What’s New
The following features are new or changed since FortiDDoS 3.2:
FortiDDoS 4.1.8
Source blocking for slow connection attacks was removed from Global Settings in 4.1.7. In 4.1.8, it has been added to the SPP settings configuration. See “Slow connection attacks” and “Configuring SPP settings”.
FortiDDoS 4.1.7
New features:
Option to generate reports per SPP policy (subnet). See “Configuring reports”.
Option to generate Reports hourly. See “Configuring reports”.
Option to purge Reports automatically by size or manually by date range, similar to the functionality for Attack Logs. The Report Configuration > Purge Settings displays Log Disk Status information giving total, used, and available space. See “Configuring report purge settings”.
Option to back up and restore a single SPP configuration. See “Backing up and restoring the configuration”.
Built-in bypass for copper ports and FDD-2000B fiber bypass ports 17-20 is now configurable as fail-open or fail-closed. See “Built-in bypass”.
The system now supports TAP mode, compatible with FortiBridge-3000-series and other external Bridge/TAP products. In TAP mode, FortiDDoS monitors ingress traffic on both WAN- and LAN-side ports but does not pass traffic to the egress port. TAP mode also does not pass external bridge heartbeats. For an overview, see “Tap Mode deployments”. Contact your sales representative for details on interoperation with FortiBridge.
Changed features:
Slow connection detection is automatically disabled in Detection Mode.
Source blocking for slow connection attacks has been removed from Global Settings.
The Monitor > Specific Graphs section has been removed. The graphs formerly included in this section have been moved to Monitor > Layer 3, Monitor > Layer 4, or Monitor > Layer 7, as appropriate. See “Using Traffic Monitor Graphs”.
Beginning with release 4.1.6, the UDP service is identified when either the source or destination port is a well-known port (the IANA-assigned ports 0-1023). See “How does FortiDDoS identify UDP services?”.
FortiDDoS 4.1.6
Key bug fixes:
Software upgrade with the web UI. See “Updating firmware”.
HA active-passive configuration synchronization. See “High Availability Deployments”.
New features:
New anti-spoofing ACL that drops traffic that matches local addresses when the addresses appear to be spoofed. See “Configuring Local addresses”.
New table to track up to 2^32 IPv4 ACLs. The table includes rules from the Local Address Anti-Spoofing, IP address, Geolocation, and IP Reputation lists. You can use a new Monitor graph called Address Denied to monitor drops. See “Using the Layer 3 graphs”.
New HTTP header options for detecting proxy IP addresses: X-Real-IP, X-True-Client-IP. See “Configuring proxy IP settings”.
New option to drop sessions when packets contain the HTTP Range header. See “Configuring global settings”.
Asymmetric mode configurable through the web UI. New configuration options are available to ease setup in networks with asymmetric traffic. See “Understanding FortiDDoS Asymmetric Mode”.
Tap Mode. System now supports Tap Mode as a Beta feature. Tap Mode is designed to work with FortiBridge-300xS/L in Bypass/Tap mode to allow continuous offline monitoring of network traffic. See “Tap Mode deployments”.
FortiDDoS now supports attack logging to FortiAnalyzer. See “Using FortiAnalyzer to collect DDoS attack logs”.
The dashboard System Status portlet now displays LAN/WAN port labels.
On the dashboard System Status portlet, unconfigured SPPs are now represented by a gray circle.
Improved Monitor graph workflow. New Aggregate Drops graph showing Flood, ACL, Anomaly, Hash, and Memory Drops all on one graph. Organization of the graphs below this is more logical. See “Using Traffic Monitor Graphs”.
Tooltips on all graphs now show more granular time information.
Syslog and SNMP traps now contain subnet ID.
Added an event log and SNMP trap to notify when a link goes up or down. See “Appendix A: Management Information Base (MIB)” for information about the required MIB.
Added an event log for FortiGuard IP Reputation updates.
Added a CLI command to back up Event logs and other diagnostic data. See “execute backup diag_info”.
Added the diagnose debug RRD commands to verify the integrity of RRD (reporting) files. See “diagnose commands” for a list of commands.
Changed features:
The SPP ACL Drops portlet is now called Top SPPs with Denied Packets; and the SPP Attacks portlet is now called Top Attacked SPPs. See “Using Logs and Reports”.
Source penalty factor is now called Source multiplier; and Application penalty factor is now called Layer 7 multiplier. See “Configuring global settings”.
The Aggressive Aging TCP Feature Control URL-Flood option was mislabelled. It is now the layer7-flood option. See “Configuring SPP settings”.
The system recommended threshold values for TCP/UDP ports and ICMP types/codes are based on a new and improved heuristic algorithm. See “Using system recommended thresholds”.
Separate Subnet attack logs and reports have been removed and subnet information integrated into the DDoS Attack Log. See “Using the DDoS Attack Log table”.
Syslog format changes to better interoperate with FortiAnalyzer. See “Configuring remote log server settings for the DDoS attack log”.
Removed features:
The DDoS Attack Log no longer includes the frequent Most Active Source and Most Active Destination notifications that were sent when the Most Active Source / Destination data points were recorded. These logs had been sent to give details on the recorded data point even when the effective rate limit was not met, causing confusion. When these thresholds are exceeded, however, the events are logged as a Source Flood and a Destination Flood, respectively.
Syslog and SNMP traps also no longer include the Most Active Source and Most Active Destination notifications.
Destination penalty factors have been removed to prevent rate-limiting of all users to a specific destination.
Thresholds, logs, and graph plots for URL Scan events have been removed. URL Scan events included the HTTP request anomalies related to sequential requests and HTTP mandatory header counts.
MyList and MyGraph functionality has been removed.
Dark Address Scan graph has been removed.
The System Dashboard system Reset button. You can use CLI commands to completely reset the system. See “Resetting the system”.
FortiDDoS 4.1.5
Bug fixes only.
FortiDDoS 4.1.4
Support for administrator authentication against an external RADIUS server.
FortiDDoS 4.1.3
Bug fixes only.
FortiDDoS 4.1.2
Asymmetric Mode — We recommend that you enable Asymmetric Mode if the FortiDDoS appliance is deployed in a network path where asymmetric routes are possible. An example of an asymmetric route is one in which the client request traverses the FortiDDoS system, but the server response takes a route that does not.
FortiDDoS 4.1.1
Enhanced IPv6 support — FortiDDoS now supports both Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) by default.
If your appliance is deployed on a network with IPv6 traffic, specify the IPv6 prefix settings before you configure SPPs that monitor and protect IPv6 subnets.
SPPs can now monitor and protect IPv4 and IPv6 traffic simultaneously. Use either IPv4 or IPv6 address formats to specify the subnet in an SPP policy, and then apply policies that use either format to the same SPP.
In addition, you can now specify IPv6 prefixes to /32.
Enhanced slow connection configuration — To simplify configuration, FortiDDoS now provides a global setting that allows you to switch from moderate to aggressive slow connection attack protection, as well as settings you apply to individual SPPs.
FortiDDoS 200B — This new model supports a total appliance throughput of 2 Gbps full duplex through 4 LAN interfaces (copper/SFP) and 4 WAN Interfaces (copper/SFP). (Available Q4 2014. Contact your Fortinet representative if you need early access to this model.)
FortiDDoS 4.1
Logging & report enhancements
SNMP traps & MIBs for attack logs — You can now configure FortiDDoS to send attack log information to SNMP managers.
DDoS Subnet Attack Log — The new DDoS Subnet Attack Log displays events associated with a specific SPP policy, with counts updated every five minutes.
Subnet Executive Summary dashboard — The new Subnet Executive Summary dashboard displays all attacks in the Top Attacked Subnet and Top ACL Subnet Drops report categories.
Destination tracking — For all attack log event categories, FortiDDoS now provides the IP address of the first destination it identifies as the target of the attack activity. Information that is organized by this destination is available as a report type and widgets on the Executive Summary and Attack Graphs dashboards.
Filter report information by SPP or subnet — When you create a report configuration, you can now restrict the information in the report to a specific SPP or subnet.
Enhanced blocking by geolocation — The Geo Location Policy setting allows you to either permit traffic from all geographic locations and add exceptions or deny access to all locations with exceptions.
Access dropped packet and other statistics via API — You can now use the FortiDDoS REST API to access dropped and blocked traffic statistics and traffic graph information. See the FortiDDoS REST API Reference.
MySQL access to DDoS attack log — You can now access the DDoS attack log with read-only permission using a third-party tool such as the MySQL command-line tool or MySQL Workbench.
Alert email message for SPP switching — You can now configure FortiDDoS to generate a system event log and send a corresponding email message whenever the appliance switches a subnet to its alternative SPP.
Improved dual-stack IPv6 support — Additional settings and functionality that make it easier to deploy FortiDDoS in networks with IPv6 traffic.
Double VLAN (DVLAN) detection — FortiDDoS now tracks traffic with an additional 802.1Q tag (for example, VLAN Q-in-Q).
FortiDDoS 4.0.1
No design changes. Bug fixes only.
FortiDDoS 4.0
Additional data ports — 16 physical LAN and WAN ports are configured as linked pairs. Odd-numbered ports are LAN connections that have a corresponding even-numbered port, which is the associated WAN connection. That is, Port 1/Port 2 behaves as LAN 1/WAN 1, Port 3/Port 4 as LAN 2/WAN 2, Port 5/Port 6 as LAN 3/WAN 3, and so on. These port pairs enable you to protect up to 8 links with a single appliance.
Increased throughput — Each WAN/LAN link pair has a maximum throughput of 1 Gbps full duplex. Each model has the following total appliance throughput:
FortiDDoS 400B: 4 Gbps full duplex
FortiDDoS 800B: 8 Gbps full duplex
FortiDDoS 1000B: 12 Gbps full duplex
FortiDDoS 2000B: 24 Gbps full duplex
Configuration synchronization — High Availability (HA) configuration allows you to synchronize configuration information between two FortiDDoS appliances to create a secondary appliance that always has an up-to-date configuration.
Automatic bypass for copper links — For Ethernet links (copper, RJ-45), the FortiDDoS appliance automatically passes traffic through when the appliance is not powered up, its FortiASIC processor or integrated switch fabric fail, or it is booting up and all services are not yet available.
Link down synchronization — The appliance has two options for Link Down Synchronization: Wire and Hub. When Wire is selected, FortiDDoS monitors the link state of both ports in a port pair. If the link goes down on either port, it disables the other port. The appliance re-enables the port when it detects that the link on the other port in the pair is up again. When Hub is selected, FortiDDoS does not disable the other port in a port pair if the link goes down on one of the ports.
Redesigned web UI — The graphical user interface is organized by component and tasks. Many of its system settings and options are shared with other Fortinet products.
Management via command-line interface — You can perform all appliance configuration from a Secure Shell (SSH) or Telnet terminal or from the JavaScript CLI Console widget in the web UI.
RESTful web API configuration — Use a web API that uses HTTP and REST principles to perform tasks such as allowing or denying sources, setting thresholds and changing SPP (formerly VIDs) configuration.
For more information, contact Fortinet Technical Support.
BIOS-based signed appliance certificate — The validation mechanism for the appliance’s identity is built into its hardware.
Faster threshold report generation — FortiDDoS now takes less time to generate the traffic statistics it uses to calculate system-recommended thresholds.
Save reports as PDF — Many FortiDDoS system events and attack activity reports and graphs have a Save as PDF option that exports information in a format that is suitable for printing and sharing.
Attack activity at a glance dashboard — Access the most popular attack activity reports information on a single web page and in table format using the Executive Summary.
Context-sensitive help — Click Help to open the HTML help information for the current content pane.
Filter and sort log information — For system event and DDoS attack logs, you can use the column headers to sort log information or arrange the columns. The filter feature allows you to select items to include or exclude based on date, category, or other criteria.
Enhanced reports — New features include the ability to generate reports as HTML, text, PDF and customize reports with a logo.
Built-in DoS control — FortiDDoS blocks packets with a pre-defined set of anomalies before they reach the appliance's processor. Traffic graphs and reports do not report the packets that this feature drops.
Block protocols on subnets (Distress ACL) — The distress ACL feature helps to block brute force protocol attacks on a specified subnet or IP address. It allows you to block packets that can flood the pipe before they reach the appliance's processor. Traffic graphs and reports do not report the packets that this feature drops.
Bypass fiber ports for 2000B model — Two physical port pairs on the FortiDDoS 2000B have built-in bypass capability. Built-in bypass works during a power failure, critical component failure and during startup and shutdown.
IP Reputation update using file upload — You can update the addresses in the IP Reputation Service list by uploading a .pkg file.