connections for items that are allowed by the global ACL. However, it does track the source and associated traffic for items that are configured as Track & Allow in the SPP ACL.
Configuring a global ACL policy
The global ACL policy establishes allow and deny rules for traffic based on source IP address.
Packets from IP addresses that are denied or allowed by ACLs do not affect the statistics for continuous learning for source addresses. However, other characteristics of the packets, such as protocols and ports, are included in the corresponding statistics.
Information about packets denied by the global ACL policy is reported in the following graphs and reports:
Graphs (Monitor > ACL Drops > Layer 3, Monitor > Layer 3 > Address Denied)
Executive Summary dashboard (Log & Report > Report Browse > Executive Summary)
Reports (Log & Report > Report Configuration > Report Configuration)
Before you begin:
You must have configured address objects that you want to match in policy rules. See “Configuring address objects for global ACLs”.
You must have Read-Write permission for Global Settings.
To configure a global ACL policy:
1. Go to Global Settings > Access Control List > [Access Control List | Access Control List IPv6].
2. Click Add to display the configuration editor.
3. Complete the configuration as described in Table 24.
4. Save the configuration.
Table 24: Access control list configuration
Setting | Guidelines
Name | Configuration name. Must not contain spaces.
Source address | Select an address object.
Action | Deny: Block traffic matching the address object. Accept: Allow the traffic. You can add accept rules for only one address at a time; you cannot select an address object that is a subnet address. Note: The action for Geolocation source addresses depends on the Geolocation Policy option on the Global Settings > Settings page. The user interface restricts the action you can specify here to the one that is logical given that setting.
To configure with the CLI, use a command sequence similar to the following:
config ddos global {acl | acl6}
edit <entry_index>
set source-address <address_name>
set action {accept | deny}
end
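The following Python model is an added example, not FortiDDoS code. It ties together the private-network "dark space" case from the bogon section (an enterprise that uses only 192.168.3.0/24 denies the rest of 192.168.0.0/16) and the Table 24 constraints on global ACL rules (accept rules are limited to a single address). Assumptions not stated on the page: an address object is one name bound to one IPv4 network, rules are checked in index order with the first match winning, and a packet matching no rule continues to SPP processing (returned as "pass"). The address objects, rule names and packet sources are constructed for the example.

```python
"""Model of the FortiDDoS global ACL: allow/deny by source address.

Added example, not FortiDDoS code. Assumptions: an address object is a
name bound to one IPv4 network, rules are checked in index order and the
first match wins, and a packet matching no rule continues to SPP
processing ("pass" below). All names, objects and packets are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


def dark_space(allocated, in_use):
    """Return the prefixes of `allocated` that are not covered by `in_use`.

    Models the private-network case: an enterprise that only uses
    192.168.3.0/24 can deny every other prefix of 192.168.0.0/16 as dark.
    """
    return sorted(IPv4Network(allocated).address_exclude(IPv4Network(in_use)))


@dataclass(frozen=True)
class AclRule:
    index: int
    source_address: str   # name of an address object
    action: str           # "accept" or "deny"


# Constructed address objects (name -> network).
ADDRESS_OBJECTS = {
    "rfc1918-172-16": IPv4Network("172.16.0.0/16"),
    "rfc1918-10": IPv4Network("10.0.0.0/8"),
    "backup-host": IPv4Network("203.0.113.10/32"),   # single host in a documentation range
}
# Inside the enterprise only 192.168.3.0/24 is legitimate; deny the rest.
for _i, _net in enumerate(dark_space("192.168.0.0/16", "192.168.3.0/24")):
    ADDRESS_OBJECTS["dark-192-%d" % _i] = _net


def validate_rule(rule, address_objects=ADDRESS_OBJECTS):
    """Apply the Table 24 constraints and return the rule's network."""
    if rule.action not in ("accept", "deny"):
        raise ValueError("action must be accept or deny: %r" % rule.action)
    net = address_objects[rule.source_address]
    # Accept rules are limited to one address; a subnet object is rejected.
    if rule.action == "accept" and net.num_addresses != 1:
        raise ValueError("accept rules need a single-address object, got %s" % net)
    return net


def evaluate(src_ip, rules, address_objects=ADDRESS_OBJECTS):
    """Return (action, rule_index) of the first matching rule, or ("pass", None)."""
    src = IPv4Address(src_ip)
    for rule in sorted(rules, key=lambda r: r.index):
        if src in validate_rule(rule, address_objects):
            return rule.action, rule.index
    return "pass", None


def build_example_acl():
    """Whitelist the backup host, then deny the bogon/dark ranges."""
    rules = [AclRule(1, "backup-host", "accept"),
             AclRule(2, "rfc1918-172-16", "deny"),
             AclRule(3, "rfc1918-10", "deny")]
    dark_names = [n for n in ADDRESS_OBJECTS if n.startswith("dark-192-")]
    for i, name in enumerate(dark_names):
        rules.append(AclRule(10 + i, name, "deny"))
    return rules


# Constructed packets: source addresses seen at the network edge.
SAMPLE_SOURCES = ["203.0.113.10", "192.168.3.7", "192.168.4.1",
                  "10.20.30.40", "172.16.9.9", "198.51.100.25"]

if __name__ == "__main__":
    acl = build_example_acl()
    for src in SAMPLE_SOURCES:
        print("%-15s -> %s" % (src, evaluate(src, acl)))
```

The whitelist rule is placed first so the backup host is accepted before any deny rule is consulted; swapping the order would make a broad deny shadow it, which is the kind of mistake the Table 24 single-address restriction is meant to keep small.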
Configuring a distress ACL to block protocol traffic to a destination subnet
In some cases, it is expedient to configure the system to block specific protocols to a specified destination subnet (regardless of SPP). For example, to prevent large-scale, brute force attacks using UDP or ICMP, you can use the distress ACL to block protocol traffic to a specified destination subnet. This ACL is enforced before SPP processing.
Drops based on the distress ACL are not included in traffic graphs or reports.
You cannot use the Web UI to configure the distress ACL. You must use the CLI.
To block a protocol for a specified destination subnet:
Enter the following commands (repeat the edit block once per entry):
config ddos global distress-acl
edit <entry_index>
set ip-netmask <destination_address_ipv4mask>
set protocol <protocol_int>
next
edit <entry_index>
set ip-netmask <destination_address_ipv4mask>
set protocol <protocol_int>
end
<entry_index> is the index number of the entry in the ACL. The distress ACL holds a maximum of 512 entries.
<destination_address_ipv4mask> is a dotted-decimal IPv4 address and netmask separated by a space, such as 192.168.1.99 255.255.255.0, that specifies the destination subnet to which the restriction applies.
<protocol_int> is the IP protocol number (for example, 1 for ICMP, 17 for UDP).
To restore access for all protocols and subnets by removing every distress ACL entry:
1. Enter the following commands:
config ddos global distress-acl
purge
The following message is displayed.
This operation will clear all table!
Do you want to continue? (y/n)
2. Enter y (yes).
To restore access for a protocol to a specified subnet:
Enter the following commands:
config ddos global distress-acl
edit <entry_index>
unset ip-netmask
unset protocol
end
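The following Python model is an added example, not FortiDDoS code. It models the distress ACL commands above: indexed entries that each hold an IPv4 address with a dotted-decimal netmask and an IP protocol number, a table limit of 512 entries, purge to empty the table, and unset to disable one entry. Lookup order among entries and the internal representation are assumptions; the sample packets are constructed.

```python
"""Model of the FortiDDoS distress ACL: drop one protocol to a destination subnet.

Added example, not FortiDDoS code. Entry format, the 512-entry limit, purge
and unset follow the CLI description; evaluation order is an assumption.
"""
from ipaddress import IPv4Address, IPv4Network

MAX_ENTRIES = 512                              # limit stated in the documentation
PROTO_ICMP, PROTO_TCP, PROTO_UDP = 1, 6, 17    # IANA IP protocol numbers


def parse_ip_netmask(text):
    """Parse '<addr> <mask>' as typed in 'set ip-netmask' into an IPv4Network.

    strict=False lets an entry such as '192.168.1.99 255.255.255.0' stand
    for the subnet 192.168.1.0/24 that contains the given address.
    """
    addr, mask = text.split()
    return IPv4Network((addr, mask), strict=False)


class DistressAcl:
    def __init__(self):
        self._entries = {}   # entry index -> (IPv4Network, protocol number)

    def set_entry(self, index, ip_netmask, protocol):
        """'edit <index>', 'set ip-netmask ...', 'set protocol ...'."""
        if not 0 <= protocol <= 255:
            raise ValueError("protocol must be an IP protocol number 0-255")
        if index not in self._entries and len(self._entries) >= MAX_ENTRIES:
            raise ValueError("distress ACL holds at most %d entries" % MAX_ENTRIES)
        self._entries[index] = (parse_ip_netmask(ip_netmask), protocol)

    def unset_entry(self, index):
        """'edit <index>', 'unset ip-netmask', 'unset protocol': entry stops matching."""
        self._entries.pop(index, None)

    def purge(self):
        """'purge': clear the whole table."""
        self._entries.clear()

    def __len__(self):
        return len(self._entries)

    def matches(self, dst_ip, protocol):
        """Return the index of the first entry that drops this packet, else None."""
        dst = IPv4Address(dst_ip)
        for index in sorted(self._entries):
            net, proto = self._entries[index]
            if proto == protocol and dst in net:
                return index
        return None


def filter_packets(acl, packets):
    """Split constructed (dst, protocol) tuples into dropped and passed lists.

    Dropped packets never reach SPP processing, and the page notes these
    drops do not appear in traffic graphs or reports, so count them here.
    """
    dropped, passed = [], []
    for dst, proto in packets:
        (dropped if acl.matches(dst, proto) is not None else passed).append((dst, proto))
    return dropped, passed


def build_example_acl():
    """Block UDP and ICMP floods aimed at 192.168.1.0/24 (constructed target)."""
    acl = DistressAcl()
    acl.set_entry(1, "192.168.1.99 255.255.255.0", PROTO_UDP)
    acl.set_entry(2, "192.168.1.99 255.255.255.0", PROTO_ICMP)
    return acl


# Constructed sample packets as (destination, protocol number).
SAMPLE_PACKETS = [
    ("192.168.1.50", PROTO_UDP),    # dropped by entry 1
    ("192.168.1.50", PROTO_TCP),    # TCP is not listed: passes
    ("192.168.1.7", PROTO_ICMP),    # dropped by entry 2
    ("192.168.2.1", PROTO_UDP),     # other subnet: passes
]

if __name__ == "__main__":
    acl = build_example_acl()
    dropped, passed = filter_packets(acl, SAMPLE_PACKETS)
    print("dropped:", dropped)
    print("passed: ", passed)
```

Because distress ACL drops are not graphed, keeping an out-of-band count like the one in filter_packets (or exporting it from the device by other means) is the only way to see how much traffic the rule is absorbing; an entry left in place after an attack silently blocks legitimate UDP or ICMP to that subnet until it is unset or purged.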