You create SPP ACL address configuration objects to identify IP addresses and subnets that you want to match in SPP ACL policies.
Before you begin:
Settings | Guidelines |
---|---|
Name | Configuration name. Must not contain spaces. |
Address | Specify an IP address. |
To configure with the CLI, use a command sequence similar to the following:

```
config spp
  edit <spp_name>
    config ddos spp {address | address6}
      edit <address_name>
        set spp-source-ip-address {<address_ipv4> | <address_ipv6>}
      ...
    end
```
You configure service objects to identify the services that you want to match in SPP ACL policies.
Before you begin:
Settings | Guidelines |
---|---|
Fragment | |
Fragment | No parameters. If you configure an ACL rule to match the Fragment service object, you are creating a rule to deny fragmented packets. Some Internet technologies, such as multimedia streaming, rely on fragmentation. Ensure that you understand your network and its packet behavior before you use the ACLs for fragmented packets. |
Protocol | |
Protocol Start / End | When you configure a service object for protocols, you enter a range, even if you are specifying a single protocol. For example, to configure a service object for protocol 6, enter 6 for both Protocol Start and Protocol End. Networks use some protocols, such as ICMP (1), TCP (6), and UDP (17), ubiquitously. Ensure that you understand your network and its packet behavior before you use the ACLs for protocols. |
TCP Port | |
Port Start / End | When you configure a service object for ports, you enter a range, even if you are specifying a single port. For example, to configure a service object for port 8080, enter 8080 for both Port Start and Port End. |
UDP Port | |
Port Start / End | When you configure a service object for ports, you enter a range, even if you are specifying a single port. For example, to configure a service object for port 53, enter 53 for both Port Start and Port End. |
ICMP Types/Code | |
ICMP Type/Code Start / End | The header of an Internet Control Message Protocol packet includes an 8-bit type field, followed by an 8-bit code field. Taken together, the value of these two fields can be read as a single hexadecimal number. |
URL, Host, Referer, Cookie, User Agent | |
HTTP-Param | A matching value for the selected URL or HTTP header. When you create a service that specifies a URL to deny, enter the text that follows the protocol and the web address. For example, if you enter http://www.website.com/index.html in a browser to access a specific URL, enter /index.html. Because the number of possible URLs is infinite, FortiDDoS stores these values in a hash table. Up to 32,767 such hash indexes are allowed. If there are duplicate hash indexes, the most recent URL that corresponds to a hash index overwrites any previous URLs in the URL field. However, all the URLs affect the threshold and maximum packet rate calculations, and all URLs that hash to the same index are denied if the hash index is blocked. Similarly, if there is an attack that corresponds to a hash index, all URLs that hash to the same location are dropped. You can deny traffic by specifying the following HTTP header field types: Host, Referer, Cookie, and User-Agent. This is useful when a specific hash index is under attack. FortiDDoS allows the source to establish the TCP connection with the server. However, when FortiDDoS detects the specified hash index, it denies the packet and sends an RST packet to the server to aggressively age the connection. The appliance treats all subsequent packets from the source on that TCP connection as foreign packets and blocks the source for the specified blocking period. |
DNS | |
DNS-All | No parameters. If you configure an ACL rule to match the DNS-All service object, you are creating a rule to deny DNS queries for all DNS records (QTYPE=255). This DNS QTYPE is a query for all resource records. Some references, such as Wireshark, call this an "any" query. Most users should not be permitted to do all/any queries. |
DNS-Fragment | No parameters. If you configure an ACL rule to match the DNS-Fragment service object, you are creating a rule to deny fragmented packets. |
DNS-MX | No parameters. If you configure an ACL rule to match the DNS-MX service object, you are creating a rule to deny DNS queries for MX records. |
DNS-Zone-Transfer | No parameters. If you configure an ACL rule to match the DNS-Zone-Transfer service object, you are creating a rule to deny DNS zone transfer (AXFR) queries (QTYPE=252). This DNS QTYPE is a query that initiates transfer of an entire zone file from the master name server to secondary name servers. Most users should not be permitted to do zone transfers. |
To configure with the CLI, use a command sequence similar to the following:

```
config spp
  edit <spp_name>
    config ddos spp service
      edit <service_name>
        set type {cookie | dns-all | dns-fragment | dns-mx | dns-zone-xfer | fragment | host | icmp-type-code | protocol | referer | tcp-port | udp-port | url | user-agent}
        [set dns-rcode-start <int_start>]
        [set dns-rcode-end <int_end>]
        [set protocol-start <int_start>]
        [set protocol-end <int_end>]
        [set tcp-port-start <int_start>]
        [set tcp-port-end <int_end>]
        [set udp-port-start <int_start>]
        [set udp-port-end <int_end>]
        [set icmp-type <integer>]
        [set icmp-code <integer>]
        [set http-param <http_para_str>]
      end
```
An SPP ACL policy establishes allow/deny rules for traffic that matches the following data:
ACL rules match a single data point, not multiple conditions. Rules are evaluated from the top of the table to the bottom. If a rule matches, it is applied and subsequent rules are not consulted. In most cases, you should order deny rules before allow rules.
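The top-to-bottom, first-match evaluation described above, together with the combined ICMP type/code value and the URL path convention from the service-object table, as an added Python model. This is illustration code, not FortiDDoS code; it assumes that a packet matching no rule returns None (so that it continues to the SPP's other protections), that the ICMP "Type/Code Start / End" value is the 8-bit type followed by the 8-bit code (type * 256 + code), and the sample rules and packets are constructed.

```python
"""Added model of SPP ACL evaluation (illustration only, not FortiDDoS code).

Assumptions not stated on the page: a packet that matches no rule returns
None, and the ICMP "Type/Code Start / End" value is the 16-bit number formed
by the 8-bit type followed by the 8-bit code (e.g. type 8, code 0 -> 0x0800).
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit


@dataclass
class Packet:
    """Constructed packet summary holding only the fields the model matches on."""
    src: str
    proto: int              # IP protocol number: 1 ICMP, 6 TCP, 17 UDP
    dport: int = 0          # TCP/UDP destination port
    icmp_type: int = 0
    icmp_code: int = 0
    url: str = ""           # HTTP request path, if the packet carries one


def icmp_type_code(icmp_type: int, code: int) -> int:
    """Combine the 8-bit ICMP type and code into one value for range comparison."""
    if not (0 <= icmp_type <= 255 and 0 <= code <= 255):
        raise ValueError("ICMP type and code are 8-bit fields")
    return (icmp_type << 8) | code


def http_param_from_url(full_url: str) -> str:
    """Return the text after the protocol and host, which the URL service object takes."""
    parts = urlsplit(full_url)
    return parts.path + ("?" + parts.query if parts.query else "")


@dataclass
class Service:
    """Service object: one match type with a start/end range, as in the GUI table."""
    name: str
    kind: str               # protocol | tcp-port | udp-port | icmp-type-code | url
    start: int = 0
    end: int = 0
    http_param: str = ""

    def matches(self, p: Packet) -> bool:
        if self.kind == "protocol":
            return self.start <= p.proto <= self.end
        if self.kind == "tcp-port":
            return p.proto == 6 and self.start <= p.dport <= self.end
        if self.kind == "udp-port":
            return p.proto == 17 and self.start <= p.dport <= self.end
        if self.kind == "icmp-type-code":
            value = icmp_type_code(p.icmp_type, p.icmp_code)
            return p.proto == 1 and self.start <= value <= self.end
        if self.kind == "url":
            return p.url == self.http_param
        raise ValueError(f"unknown service kind {self.kind}")


@dataclass
class Rule:
    """One ACL entry: an address or a service, never both (one data point per rule)."""
    action: str             # deny | track-and-allow
    address: Optional[str] = None       # CIDR held by an address object
    service: Optional[Service] = None

    def matches(self, p: Packet) -> bool:
        if self.address is not None:
            return ipaddress.ip_address(p.src) in ipaddress.ip_network(self.address)
        return self.service is not None and self.service.matches(p)


def evaluate(rules, p: Packet) -> Optional[str]:
    """Walk the table top to bottom; the first matching rule decides, the rest are skipped."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return None


def example_policy():
    """Constructed policy ordered deny-before-allow, as the text recommends."""
    echo_request = icmp_type_code(8, 0)
    return [
        Rule("deny", service=Service("telnet", "tcp-port", 23, 23)),
        Rule("deny", service=Service("echo-req", "icmp-type-code", echo_request, echo_request)),
        Rule("deny", service=Service("admin-page", "url", http_param="/admin/login")),
        Rule("track-and-allow", address="10.0.0.0/8"),
    ]


if __name__ == "__main__":
    pkt = Packet("10.1.2.3", 6, dport=23)
    print("deny rules first :", evaluate(example_policy(), pkt))
    print("allow rule first :", evaluate(list(reversed(example_policy())), pkt))
```

Reversing the same four rules flips the result for a Telnet packet from an allowed subnet: with the track-and-allow address rule on top, the packet matches it first and the deny rules are never consulted, which is the ordering problem the text warns about.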
Information about packets denied by an SPP ACL policy is reported in the following graphs and reports:
Before you begin:
Settings | Guidelines |
---|---|
Name | Configuration name. Must not contain spaces. |
Type | |
Address / Address IPv6 | |
Source Address | Select an address configuration object. |
Address Action | |
Service | |
Direction | Tip: Shift-click to select multiple items. |
Service | Select a service configuration object. |
Service Action | |
To configure with the CLI, use a command sequence similar to the following:config spp edit <spp_name> config ddos spp acl edit <No.> set type {v4address | v6address | service} set direction {outbound inbound} set source-address <address_name> set v6address <address_name> set address-action {deny | track-and-allow | restrict DNS to specific subnets} set service <service_name> set service-action deny end |