FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
Presents pre-ips anomaly feature available on NP2 and NP4 accelerators.

NP2 and NP4 are 2 types of network accelerators. They may be either on the FortiGate board or within an interface module.

Example for NP2:

on board: FortiGate310B, FortiGate 620B...
on interface module: ASM-FB4, ADM-FB8

Example for NP4:

on board: FortiGate1240B, FortiGate3140B, FortiGate3950B...
on interface module: ADM-XD4, RTM-XD2, FMC-XD2...


FortiGate with Network Processor (build-in or with module)



Expectations, Requirements

Efficient hardware accelerated protection against the following well known attacks:
  • icmp land (icmpland)
  • ip land (ipland)
  • ip with loose source record route option (iplsrr)
  • ip with record route (iprr)
  • ip with security option (ipsecurity)
  • ip with strict source source record option (ipssrr)
  • ip with stream option (ipstream)
  • ip with timestamp option (iptimestamp)
  • ip with unknown option (ipunknown_option)
  • ip with unknown protocol (ipunknown_prot)
  • tcp land (tcpland)
  • udp land (udplan)
  • tcp WinNuke attack (winnuke)

  • fp_anomly are only defined on the physical interface, vlan interfaces all inherit from the physical port ( so protection on vlan sub-interfaces is possible)
  • attack can either be 'blocked and logged' (configuration keyword 'drop_') or justed 'logged' (configuration keyword 'pass_')
Limitations for NP4

  • on 4.3 code release: Available only on ADM-XD4, RTM-XD2 and FortiGate 1240B. Missing on 3950B, 3140B, 3040B, 600C, 1000C, 5001B, FMC-XD2. Bug #169706. Fixed in 5.0 code release
  • if fp_anomaly is configured on one port of an NP4, it would affect all other ports of the same NP4. Bug #171649. Hardware limitation, will not be fixed.

fp_anomaly can only be configured through CLI.
config system interface
edit "port5"
set vdom "root"
set ip
set allowaccess ping https ssh http telnet
set type physical
set fp-anomaly drop_winnuke drop_tcpland drop_udpland drop_icmpland drop_ipland drop_iprr drop_ipssrr drop_iplsrr drop_ipstream drop_ipsecurity drop_iptimestamp drop_ipunknown_option

edit "port5_vlan93"
set vdom "root"
set ip
set allowaccess ping https ssh snmp http telnet
set interface "port5"
set vlanid 93
Refer also to the FortiGate CLI Guide.

Example of attack log detected by fp_anomaly:


Raw log output sample:
2012-06-04 16:57:46 log_id=0420018432 type=ips subtype=anomaly pri=alert severity=critical carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="N/A" src= dst= src_int="N/A" dst_int="N/A" policyid=N/A identidx=N/A serial=0 status=dropped proto=6 service=smtp vd="root" count=303 attack_name=TCP.Land src_port=2832 dst_port=25 attack_id=100663404 sensor="N/A" ref= user="N/A" group="N/A" msg="anomaly: TCP.Land, repeats 303 times"

  • attack log is triggered when an attack is seen
  • a log update is triggered every 30 seconds if the attacks remains
  • possible to count the packet rate of the attack from the "repeat" field (in this example 303/30 = 10.1 packets/sec)
  • the log does not mention the port where the attack was detected
  • ips sensor show "N/A" because it is not defined in IPS profile