
DO NOT REPRINT

© FORTINET

FortiDDoS Study Guide
for FortiDDoS 4.5.0
Fortinet Training
http://www.fortinet.com/training

Fortinet Document Library
http://docs.fortinet.com

Fortinet Knowledge Base
http://kb.fortinet.com

Fortinet Forums
https://forum.fortinet.com

Fortinet Support
https://support.fortinet.com 

FortiGuard Labs
http://www.fortiguard.com

Fortinet Network Security Expert Program (NSE)
https://www.fortinet.com/support-and-training/training/network-security-expert-program.html

Feedback
Email: courseware@fortinet.com

7/19/2018

TABLE OF CONTENTS

01 Introduction and Deployment 4
02 Initial Configuration 49
03 Monitoring and Reporting 91
04 Global Settings 128
05 Service Protection Profiles 165
Introduction and Deployment

In this lesson, you will learn about the basics of denial of service attacks, and what you can do to
reduce and avoid them.

FortiDDoS 4.5.0 Study Guide 4



In this lesson, you will explore the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in defining DDoS and DDoS attacks, you will be able to describe what a
DDoS attack is, and be able to differentiate between volumetric and non-volumetric attacks.


A DDoS attack is any attempt to exhaust network or service resources. If the attack succeeds, those
resources become unavailable and legitimate users are denied access. Motivations for these attacks
can be political, financial, or retaliatory.


There are three primary groups of DDoS attacks, each characterized by a variety of specific attack
types.

Bulk volumetric (connectionless) attacks: also known as floods. The goal of this type of attack is to
cause congestion by sending enough traffic to overwhelm the bandwidth of the site. Attacks are
typically executed using botnets: an army of computers infected with malicious software and controlled
as a group by the attacker. Attacks in this group include UDP floods, ICMP floods, and other
spoofed-packet floods. The magnitude is measured in bits per second (bps).

Protocol attacks: focus on web servers, firewalls, and load balancers. These attacks are designed to
disrupt connections, exhausting the finite number of concurrent connections that the device can
support. Attacks in this group include SYN floods, fragmented packet attacks, Ping of Death, Smurf
DDoS, and more. The magnitude of the attack is measured in packets per second (pps).

Application layer (connection-based) attacks: also known as Layer 7 attacks, target weaknesses in an
application or server. The goal of these attacks is to establish connections and then exhaust the server
by monopolizing processes and transactions. These sophisticated threats are harder to detect because
few machines are required to create the attack, so the traffic rate is low and appears legitimate.
Attacks in this group include low-and-slow attacks, GET/POST floods, attacks that target Apache,
Windows, or OpenBSD vulnerabilities, and more.

An attack can also combine the three types, which is even more challenging for organizations to
combat.


Traditional attacks have focused on Layers 3 and 4 and have consisted of bulk volumetric attacks,
using IP address spoofing. These attacks tend to be large attacks.

Today, and in the future, attacks focus on services at Layer 7. These attacks tend to be smaller scale,
more targeted attacks that combine Layer 3, 4, and 7 techniques and mimic the behavior of a large
number of clients.

Defending against these newer attacks requires a new approach. Today’s defenses need to be able to:
• Use behavioral detection
• Provide service and port monitoring
• Detect any size of attack
• Be hardware assisted
• Provide automatic mitigation


Network behavior analysis (NBA) is an alternative to signature recognition. Rate-based systems must
provide detailed analysis and/or control of traffic flow.

A baseline of normal traffic patterns is estimated, usually during a learning mode in which the device
only listens without acting on any alarm conditions. Most systems have default parameters set to
reasonable levels, but the listening period is required to learn the traffic behavior on your network. The
listening period should only be enabled during typical traffic periods. For example, Saturday and
Sunday are probably not good days to build a baseline for a corporate server that is much busier
during the workweek. Periods of unusually high or low traffic also make bad listening intervals. For
example, Christmas vacation week is normally a low traffic period, while weeks when external events
such as press releases or sales promotions are taking place are usually high traffic periods.

Once a baseline is estimated, the systems watch for deviations from the known traffic patterns to
detect anomalies.

NBA systems should be scrutinized for false positives, or instances of misidentifying legitimate
changes in traffic patterns as attacks. The analysis tools are equally important. Administrators should
be able to view their traffic patterns on a variety of levels, and use this information to tune their network
resources.


Good job! You now understand DDoS and DDoS attacks.

Now, let's examine how to identify and prevent DDoS attacks.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in identifying and preventing DDoS attacks, you will be able to
explain when you need a FortiDDoS and describe how thresholds are automatically estimated and
set.


FortiDDoS has a unique feature that allows it to promptly correlate attacks and verify whether they are
initiated by a single host. When FortiDDoS uses this feature to correlate attacks, particularly
non-spoofed attacks, it blocks the offending source for a longer period of time.

It is important to understand the differences between a stateful firewall and a stateful NBA system,
such as FortiDDoS. Here are the key differences:
• Conventional stateful firewalls have rules that allow or deny packets or individual connections based
on their individual characteristics.
• Conventional stateful firewalls do not remember packets in an aggregate way.

FortiDDoS operates on an aggregate basis. It looks at packet rates—typically within one second, over
a period of time. It measures packet rates for various Layer 3, 4, and 7 parameters. It compares those
packet rates against thresholds set for them. If the packet rate exceeds the threshold, FortiDDoS
blocks them for a configured period of time.

When configuring a firewall, the network administrator can set a rule that allows the UDP destination
port 1434, regardless of the rate of the packets traveling to that port. On the other hand, a FortiDDoS
administrator can set a rule that allows the UDP port 1434, only if the rate is within 10 packets per
second. When the traffic rate is beyond 10 packets per second, the UDP packets destined to that port
are dropped.

Some FortiDDoS features are similar to a firewall. Like a firewall, FortiDDoS allows you to configure
Layer 3, 4, and 7 blocking conditions. It is, therefore, important to learn how to migrate a firewall
security policy to a FortiDDoS security policy.
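As an added worked example (not from the original study guide and not Fortinet code), the following Python models the UDP port 1434 rule described above: packets are counted per (protocol, destination port) in one-second buckets, the first ten in any second pass, the excess is dropped, and the parameter stays blocked for a configured period. A parameter with no threshold behaves like a plain firewall allow rule. The packet trace, the three-second block period, and the bucket logic are assumptions made for illustration; the appliance does this in hardware and the page does not specify its exact windowing.

```python
"""Per-second rate threshold on a non-scalar parameter (a UDP destination port).
Added illustration, not FortiDDoS code."""
from collections import defaultdict
from math import floor

# Constructed packet trace: (time_s, proto, dst_port). 25 UDP/1434 packets
# in the first second (a burst), 3 more during the next second, 2 after the
# block period has lapsed, and some TCP/443 traffic throughout.
TRACE = (
    [(i * 0.03, "udp", 1434) for i in range(25)]
    + [(1.2, "udp", 1434), (1.4, "udp", 1434), (1.6, "udp", 1434)]
    + [(5.1, "udp", 1434), (5.2, "udp", 1434)]
    + [(0.5, "tcp", 443), (1.5, "tcp", 443), (5.5, "tcp", 443)]
)


def apply_rate_thresholds(trace, thresholds, block_period=3.0):
    """Count packets per (proto, port) in one-second buckets. Once a bucket
    exceeds its configured threshold, drop the excess and keep dropping that
    parameter for block_period seconds (the 'configured period of time').
    Returns (verdicts, events): verdicts is a list of (t, param, 'pass'|'drop'),
    events lists (t, param, count) for each threshold crossing."""
    counts = defaultdict(int)   # (param, whole second) -> packets seen
    block_until = {}            # param -> time until which it stays blocked
    verdicts, events = [], []
    for t, proto, dport in sorted(trace):
        param = (proto, dport)
        limit = thresholds.get(param)
        if limit is None:                       # no threshold: like a firewall allow rule
            verdicts.append((t, param, "pass"))
            continue
        if t < block_until.get(param, 0.0):     # still inside a blocking period
            verdicts.append((t, param, "drop"))
            continue
        bucket = (param, floor(t))
        counts[bucket] += 1
        if counts[bucket] > limit:              # rate anomaly: start the block
            block_until[param] = t + block_period
            events.append((t, param, counts[bucket]))
            verdicts.append((t, param, "drop"))
        else:
            verdicts.append((t, param, "pass"))
    return verdicts, events


def count_verdicts(verdicts, param):
    """(passed, dropped) packet counts for one parameter."""
    passed = sum(1 for _, p, v in verdicts if p == param and v == "pass")
    dropped = sum(1 for _, p, v in verdicts if p == param and v == "drop")
    return passed, dropped


if __name__ == "__main__":
    verdicts, events = apply_rate_thresholds(TRACE, {("udp", 1434): 10})
    print("threshold crossings:", events)
    print("udp/1434 pass/drop:", count_verdicts(verdicts, ("udp", 1434)))
    print("tcp/443 pass/drop:", count_verdicts(verdicts, ("tcp", 443)))
```

With a threshold of 10 pps, the eleventh UDP/1434 packet in the first second trips the block; the rest of that burst and the packets in the following second are dropped, and the port is admitted again once the block period has lapsed. TCP/443, which has no threshold, passes untouched.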


FortiDDoS is a rate-based NBA device that detects and blocks network attacks which are
characterized by excessive use of network resources. It uses a variety of methods, including anomaly
detection and statistical techniques, to detect and block malicious network traffic. When FortiDDoS
detects an attack, it blocks the traffic immediately, protecting the systems it is defending from being
overwhelmed. Unlike a conventional content-based IPS, an NBA system does not rely on a predefined
attack signature to recognize malicious traffic. An IPS is vulnerable to zero-day attacks, that is, attacks
that cannot be recognized because no signature exists yet to match the attack traffic.

In addition, attack traffic that is compressed, encrypted, or effectively fragmented can escape many
pattern-matching algorithms in content-based IPS. As well, many rate-based attacks are based on
genuine and compliant traffic being sent at high rates, effectively evading the intrusion prevention
system (IPS).

An NBA provides a network with unique protection capabilities. It delivers security services not
available from traditional firewalls, IPS, or antivirus and spam detectors. The detection, prevention, and
reporting of network attacks is based on traffic patterns rather than individual transactions or packet-
based detection. This enables the FortiDDoS to serve a vital role in an effective security infrastructure.
Rather than replacing these elements, an NBA complements their presence to form a defense-in-depth
network security architecture.


FortiDDoS provides a number of attack mitigation tools that can be broken into four main categories.
These categories include administrative, preventative, detective, and reactive countermeasures.


Administrative countermeasures are the countermeasures that are used to limit or restrict
administrative access to, and administrative control of, the FortiDDoS. Determining how your
FortiDDoS will be managed, where it will be managed from, and who will have what levels of access
should be the first step in preparing to deploy or implement a FortiDDoS solution.


Preventative countermeasures are those tasks and settings that provide the foundation for your
security policies. This would include things like creating access control lists, implementing IP reputation
services, implementing domain reputation services, and preventing unwanted protocols from entering
the network.

Configuring preventative countermeasures should be your second step in the deployment of a
FortiDDoS solution.


Detective countermeasures are those tools that allow the FortiDDoS to monitor traffic patterns and
identify attacks based on those traffic patterns. Some of these traffic patterns could include header
anomalies, state anomalies, or rate anomalies.


Reactive countermeasures are those tools that take the necessary and appropriate actions required to
actively protect the network from the detected attacks. Some of these mechanisms include, rate
limiting, selective packet dropping, aggressive aging, anti-spoofing and source tracking.


FortiDDoS gives you the ability to defend against a variety of attack types, as part of its standard attack
mitigation functions.

To combat header anomalies, FortiDDoS can block anything that is malformed or does not match
expectations. To combat rate anomalies, FortiDDoS can enforce a defined set of rules for the expected
or accepted behaviours. ACLs allow FortiDDoS to block, once again, anything that is not right or does
not match expectations.

Anti-spoofing tools allow FortiDDoS to ensure that traffic is from legitimate sources. Measures such as
geolocation and IP reputation help enforce basic network hygiene.

State anomaly detection allows FortiDDoS to clean up any misbehaviors. Application layer heuristics
provide for a common discipline.

Source tracking enables FortiDDoS to punish repeat offenders.


Along with traditional DDoS attack mitigations, FortiDDoS also provides DNS DDoS specific attack
mitigations.

To combat protocol anomalies, FortiDDoS can block junk traffic. To deal with rate anomalies,
FortiDDoS can implement rate controls. FortiDDoS can also implement DNS-specific ACLs to block
any traffic that is not expected.

To enforce anti-spoofing, FortiDDoS uses mechanisms that force a client to prove it is real: it can drop
the first query from an unvalidated source and admit the UDP retransmission that a genuine resolver
sends, or it can answer with a truncated (TC flag) response so that a genuine resolver retries over TCP.
Spoofed sources do neither. A TTL check allows FortiDDoS to drop a client that repeats the same query
before the TTL of the previous answer has expired, which a well-behaved caching resolver would not do.

DQRM (DNS query response matching) allows FortiDDoS to block unsolicited responses, and to block
duplicate queries that arrive within a very short time period. FortiDDoS can also build a DNS legitimate
query table, where it stores information about queries that have already been answered successfully,
and it can use a DNS cache to reduce the workload on the physical servers.


Traffic is non-deterministic; therefore, the forecast cannot be exact. The extent to which an observed
traffic pattern is allowed to exceed its forecast, is determined by thresholds. Generally speaking, a
threshold is a baseline rate that the system uses to compare observed traffic rates to determine
whether a rate anomaly is occurring.

The FortiDDoS system maintains multiple thresholds for key Layer 3, Layer 4, and Layer 7 parameters,
called scalars and HTTP methods:
• Configured minimum threshold: either the default threshold or the learned data rate, whichever is
lower
• Estimated threshold
• Adaptive limit maximum threshold

For all other parameters, such as protocols, TCP and UDP ports, (all non-scalars), there is only one
threshold: the configured minimum threshold.


The configured minimum threshold is a baseline of normal counts or rates. The baseline can be
generated (based on statistics collected during the learning period) or stipulated (based on defaults or
manually configured settings).

The configured minimum threshold is a factor in setting rate limits, but it is not itself the rate limit for
scalars and HTTP methods. Rate limits are set by the estimated threshold, a limit that is subject to
heuristic adjustment based on average, trend, and seasonality.


The estimated threshold is a calculated rate limit, based on heuristic adjustments. The most recent
traffic is given higher weight in estimation and the weight of the past traffic reduces exponentially. Up to
1 year of past traffic is used in estimating the traffic for the next 5 minutes.

The system models an adjusted normal baseline based on average, trend, and seasonality. It uses
heuristics to distinguish attack traffic from increases in traffic volume that is the result of legitimate
users accessing protected resources. The minimum value of an estimated threshold is the configured
minimum threshold. In other words, if it is not predicting normal traffic becoming heavier than the
baseline, it allows a rate at least as high as the configured minimum threshold.

The maximum value of an estimated threshold is the product of the configured minimum threshold and
the adaptive limit. In other words, the system does enforce an absolute maximum threshold.


Unlike other NBA systems, FortiDDoS never stops learning. It continuously models inbound and
outbound traffic patterns for key Layer 3, Layer 4, and Layer 7 parameters.

FortiDDoS uses the following information to model normal and abnormal traffic:
• The historical base value, or the weighted average, of recent traffic (more weight is given to recent
traffic)
• The trend, or slope, of the traffic
• The seasonality of traffic over historical time periods

FortiDDoS uses these statistics to create a forecast for the next traffic period.


The adaptive limit is a percentage of the configured minimum threshold.

An adaptive limit of 100% means no dynamic threshold estimation adjustment takes place once the
configured minimum threshold is reached (that is, the threshold is a fixed value). The product of the
configured minimum threshold and the adaptive limit is the absolute maximum rate limit. If the adaptive
limit is 150% (the default), the system can increase the estimated threshold up to 150% of the value of
the configured minimum threshold.

There are scenarios where FortiDDoS might drop legitimate traffic because it cannot adapt quickly
enough to a sudden change in traffic patterns, for example, when a news flash or other important
announcement increases traffic to a company's website. In these situations, you can use the
Protection Profiles > Thresholds > Percent Adjust page to increase all configured thresholds by a
specific percentage.


This slide shows a visual representation of when traffic would be dropped based on the FortiDDoS’
configured thresholds.

Any time traffic peaks above the estimated threshold, that traffic is dropped (as indicated by the red
spike in traffic).

Once the traffic volume rises above the adaptive limit threshold, all traffic above that threshold is
dropped.
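The following Python is an added illustration (not FortiDDoS code and not Fortinet's algorithm) of how the three thresholds described in the preceding pages relate: an exponentially weighted forecast built from average, trend, and seasonality is clamped so that it never falls below the configured minimum threshold and never exceeds configured minimum × adaptive limit. The traffic history, the four-slot season, the smoothing constants, and the 1000 pps configured minimum are assumed values chosen for the example; in the appliance the configured minimum comes from the learning period or the defaults.

```python
"""Threshold estimation for one scalar parameter. Added example, not FortiDDoS
internals: Holt-Winters smoothing stands in for the undisclosed heuristics."""

CONFIGURED_MIN = 1000   # pps; assumed result of the learning period
ADAPTIVE_LIMIT = 150    # percent; the default quoted in the study guide
SEASON = 4              # assumed: four 5-minute slots per repeating cycle

# Constructed history of 5-minute packet rates (pps): three cycles of the
# same shape with a slight upward trend.
HISTORY = [
    600, 900, 1000, 700,
    640, 950, 1050, 740,
    680, 1000, 1100, 780,
]


def holt_winters_forecast(series, season, alpha=0.5, beta=0.1, gamma=0.3):
    """Additive Holt-Winters smoothing. alpha weights the level (recent samples
    count more, older ones decay exponentially), beta the trend (slope) and
    gamma the per-slot seasonal offsets. Returns the one-step-ahead forecast."""
    if len(series) < 2 * season:
        raise ValueError("need at least two full seasons of history")
    level = sum(series[:season]) / season
    trend = (sum(series[season:2 * season]) - sum(series[:season])) / (season * season)
    seasonal = [series[i] - level for i in range(season)]
    for i in range(season, len(series)):
        x, s = series[i], seasonal[i % season]
        prev_level = level
        level = alpha * (x - s) + (1 - alpha) * (level + trend)
        trend = beta * (level - prev_level) + (1 - beta) * trend
        seasonal[i % season] = gamma * (x - level) + (1 - gamma) * s
    return level + trend + seasonal[len(series) % season]


def absolute_maximum(configured_min, adaptive_limit_pct):
    """Configured minimum x adaptive limit: the ceiling the system always enforces."""
    return configured_min * adaptive_limit_pct / 100


def estimated_threshold(forecast, configured_min, adaptive_limit_pct):
    """Never below the configured minimum, never above the absolute maximum."""
    ceiling = absolute_maximum(configured_min, adaptive_limit_pct)
    return max(configured_min, min(forecast, ceiling))


def evaluate(observed, series, season, configured_min, adaptive_limit_pct):
    """Forecast the next slot, derive the rate limit, and report the excess
    (in pps) that would be dropped for the observed rate."""
    forecast = holt_winters_forecast(series, season)
    threshold = estimated_threshold(forecast, configured_min, adaptive_limit_pct)
    return {
        "forecast": round(forecast, 1),
        "threshold": threshold,
        "ceiling": absolute_maximum(configured_min, adaptive_limit_pct),
        "excess_dropped": max(0.0, observed - threshold),
    }


if __name__ == "__main__":
    for observed in (900, 1200, 1700):
        print(observed, evaluate(observed, HISTORY, SEASON, CONFIGURED_MIN, ADAPTIVE_LIMIT))
```

For the constructed history the next slot is a quiet one, so the forecast lands below 1000 pps and the clamp lifts the rate limit back to the configured minimum; a forecast of 2000 pps would be capped at 1500 pps, the absolute maximum at a 150% adaptive limit, and at 100% the limit never moves off the configured minimum.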


Good job! You now understand how to identify and prevent DDoS attacks.

Now, let's examine how FortiDDoS fits in the network.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in the various FortiDDoS deployment options, you will be better able to
add effective DDoS protection to your network.


Ports in a FortiDDoS are built as hard-wired pairs. The odd-numbered ports connect to protected
resources, such as web servers or database servers. Even-numbered ports are connected to the rest
of the network, usually the Internet facing direction; however, depending on your network design, the
connection to the Internet could be several layers deep within your corporate network.

Remember, the FortiDDoS is a transparent Layer 2 device. Since the port pairs are hard-wired, as far
as the traffic is concerned, the FortiDDoS does not exist. There is no switching capability and there are
no MAC or IP addresses involved in traversing the FortiDDoS. Traffic enters Port 1 and exits Port 2
(and vice versa) as if those ports were merely extensions of the wire.


You can use the Global Settings > Settings page to configure the internal bypass mechanism to fail
open or fail closed.

By default, the interfaces are configured to fail open. This means that interfaces pass traffic through
without performing any monitoring or prevention tasks. Packets that arrive at ingress ports are simply
transferred to the corresponding egress ports, just like a wire.

If you use an external bypass solution, you must configure the interfaces to fail closed. This means
traffic is not forwarded through the interfaces. An external bypass system can detect the outage and
forward traffic around the FortiDDoS.

If you deploy an active-passive cluster, configure the interfaces on the primary node to fail closed so
the adjacent switches can select the secondary node. The secondary unit can be set to fail closed or
fail open, depending on how you want to handle the situation if both FortiDDoS nodes are down.


Each TP2 processor maintains the following resources:

• Source table with 1,000,000 rows. This table tracks the packet rate for every source IP address and
is used to establish per-source thresholds.
• Destination table with 1,000,000 rows. This table tracks the packet rate for every destination IP
address and is used to establish per-destination thresholds.
• Connection (session) table with 1,000,000 rows. This table tracks the status of every active TCP
session, and is used for connection count and connection rate thresholds. Connections are
identified using source IP address, source port, protected IP address, and associated port.
• Legitimate IP address table with 2,000,000 rows. This table tracks every IP address that has
successfully created the TCP three-way handshake. Entries are timed out in order to maintain the
table as a source of recently validated source IP addresses.
• DNS query response match table with 1,900,000 rows. This table stores DNS queries so that it can
match DNS responses. DNS responses that do not have a corresponding query are considered
unsolicited responses and are dropped. An entry is cleared when the matching response is received.
Stale entries are periodically cleaned up.
• DNS TTL table with 1,500,000 rows. This table stores DNS query details correlated with the client
IP address. During a flood, the system drops queries that have an entry in the table. It is not
expected that a client would send the same query before the TTL expires.
• DNS legitimate query table that can store 128k unique queries. This table stores DNS query details
for queries that have successful responses. An entry is cleared when the TTL expires. During a
flood, the system drops queries that do not have an entry in the table.
• DNS cache that can store 64k responses. During a flood, the DNS response to valid queries can be
served from the cache, reducing the load on the protected DNS server.
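The following Python is an added model (not FortiDDoS code) of the DNS query response match table described above and of the DQRM duplicate-query check mentioned earlier in this lesson: a query is remembered under its client address and port, server address, transaction ID, name, and type; a response is admitted only if it clears a matching entry; a repeat of the same query within a few milliseconds is dropped; and stale entries are aged out. The duplicate window, the stale-entry age, and the sample exchange are constructed assumptions; the 1,900,000-row capacity is the figure quoted on this page.

```python
"""Illustrative DQRM: outstanding DNS queries keyed on
(client IP, client port, server IP, transaction ID, qname, qtype).
Added example, not FortiDDoS code."""
from collections import OrderedDict


class DnsQueryResponseMatcher:
    def __init__(self, max_entries=1_900_000, max_age=2.0, dup_window=0.05):
        self.table = OrderedDict()          # key -> time the query was seen (oldest first)
        self.max_entries = max_entries      # rows per TP2 quoted on the page
        self.max_age = max_age              # seconds before an unanswered entry is stale (assumed)
        self.dup_window = dup_window        # repeat within this many seconds is a duplicate (assumed)

    @staticmethod
    def _key(client_ip, client_port, server_ip, txid, qname, qtype):
        # DNS names are case-insensitive; drop the trailing dot so that
        # "WWW.example.com." and "www.example.com" match the same entry.
        return (client_ip, client_port, server_ip, txid, qname.lower().rstrip("."), qtype)

    def on_query(self, t, client_ip, client_port, server_ip, txid, qname, qtype):
        key = self._key(client_ip, client_port, server_ip, txid, qname, qtype)
        seen = self.table.get(key)
        if seen is not None and t - seen < self.dup_window:
            return "drop-duplicate"         # same query again within the window
        if seen is None and len(self.table) >= self.max_entries:
            self.table.popitem(last=False)  # table full: evict the oldest entry
        self.table[key] = t                 # a retransmission after the window refreshes the entry
        self.table.move_to_end(key)
        return "pass"

    def on_response(self, t, server_ip, client_ip, client_port, txid, qname, qtype):
        key = self._key(client_ip, client_port, server_ip, txid, qname, qtype)
        if self.table.pop(key, None) is None:
            return "drop-unsolicited"       # no outstanding query: reflection or replay
        return "pass"                       # matched; the entry is cleared

    def expire(self, t):
        """Remove entries older than max_age; returns how many were removed."""
        removed = 0
        while self.table:
            key, seen = next(iter(self.table.items()))
            if t - seen <= self.max_age:
                break
            del self.table[key]
            removed += 1
        return removed


# Constructed exchange: (kind, time_s, client_ip, client_port, server_ip, txid, qname, qtype)
EVENTS = [
    ("query",    0.000, "198.51.100.7", 40001, "203.0.113.53", 0x1A2B, "www.example.com",  "A"),
    ("query",    0.010, "198.51.100.7", 40001, "203.0.113.53", 0x1A2B, "www.example.com",  "A"),    # repeat after 10 ms
    ("response", 0.020, "198.51.100.7", 40001, "203.0.113.53", 0x1A2B, "WWW.example.com.", "A"),    # genuine answer
    ("response", 0.030, "198.51.100.7", 40001, "203.0.113.53", 0x1A2B, "www.example.com",  "A"),    # replayed answer
    ("response", 0.040, "198.51.100.7", 40002, "203.0.113.53", 0x9999, "example.com",      "ANY"),  # never asked for
    ("query",    1.000, "198.51.100.8", 50000, "203.0.113.53", 0x0042, "mail.example.com", "MX"),
    ("query",    2.000, "198.51.100.8", 50000, "203.0.113.53", 0x0042, "mail.example.com", "MX"),   # retransmit after 1 s
]


def replay(events, matcher=None):
    """Run the events through a matcher and return one verdict per event."""
    m = matcher or DnsQueryResponseMatcher()
    verdicts = []
    for kind, t, cip, cport, sip, txid, qname, qtype in events:
        if kind == "query":
            verdicts.append(m.on_query(t, cip, cport, sip, txid, qname, qtype))
        else:
            verdicts.append(m.on_response(t, sip, cip, cport, txid, qname, qtype))
    return verdicts


if __name__ == "__main__":
    m = DnsQueryResponseMatcher()
    for event, verdict in zip(EVENTS, replay(EVENTS, m)):
        print(f"{event[0]:8} t={event[1]:.3f} {event[6]:18} {event[7]:4} -> {verdict}")
    print("stale entries removed at t=5.0:", m.expire(5.0))
```

The replayed answer is dropped because the first genuine response already cleared the entry, the ANY response is dropped because nothing asked for it, and the one-second-later MX retransmission passes because it falls outside the duplicate window.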


FortiDDoS 200B models have 1 TP2. Interfaces 1 to 8 are bound to the single TP2.


FortiDDoS 400B models have 1 TP2. Interfaces 1 to 16 are bound to the single TP2.


FortiDDoS 600B and 800B models have 2 TP2s. Interfaces 1 to 8 are bound to one TP2, and
interfaces 9-16 are bound to the other.

Be aware that there are some usage limitations with the ports split over the two TP2s. You need to be
very conscious of how you are connecting your physical links. Inbound and outbound traffic for an
individual device must be on the same TP2. For example, you cannot wire the ports for asymmetric
traffic where the inbound leg is on 1 to 2 and the outbound leg is on 9 to 10.

You can, however, take advantage of the two TP2s in LACP/LAG applications where two links are on 1
to 2 and 3 to 4 and two links are on 9 to 10 and 11 to 12, provided that inbound and outbound traffic
both traverse the same TP2. All FortiDDoS systems work with LACP; however, FortiDDoS ignores
VLAN tags and treats all VLANs as one traffic stream. This is normally acceptable, but some ISP
applications where different VLANs carry identical IP subnets may be problematic, because FortiDDoS
cannot support such a configuration.


The FortiDDoS 900B and 1000B/1000B-DC each have three TP2s. Sessions are distributed among the
TP2s using a hash-based load balancing algorithm. For TCP/ UDP traffic, the hash includes Source
IP/Source Port/Protected IP/Destination Port/Protocol. For non-TCP/non-UDP traffic, the hash includes
Source IP/Protected IP/Protocol.

The only difference between the 1000B and 1000B-DC is the power source used. The 1000B is AC
powered, while the 1000B-DC is DC powered (-48VDC), for carrier grade applications.


The FortiDDoS 1200B has six TP2s. Sessions are distributed among the TP2s using a hash-based
load balancing algorithm. For TCP/UDP traffic, the hash includes Source IP/Source Port/Protected
IP/Destination Port/Protocol. For non-TCP/non-UDP traffic, the hash includes Source IP/Protected
IP/Protocol.
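As an added example of the hash-based distribution described for the 900B/1000B (three TP2s) and the 1200B (six TP2s) above, the following Python shows why the key uses the protected IP rather than a raw source/destination pair: both legs of one session must land on the same TP2, otherwise the state tables would see only half of every connection. The tuple fields follow the page; the hash function, the protected subnet 203.0.113.0/24, and the sample addresses are assumptions, and this is not Fortinet's implementation.

```python
"""Session-to-TP2 mapping. Added illustration, not FortiDDoS code."""
import hashlib
import ipaddress

PROTECTED = ipaddress.ip_network("203.0.113.0/24")   # constructed protected subnet


def session_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Key per the page: Source IP/Source Port/Protected IP/Destination Port/
    Protocol for TCP and UDP, Source IP/Protected IP/Protocol otherwise.
    'Source' is the unprotected side, so an outbound packet (protected host
    replying) is normalised to the same key as the inbound packet."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src in PROTECTED and dst not in PROTECTED:
        src, dst = dst, src
        src_port, dst_port = dst_port, src_port
    if proto in ("tcp", "udp"):
        return (str(src), src_port, str(dst), dst_port, proto)
    return (str(src), str(dst), proto)


def naive_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-dependent key: what you get by hashing the packet as seen."""
    return (src_ip, src_port, dst_ip, dst_port, proto)


def tp2_index(key, num_tp2):
    """Stable hash of the key, reduced to a TP2 number (assumed hash; the
    appliance's actual function is not documented here)."""
    digest = hashlib.sha256(repr(key).encode()).digest()
    return int.from_bytes(digest[:4], "big") % num_tp2


def assign(packets, num_tp2):
    """Map each packet to (session key, TP2) so both legs can be compared."""
    return [(session_key(*p), tp2_index(session_key(*p), num_tp2)) for p in packets]


# Constructed packets: (src_ip, src_port, dst_ip, dst_port, proto)
INBOUND  = ("198.51.100.7", 40001, "203.0.113.10", 443, "tcp")
OUTBOUND = ("203.0.113.10", 443, "198.51.100.7", 40001, "tcp")
ICMP_IN  = ("198.51.100.7", None, "203.0.113.10", None, "icmp")
ICMP_OUT = ("203.0.113.10", None, "198.51.100.7", None, "icmp")

if __name__ == "__main__":
    for n in (3, 6):
        print(f"{n} TP2s:", assign([INBOUND, OUTBOUND, ICMP_IN, ICMP_OUT], n))
    print("naive keys differ by direction:", naive_key(*INBOUND) != naive_key(*OUTBOUND))
```

Because the normalised keys for the two legs are identical, any deterministic hash sends them to the same TP2; the naive per-packet key differs by direction, which is exactly the asymmetric split the page warns against.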

The FortiDDoS 1200B is a full-feature replacement for the FortiDDoS 2000B. The FortiDDoS 2000B is
no longer available for purchase, but may still be found in existing networks.

FortiDDoS 1200B has built-in 4x short range, multimode fiber bypass ports. These ports have no SFPs
(they are built inside the box behind the bypass fiber). They only work with standard multi-mode cable
and SFPs at the other ends of the cables. They cannot be used for long range, single mode
applications.


FortiDDoS is state aware and bidirectional. The data packet traffic is described as either incoming
(inbound), outgoing (outbound), or both.

FortiDDoS may be installed in asymmetric traffic situations where it sees only the inbound traffic for
some flows and only the outbound traffic for others. The settings must be configured for this mode.


This slide shows a basic deployment. The FortiDDoS appliance is positioned ‘inline’, meaning it is
installed between the Internet and the protected network. For networks with multiple servers, you can
provision a port pair to each server.


This slide shows a multiple service provider deployment scenario. In this case, the FortiDDoS is
connected to two different ISPs. This type of deployment would be used when a business has
redundant ISP connections.


In this example, load-balancing devices are deployed before and after a pair of FortiDDoS appliances.
For example, two 400B appliances to support a total throughput of 12 Gbps (6Gbps per FortiDDoS).
This same topology and throughput is possible using a single 800B appliance. This type of design
ensures the highest level of security because it physically separates the FortiDDoS interfaces using
multiple switches. Each load-balancing device balances traffic between IP address interfaces of the
peer device behind the FortiDDoS appliance.


Link Aggregation Control Protocol (LACP), a subcomponent of IEEE 802.3ad, provides additional
functionality for link aggregation groups (LAGs). Use the link aggregation feature to aggregate one or
more Ethernet interfaces to form a logical point-to-point link, known as a LAG, virtual link, or
bundle. FortiDDoS can be used within a multi-link LACP. Since FortiDDoS does not participate in the
LACP negotiation, nor parse any of the LACP PDUs, the device is essentially just an extension of the
physical cables.


You can use the REST API to integrate FortiDDoS with other appliances in your network. For example,
the API allows you to automate the following tasks:
• Change the configuration of FortiDDoS based on statistics generated by router and switch
technologies such as NetFlow, jFlow, and sFlow.
• Change the configuration of FortiDDoS based on an analysis of the FortiDDoS syslog by an internal
Network Management System (NMS).
• Add ACLs to the FortiDDoS that block traffic to an application server based on information from a
web application firewall or an intrusion prevention system that monitors the server.

In this diagram, the NMS monitors a router in the service provider’s network. The NMS communicates
with FortiDDoS using the REST API.

You can access the FortiDDoS API from most browsers using the GET method. However, your
browser may require add-ons for extended operations such as PUT. You can make more complicated,
scripted queries using utilities such as cURL. Most scripting languages such as Perl or Python have
built-in library calls that can interact with a REST API. Using the REST API is an advanced task that
requires a high level of expertise.


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows the objectives covered in this lesson.

By mastering the basics of DDoS attacks, you can learn how to avoid them and reduce the chances of
one happening in your network.

 Initial Configuration

In this lesson, you will learn how to perform the initial configuration of FortiDDoS.


In this lesson, you will explore the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in using the GUI and CLI interfaces, you will be able to perform
firmware upgrades, and the basic configuration tasks of FortiDDoS.


This slide shows a simplified configuration workflow. In the next lessons, you will learn about each of
the elements in stages.


You can access FortiDDoS, like most Fortinet devices, using CLI and Web GUI Interfaces.

You can access the GUI using HTTP or HTTPS, or the CLI using the console port, SSH, Telnet, or
JavaScript-based console widget on the GUI.


The first time you connect to a new FortiDDoS, you will probably use the console port to assign an
appropriate IP address to your device, because the default address of 192.168.1.99/24 is probably not
within your existing network's address scheme.


You can configure the management port on the CLI using the config system interface command
followed by edit <mgmt1 | mgmt2>.

Set an appropriate IP address and netmask, as well as the desired access methods, such as https,
ssh, telnet, http, and ping. Enable only the methods you actually need: telnet and http carry
administrator credentials in clear text.
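As an added illustration of that CLI sequence (not copied from Fortinet documentation; the address and the access list are assumed values for the example), a management interface configured to accept only encrypted management protocols and ping:

```text
config system interface
    edit mgmt1
        set ip 10.10.10.5/24
        set allowaccess https ssh ping
    next
end
```

Leaving telnet and http off the allowaccess list means the only way to reach the management plane is over TLS or SSH; add them back only on an isolated management network, and pair this with the admin-access restrictions covered under administrative countermeasures.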


After you configure an appropriate IP address within your network's address scheme, you can access
FortiDDoS on the GUI. The GUI is your primary tool for configuring, monitoring, and managing
FortiDDoS.

Because FortiDDoS is a transparent network device, it does not require an IP address to pass traffic. It
does, however, require an IP address to allow you to manage the device. Therefore, you can assign IP
addresses only to the two management ports, MGMT1 and MGMT2.

In order for FortiDDoS to communicate with devices in other IP subnets, such as FortiAnalyzer,
FortiSIEM, FortiGuard services, or service provider devices, you must define both DNS and default
gateway information. Depending on your network configuration, you may also need to define some
static routes. You can complete both of these tasks under the System > Network menu.

Along with configuring the IP Address and access methods, you can configure the TCP ports for those
access methods. For example, by default HTTPS access is enabled on TCP port 443, but your network
might be using a proxy server, or some other NAT-type infrastructure that requires you to move HTTPS
access to TCP port 8443. You can do this on the GUI under the System > Admin menu on the
Settings tab.

Here you can adjust the TCP ports for HTTP, HTTPS, Telnet, and SSH access.

You can also change the default language of the admin GUI, the idle timeout for the admin account, and
the HTTPS certificate used for administrator access.

You can load firmware on two disk partitions. You can use the GUI to boot the firmware version stored
on the alternate partition or to upload and boot firmware updates (either upgrades or downgrades).

Important: Back up your configuration before beginning this procedure.

If you revert to an earlier firmware version, the running configuration is erased, and you must restore a
saved configuration. You should restore a configuration you knew to be working effectively on the
firmware version you revert to. Some 4.2 and later settings are incompatible with 4.1.x, so you should
not restore a 4.2 or later configuration to a 4.1.x system.

Make a note of configurations that are disabled in your active configuration. Configurations that are not
enabled are not preserved in the upgrade. For example, if a custom HTTP service port, log remote
port, or event log port has been configured and then disabled in 4.1.11, the port information is not
preserved in the upgrade to 4.2.1.

You must have super user permission (the “admin” account) to upgrade firmware.

Important: The firmware upgrade can take 20 minutes or more. Allow the process to complete fully. It
is recommended to use a console port connection in order to monitor the status of the firmware
upgrade.

You must be able to use TFTP to transfer the firmware file to the FortiDDoS system. If you do not have
a TFTP server, download and install one, like tftpd, on a server located on the same subnet as the
FortiDDoS system.

Download the firmware file from the Fortinet Technical Support website. Copy the firmware image file
to the root directory of the TFTP server.

If FortiDDoS is deployed in an HA cluster, each device must be upgraded separately and manually. As
with most HA scenarios, you should upgrade the passive device first, and then the active device.

If you are downgrading the firmware to a previous version, and the settings are not fully backwards
compatible, FortiDDoS may either remove incompatible settings, or use the feature’s default values for
that version of the firmware. You may need to reconfigure some settings.

In some cases, the firmware version may require a different system partition size. In this case, you
might be required to re-image the boot device in order to set the correct partition size.

Link-down synchronization is configured in the Global Settings. There are two available options for
configuring link-down synchronization.

In wire mode, the paired ports are treated as part of the “wire”, so if the link state of the port is down,
then the paired port is disabled.

In hub mode, the ports remain active even when the paired port is in a link-down state.

Additional things to check during configuration, particularly on Cisco routers, are the router port
STP/RSTP settings, which can cause long delays on link recovery. The RSTP timers need to be short or,
better, the ports set as Edge ports, which suppresses RSTP on initial link recovery. A careful look at the
port's statistics on the Cisco router will show the port as up long before it starts sending or receiving if
the RSTP delay is long.

At this point, you have full administrative access to FortiDDoS, and have ensured that it is at the latest
firmware release.

The next step is to begin configuring FortiDDoS to provide the protection it is designed to provide. This
begins with configuring and customizing the Service Protection Profiles or SPPs and their associated
thresholds.

Each FortiDDoS supports up to a maximum of eight independent service protection profiles, or SPPs.
This allows you to divide one physical FortiDDoS into as many as eight logical devices, where each
logical device can provide protection to its own distinct IP subnet or IP device. Each SPP can have its
own unique security policies and thresholds defined.

You can assign each SPP to its own administrator. It is also possible to associate multiple SPPs with a
single administrator account.

This slide shows that a single FortiDDoS can protect multiple, separate datacenters through the use of
multiple SPPs.

Each team is in its own subnet, and is associated with its own unique SPP. The SPPs provide specific
security policies and thresholds based on each team’s unique requirements.

You can add SPPs under Global Settings > Service Protection Profiles > Config GUI.

SPP 0 is the default profile and you can’t delete it. It serves as a “catch all” profile and therefore it
should not have any protected resources assigned to it.

Using the +Add button, you can create up to seven additional SPPs.

When adding service protection profiles, you must define the policies.

The SPP policy includes a policy name, subnet ID, IP version (IPv4 or IPv6), IP address (or subnet)
and subnet mask of the protected device(s), the associated SPP, enabling of an alternate SPP, and a
comments field.

The policy Name is simply a unique identifier used to distinguish different policies. The Subnet ID is an
automatically generated value in the range of 1 to 2047 that identifies the subnet, along with its data,
on the timeline. The IP Version identifies whether the protected address or subnet is an IPv4 or IPv6
network/device. The IP Address/Subnet mask field identifies the protected device or subnet.
Selecting Alternate SPP allows you to identify a secondary SPP for the policy to use.

FortiDDoS uses a mechanism called Binary Search Mode (BSM) to identify which SPP Policy (subnet)
the traffic belongs to. This in turn identifies which SPP should be used for that traffic. In the past, you
needed to order the subnets from smallest to largest, since it searched down the table looking for first
match, so subnet order was critical. Now, thanks to BSM, you can add subnet policies in any order and
FortiDDoS will automatically determine the best policy to use.
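How an order-independent lookup differs from the legacy first-match search, as an added Python example (not Fortinet code, and not the BSM implementation itself): it assumes that the "best policy" is the most specific matching subnet, uses a constructed policy table, and falls back to SPP 0 as the catch-all profile when nothing matches.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class SppPolicy:
    """One SPP policy row: a protected subnet and the SPP that serves it."""
    name: str
    network: Network
    spp: int  # 0..7


def first_match(policies: List[SppPolicy], addr: str) -> Optional[SppPolicy]:
    """Legacy behaviour: walk the table top-down and return the first subnet containing addr.
    With this search the table had to be ordered from smallest to largest subnet."""
    ip = ipaddress.ip_address(addr)
    for policy in policies:
        if ip.version == policy.network.version and ip in policy.network:
            return policy
    return None


def best_match(policies: List[SppPolicy], addr: str) -> Optional[SppPolicy]:
    """Order-independent lookup: the most specific (longest prefix) containing subnet wins.
    Assumption: 'best policy' means longest prefix; the slide does not describe BSM internals."""
    ip = ipaddress.ip_address(addr)
    candidates = [p for p in policies
                  if ip.version == p.network.version and ip in p.network]
    if not candidates:
        return None
    return max(candidates, key=lambda p: p.network.prefixlen)


def resolve_spp(policies: List[SppPolicy], addr: str) -> int:
    """SPP number that handles traffic for addr; SPP 0 is the catch-all when no policy matches."""
    policy = best_match(policies, addr)
    return policy.spp if policy else 0


# Constructed policy table, deliberately entered largest subnet first
# (the order that produced wrong answers under first-match).
POLICIES = [
    SppPolicy("dc-wide", ipaddress.ip_network("10.10.0.0/16"), spp=1),
    SppPolicy("web-servers", ipaddress.ip_network("10.10.5.0/24"), spp=2),
    SppPolicy("ipv6-lab", ipaddress.ip_network("2001:db8:1::/48"), spp=3),
]

if __name__ == "__main__":
    for addr in ("10.10.5.20", "10.10.9.1", "2001:db8:1::10", "192.0.2.7"):
        legacy = first_match(POLICIES, addr)
        print(f"{addr:>16}  first-match -> {legacy.name if legacy else 'none'}"
              f"  best-match -> SPP {resolve_spp(POLICIES, addr)}")
```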

After you add a service protection profile, the next step is to identify or create the administrator account
for that profile under System > Admin.

Adding a new Administrator involves first creating an Access Profile. This creates a permissions profile
that defines the level of access individual users assigned to this profile have to the system.

After you create an access profile, you can create individual administrator accounts. The administrator
account identifies which service protection profile the administrator has control over, or access to, as
well as which access profile the account belongs to. As mentioned, the access profile is what identifies
the level of permissions the administrator has within the defined SPP for the administrator account.

The Trusted Hosts field defines which specific host device or subnet the administrator is able to
connect from. If left at the default values of 0.0.0.0/0 and ::/0, it allows the administrator to log in from
any host device.

Good job! You now understand how to perform a basic system configuration.

Now, you will examine how to build a baseline.

After completing this section, you should be able to achieve the objectives shown on this slide. By
demonstrating competence in building a baseline, you will be able to use learning, detection, and
prevention modes to define and set thresholds and prevent attacks on your network.

In detection mode, FortiDDoS logs events and builds traffic statistics for SPPs, but it does not take
actions; it does not drop or block traffic, and it does not aggressively age connections. Packets are
passed through the system to and from protected subnets. Any logs and reports that show drop or
block activity are actually simulations of drop or block actions the system would have taken if it were
deployed in prevention mode.

After you have set the statistical baseline and evaluated the configured minimum thresholds, you can put
FortiDDoS in prevention mode. In prevention mode, the system uses the configured minimum
threshold in its calculations that determine the estimated thresholds. The estimated thresholds are rate
limits that are enforced by packet drops. The estimated thresholds are also the triggers for reporting
flood attacks and entering SYN flood attack mitigation mode.

As needed, you can repeat the tuning: monitor observed throughput, estimated thresholds, and drops;
adjust the configured minimum thresholds; monitor; adjust.

When you add FortiDDoS to your network, you deploy it in detection mode for 2-14 days so that the
FortiDDoS system can learn the baseline of normal inbound and outbound traffic. The length of the
initial learning period depends upon the seasonality of traffic (its predictable or expected variations)
and how representative of normal traffic conditions the learning period is. Ensure that there are no
attacks during the initial learning period and that it is long enough to be a representative period of
activity. If activity is heavier in one part of the week than another, ensure that your initial learning period
includes periods of both high and low activity. Weekends alone are an insufficient learning period for
businesses that have substantially different traffic during the week. Thus, it is better to start the learning
period on a weekday. In most cases, seven days is sufficient to capture the weekly seasonality in
traffic.

At the end of the initial learning period, you can adopt system-recommended thresholds (usually lower
than the factory default) and continue to use detection mode to review logs for false positives and false
negatives. As needed, you repeat the tuning: adjust thresholds and monitor the results. When you are
satisfied with the system settings, change to prevention mode. In prevention mode, FortiDDoS drops
packets and blocks sources that violate ACL rules and DDoS attack detection thresholds.

Important: In detection mode, the FortiDDoS system forwards all packets, but a simulated drop might
be recorded. TCP session control options depend on the true TCP state, and simulated drops when the
appliance is in detection mode can lead to unexpected results. For example, if the system records a
(simulated) drop for a TCP connection, when subsequent packets arrive for the connection, the system
treats them as foreign packets because the state table entry indicates the session has already been
closed.

At this point, you have completed the basic configuration. After FortiDDoS completes the desired
learning period, it is time to use the collected data to set the thresholds and place FortiDDoS into
prevention mode, at which point it will start actively protecting your network.

To begin, operate FortiDDoS in detection mode.

In this mode, the FortiDDoS will not protect your network, but will actively monitor the traffic in the
network. By using the data collected in this learning phase, you will be able to build a baseline data set
and define the initial thresholds that best suit your network's usual traffic patterns.

The setting of prevention mode or detection mode is a per-SPP setting. This means that each SPP is
independent of the others, allowing an individual SPP to be in one mode, while the remaining SPPs are
in another mode.

After the learning period is complete, as defined by your network engineer/architect/designer, you can
change the Inbound and/or Outbound Operating Mode to prevention.

The main considerations during the learning period are that the traffic must be normal traffic. That is,
you do not want to learn a traffic pattern during an attack, because that will skew the thresholds. The
other key consideration is that the learning period must be long enough to gather an accurate reflection
of both peak, high-traffic patterns as well as the lowest-level traffic patterns. This will help you more
accurately set your initial thresholds.

When the designated learning period has passed, the next step is to generate a traffic statistics report.
This report will help you define your initial thresholds.

In order to generate the report, you must first enable the Generate option, then select the time Period,
and click the Save button. After the report is complete, you will be able to download the report using
the Save As CSV link in the upper-right corner.

Ideally, you should use a one-week period to cover weekends and weekday traffic.

FortiDDoS can use statistical results from the detection period to generate recommended configured
minimum thresholds. The values generated represent the maximum packets per second during the
observation period.

For example, during each 1-hour period, there are 12 five-minute observation periods. FortiDDoS
captures a maximum-per-second rate for each 5-minute interval. The maximum packets per second
value is the maximum across these 12 five-minute intervals.

When setting the thresholds, you can set thresholds for traffic at OSI Layers 3 (IP addresses), 4 (UDP
or TCP ports) and 7 (applications).

For each OSI layer, you can specify:

• Percentage: The recommended threshold is the maximum packet rate observed multiplied by this
percentage.
• Low Traffic Threshold: FortiDDoS uses this value instead as the configured minimum threshold if
it is higher than the recommended threshold. This value should not be changed unless
recommended by Fortinet support.

Specify a minimum threshold to use instead of the recommended rate when the recommended rate is
lower than this value. This setting is helpful when you think that the generated maximum rates are too
low to be useful. The default threshold is 500 with the following exceptions:
• Most active source scalar and all UDP ports <9999 have their outbound 'low' traffic threshold
automatically set to system maximum rates, no matter what their traffic statistics rate is. If
necessary, expert users can modify these thresholds after creation.
• Changing the low traffic threshold from the default of 500 is not usually recommended, but doing so
will not impact the exceptions noted.
• Changes to the low traffic threshold are persistent and will not revert to defaults after use as was the
case in previous releases.

For example, suppose the generated maximum packet rate for inbound Layer 4 TCP packets is 2,000,
the outgoing rate is 3,000, the Layer 4 percentage is 400 (percent), and the Layer 4 low traffic
threshold is 10,000. In this example:
• The recommended threshold for inbound packets is 8,000 (2,000 * 400% = 8,000). However,
because 8,000 is less than the low traffic threshold of 10,000, the system sets the threshold to
8,000.
• The recommended threshold for outbound packets is 12,000 (3,000 * 400% = 12,000). Because
12,000 is greater than the low traffic threshold of 10,000, the system sets the threshold to 12,000.
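The two stages behind a recommendation, as an added Python example (not Fortinet code): the peak second of each 5-minute window and the maximum across the twelve windows of an hour (the "maximum packets per second" from the previous slide), then the percentage scaling with the low traffic floor. It applies the floor rule exactly as the first sentence of this slide states it, so the inbound case resolves to the 10,000 low traffic threshold; the per-second samples are constructed to reproduce the slide's 2,000 and 3,000 pps peaks.

```python
from typing import Dict, List

WINDOW_SECONDS = 300     # one 5-minute observation period
WINDOWS_PER_HOUR = 12    # 60 minutes / 5 minutes


def peak_per_window(per_second_counts: List[int], window: int = WINDOW_SECONDS) -> List[int]:
    """Split per-second packet counts into observation windows and keep the peak second of each."""
    return [max(per_second_counts[i:i + window])
            for i in range(0, len(per_second_counts), window)]


def generated_max_rate(per_second_counts: List[int]) -> int:
    """The 'maximum packets per second' the statistics report carries: the highest window peak."""
    return max(peak_per_window(per_second_counts))


def recommended_threshold(max_rate: int, percentage: int, low_traffic_threshold: int) -> int:
    """Scale the observed maximum by the layer percentage, then apply the low traffic floor:
    when the scaled rate is lower than the low traffic threshold, the threshold is used instead."""
    scaled = max_rate * percentage // 100
    return max(scaled, low_traffic_threshold)


def recommend(inbound: List[int], outbound: List[int],
              percentage: int, low_traffic_threshold: int) -> Dict[str, int]:
    """Recommended configured minimum thresholds for both directions of one layer."""
    return {
        "inbound": recommended_threshold(generated_max_rate(inbound),
                                         percentage, low_traffic_threshold),
        "outbound": recommended_threshold(generated_max_rate(outbound),
                                          percentage, low_traffic_threshold),
    }


def constructed_hour(baseline: int, spikes: Dict[int, int]) -> List[int]:
    """One hour of constructed per-second packet counts: a flat baseline plus a few busier seconds."""
    counts = [baseline] * (WINDOW_SECONDS * WINDOWS_PER_HOUR)
    for second, pps in spikes.items():
        counts[second] = pps
    return counts


# Constructed samples: inbound peaks at 2,000 pps in window 2, outbound at 3,000 pps in window 0.
INBOUND_HOUR = constructed_hour(1500, {742: 2000, 2900: 1800})
OUTBOUND_HOUR = constructed_hour(2200, {100: 3000})

if __name__ == "__main__":
    print("inbound window peaks:", peak_per_window(INBOUND_HOUR))
    print("Layer 4 at 400%, low traffic threshold 10,000:",
          recommend(INBOUND_HOUR, OUTBOUND_HOUR, percentage=400, low_traffic_threshold=10_000))
    print("Quiet subnet at 400%, default low traffic threshold 500:",
          recommended_threshold(max_rate=100, percentage=400, low_traffic_threshold=500))
```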

After you define the thresholds and put the FortiDDoS into prevention mode, the next step is to
continue to monitor attack statistics and adjust thresholds as needed. This phase of the configuration
process is an ongoing process.

The first step following the learning period is to adjust the thresholds following the data recorded. The
SPP should then remain in Detection mode for a few more days, in order to ensure that traffic patterns
are being detected properly. Double check to ensure there are no false positives being detected, and
that all legitimate traffic is being treated as legitimate traffic. Adjust the thresholds as needed if any
unexpected results are seen.

After you verify that the defined thresholds are working as expected, put the SPP into Prevention
mode. Now, FortiDDoS is protecting your network. FortiDDoS will continue to learn and adjust to
legitimate traffic, thanks to the adaptive thresholds capability.

Your work however is not finished. Monitoring FortiDDoS and adjusting to changing traffic patterns is
an ongoing process.

You use the backup procedure to save a copy of the configuration. You can create a backup of a
specific SPP configuration or the whole system configuration (including all SPPs). The backup file
created by the web UI is a text file with the following naming convention:
FDD-<serialnumber>-<YYYY-MM-DD>[-SPP<Number>]. If you use the CLI to create a backup, you specify the filename.

Selecting either the Back Up or Restore radio buttons allows you to switch the tool from backup to
restore functionality and will also change the label on the button to either Back Up or Restore.

Click the Back Up button to start the backup procedure. Likewise, click the Restore button to start the
restore procedure.

Your web browser uploads the configuration file and the system reboots with the new configuration.
The time required to restore varies by the size of the file and the speed of your network connection.
Your web UI session is terminated when the system reboots. To continue using the web UI, refresh
the web page and log in again. If the restored system has a different management interface
configuration than the previous configuration, you must access the web UI using the new management
interface IP address.

WARNING: Restoring a full system configuration will result in a system reboot which can interrupt
traffic if your traffic links do not have fail-open capability.

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

NOTE: Leave this diagram up for students to reference during the lab.

Monitoring and Reporting

In this lesson, you will learn about the monitoring and reporting tools available on the FortiDDoS.

In this lesson, you will explore the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring local and remote logging, email alerts and customizable
reports, you will be able to collect data, trigger alerts to attacks, and generate reports to better analyze
and identify attack sources, targets, and types.

Log messages often contain clues that can help you determine the cause of a problem.

Depending on the type, log messages may appear in either the system event logs or the DDoS attack
logs. To enable logging of different categories of system events, click Log & Report >
Log Configuration > Local Log Settings. All DDoS attack log categories are enabled automatically
and cannot be disabled.

During troubleshooting, you might find it useful to lower the logging severity threshold for more verbose
logs, to include more information on less severe events.

To configure the log level, go to Log & Report > Log Configuration > Local Log Settings.

The local log is a datastore hosted on the FortiDDoS system. The local log disk configuration applies to
both the system event log and the DDoS attack log. Typically, you use the local log to capture
information about system health and system administration activities, to verify that your configuration
and tunings behave as expected, and to understand threats in recent traffic periods.

Local log disk settings are configurable. You can select a subset of system events. The DDoS attack
log events are not configurable.

The DDoS log configuration applies to security data. The DDoS Attack Log table which you can
access by clicking:
• Log & Report > Log Access > Logs (logged by time)
• FortiView > Logs > DDoS Attack Log tab (logged by time)
• Executive Summary > Attack Logs (provides summary and detail logs)

In each logging location, you can display attack event records for the selected SPP or all SPPs. The
DDoS Attack Log table is updated every few seconds, or from one to five minutes, depending on the
attack event type. There are two types of attack events:
• Periodic: items such as anomaly drops, where the system will display as few as 1 drop. These are
displayed every five minutes. On larger systems, they may take 2 additional minutes to appear.
• Interrupt: items such as floods. These are displayed every minute.

The table contains a default maximum of 1 million events, but this can be increased to 2 million events in
Log Purge Settings. If the number of events exceeds the value configured in the Log Purge Settings, the
system deletes the 200,000 oldest events. Logs can also be purged by date.

It is both standard practice and best practice to send security log data to secure remote servers where
it can be stored long term and analyzed using your preferred analytic tools. A remote log server is a
system provisioned specifically to collect logs for long-term storage and analysis, for example
FortiAnalyzer or FortiSIEM.

The system has two configurations to support sending logs to remote log servers:
• Remote log server settings for system event logs
• Remote log server settings for DDoS logs

The system event log configuration applies to system-wide data, such as system health indicators and
system administrator activities. You can configure up to three remote log servers (log remote or remote
event log servers) for system event logs.

You can configure individual remote log server configurations for each SPP, and each SPP can be
configured for up to two remote DDoS attack log remote syslog servers.

The FortiDDoS SNMP agent supports a few management information bases (MIBs).

To communicate with the FortiDDoS SNMP agent, you must first compile these MIBs into your SNMP
manager. If the standard MIBs used by the SNMP agent are already compiled into your SNMP
manager, you do not have to compile them again. The FortiDDoS SNMP implementation is read-only.
To view a trap or query’s name, object identifier (OID), and description, open its MIB file in a plain text
editor. All traps sent include the message, the FortiDDoS appliance’s serial number, and host name.

You can obtain the Fortinet MIB files from the Fortinet Service & Support website in the same section
where you download firmware images.

Alert emails can be sent to the configured addresses when specified events are triggered. You can
specify whether event severity or event category is the basis for your alerts configuration.

Customizable reports can be periodically generated. When configuring a report you must specify:
• How frequently the report will be generated, or if the report will be generated when a drop count
threshold is exceeded
• If the report will include data for:
• all SPPs
• Single SPP
• Subnet (SPP Policy)
• SPP Policy Group (group of subnets)
• Default subnet (subnet that has not been defined in an SPP Policy)
• The collected time period for the data
• The type of events to include
• The output format (such as HTML, TXT or PDF)

New reports can be automatically delivered by email each time they are generated.

Good job! You now understand how to configure logging, alerts and reports.

Now, let's examine how to understand the data.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in understanding the dashboard, FortiView, and logs, you will be able to
use all the tools available to identify the source, destination, and characteristics of any DDoS attacks
your network might experience.

The Dashboard contains table and graph summaries of system information or system status. You can
use the dashboard to check system status at-a-glance or to quickly find system information, like the
hardware serial number, firmware version, license status, or interface status. For a deeper look at
attack traffic, use the Monitor and Log & Report menus.

The default dashboard setup includes the following tables and graphs:
• System Information
• System Status
• License Information
• Aggregate SPP Traffic, which updates every 30 seconds
• Count of Unique Sources
• Top Attacked SPPs
• System Resources (core system resources only, not the TP2s)
• Top SPPs with Denied Packets
• Recent Event Logs

For any graph, you can select either Linear (default) or Logarithmic scale using the link from the top
right corner. If there is a range of data where one or a few points are much larger than the bulk of the
data, select Logarithmic scale to reduce the outputs skewing towards large values.

FortiView provides a comprehensive network monitoring system that integrates real-time and historical
data into a single view. It can log and monitor threats to networks, filter data on multiple levels, keep
track of administrative activity, and more.

The two main tools that FortiView offers are the threat map, which provides a visual representation of
current and historical attack traffic, and the tree view of SPPs and protected subnets, which shows
traffic and attack drop information.

The FortiView threat map displays a map view of attacks, including source and destination geo-
locations (when identifiable), with a single day view of information. The attacks can be from various
geo-locations and will be classified in one of three categories:
• Internal: Identified public source IPs from the same country geolocation as the FortiDDoS protected
IPs.
• Identified: Identified public source IPs from other geo-locations.
• Unknown: Spoofed or otherwise unidentifiable source IPs.

The tree view displays a top-level view of all the configured SPPs and SPP policies (subnets). The first
node branching out from FortiDDoS represents the configured SPPs with the corresponding SPP traffic
statistics and aggregate drops graphs. The SPP nodes branch out to SPP policies or subnets
corresponding to that SPP, displaying the subnet traffic statistics graph.

You can adjust the display using the top-right parameters for time period of 1 hour to 1 year, inbound or
outbound traffic, and drops per SPP.


Each TP2 processor has source tables, session tables and destination tables. Each of these tables is
capable of storing up to 1 million entries.


You can use the session diagnostic report to check the session counters. The count applies to current
traffic. You can correlate the count with source IP address, protected IP address, associated port, or
TCP state. You can also filter the records to include or exclude matching expressions.

You can use the source diagnostic report to check the connection and drop counters for each source IP
address. The count applies to current traffic. You can select either the source IP or direction to filter the
results. You can also filter the records to include or exclude matching expressions.


Packet drops happen for a number of reasons, such as:

• Rate (flood) attacks, which are identified by a violation of the configured thresholds.
• Access control list (ACL) violations, such as geo-location, source address, or IP reputation denials.
• Header or TCP state anomalies, which include Layer 3, 4, or 7 headers with content that violates the
protocol's standards, and violations found in packets during a TCP session.

Statistics related to dropped packets can be reviewed by clicking the Monitor menu and a drop type.
For each type of drop, you can review the aggregate number of drops, or review drops by Layer 3,
Layer 4, or Layer 7 specific details.


Packet drops also happen when hash attacks or out-of-memory conditions occur.

For indexing purposes, a hash of the IP addresses is stored in each TP2 table. Packets are dropped
when the number of IP addresses with the same hash goes above a certain threshold (a hash attack).

Out of memory issues occur when there are no more entries available in one of the TP2 tables to store
the packet information. This is usually an indication that the unit is undersized or not properly
configured.


All of the logging and notification tools that you have configured allow you to identify when your
network is being attacked, how it is being attacked, and where it is being attacked from. The elements
that you must identify during an attack analysis are as follows:
• The attack destination and source IP addresses (the source IP address is rarely shown, because most
DDoS attacks use spoofed IP addresses)
• The type of attack
• The size of the attack
• The attack parameters at each of the OSI layers
• The reason for the dropped packets
• Confirmation that you are not getting a false positive


Most of the statistics graphs identify the SPP and the direction of the attack, so if there is only one
subnet in the attacked SPP, you can easily determine the attack destination. If the SPP contains more
than one subnet, you can use the Executive Summary report, the Attack Graph dashboard, or the DDoS
Attack Logs to determine the attack destination.


When investigating a DDoS attack, one of the key steps is to determine the type of packet drops you
have experienced. The drop types include flood drops, ACL drops, and anomalous drops.

There are several tools that you can use to determine the type of attack and the attack source. These
tools include the Executive Summary report, the Attack Graphs dashboard, and the DDoS Attack Logs.
Keep in mind that in the case of spoofed attacks, the source information is not provided because it is
irrelevant for these scenarios.


You can access the DDoS Attack Log from either the Executive Summary menu or the FortiView
menu. Each of the tables summarizes the top attacks, ranked by drop count (highest to lowest).

The data can be filtered by SPP (one SPP or all SPPs), time period (1 hour to 1 year), and inbound or
outbound drops. You can also filter based on attacked TCP and UDP ports. You should review this page
frequently.


The DDoS Attacks Graph dashboard, like the DDoS Attack Log, is accessible from either the
Executive Summary menu or the FortiView menu. This dashboard contains graphs that
summarize the top attacks. The data is filtered by SPP, so this dashboard gives you insight into the
attacks that have been thwarted by that SPP's security posture.

The dashboard provides over 20 attack graphs, including Top Attacked SPPs, Top SPPs With
Denied Packets, Top Attacks, Top ACL Drops, and many more.


The Port Statistics > Packets graph compares the volume of traffic ingressing and egressing each
interface pair, in each traffic direction. The difference between these values determines the amount of
traffic dropped, and the size of the attack.


When investigating an attack, start by using the following graphs to identify the layer at which the
attack is happening:
• Aggregate Flood Drops
• Aggregate ACL Drops
• Anomaly Drops statistics

You can then begin to drill down further by accessing statistics specific to each attack type and layer.
The DDoS Attack Logs also provides information about the attack parameters, and can provide more
information beyond what the graphs show you.


Each graph allows you to dig slightly deeper into the attack. Start by looking at the Aggregate Drops
graph. This will show you a graph of all attacks at each of the 3 layers.

Note that in the lower left corner of the window, you can clear selected layers to filter them out of the
graph. Filtering out layers allows you to focus on an individual layer.


After you have identified which layer is the primary concern for a specific attack period, you can go to
that layer's specific graph. In the layer-specific graph, you can see additional information about the
attack. In the lower left corner there are filters that allow you to focus on specific statistics for this
layer. The filter options include:
• Protocols
• Fragmented Packets
• Source Flood
• Destination Flood


NOTE: To display source IPs in slowloris attacks, you must have Source Blocking for Slow
Connections enabled.


Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.


This slide shows all the objectives that you covered in this lesson.

By mastering the objectives covered in this lesson, you learned how to configure alerts and reports,
and understand the associated data.




NOTE: Leave this diagram up for students to reference during the lab.

Global Settings

In this lesson, you will learn about the global settings of FortiDDoS.


In this lesson, you will explore the topics shown on this slide.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in advanced detection features, you will be able to avoid, identify, and
solve common reporting issues.


Blocking periods can help to minimize false positives. For example, if the system sees a fragment
threshold being crossed, it blocks all the source IPs sending fragments for the initial blocking period,
while evaluating all the sources.

If a source is sending at a lower fragment rate than the source tracking rate, it is released after no
longer than 15 seconds (the default), and usually much sooner.

Sources that source tracking identifies as over threshold are immediately blocked for the duration of
the blocking period for identified sources (by default, 60 s).

At the end of that period, if those sources have fallen below the drop threshold count, they are
unblocked. If they still exceed the drop threshold count, they are blocked for the duration of the
extended blocking period (by default, 60 s) and evaluated again, remaining blocked until their drop rate
declines below the drop threshold count.


When an attack is detected, FortiDDoS source tracks up to 6 million source IPs. It finds and blocks
sources that are sending the offending traffic. For example, if the Fragment Threshold is crossed,
FortiDDoS starts looking for all sources sending fragments, while continuing to monitor all other
detections. As it finds sources sending fragments, it applies the Source Multiplier to the data rate for
that source and compares it to the Most Active Source (MAS) threshold already configured. If the
multiplied rate from the source is lower than the MAS, the source is allowed to continue (and continues
to be monitored). If the rate is higher than the MAS, the source is blocked for 60 seconds by default and
reevaluated continuously until its rate drops below the threshold. Evaluation of up to 6 million sources
takes between 2 and 15 seconds (usually closer to 2 than 15).

Packet count multipliers are adjustments to counters that are applied to traffic associated with an attack
so that the thresholds that control drop and block responses are triggered sooner. You can configure
multipliers for the following types of traffic:
• Source floods: Traffic from a source that the system has identified as the source of a flood.
• Layer 7 floods: Traffic for attacks detected based on a URL or host, referer, cookie, or user-agent
header field.

You can use the Protection Profiles > Settings page to specify packet count multipliers. When both
Source flood and Layer 7 flood conditions are met, the packet count multipliers are compounded.

For example, during a user-agent flood attack, a source is sending the user-agent that is
overloaded. If the source multiplier is 4 and the Layer 7 multiplier is 64, the total multiplier that is
applied to such traffic is 4 x 64 = 256. In effect, each time the source sends a Layer 7 packet with that
particular user-agent header, FortiDDoS considers each packet to be the equivalent of 256 packets.
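The following Python model is an added example, not FortiDDoS code, showing how the two passages above fit together: the Source multiplier and Layer 7 multiplier compound before the weighted rate is compared with the Most Active Source threshold, and a source over threshold is held for the identified-source blocking period, then the extended period if it is still over threshold when re-evaluated. The MAS value of 1000 packets per second and the per-source rates are constructed; the multiplier values 4 and 64 and the 60 s periods are the ones the text uses.

```python
"""Added example (not Fortinet code): a small model of how source tracking
combines the Source and Layer 7 multipliers with the Most Active Source (MAS)
threshold and the blocking periods described in the study guide text above.
The MAS value and the per-source rates are constructed for illustration."""
from dataclasses import dataclass

SOURCE_MULTIPLIER = 4       # Source flood multiplier from the page example
LAYER7_MULTIPLIER = 64      # Layer 7 flood multiplier from the page example
IDENTIFIED_BLOCK_SECS = 60  # blocking period for identified sources (default)
EXTENDED_BLOCK_SECS = 60    # extended blocking period (default)


def effective_multiplier(source_flood: bool, layer7_flood: bool) -> int:
    """Multipliers compound: when both conditions hold, 4 x 64 = 256."""
    multiplier = 1
    if source_flood:
        multiplier *= SOURCE_MULTIPLIER
    if layer7_flood:
        multiplier *= LAYER7_MULTIPLIER
    return multiplier


@dataclass
class TrackedSource:
    """Per-source state kept while the source is being tracked."""
    blocked_until: float = 0.0  # absolute time at which the current block expires
    was_blocked: bool = False   # a re-block after expiry uses the extended period


class SourceTracker:
    """Evaluates per-source packet rates against MAS and applies block periods."""

    def __init__(self, mas: int):
        self.mas = mas  # assumed Most Active Source threshold, packets per second
        self.state: dict[str, TrackedSource] = {}

    def evaluate(self, now: float, rates: dict[str, int],
                 layer7_flood: bool = False) -> set[str]:
        """One evaluation pass. `rates` maps a source IP to its raw packet rate in
        the flooded category (for example, fragments per second). Returns the set
        of source IPs that are blocked after this pass."""
        blocked = set()
        for ip, pps in rates.items():
            src = self.state.setdefault(ip, TrackedSource())
            # Source tracking applies the Source multiplier to every tracked
            # source; a concurrent Layer 7 flood compounds it.
            weighted = pps * effective_multiplier(True, layer7_flood)
            if now < src.blocked_until:
                blocked.add(ip)  # block period still running, no re-evaluation yet
                continue
            if weighted > self.mas:
                period = EXTENDED_BLOCK_SECS if src.was_blocked else IDENTIFIED_BLOCK_SECS
                src.blocked_until = now + period
                src.was_blocked = True
                blocked.add(ip)
            else:
                src.was_blocked = False  # released, but still monitored
        return blocked


if __name__ == "__main__":
    tracker = SourceTracker(mas=1000)
    # Constructed rates: 300 pps x 4 = 1200 exceeds MAS; 100 pps x 4 = 400 does not.
    print(tracker.evaluate(0.0, {"198.51.100.7": 300, "203.0.113.9": 100}))
```

The model keeps the evaluation stateless apart from the block timer, which is why a source that was released and later re-tracked starts again with the identified-source period rather than the extended one.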


This slide shows where and how to configure the blocking periods.


You can use the Global Settings > Settings > General tab to enable detection for the following HTTP
anomalies:

• Known Method Anomaly — Drops HTTP traffic that uses one of the eight known methods: GET,
HEAD, OPTIONS, PUT, POST, CONNECT, DELETE, or TRACE. By default, all the methods are
treated as valid and therefore no Monitor graphs are provisioned, even if there are drops.
• Unknown Method Anomaly — Drops HTTP traffic that uses a method other than one of the
following: GET, HEAD, OPTIONS, PUT, POST, CONNECT, DELETE, or TRACE. For example,
TEST or PROPFIND. The dropped packets will be shown in the monitor graphs as well as in the
attack log.
• Invalid HTTP Version Anomaly — Drops HTTP traffic with an HTTP version other than one of the
following: 0.9, 1.0, or 1.1. The dropped packets will be shown in the Monitor Graphs as well as in
the Attack Log.
• Do Not Parse HTTP 0.9 — Drops sessions when the HTTP request includes the HTTP range
header. The range header can be abused by attackers to exhaust HTTP server resources. There
are no drops associated with this feature and the default setting is to treat HTTP 0.9 packets as
HTTP packets and further parse.
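As an added example (not Fortinet code), the classifier below applies the Known Method, Unknown Method and Invalid HTTP Version checks described above to HTTP request lines. The sample request lines are constructed; the three options are modelled as plain on/off flags that are all off by default, which matches the "treated as valid" default in the text, and a request line with no version token is read as HTTP/0.9.

```python
"""Added example (not Fortinet code): classifies HTTP request lines according
to the Known Method, Unknown Method and Invalid HTTP Version anomaly options
described in the study guide text above. Sample request lines are constructed."""
import re

KNOWN_METHODS = {"GET", "HEAD", "OPTIONS", "PUT", "POST", "CONNECT", "DELETE", "TRACE"}
VALID_VERSIONS = {"0.9", "1.0", "1.1"}

# method SP request-target [SP HTTP/major.minor]; HTTP/0.9 requests carry no version token
REQUEST_LINE = re.compile(r"^([A-Za-z]+)[ ]+(\S+)(?:[ ]+HTTP/(\d+\.\d+))?$")


def parse_request_line(line):
    """Return (method, target, version), or None when the line is not a request line.
    A missing version token is reported as "0.9", which is what its absence means."""
    m = REQUEST_LINE.match(line.strip())
    if not m:
        return None
    method, target, version = m.groups()
    return method, target, version or "0.9"


def anomalies(line):
    """Set of anomaly names that the request line would raise."""
    parsed = parse_request_line(line)
    if parsed is None:
        return {"malformed-request-line"}
    method, _, version = parsed
    found = set()
    if method not in KNOWN_METHODS:
        found.add("unknown-method")   # for example TEST or PROPFIND
    if version not in VALID_VERSIONS:
        found.add("invalid-version")  # anything other than 0.9, 1.0 or 1.1
    return found


def would_drop(line, known_method=False, unknown_method=False, invalid_version=False):
    """Apply the three options as on/off flags. With all flags off (the default)
    nothing is dropped; each enabled flag drops the traffic it describes."""
    parsed = parse_request_line(line)
    if parsed is None:
        return False  # not an HTTP request line as far as this check goes
    found = anomalies(line)
    if known_method and parsed[0] in KNOWN_METHODS:
        return True
    if unknown_method and "unknown-method" in found:
        return True
    if invalid_version and "invalid-version" in found:
        return True
    return False


if __name__ == "__main__":
    # Constructed samples: a normal request, a WebDAV method, a bad version, an HTTP/0.9 request
    for sample in ("GET /index.html HTTP/1.1", "PROPFIND /dav HTTP/1.1",
                   "GET / HTTP/2.0", "GET /legacy"):
        print(sample, "->", sorted(anomalies(sample)),
              "drop:", would_drop(sample, unknown_method=True, invalid_version=True))
```

Method names are compared case-sensitively, as HTTP defines them, so a lower-case "get" counts as an unknown method rather than being normalised.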


By default, FortiDDoS only inspects HTTP traffic on port 80. If your web server or servers are on non-
standard ports, you must manually identify that port number in order to ensure the FortiDDoS is
properly able to protect the devices.


The FortiGuard IP Reputation Service is a licensed subscription service that maintains data on IP
addresses and network IP ranges that pose a threat to your network. After you purchase IP Reputation,
you register the FortiDDoS appliance serial number. Then, you can download the IP reputation list or
schedule updates. After you have enabled the feature, the FortiDDoS system downloads the most
recent definitions file and then maintains updates for it according to the schedule you configure.

To use over-the-wire updates, the management port must be able to access the Internet. Alternatively,
you can obtain the IP reputation definitions file and upload it using the dashboard license information.
The license information portlet displays the status of the most recent update. If the download is
successful and new definitions are available, the lists are replaced; otherwise, the previous list remains
in use. You can configure how the FortiDDoS system receives scheduled updates.


The IP Reputation configuration allows you to configure multiple options:


• Status - Enable scheduled updates.
• Override Server IP - Enable to specify the override server IP address.
• Schedule Type – Can be set to either Daily to schedule daily updates, or Weekly to schedule
weekly updates.
• Category - Select an IP reputation subscription category. You can select from DDoS or
Anonymous Proxies. DDoS is the recommended option.
• Tunnel - Enable to use a web proxy server IP address. If enabled, you can set the Tunneling IP
address, Web proxy server IP address, Port for the web proxy server, Administrator user name
for the web proxy server, and Password for the web proxy server.

Not all options are visible until the parent option has been configured. For example, the various options
under Tunnel are not displayed until you enable Tunnel.


The FortiGuard Domain Reputation service is a licensed subscription that maintains a database of
DNS domain names that pose a threat to your network and clients. After you purchase Domain
Reputation, you register the service contract to the FortiDDoS appliance serial number. Then, you can
schedule updates to the Domain Reputation list.

After you have enabled the feature, the FortiDDoS system downloads the most recent definitions file
and then maintains updates for it according to the schedule you configure. To use over-the-wire
updates, the management port must be able to access the Internet. If the system is behind a web
proxy, enable and set up Tunnel (proxy) in Global Settings > IP Reputation (even if IP Reputation is
not enabled). The license information portlet displays the status of the most recent update. If the
download is successful and new definitions are available, the lists are replaced; otherwise, the previous
list remains in use.

Note: Because a domain name is seen in both the query and response, Domain Reputation will drop
any responses it sees containing blacklisted domains, even if FortiDDoS does not see the query. This
can happen in two circumstances:
• Asymmetric traffic where FortiDDoS is seeing the inbound traffic link only (does not see outbound
queries).
• Reflected response floods may use malicious FQDNs, in which case Domain Reputation may see
the flood before DQRM sees it.


The Domain Reputation configuration is similar to the IP Reputation configuration.


• Domain Reputation Status - Enable scheduled updates.
• Override Server IP and Domain Reputation IP Address – Enable to override the server IP and
enter a domain reputation IP address. You should ONLY do this if you cannot use the default FQDN
of FortiGuard.
• Domain Reputation Schedule Type - Select the schedule type, either Daily or Weekly.


FortiDDoS can take into account the possibility that a source IP address might be a proxy IP address,
and adjust the threshold triggers accordingly. If a source IP address is determined to be a proxy IP
address, the system adjusts the thresholds for Most Active Source, SYN per source, Concurrent
Connections per source, HTTP Method per source, and DNS Query per source by a multiplier that
you specify.

You can configure either, or both, of the following methods to determine whether the source IP address
is a proxy IP address:
• Concurrent connection count: This is used when there are many users behind a web proxy or NAT
device like an enterprise firewall.
• HTTP headers: This is used when there are many users behind a content delivery network (CDN),
such as Akamai.


Concurrent Connections Per Source: Every 5 minutes, the system records the IP addresses of
sources with more than this number of concurrent connections, to test whether those sources might be
using a proxy IP address. The default is 100 concurrent connections.

Proxy IP Percent Present: Determines whether the source IP address is regarded as a proxy IP
address. For example, with the default of 30, after the observation period the IPs whose concurrent
connection count was above 100 for 30% of the time are identified as proxy IPs.

Observation period
• Past Week — Uses data from the previous week to determine whether a source IP address is a
proxy IP address.
• Past Month — Uses data from the previous month.

Download List: Select this to generate the list of detected proxy IP addresses. This list is useful for
identifying IP addresses that the system has treated as a proxy but are actually attackers. You can add
these kinds of IP addresses to an ACL to block their traffic.


When configuring proxy IP settings for concurrent connections, select the Detect Proxy IP By Number
of Connections check box. You must then define the number of Concurrent Connections Per
Source, the Proxy IP Threshold Factor, and the Proxy IP Percent Present.

Every 5 minutes, the FortiDDoS records the IP addresses of sources that have more than this number
of concurrent connections to test whether those sources might be using a proxy IP address. The
default is 100 concurrent connections.

The Proxy IP Threshold Factor specifies a multiplier that is applied when the source IP address is
identified as a proxy IP address. For example, if you specify 32, and the Most Active Source threshold
is 1000, then the Most Active Source threshold applied to proxy IP addresses is 32 x 1000 or 32,000.
The default for this setting is 128, and the maximum is 32,768.

The Proxy IP Percent Present value is a threshold that determines whether the source IP address is
regarded as a proxy IP address. For example, with the default of 30, after the observation period the
IPs whose concurrent connection count was above 100 for 30 percent of the time are identified as
proxy IPs.

Optionally, you can define the Observation Period as either Past Week, or Past Month. You can also
select the Download List check box to download the list of IP addresses.


Proxy HTTP Header type allows you to select the HTTP headers that indicate a proxy address might
be in use.

The HTTP headers can be either true-client-IP or x-forwarded-for. Selecting the x-forwarded-for
option also enables parsing of x-true-client-ip and x-real-ip headers.


You can choose to use header inspection instead of, or in addition to, concurrent connections. If you
enable Detect Proxy IP Using Headers, you will be able to select the HTTP headers that indicate a
proxy address might be in use. You can select either True-Client-IP, X-Forwarded-For or both.

Selecting the X-Forwarded-For option also enables parsing of x-true-client-ip and x-real-ip
headers.
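The following is an added example, not Fortinet code, of the header parsing the two preceding slides describe: it reports which client addresses the selected proxy headers claim, with the X-Forwarded-For option also turning on x-true-client-ip and x-real-ip. The header text is constructed, and the example only validates that each value is a syntactically correct IP address; how FortiDDoS uses the extracted address beyond that is not something this code models.

```python
"""Added example (not Fortinet code): extracts the client addresses carried by
the proxy headers named in the study guide text above. The HTTP header data
used here is constructed."""
import ipaddress


def parse_headers(raw):
    """Split raw header text into a dict of lower-cased name -> list of values.
    Repeated headers are kept in order; lines without a colon are ignored."""
    headers = {}
    for line in raw.splitlines():
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def _valid_ip(text):
    """Normalised IP string, or None when the token is not an IPv4/IPv6 address."""
    try:
        return str(ipaddress.ip_address(text))
    except ValueError:
        return None


def proxied_client_ips(raw, true_client_ip=True, x_forwarded_for=True):
    """Client IPs claimed by the enabled proxy headers, in the order examined.
    X-Forwarded-For may carry a comma-separated chain of hops; each valid hop is
    kept once. Enabling X-Forwarded-For also enables x-true-client-ip and
    x-real-ip, as the text states."""
    headers = parse_headers(raw)
    names = []
    if true_client_ip:
        names.append("true-client-ip")
    if x_forwarded_for:
        names += ["x-forwarded-for", "x-true-client-ip", "x-real-ip"]
    found = []
    for name in names:
        for value in headers.get(name, []):
            for token in value.split(","):
                ip = _valid_ip(token.strip())
                if ip and ip not in found:
                    found.append(ip)
    return found


def is_behind_proxy(raw, **options):
    """True when at least one enabled proxy header carries a valid address."""
    return bool(proxied_client_ips(raw, **options))


if __name__ == "__main__":
    # Constructed request headers as a CDN or reverse proxy might forward them
    sample = ("Host: www.example.com\r\n"
              "X-Forwarded-For: 203.0.113.5, 198.51.100.2\r\n"
              "X-Real-IP: 203.0.113.5\r\n")
    print(proxied_client_ips(sample))
    print(proxied_client_ips(sample, x_forwarded_for=False))
```

Because these headers are written by whatever sits in front of the server, a value that does not parse as an address is simply ignored rather than treated as evidence of a proxy; that is what keeps an unparseable header from changing the per-source thresholds.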


Good job! You now understand advanced detection options.

Now, you will examine other control options.


After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in report troubleshooting, you will be able to avoid, identify, and solve
common reporting issues.


In order to create a global access control list or do not track list, you must first create address objects
to identify the IPv4 addresses and subnets that you want to match in those policy rule bases.

When adding an item to the Address list, you can add based on IP Netmask, IP Address, or Geo
Location. If you select Geo Location, the detail field changes from a text entry box to a drop-down list
where you can select a specific country.


You can specify IP addresses that FortiDDoS does not restrict or track. Packets matching the Do Not
Track Policy are forwarded without inspection.

Do Not Track Action


• Do not Track — Packets are never dropped nor included in the statistics for threshold estimation.
• Track and Allow — Packets are never dropped, but are included in the statistics for threshold
estimation.


The global ACL policy establishes allow and deny rules for traffic based on the source IP address.

Packets from IP addresses that are denied or allowed by ACLs do not affect the statistics for
continuous learning for source addresses. However, other characteristics of the packets, such as
protocols and ports, are included in the corresponding statistics. Information about packets denied by
the global ACL policy is reported in the following graphs and reports:
• Graphs - Monitor > ACL Drops > Layer 3 and Monitor > Layer 3 > Address Denied
• Executive Summary dashboard - Log & Report > Executive Summary
• Reports - Log & Report > Report Configuration


In a deployment with a bypass bridge, the bridge passes heartbeat packets to test the health of the
FortiDDoS traffic interfaces. If the heartbeat packets are not passed, bypass mode is triggered.
In most cases, the bypass bridge will expose the MAC addresses of its monitor ports that are sending
the heartbeat packets. You should enter these MAC addresses in the FortiDDoS bypass MAC address
list to ensure that packets from these MAC addresses are never blocked by FortiDDoS.

Each FortiDDoS model supports the following number of bypass MAC addresses:
• 200B – 8
• 400B/600B/800B/900B/1000B – 16
• 1200B/2000B – 20


Border Gateway Protocol (BGP) flow specification (flowspec) describes a new BGP Network Layer
Reachability Information (NLRI) format that you can use to distribute traffic flow specification rules. The
fundamental purpose of BGP flowspec is to automate the distribution of traffic filter lists to routers from
a single point of control, specifically for the mitigation of DDoS attacks. While routers could originally
block DDoS attacks based only on the destination or source of the attack, BGP flowspec allows
mitigation using a BGP NLRI type, which may include several components, such as destination prefix,
source prefix, protocol, ports, and so on.

Because FortiDDoS is deployed very close to networks under attack, it not only has full visibility of an
attack, but it can also detect attacks at Layers 3, 4, and 7 within a few seconds.


Because FortiDDoS identifies attacks at a granular level, it also has detailed visibility into them. It then
summarizes these attacks using most of the NLRI components. As a result, rather than using the typical
broad-brush approach that essentially blocks all traffic, FortiDDoS is able to send very specific attack
information that can be used to block very specific attack traffic, while leaving the rest of the traffic
alone.

An important point to note here is that until an attack grows beyond the capacity of FortiDDoS, all
DDoS attacks are mitigated by FortiDDoS itself. A FortiDDoS administrator, upon notification from
FortiDDoS of imminent link saturation, can generate the flowspec data that can be exported to a
peering router. This can be done for a chosen destination under attack, with a drop threshold above a
given number. FortiDDoS can then generate a flowspec that is compatible with the Cisco or Juniper
routers managing the affected traffic. The BGP router to which FortiDDoS BGP flowspec information is
applied converts the flowspec route into an ACL, and then applies it to its selected interfaces. At the
same time, either the router or the FortiDDoS administrator can configure an appropriate action to
drop, redirect, or rate limit the traffic.


Fortinet is a Verisign OpenHybrid partner. FortiDDoS uses the Verisign REST API to signal to Verisign
that FortiDDoS has detected an attack, the destination subnet, the attack type, and the attack size. This
cloud signaling feature enables small and medium businesses and enterprises that have deployed
FortiDDoS in the CPN to work with Verisign to divert traffic during large attacks to the Verisign
scrubbing station. Clean traffic that is not dropped at the scrubbing station is forwarded to its
destination.

A hybrid solution like this leverages the power of FortiDDoS to mitigate attacks granularly until the
upstream network pipe reaches its limits. When that occurs, the Verisign overcapacity and scrubbing
techniques can be used to mitigate network layer attacks. Depending on the size of the network and
the type of attack, Verisign might use BGP-based diversion or DNS-based diversion. Discuss with
Verisign the requirements for these options and make a plan best suited to your deployment.


Configuring the hybrid solution is a two-step process. The first step is to register with a service
provider. The second step is to configure the FortiDDoS to communicate with the service provider.

First, in Global Settings > Settings > Settings, in the Deployment tab, you must ensure the
Signalling Mode is set to Customer Premises. This is the default setting for this option, but you
should always verify it, especially when configuring a device that is already in service.

Next, in Global Settings > Settings > Signalling, add a new configuration. Configure the following
settings:
• Name – Unique identifier for administrator reference only
• Enable – Select to enable feature
• SP Device Type – Identifies the type of device providing the service as FDD (FortiDDoS) or
ThirdParty. Select ThirdParty.
• Shared Secret – Passphrase shared between FortiDDoS and the ThirdParty device, similar to
a RADIUS shared secret
• Account ID – Third-party account information that identifies you
• SP URL – The URL of the service provider.

You will also need to ensure that your SPP switching policy is configured correctly, as you learned
earlier.


FortiDDoS appliances can be deployed as standalone devices or as members of a high availability
(HA) pair.

FortiDDoS supports active-passive cluster pairs. In an HA pair, one node is the active node, and the
other is the passive node.

The two devices in an HA cluster pair must be identical. They must have the same hardware model
and same firmware version.


By default, the MGMT2 port is used to connect the HA devices directly or through a Layer 2 switch. The
HA port can be changed, but be aware of the settings on the System > Network > Interface page
before changing from the default settings. Heartbeat and synchronization traffic between cluster nodes
occurs over the physical network ports that you specify. If switches are used to connect heartbeat
interfaces between nodes, the heartbeat interfaces must be reachable by Layer 2 multicast. HA traffic
uses multicast UDP on port numbers 6065 (heartbeat) and 6056 (synchronization). The HA multicast
IP address is 239.0.0.1; it is hard coded, and cannot be configured. When using MGMT2 for HA,
ensure it is set to the default mode with 0.0.0.0/0 entered and showing in the GUI. Adding an IP
address to MGMT2 will stop the HA traffic.

The cluster uses the connection of MGMT2 ports for two types of HA communication:
• Heartbeats: A cluster node indicates to other nodes in the cluster that it is up and available. The
absence of heartbeat traffic indicates the node is not up and is unavailable.
• Synchronization: During initialization and periodically thereafter, the active node pushes its
configuration (with noted exceptions) to the secondary nodes.

You can log in to the management interface (MGMT1) of either node, but you actively manage the
configuration of the active node only.

Although one device is deemed active and one passive, the ports are not turned off on the passive
node. It can receive traffic, mitigate attacks, and forward traffic. Since traffic is evenly distributed, the
thresholds learned and implemented in the active node will work equally well in the passive node.
However, each system graphs data, logs, and creates reports independently. These logs can be
aggregated by FortiAnalyzer or FortiSIEM.


It is also possible to enhance the HA capabilities of the FortiDDoS by having each member of the HA
pair connected to an independent service provider. This not only provides redundancy of the
FortiDDoS, but also of the WAN/Internet connection to the outside world.

In the example shown on the slide, the primary FortiDDoS is connected to ISP2. The secondary
FortiDDoS is connected to ISP1. As we saw in the previous slide, even though the FortiDDoS is in
secondary mode, its ports are still active. As a result, the secondary FortiDDoS is still performing attack
mitigation on the secondary ISP connection (ISP1).


Synchronization occurs immediately when a device joins the cluster, and then every 30 seconds thereafter.
In an active-passive cluster, the synchronized settings are read-only on the slave node. All other system
configuration, network and interface configuration, HA configuration, and log and report configuration
are not synchronized.

You should not perform the following actions on the active node. You need to switch to standalone
mode to modify these settings:
• Time zone change
• Configuration restore
• TAP mode change

The HA passive node does not synchronize the time and date from the HA active node. Settings that
are not synchronized should be configured before the HA active-passive setting is enabled because all
of these settings, except HA settings, become read-only on the passive node when HA is enabled. HA
settings are read-write on all nodes in all modes so that you can switch from HA to standalone mode,
as needed. Collected data is also not synchronized. The following data is not synchronized:
• Session data
• Estimated thresholds
• Log messages
• Generated reports

When the active node goes down, the passive node becomes the active node. When the active node
comes back online, the system selects the active node based on the following criteria:
• Lowest device priority number (1 has greater priority than 2)
• Highest up-time value (If you disable the HA Override setting, then up-time will have precedence
over device priority.)

Configuring both devices before physically connecting them is suggested, as it avoids some reboots. If
the slave sees major changes on the master, it will reboot to download the entire configuration instead of
incremental updates. Generally, configure both devices in standalone mode, connect them, and then set
the master to Master mode and the slave to Slave mode.

Note: Before beginning any configuration, be sure to review the Online Help for FortiDDoS regularly as
this resource is frequently updated with new or revised information.

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson.

 Service Protection Profiles
In this lesson, you will learn more about service protection profiles.

In this lesson, you will explore the topics shown on this slide.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in configuring SYN flood mitigation, you will be able to configure your
FortiDDoS to take effective action during periods of SYN floods, whether those floods are merely high
traffic, or an actual attack.

A SYN flood attack on a server exploits how the server maintains the TCP connection state for the
three-way handshake in the TCB table. In a spoofed attack, the attacker sends a large number of SYN
packets from spoofed IP addresses to the server; or in a zombie attack, the attacker uses a virus to
gain control of unwitting clients and sends a large number of SYN packets from legitimate IP addresses
to the server.

Each SYN packet that arrives creates an entry in the table. The spoofed addresses make it impossible
to resolve the three-way handshake, and the TCP connection state in the TCB table remains half-open
instead of completing the cycle. It never transitions to established and, ultimately, to closed. As a result,
TCB table entries are not cleaned up by the expected life cycle, resources can be exhausted, and there
can be system failure and outages.

The best known example of this type of attack, using a zombie attack, was the October 2016 Dyn
attack, in which Dyn was subjected to a DDoS attack originating from more than 100,000 IoT devices.

When FortiDDoS detects a SYN flood attack, it enters SYN flood mitigation mode. In this mode, the
system acts as a proxy for TCP connection requests and uses the legitimate IP (LIP) table to validate
new connections. New SYN packets coming from addresses in the LIP table are presumed legitimate
and are allowed, while the FortiDDoS takes a guarded approach to other SYN packets. Those packets
are processed according to the configured mitigation mode.

SYN flood mitigation has three operating modes:
• ACK cookie
• SYN cookie
• SYN retransmission

The SYN flood mitigation mode behavior applies only when FortiDDoS has detected a SYN flood with
either of the following thresholds:
• syn: When total SYNs to the subnet exceeds the threshold, the SYN flood mitigation mode tests are
applied to all new connection requests.
• syn-per-dst: When the per-destination limits are exceeded for a particular destination, the SYN
flood mitigation mode tests are applied to all new connection requests to that particular destination.

Traffic to other destinations is not subject to the tests.

To prepare for SYN flood attacks, FortiDDoS maintains a table of IP addresses that have completed a
three-way handshake. This is called the legitimate IP address (LIP) table. Entries in the LIP table
expire after one minute.

This slide illustrates the SYN cookie mitigation mode option. FortiDDoS sends a SYN/ACK with a
cookie value in the TCP sequence field. If it receives an ACK back with the right cookie, a RST/ACK
packet is sent and the IP address is added to the LIP table. If the client then retries, it succeeds in
making a TCP connection.

Fortinet recommends this option if you cannot use ACK cookie mode and you anticipate high-volume
attacks.
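The SYN cookie exchange described above, together with the one-minute LIP table from the previous slide, as an added model in Python. This is example code written for this guide, not FortiDDoS code: the HMAC cookie construction, the 32-second validity slot, the secret, and all addresses are assumptions constructed for the demo.

```python
import hashlib
import hmac

LIP_TTL_SECONDS = 60.0  # LIP entries expire after one minute (from the guide)
# Assumption: a per-device secret keys the cookie; this value is constructed for the demo.
COOKIE_SECRET = b"constructed-demo-secret"
COOKIE_SLOT_SECONDS = 32  # assumption: a cookie stays valid across the current and previous slot


def syn_cookie(src_ip, src_port, dst_ip, dst_port, slot):
    """Stateless 32-bit cookie for the SYN/ACK sequence field, bound to the 4-tuple and a time slot."""
    msg = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}|{slot}".encode()
    return int.from_bytes(hmac.new(COOKIE_SECRET, msg, hashlib.sha256).digest()[:4], "big")


class SynCookieProxy:
    """Minimal model of SYN cookie mitigation mode plus the legitimate IP (LIP) table."""

    def __init__(self, clock):
        self.clock = clock      # callable returning seconds; injected so runs are deterministic
        self.lip = {}           # src_ip -> expiry time
        self.forwarded = []     # SYNs allowed through to the protected server

    def _slot(self):
        return int(self.clock()) // COOKIE_SLOT_SECONDS

    def in_lip(self, src_ip):
        expiry = self.lip.get(src_ip)
        if expiry is None:
            return False
        if expiry <= self.clock():
            del self.lip[src_ip]  # stale entry: the source must pass the challenge again
            return False
        return True

    def on_syn(self, src_ip, src_port, dst_ip, dst_port):
        """Sources already in the LIP table are forwarded; others get a SYN/ACK carrying a cookie."""
        if self.in_lip(src_ip):
            self.forwarded.append((src_ip, src_port, dst_ip, dst_port))
            return "FORWARD", None
        return "SYN/ACK", syn_cookie(src_ip, src_port, dst_ip, dst_port, self._slot())

    def on_ack(self, src_ip, src_port, dst_ip, dst_port, ack_num):
        """A correct ACK (cookie + 1) proves the source is reachable: reply RST/ACK, add to LIP."""
        slot = self._slot()
        for s in (slot, slot - 1):
            expected = (syn_cookie(src_ip, src_port, dst_ip, dst_port, s) + 1) & 0xFFFFFFFF
            if ack_num == expected:
                self.lip[src_ip] = self.clock() + LIP_TTL_SECONDS
                return "RST/ACK"
        return "DROP"  # wrong or stale cookie: no state is created for this source


class FakeClock:
    """Controllable clock so the LIP expiry can be exercised without sleeping."""

    def __init__(self, now=1000.0):
        self.now = now

    def __call__(self):
        return self.now


def simulate():
    """Walk through the slide's exchange for a real client and a spoofed source (constructed addresses)."""
    clock = FakeClock()
    proxy = SynCookieProxy(clock)
    server = ("198.51.100.10", 80)

    # Legitimate client: SYN -> SYN/ACK with cookie, ACK(cookie+1) -> RST/ACK, retried SYN -> forwarded
    kind, cookie = proxy.on_syn("203.0.113.5", 40000, *server)
    ack_result = proxy.on_ack("203.0.113.5", 40000, *server, (cookie + 1) & 0xFFFFFFFF)
    retry, _ = proxy.on_syn("203.0.113.5", 40001, *server)

    # Spoofed source: the SYN/ACK goes to an address that never answers, so nothing reaches the server
    spoofed, _ = proxy.on_syn("192.0.2.77", 5555, *server)

    # After the one-minute LIP TTL the legitimate client is challenged again
    clock.now += LIP_TTL_SECONDS + 1
    after_expiry, _ = proxy.on_syn("203.0.113.5", 40002, *server)

    return {"challenge": kind, "ack_result": ack_result, "retry": retry,
            "spoofed": spoofed, "after_expiry": after_expiry,
            "forwarded": len(proxy.forwarded)}
```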

In ACK cookie mitigation mode, FortiDDoS sends the client two ACK packets: one with a correct ACK
number and another with a wrong number.

A RST in response to the bad ACK only indicates a good source, and FortiDDoS adds the IP to the
legitimate IP (LIP) table. The automatic retransmission of the original SYN by that same source IP is
allowed to pass to the server and create a connection.

Fortinet no longer recommends this option, as some client firewalls and DDoS devices will block the
foreign ACKs resulting in no response to either ACK. As a result, the source IP is never added to the
LIP table. Also, this method generates two responses for every SYN, and therefore, a 1 Gbps SYN
flood will generate 2 Gbps reverse traffic.

The example on this slide shows the SYN Retransmission mitigation mode option. FortiDDoS drops
the initial SYNs to force the client to send a SYN again. If a pre-configured number of retransmitted
SYNs arrive within a predefined time period, as detailed in the RFCs, the FortiDDoS considers the
source to be legitimate. FortiDDoS adds the source IP to the legitimate IP address table and allows the
SYN through to the server to start the session. Fortinet only recommends this option if you cannot use
SYN cookie or ACK cookie mode and you anticipate primarily low-volume attacks.

You can enable or disable the features shown on this slide in one or both traffic directions.

A SYN packet with payload is an anomaly that indicates an attack known as a tsunami SYN flood. We
recommend you enable this feature for inbound traffic. The only reason to disable this is if you are
running tests with tools that generate SYN packets with payload. Drops caused by this anomaly are
logged as L4 anomaly events and included in the Layer 4 anomaly graphs.

Select one or more of the following options to detect TCP state anomalies:
• Sequence Validation: The FortiDDoS TCP state machine ensures that TCP sequence numbers for
the packets within a session are valid. Note that some third party devices have been known to
cause false positives when this option is used.
• SYN Validation: Required to support SYN flood mitigation. If SYN Validation is not enabled,
packets are not dropped during a SYN flood. If SYN Validation is enabled, during a SYN flood, the
TCP state machine allows only TCP SYNs from IP addresses in the legitimate IP address (LIP)
table (sources that have done a three-way handshake in the recent past). SYNs from source IP
addresses that do not have an entry in the LIP table must pass a SYN flood mitigation challenge to
be added to the LIP table.
• State Transition Anomalies Validation: The TCP state machine ensures that TCP state
transitions follow the rules. For example, if an ACK packet is received when FortiDDoS has not
observed a SYN/ACK packet, it is a state transition anomaly.
• Foreign Packet Validation: The TCP state machine drops TCP packets without an existing TCP
connection and reports them as a foreign packet. In most cases, the foreign packet validation is
useful for filtering out junk, but enabling it is not important. The number of foreign packets can be
high, so the system does not store the source and destination of each packet. Therefore, you might
not be able to determine the origin of a foreign packet. Foreign packet drops are logged in the
DDoS Attack Log (state anomalies event).

A SYN flood attack is still a common type of DDoS attack. Therefore, you should enable mitigation in
the inbound direction. If you have enough bandwidth in the reverse direction of the attack, you should
enable ACK cookie mode. Otherwise, for protection against low-volume DDoS attacks, use SYN
retransmission mode, and for protection against high-volume DDoS attacks, use SYN cookie mode.

FortiDDoS has the following protection modules for DNS (transport over TCP or UDP):
• ACL rules: You can use the do not track and global ACL allow policies to whitelist trusted
IP addresses. For example, to permit DNS query type ALL or Zone Transfer from specified
hosts, you can whitelist them and then create rules that deny those types of queries from
all other sources.
• Protocol anomaly rules: Built-in and user-enabled rules filter malformed traffic and known
protocol exploits. There is a special set of anomalies that can be detected in DNS traffic.
• Rate meters and flood mitigation mechanisms: For TCP, the DNS rate meters enforce rate
limits (drops). For UDP, the DNS rate meters trigger flood mitigation responses that drop
illegitimate queries but continue DNS services for legitimate user queries.
• DNS query response matching (DQRM): Blocks unsolicited responses and throttles
duplicate queries (regardless of flood state).

FortiDDoS mitigates DNS threats by applying tests to determine whether queries and responses are
legitimate. These methods minimize illegitimate traffic from reaching protected DNS servers and
maximize the availability of DNS services for legitimate queries during a flood. Under normal
conditions, FortiDDoS builds a baseline of DNS traffic statistics and stores DNS query and response
data in tables. At all times, the tables are used to validate response traffic. During UDP floods, the
tables are used to test queries and responses.

You can enable a variety of specific feature controls for an SPP. You should create an SPP
configuration exclusively for DNS traffic.

On the DNS Anomaly Feature Controls tab, you should enable detection for all anomalies and only
disable those that generate false positive results, which are highly unlikely.

On the DNS Feature Controls tab, you should enable all features initially, and gradually disable only
those features that are not suitable for your network environment.

For asymmetric DNS environments, you can configure multiple combinations of settings for the
following controls:
• Force TCP Or Forward To Server When No Cache Response Available
• DNS Mitigation Mode Inbound
• DNS Mitigation Mode Outbound
• DNS UDP Anti-spoofing Method

This slide shows settings you should configure on the DNS Feature Control tab in an asymmetric
DNS configuration.

Notice that all features are disabled. In the example shown on this slide, the four required controls are
set as follows:
• Force TCP Or Forward To Server When No Cache Response Available: Forward to Server
• DNS Mitigation Mode Inbound: TC Equal One
• DNS Mitigation Mode Outbound: TC Equal One
• DNS UDP Anti-spoofing Method: Inbound Outbound

As with all other traffic, after the DNS settings are configured, you should spend at least one week
gathering data to build a baseline. During that week, use the graphs and log data on the Monitor
menus to help you set the appropriate thresholds for your environment.

Good job! You now understand mitigation options.

Now, you will examine thresholds.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in defining thresholds, you will be able to define the actions FortiDDoS
will take and when, during a SYN Flood attack.

Adaptive mode:
• Fixed: Does not use the adaptive limit. The configured minimum thresholds are the maximum limits.
• Adaptive: Uses the adaptive limit. The configured minimum thresholds multiplied by the adaptive
limit are the maximum limits.

Adaptive limit:
A percentage of the configured minimum threshold that establishes the upper limit of the estimated
threshold. The adaptive limit is an upper rate-limit beyond which the system blocks all traffic. The valid
range is 100% to 300%.

For example, the default limit is 150%. The system uses the dynamic threshold estimation algorithm to
raise the calculated threshold up to 150% of the value of the configured minimum threshold. Thus, if
the inbound threshold for Protocol 17 (UDP) is 10,000, the threshold never falls below 10,000 and
never exceeds 15,000. When the adaptive limit is 100, the system does not use dynamic threshold
estimation to adjust thresholds.

Use the Source Tracking tab to configure packet count multipliers for identified source attackers and
Layer 7 HTTP and DNS attacks.

Source Multiplier Inbound and Source Multiplier Outbound apply the specified multiplier to the packet
count for traffic with a source IP address that the system has identified as the source of a flood. In
effect, the multiplier makes traffic from the source violate thresholds sooner. The default multiplier is 2.

Layer 7 Multiplier Inbound and Layer 7 Multiplier Outbound apply the specified multiplier to the packet
count for traffic that the system has detected is related to a Layer 7 HTTP flood. The system tracks
HTTP headers (URL or Host, Referrer, Cookie or User-Agent header) and associates traffic with
matching headers with the attack. The default multiplier is 2.
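The adaptive-limit clamp from the previous slide and the source multiplier from this one, worked through in an added Python model written for this guide (not FortiDDoS code). The per-interval meter, the rule that the heaviest contributor is the source that gets identified, and the addresses are simplifying assumptions; the numbers (minimum 10,000, limit 150%, multiplier 2) are the guide's own.

```python
from collections import Counter


def effective_threshold(min_threshold, adaptive_limit_pct, estimated_threshold):
    """Clamp the dynamically estimated threshold to [min, min * adaptive limit]; 100% disables estimation."""
    if not 100 <= adaptive_limit_pct <= 300:
        raise ValueError("adaptive limit must be between 100% and 300%")
    upper = min_threshold * adaptive_limit_pct // 100
    return max(min_threshold, min(estimated_threshold, upper))


class ProtocolRateMeter:
    """Simplified per-interval packet meter for one protocol and direction (a model, not FortiDDoS internals)."""

    def __init__(self, min_threshold, adaptive_limit_pct=150, estimated_threshold=None,
                 source_multiplier=2):
        est = min_threshold if estimated_threshold is None else estimated_threshold
        self.threshold = effective_threshold(min_threshold, adaptive_limit_pct, est)
        self.source_multiplier = source_multiplier
        self.identified_sources = set()  # sources already identified as flood sources
        self.weighted = Counter()        # per-source weighted packet count in this interval
        self.dropped = Counter()         # packets dropped per source

    def observe(self, src_ip, packets):
        """Count packets (multiplied for identified sources) and drop once the meter exceeds the threshold."""
        weight = self.source_multiplier if src_ip in self.identified_sources else 1
        self.weighted[src_ip] += packets * weight
        if sum(self.weighted.values()) <= self.threshold:
            return "PASS"
        # Over threshold: drop, and identify the heaviest contributor so its later traffic counts
        # at the multiplier and violates the threshold sooner (assumed identification rule)
        self.dropped[src_ip] += packets
        top_src, _ = self.weighted.most_common(1)[0]
        self.identified_sources.add(top_src)
        return "DROP"

    def new_interval(self):
        """Start a new measurement interval; identified sources keep their multiplier."""
        self.weighted.clear()
```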

The TCP tab allows administrators to define which TCP state anomalies will be used to detect attacks.

These anomalies include:
• Incorrect sequence order
• Incorrect TCP state transition
• Foreign packets
• Tuple reuse
• Duplicated SYN packets
• SYN, SYN/ACK, ACK, RST, and FIN anomalies
• Aggressive aging
• TCP session timeouts

When configuring minimum thresholds, you can adjust them using five different methods.

You can adjust the thresholds manually using the Thresholds tool.

You can adjust the thresholds on the Factory Defaults menu, which provides high threshold values.
You should adjust these threshold values before starting the learning period.

The third option is to set the thresholds using the Percent Adjust option. You should use this option
when a drastic traffic increase is expected in an SPP.

You should use the Emergency Setup option when the unit must be deployed during an attack and a
learning period is not possible. This option allows you to define thresholds quickly based on empirical
knowledge (personal experience).

The last, and most accurate option, is the System Recommendation. This method is based on a
traffic statistics report and is recommended when a learning period is possible.

Good job! You can now define DDoS and DDoS attacks.

Now, you will examine how to identify and prevent DDoS Attacks.

After completing this section, you should be able to achieve the objectives shown on this slide.

By demonstrating competence in advanced control options, you will be able to implement additional
advanced features of FortiDDoS, such as aggressive aging, SPP-specific access control lists, and
service provider signalling.

Slow connection attacks are Layer 7 attacks that aim to make a service unavailable or increase latency
to a service. These attacks are not detected by Layer 4 detection methods because they create
legitimate TCP connections. It is difficult to distinguish between the attacker and legitimate users during
slow connection attacks.

A variation of the Slowloris attacks involves opening a legitimate TCP connection and not doing
anything at all. Such idle connections fill up the connection tables on the firewall and servers.
FortiDDoS can detect slow connection attacks and combat them by aggressively aging idle
connections.

When you enable slow connection detection, the system monitors TCP ports 21, 22, 23, 25, 80, and
443, as well as user-configured HTTP service ports, for slow connection anomalies. If the traffic
volume for a connection is below a specified byte threshold during an observation period, the
connection is deemed a slow connection attack and FortiDDoS can take the following actions:
• The session entry in the FortiDDoS TCP state table is timed out.
• If you enable the SPP aggressive aging track-slow-tcp-connections option, FortiDDoS
sends a RST packet to the server so that the server can remove the connection from its connection
table.
• If you enable the SPP TCP state anomaly detection foreign-packet-validation option,
subsequent packets for the connection are treated as foreign packets and dropped. The event is
logged as a “State Anomalies: Foreign packet” event and drops are reported on the Monitor >
Anomaly Drops > TCP State Anomalies page.
• If you enable the SPP source blocking option, FortiDDoS applies the “Blocking Period for Identified
Sources” configured on the Global Settings > Settings page. Drops based on this blocking period
action are also logged as "Slow Connection: Source flood" events and reported on the Monitor >
Flood Drops > Layer 4 page.

FortiDDoS maintains its own massive TCP connection table. To reserve space in this table for active
traffic, FortiDDoS periodically uses aggressive aging to reset inactive connections. You cannot
configure this behavior, and it generates no logs.

In addition to the slow connection detection, you can use the SPP aggressive aging TCP connection
feature control options to reset the connection (instead of just dropping the packets) when the following
rate anomalies are detected:
• high-concurrent-connection-per-source
• layer7-flood

In most use cases, you should enable both the Track Slow TCP Connections and High Concurrent
Connections per Source aggressive aging modes. Additional modes can be enabled if required.

If your network has FTP or SSL-VPN services, then you should not enable the Source Blocking For
Slow Connections option because this can cause problems for those types of connections.

Any IP assigned an extended timeout policy will override both slow connections settings and TCP idle
timeouts when connected to servers in the SPP.

You should not apply an extended timeout policy to outside subnets or protected subnets. Use it only
for specific outside source IPs.

The extended timeout feature allows a specific user to remain connected to a server even if that SPP
had slow connections and idle timeout set.
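The slow connection detection logic described a few slides back (byte threshold over an observation period on the monitored ports, and the actions each aggressive aging option adds), with the extended timeout exemption from this slide, as an added Python model written for this guide rather than FortiDDoS code. The dictionary record format, the action names and the sample connections are constructed for the demo.

```python
MONITORED_PORTS = {21, 22, 23, 25, 80, 443}  # ports the guide lists for slow connection monitoring


def detect_slow_connections(connections, now, byte_threshold, observation_period,
                            http_service_ports=(), extended_timeout_ips=(),
                            track_slow_tcp_connections=True,
                            foreign_packet_validation=True,
                            source_blocking_for_slow_connections=False):
    """Flag connections whose byte volume inside the observation window is below the threshold.

    connections: list of dicts {"src_ip", "dst_port", "samples": [(timestamp, bytes), ...]}.
    Returns one dict per flagged connection listing the actions the enabled options would take.
    """
    ports = MONITORED_PORTS | set(http_service_ports)
    exempt = set(extended_timeout_ips)
    window_start = now - observation_period
    flagged = []
    for conn in connections:
        if conn["dst_port"] not in ports:
            continue  # not a monitored service port
        if conn["src_ip"] in exempt:
            continue  # an extended timeout policy overrides the slow connection settings
        volume = sum(b for t, b in conn["samples"] if window_start <= t <= now)
        if volume >= byte_threshold:
            continue  # enough traffic in the window: a healthy connection
        actions = ["timeout_tcp_state_entry"]  # always: the session entry is timed out
        if track_slow_tcp_connections:
            actions.append("rst_to_server")  # let the server free its connection table entry
        if foreign_packet_validation:
            actions.append("drop_later_packets_as_foreign")
        if source_blocking_for_slow_connections:
            actions.append("block_source_for_blocking_period")
        flagged.append({"src_ip": conn["src_ip"], "dst_port": conn["dst_port"],
                        "bytes_in_window": volume, "actions": actions})
    return flagged


# Constructed sample: observation period of 60 s ending at t=600, threshold 1000 bytes
SAMPLE_CONNECTIONS = [
    {"src_ip": "203.0.113.5", "dst_port": 443, "samples": [(550, 3000), (590, 2500)]},  # healthy
    {"src_ip": "192.0.2.77", "dst_port": 80, "samples": [(400, 9000), (570, 40)]},       # went quiet
    {"src_ip": "192.0.2.78", "dst_port": 80, "samples": []},                             # opened, silent
    {"src_ip": "198.51.100.9", "dst_port": 8080, "samples": [(580, 10)]},               # custom HTTP port
    {"src_ip": "198.51.100.200", "dst_port": 22, "samples": [(560, 5)]},                # exempt source
    {"src_ip": "198.51.100.50", "dst_port": 3306, "samples": [(590, 0)]},               # not monitored
]


def run_sample():
    """Apply the detector to the constructed sample with port 8080 added and one exempt source."""
    return detect_slow_connections(SAMPLE_CONNECTIONS, now=600, byte_threshold=1000,
                                   observation_period=60, http_service_ports=[8080],
                                   extended_timeout_ips=["198.51.100.200"])
```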

The Slow Connection tab allows you to specify slow connection detection settings (threshold and
observation period). Options for the Slow Connection Type field include:
• None: Do not monitor for slow connection attacks.
• Moderate: Uses predefined thresholds to detect slow connection attacks.
• Aggressive: Uses more aggressive (lower) thresholds to detect slow connection attacks.
• User-Defined: Enables advanced users to specify custom thresholds to detect slow connection
attacks.

An SPP access control list policy establishes allow and deny rules for traffic that matches data types.
SPP ACLs provide more flexibility and greater granularity than global ACLs. The data types that can be
used to configure the SPP ACL are:
• Source IP address
• Fragmentation
• IP protocol
• TCP port
• UDP port
• ICMP type/code
• URL
• Specific HTTP header fields (Host, Referrer, Cookie, User-Agent)
• DNS (All, Fragment, MX, Zone-Transfer)

When you apply the SPP access control list to source IP addresses, there are three actions that can
be taken.

The first action is to deny the traffic, in which case you drop the packet (blacklist). The second option is
to track and allow, in which case you allow the packet to exceed the thresholds (whitelist). The third
action is to restrict DNS queries to specific subnets, which restricts DNS queries from unwanted
sources from the Internet. By restricting the DNS queries to specific subnets, the ISP can avoid
responding to unwanted queries, thereby protecting its DNS infrastructure from getting overloaded.

When you apply the SPP access control list to a service, there are only two simple deny or accept
actions. If the action is to deny, then the SPP will drop the packet (blacklist). If the action is to accept,
then the packet is allowed to exceed the thresholds (whitelist).

In the Address Config section you define the list of IPs, subnets and geo-location addresses that will
be used in your SPP access control lists.

On the Service Configuration tab you can define the list of IP protocols, TCP/UDP ports, ICMP type
codes, URLs and HTTP field values that you want to use in your SPP access control lists.

To create an SPP ACL, first give the ACL a configuration name. The name cannot contain spaces.

The next step is to select one of three ACL Types. The options are IPv4 Address, Service, or IPv6
Address. If you select either IPv4 or IPv6 Address, the next step is to select an Address Object from
the drop-down list, and one of the following address actions:

• Track and Allow: Allows traffic into the network, but tracks it.
• Deny: Drop traffic that matches the address object.
• Restrict DNS Queries to Specific Subnets: Restrict DNS queries from unwanted sources from the
Internet.

If you use a service-based ACL, then you can select a deny action. However, using a service-based
ACL offers you the option to enable detection in the Inbound, Outbound, or both, directions.

An SPP switching policy allows you to automatically switch from a profile that is designed to handle low
levels of traffic to another, more stringent profile when traffic exceeds a specified threshold.
Alternatively, you can switch from an SPP running in detection mode to one that uses prevention mode
when traffic crosses a threshold.

You can use the SPP switching policy option to enable the FortiDDoS system to switch to the alternate
profile when the traffic rate exceeds a packet-per-second threshold that you specify in the SPP policy
configuration. For example, you can:
• Use the SPP switching policy to toggle automatically between a primary profile that handles low
levels of traffic and a secondary profile that enforces stringent thresholds.
• Pair a primary profile that is deployed in detection mode with a secondary profile that is deployed in
prevention mode.
• Pair an SPP to itself, if the only goal is to have an alarm or other signaling action as a result of the
threshold breach.

When the system switches to the secondary profile, it monitors and regulates traffic for the subnet
using the secondary profile as long as the packet-per-second rate remains above the switching policy
threshold. After traffic has remained steadily below the threshold for a timeout period that you specify,
the system switches back to the primary profile.

Note that the switching policy is also used for the on-premises and cloud hybrid solutions that were
discussed previously.
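The switch-over and switch-back behaviour described above (secondary profile while the packet rate is above the threshold, primary again only after the rate has stayed below it for the timeout, and the "pair an SPP to itself" signalling case), as an added Python model written for this guide and not FortiDDoS code. Profile names, the threshold, the timeout and the sample rates are constructed.

```python
class SppSwitchingPolicy:
    """Hysteresis model of an SPP switching policy driven by packet-per-second samples."""

    def __init__(self, primary, secondary, pps_threshold, timeout_seconds):
        self.primary = primary
        self.secondary = secondary
        self.pps_threshold = pps_threshold
        self.timeout = timeout_seconds
        self.switched = False     # True while the secondary profile is in force
        self.below_since = None   # time the rate first fell below the threshold while switched
        self.events = []          # (time, event) log; the only output when an SPP is paired to itself

    def current(self):
        return self.secondary if self.switched else self.primary

    def update(self, t, pps):
        """Feed one pps sample taken at time t and return the profile now regulating the subnet."""
        if pps > self.pps_threshold:
            self.below_since = None  # any breach restarts the quiet-period timer
            if not self.switched:
                self.switched = True
                self.events.append((t, "threshold_breached"))
            return self.current()
        if self.switched:
            if self.below_since is None:
                self.below_since = t
            elif t - self.below_since >= self.timeout:
                # traffic has stayed steadily below the threshold for the timeout: revert
                self.switched = False
                self.below_since = None
                self.events.append((t, "reverted_to_primary"))
        return self.current()


def run_trace(policy, samples):
    """Apply a list of (time, pps) samples and return the profile in force after each one."""
    return [policy.update(t, pps) for t, pps in samples]


# Constructed trace: detection-mode primary, prevention-mode secondary, 50,000 pps, 120 s timeout
SAMPLE_TRACE = [(0, 10000), (10, 80000), (20, 30000), (100, 30000),
                (130, 70000), (140, 20000), (200, 20000), (270, 20000)]


def run_sample():
    policy = SppSwitchingPolicy("SPP-detect", "SPP-prevent", pps_threshold=50000, timeout_seconds=120)
    return run_trace(policy, SAMPLE_TRACE), policy.events
```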

Congratulations! You have completed this lesson.

Now, you will review the objectives that you covered in this lesson.

This slide shows the objectives that you covered in this lesson.

Note: Leave this diagram up for students to reference during the lab.

No part of this publication may be reproduced in any form or by any means or used to make any
derivative such as translation, transformation, or adaptation without permission from Fortinet Inc.,
as stipulated by the United States Copyright Act of 1976.
Copyright© 2018 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.