FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
cgustave
Staff
Staff
Purpose
Presents pre-ips anomaly feature available on NP2 and NP4 accelerators.

NP2 and NP4 are 2 types of network accelerators. They may be either on the FortiGate board or within an interface module.

Example for NP2:

on board: FortiGate310B, FortiGate 620B...
on interface module: ASM-FB4, ADM-FB8

Example for NP4:

on board: FortiGate1240B, FortiGate3140B, FortiGate3950B...
on interface module: ADM-XD4, RTM-XD2, FMC-XD2...

Scope

FortiGate with Network Processor (build-in or with module)


Diagram

cgustave_FD33609_a_fd33609_diagram.jpg


Expectations, Requirements
Benefits

Efficient hardware accelerated protection against the following well known attacks:
  • icmp land (icmpland)
  • ip land (ipland)
  • ip with loose source record route option (iplsrr)
  • ip with record route (iprr)
  • ip with security option (ipsecurity)
  • ip with strict source source record option (ipssrr)
  • ip with stream option (ipstream)
  • ip with timestamp option (iptimestamp)
  • ip with unknown option (ipunknown_option)
  • ip with unknown protocol (ipunknown_prot)
  • tcp land (tcpland)
  • udp land (udplan)
  • tcp WinNuke attack (winnuke)
Expectations

  • fp_anomly are only defined on the physical interface, vlan interfaces all inherit from the physical port ( so protection on vlan sub-interfaces is possible)
  • attack can either be 'blocked and logged' (configuration keyword 'drop_') or justed 'logged' (configuration keyword 'pass_')
Limitations for NP4

  • on 4.3 code release: Available only on ADM-XD4, RTM-XD2 and FortiGate 1240B. Missing on 3950B, 3140B, 3040B, 600C, 1000C, 5001B, FMC-XD2. Bug #169706. Fixed in 5.0 code release
  • if fp_anomaly is configured on one port of an NP4, it would affect all other ports of the same NP4. Bug #171649. Hardware limitation, will not be fixed.

Configuration
fp_anomaly can only be configured through CLI.
config system interface
edit "port5"
set vdom "root"
set ip 10.96.0.191 255.255.252.0
set allowaccess ping https ssh http telnet
set type physical
set fp-anomaly drop_winnuke drop_tcpland drop_udpland drop_icmpland drop_ipland drop_iprr drop_ipssrr drop_iplsrr drop_ipstream drop_ipsecurity drop_iptimestamp drop_ipunknown_option
next

edit "port5_vlan93"
set vdom "root"
set ip 10.93.0.191 255.255.252.0
set allowaccess ping https ssh snmp http telnet
set interface "port5"
set vlanid 93
next
end
Refer also to the FortiGate CLI Guide.

Verification
Example of attack log detected by fp_anomaly:

cgustave_FD33609_a_fd33609.jpg


Raw log output sample:
2012-06-04 16:57:46 log_id=0420018432 type=ips subtype=anomaly pri=alert severity=critical carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="N/A" src=172.31.227.254 dst=172.31.227.254 src_int="N/A" dst_int="N/A" policyid=N/A identidx=N/A serial=0 status=dropped proto=6 service=smtp vd="root" count=303 attack_name=TCP.Land src_port=2832 dst_port=25 attack_id=100663404 sensor="N/A" ref=http://www.fortinet.com/ids/VID100663404 user="N/A" group="N/A" msg="anomaly: TCP.Land, repeats 303 times"

Notes:
  • attack log is triggered when an attack is seen
  • a log update is triggered every 30 seconds if the attacks remains
  • possible to count the packet rate of the attack from the "repeat" field (in this example 303/30 = 10.1 packets/sec)
  • the log does not mention the port where the attack was detected
  • ips sensor show "N/A" because it is not defined in IPS profile

Contributors