Purpose
Presents the pre-IPS anomaly feature (fp-anomaly) available on NP2 and NP4 network processor accelerators.
NP2 and NP4 are two types of network accelerators. They may be either on the FortiGate board or within an interface module.
Example for NP2:
on board: FortiGate 310B, FortiGate 620B...
on interface module: ASM-FB4, ADM-FB8
Example for NP4:
on board: FortiGate 1240B, FortiGate 3140B, FortiGate 3950B...
on interface module: ADM-XD4, RTM-XD2, FMC-XD2...
Scope
FortiGate with a Network Processor (built-in or on an interface module)
Diagram
Expectations, Requirements
Benefits
Efficient hardware accelerated protection against the following well known attacks (the configuration keyword is given in parentheses):
- icmp land (icmpland)
- ip land (ipland)
- ip with loose source record route option (iplsrr)
- ip with record route option (iprr)
- ip with security option (ipsecurity)
- ip with strict source record route option (ipssrr)
- ip with stream option (ipstream)
- ip with timestamp option (iptimestamp)
- ip with unknown option (ipunknown_option)
- ip with unknown protocol (ipunknown_prot)
- tcp land (tcpland)
- udp land (udpland)
- tcp WinNuke attack (winnuke)
Expectations
fp-anomaly is only defined on the physical interface; VLAN interfaces all inherit from the physical port, so protection on VLAN sub-interfaces is possible. Each attack can either be blocked and logged (configuration keyword prefix 'drop_') or only logged (configuration keyword prefix 'pass_').
Limitations for NP4
- On the 4.3 code release, fp-anomaly is available only on ADM-XD4, RTM-XD2 and FortiGate 1240B. It is missing on 3950B, 3140B, 3040B, 600C, 1000C, 5001B and FMC-XD2 (Bug #169706). Fixed in the 5.0 code release.
- If fp-anomaly is configured on one port of an NP4, it affects all other ports of the same NP4 (Bug #171649). This is a hardware limitation and will not be fixed.
Configuration
fp-anomaly can only be configured through the CLI; it is set per physical interface with the 'set fp-anomaly' command.
Refer also to the FortiGate CLI Guide.
config system interface
edit "port5"
set vdom "root"
set ip 10.96.0.191 255.255.252.0
set allowaccess ping https ssh http telnet
set type physical
set fp-anomaly drop_winnuke drop_tcpland drop_udpland drop_icmpland drop_ipland drop_iprr drop_ipssrr drop_iplsrr drop_ipstream drop_ipsecurity drop_iptimestamp drop_ipunknown_option
next
edit "port5_vlan93"
set vdom "root"
set ip 10.93.0.191 255.255.252.0
set allowaccess ping https ssh snmp http telnet
set interface "port5"
set vlanid 93
next
end
Verification
Example of attack log detected by fp_anomaly:
Raw log output sample:
2012-06-04 16:57:46 log_id=0420018432 type=ips subtype=anomaly pri=alert severity=critical carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="N/A" src=172.31.227.254 dst=172.31.227.254 src_int="N/A" dst_int="N/A" policyid=N/A identidx=N/A serial=0 status=dropped proto=6 service=smtp vd="root" count=303 attack_name=TCP.Land src_port=2832 dst_port=25 attack_id=100663404 sensor="N/A" ref=http://www.fortinet.com/ids/VID100663404 user="N/A" group="N/A" msg="anomaly: TCP.Land, repeats 303 times"
Notes:
- An attack log is generated when an attack is first seen.
- A log update is generated every 30 seconds while the attack continues.
- The packet rate of the attack can be computed from the repeat count (count / "repeats" field): in this example 303 / 30 = 10.1 packets/sec.
- The log does not mention the port where the attack was detected (src_int and dst_int show "N/A").
- The IPS sensor shows "N/A" because the anomaly is not defined in an IPS profile; it comes from the network processor.
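The following parser is an added example for this page (not Fortinet code) that turns the raw fp-anomaly log line shown above into the values a practitioner wants from the Verification step: the attack name, whether the packets were dropped or only logged, the packet rate derived from the count and the 30-second update interval, and a check that the source and destination addresses are identical (the land pattern). The log line embedded below is a constructed copy of the sample above; the helper names and the 30-second constant are this example's own assumptions, not part of the FortiOS log format.

```python
import re

# Constructed sample, copied from the raw log output above (not captured here).
SAMPLE_LOG = (
    '2012-06-04 16:57:46 log_id=0420018432 type=ips subtype=anomaly pri=alert '
    'severity=critical carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" '
    'profile="N/A" src=172.31.227.254 dst=172.31.227.254 src_int="N/A" '
    'dst_int="N/A" policyid=N/A identidx=N/A serial=0 status=dropped proto=6 '
    'service=smtp vd="root" count=303 attack_name=TCP.Land src_port=2832 '
    'dst_port=25 attack_id=100663404 sensor="N/A" '
    'ref=http://www.fortinet.com/ids/VID100663404 user="N/A" group="N/A" '
    'msg="anomaly: TCP.Land, repeats 303 times"'
)

# Update interval stated in the notes above: repeat counts accumulate over 30 s.
LOG_INTERVAL_SECONDS = 30

# key=value pairs; values are either a double-quoted string (may contain spaces)
# or a run of non-space characters (covers IPs, numbers, N/A and the ref URL).
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Split a FortiGate raw log line into a dict of fields.

    The first two tokens are the date and time; the rest is key=value pairs.
    Quotes around quoted values are stripped.
    """
    date, time, rest = line.split(' ', 2)
    fields = {'date': date, 'time': time}
    for key, value in KV_RE.findall(rest):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def anomaly_summary(fields):
    """Derive the operationally useful facts from a parsed anomaly log."""
    if fields.get('type') != 'ips' or fields.get('subtype') != 'anomaly':
        raise ValueError('not an IPS anomaly log')
    count = int(fields['count'])
    return {
        'attack': fields['attack_name'],
        'vdom': fields.get('vd'),
        # status=dropped corresponds to a drop_ keyword; anything else means the
        # packets were only logged (assumption of this example, see lead-in).
        'blocked': fields['status'] == 'dropped',
        'count': count,
        'rate_pps': round(count / LOG_INTERVAL_SECONDS, 1),
        # Land anomalies are identified by src == dst in the log.
        'land_pattern': fields['src'] == fields['dst'],
        # fp-anomaly logs carry no interface, so src_int/dst_int stay "N/A".
        'interface_known': fields.get('src_int', 'N/A') != 'N/A',
        'sensor_known': fields.get('sensor', 'N/A') != 'N/A',
    }


def summarize_lines(lines):
    """Summarize every anomaly log in an iterable of raw log lines."""
    results = []
    for line in lines:
        fields = parse_fortigate_log(line)
        if fields.get('subtype') == 'anomaly':
            results.append(anomaly_summary(fields))
    return results


if __name__ == '__main__':
    for summary in summarize_lines([SAMPLE_LOG]):
        action = 'dropped' if summary['blocked'] else 'logged only'
        print(f"{summary['attack']}: {summary['count']} packets, "
              f"{summary['rate_pps']} pps, {action}, "
              f"land pattern={summary['land_pattern']}")
```

Feed the parser the lines from the raw log export (or a syslog collector) instead of SAMPLE_LOG; because the hardware log omits the interface, correlate with the address in the dst field and the VDOM (vd) to find which fp-anomaly-enabled port the traffic arrived on.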