FortiDDoS
FortiDDoS protects from both known and zero day attacks with very low latency. It’s easy to deploy and manage, and includes comprehensive reporting and analysis tools.
arleniscg
Staff
Article Id 344378
Description: This article describes what to consider when deploying a FortiDDoS for the first time.
Scope: FortiDDoS-F.
Solution

Step 1: Select a FortiDDoS model whose interfaces (config Interface) can match the following:

  • The bandwidth the ISP provides: ISP BW = Portx BW.
  • The native link rate. For example, an ISP may provide a capped 5Gbps rate on a 10GE link. In that case a 10GE FortiDDoS must be selected (size the FortiDDoS to the 'native' link speed from the ISP, since FDD must operate at the native rate).
  • The fiber type. At 10GE, the ISP may hand off multi-mode fiber (MM, FortiDDoS 1500F) or single-mode fiber (SM, FortiDDoS 1500F-LR).


Validate against the datasheets:
F-Series: pp. 9 and 11 of the FortiDDoS datasheet.
B-Series: p. 5 of the FortiDDoS-Series datasheet.

More information link: Deployment topology.


Step 2: Create Service Protection Policies (SPPs) to protect the services provided. Example:

  1. SPP-default: monitors and regulates the packets that do not match any policy rule of a specific custom SPP.

  2. Custom SPPs (Config SPP): associate the protected subnets with each SPP (all known traffic must be covered by non-default SPPs). For example:
  • SPP-FWs: for the subnets behind the Firewall.
  • SPP-WEB Servers: for the subnets hosting the web servers or the DMZ zone.
  • SPP-SMTP: for an internal email server, if one is hosted.
  • SPP-DNS: for Internet-accessible local Authoritative DNS Servers, if present.
  • SPP-FTP: for FTP servers.
  • SPP-NTP: for internal NTP servers.
  • SPP-VPN: for VPN servers, if they use a separate IP/subnet from the Firewall.

...
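Before committing the SPP layout, it is worth checking that every prefix the ISP routes to the site is claimed by a custom SPP (otherwise that traffic falls through to SPP-default) and that no two custom SPPs overlap. The following Python script is an added example, not part of this article or of the FortiDDoS product; the SPP names and subnets in it are constructed for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed SPP plan following the Step 2 layout. Names and subnets are
# assumptions for illustration (RFC 5737 documentation space), not values
# from a real deployment; SPP-DNS is deliberately placed inside SPP-SMTP.
SPP_SUBNETS = {
    "SPP-FWs": ["203.0.113.0/28"],
    "SPP-WEB": ["203.0.113.32/27"],
    "SPP-SMTP": ["203.0.113.64/29"],
    "SPP-DNS": ["203.0.113.64/30"],
}
# Constructed list of every prefix the ISP routes to the site.
KNOWN_PREFIXES = ["203.0.113.0/27", "203.0.113.32/27",
                  "203.0.113.64/29", "203.0.113.96/27"]


def _leftover(prefix, spp_nets):
    """Return the parts of `prefix` that no SPP subnet claims."""
    remaining = [prefix]
    for s in spp_nets:
        nxt = []
        for r in remaining:
            if r.version != s.version or not r.overlaps(s):
                nxt.append(r)                     # untouched by this subnet
            elif not r.subnet_of(s):              # s lies strictly inside r
                nxt.extend(r.address_exclude(s))  # keep only the rest of r
            # else: r is fully inside s, so it is covered and dropped
        remaining = nxt
    return remaining


def check_spp_plan(spp_subnets, known_prefixes):
    """Report known address space that would fall through to SPP-default
    ('uncovered') and custom SPP pairs whose subnets intersect ('overlaps')."""
    parsed = {name: [ipaddress.ip_network(n) for n in nets]
              for name, nets in spp_subnets.items()}
    all_nets = [n for nets in parsed.values() for n in nets]
    uncovered = []
    for p in known_prefixes:
        uncovered.extend(_leftover(ipaddress.ip_network(p), all_nets))
    uncovered.sort(key=lambda n: (n.version, n))
    overlaps = [(a, str(sa), b, str(sb))
                for a, b in combinations(sorted(parsed), 2)
                for sa in parsed[a] for sb in parsed[b]
                if sa.version == sb.version and sa.overlaps(sb)]
    return {"uncovered": [str(n) for n in uncovered], "overlaps": overlaps}
```

Run `check_spp_plan(SPP_SUBNETS, KNOWN_PREFIXES)`: with the constructed data it reports 203.0.113.16/28 and 203.0.113.96/27 as falling through to SPP-default, and SPP-DNS overlapping SPP-SMTP.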


Note: To associate the custom security profiles with each custom SPP (**):

Service Protection -> Edit SPP-Name   <-- then add the custom (IP, ICMP, TCP, HTTP, SSL/TLS, NTP, DNS, DTLS) Profiles.


Step 3: In a maintenance window, place the FortiDDoS on the network for the first time so that it learns the traffic, with the SPPs in Detection (learning) mode (the system defaults to Inline).


Step 4: Allow the unit to learn traffic for a period that depends on the topology:
Small networks: a minimum of 5 - 7 days.
Big networks or ISP providers: a minimum of 15 days.


Step 5: Once the learning period has elapsed, make the required adjustments to the FDD (**) and threshold (**) configuration and wait 3 days.


Step 6: After those 3 days, make any pending adjustments and validate the log reports to avoid false positives (**).


Step 7: After a further 3 days, in a maintenance window and having validated that legitimate traffic is not blocked, move the SPPs from Detection to Prevention mode.


Step 8: Monitor the logs and the network services for a few days.


Important Note:

After FDD is in the production environment: if a manual entry is made, set the unit to bypass and then return it to inline mode (there will be about 5 seconds of traffic disruption when changing from bypass to inline; expect roughly 5-6s of traffic outage). When the bypass is removed, the system has no TCP state information, and if the SPPs are in Prevention mode with Foreign Packet Validation enabled (as it should be), all existing TCP connections will be dropped.

* During an FDD reboot there will also be about 5 seconds of traffic disruption.


Related documents:
FortiDDoS
Introduction


(**) If help with the implementation is required, professional services can be consulted.