FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
cgustave
Staff
Purpose
Presents the hardware-accelerated SYN proxy feature available with the SP modules on CE4, XE2 and XG2 cards and on the FortiGate 3140B.
Scope
FortiGate with Service Processor (built-in or on a module)
Modules: ADM-XE2, ASM-CE4, FMC-XG2
FortiGate: FortiGate 3140B (built-in SP)
Diagram

cgustave_33596_a_fd_33596_diagram.jpg


Expectations, Requirements
Requirements:

  • FortiGate with SP modules
  • syn-proxy is applied on the SP-based interface receiving the traffic

Benefits:
  • Better protection against SYN flood attacks compared to DoS action=block
    => legitimate connections keep passing while attack SYNs are dropped.
  • Only the ingress port of the FortiGate must be SP-based (the egress port does not have to be)
  • Also works with VLAN interfaces and spoofed-source attacks
Principle:

FortiGate acts as a proxy for the 3-way handshake (SYN, SYN/ACK, ACK packets)
  • no change in behavior while the configured threshold is not reached.
  • once the SYN threshold is reached:
    • the SYN is transmitted to the server side only when the client has sent the ACK
    • the SYN proxy is performed in SP hardware
=> DoS attacks only send SYNs and never confirm with the SYN/ACK, ACK exchange, so they can be blocked
=> Legitimate connections confirmed by the SYN/ACK, ACK exchange are allowed to go through

cgustave_33596_synproxy2.png


Configuration

config system interface

    edit "port9"
        set vdom "root"
        set ip 172.31.225.38 255.255.252.0
        set allowaccess ping https ssh http telnet fgfm
        set type physical
    next
    edit "port20_vlan150"
        set vdom "root"
        set ip 10.150.1.38 255.255.252.0
        set allowaccess ping https ssh snmp http telnet
        set interface "port20"
        set vlanid 150
    next
end

config ips DoS
    edit "syn_proxy"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action proxy
                set threshold 1
            next
        end
    next
end

config firewall interface-policy
    edit 1
        set interface "port20_vlan150"
        set srcaddr "all"
        set dstaddr "all"
        set service "ANY"
        set ips-DoS-status enable
        set ips-DoS "syn_proxy"
    next
end

config firewall policy
    edit 2
        set srcintf "port20_vlan150"
        set dstintf "any"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set nat enable
    next
end




Snapshots from the GUI:

cgustave_33596_a_fd33596_synproxy3.jpg


cgustave_33596_a_fd33596_synproxy4.jpg



Verification
Example of attack logs detected by syn-proxy:

Attack log during a continuous SYN flood from source 10.150.0.3

2012-05-29 20:59:15 log_id=0420018432 type=ips subtype=anomaly pri=alert severity=info carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="N/A" src=10.150.0.3 dst=172.31.227.254 src_int="N/A" dst_int="N/A" policyid=N/A identidx=N/A serial=0 status=reset proto=6 service=tcp vd="root" count=0 attack_name=tcp_syn_flood src_port=13398 dst_port=0 attack_id=100663396 sensor="syn_proxy" ref="http://www.fortinet.com/ids/VID100663396" user="N/A" group="N/A" msg="anomaly: tcp_syn_flood, NPU 14760 >= threshold 1 SYN PROXY, repeats 889144 times"

2012-05-29 20:58:14 log_id=0420018432 type=ips subtype=anomaly pri=alert severity=info carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="N/A" src=10.150.0.3 dst=172.31.227.254 src_int="N/A" dst_int="N/A" policyid=N/A identidx=N/A serial=0 status=reset proto=6 service=tcp vd="root" count=0 attack_name=tcp_syn_flood src_port=41758 dst_port=0 attack_id=100663396 sensor="syn_proxy" ref="http://www.fortinet.com/ids/VID100663396" user="N/A" group="N/A" msg="anomaly: tcp_syn_flood, NPU 14804 >= threshold 1 SYN PROXY, repeats 890823 times"




Notes:
  • The log is generated immediately when the threshold is reached
  • The log is updated every minute while the attack continues
  • The SYN rate can be derived from "repeats" (in this example: 889144/60 = 14819 SYN/s)
  • Unlike 'block', there is no limit on valid TCP connections (even once the threshold is reached)
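The rate computation in the note above can be automated when the anomaly logs are collected centrally. The following Python script is an added example, not part of the original article: it parses the key=value format of the two attack log lines shown in the Verification section (copied here, trimmed of the "N/A" fields), extracts the NPU-measured rate, the threshold and the "repeats" counter from the msg field, and derives the average SYN rate over the one-minute logging interval. The 60-second interval is the article's own statement; field names come from the log lines themselves.

```python
import re

# Two attack log lines copied from the article's Verification section (trimmed to
# the fields used here; the real lines carry additional "N/A" fields).
SAMPLE_LOGS = [
    '2012-05-29 20:59:15 log_id=0420018432 type=ips subtype=anomaly pri=alert '
    'severity=info src=10.150.0.3 dst=172.31.227.254 status=reset proto=6 '
    'service=tcp vd="root" count=0 attack_name=tcp_syn_flood src_port=13398 '
    'dst_port=0 attack_id=100663396 sensor="syn_proxy" '
    'msg="anomaly: tcp_syn_flood, NPU 14760 >= threshold 1 SYN PROXY, repeats 889144 times"',
    '2012-05-29 20:58:14 log_id=0420018432 type=ips subtype=anomaly pri=alert '
    'severity=info src=10.150.0.3 dst=172.31.227.254 status=reset proto=6 '
    'service=tcp vd="root" count=0 attack_name=tcp_syn_flood src_port=41758 '
    'dst_port=0 attack_id=100663396 sensor="syn_proxy" '
    'msg="anomaly: tcp_syn_flood, NPU 14804 >= threshold 1 SYN PROXY, repeats 890823 times"',
]

# key=value pairs: the value is either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
# The anomaly message carries the NPU-measured rate, the threshold and the repeat count.
MSG_RE = re.compile(r'NPU (\d+) >= threshold (\d+) .*?repeats (\d+) times')

LOG_INTERVAL_S = 60  # the anomaly log line is refreshed once per minute while the attack lasts


def parse_attack_log(line):
    """Return the fields of one FortiGate anomaly log line as a dict."""
    fields = {key: quoted or bare for key, quoted, bare in KV_RE.findall(line)}
    fields["timestamp"] = line[:19]  # "YYYY-MM-DD HH:MM:SS" prefix, no key
    return fields


def syn_rate_from_log(line, interval_s=LOG_INTERVAL_S):
    """Derive the SYN rate seen over the logging interval from the 'repeats' counter.

    Returns None for lines that are not tcp_syn_flood anomaly logs.
    """
    fields = parse_attack_log(line)
    if fields.get("attack_name") != "tcp_syn_flood":
        return None
    m = MSG_RE.search(fields.get("msg", ""))
    if m is None:
        return None
    npu_rate, threshold, repeats = (int(x) for x in m.groups())
    return {
        "timestamp": fields["timestamp"],
        "src": fields["src"],
        "dst": fields["dst"],
        "sensor": fields["sensor"],
        "npu_syn_per_s": npu_rate,            # instantaneous rate measured by the NPU/SP
        "threshold": threshold,
        "repeats": repeats,
        "avg_syn_per_s": repeats // interval_s,  # 889144 // 60 == 14819 for the first line
        "proxy_active": npu_rate >= threshold,
    }


def summarize(lines):
    """Summaries for every SYN-flood anomaly line in a batch of logs."""
    return [r for r in (syn_rate_from_log(line) for line in lines) if r is not None]


if __name__ == "__main__":
    for r in summarize(SAMPLE_LOGS):
        print(f'{r["timestamp"]} {r["src"]} -> {r["dst"]}: ~{r["avg_syn_per_s"]} SYN/s '
              f'(NPU {r["npu_syn_per_s"]}/s, threshold {r["threshold"]}, '
              f'proxy active={r["proxy_active"]})')
```

The average from "repeats" and the instantaneous NPU figure in the same line are close (14819 versus 14760 for the first line), which is a useful sanity check when tuning the threshold: a production threshold should sit well above the normal SYN rate of the protected servers, and the value 1 used in the article's configuration is only suitable for forcing the proxy on in a lab.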

cgustave_33596_synproxy5.png

Example of a firewall session for a SYN-proxied connection (note the "proxy" flag in npu_state on the last line):

session info: proto=6 proto_state=01 duration=195 expire=3415 timeout=3600 flags=00000000 sockflag=00000000 sockport=0 av_idx=0 use=3
origin-shaper=
reply-shaper=
per_ip_shaper=
ha_id=0 hakey=58369
policy_dir=0 tunnel=/
state=may_dirty
statistic(bytes/packets/allow_err): org=4627/48/1 reply=4797/48/1 tuples=2
orgin->sink: org pre->post, reply pre->post dev=24->9/9->24 gwy=172.31.227.254/10.150.0.3
hook=post dir=org act=snat 10.150.0.3:54920->172.31.227.254:22(172.31.225.38:58892)
hook=pre dir=reply act=dnat 172.31.227.254:22->172.31.225.38:58892(10.150.0.3:54920)
pos/(before,after) 0/(0,0), 0/(0,0)
misc=0 policy_id=1 id_policy_id=0 auth_info=0 chk_client_info=0 vd=0
serial=00000382 tos=ff/ff ips_view=0 app_list=0 app=0
dd_type=0 dd_rule_id=0
per_ip_bandwidth meter: addr=10.150.0.3, bps=165
npu_state=0x000002 proxy

Troubleshooting
Diagnose command: diagnose npu spm dos synproxy <sp_id>

FG3K1B-1 # diagnose npu spm dos synproxy 0
Number of proxied TCP connections                 : 9  (1)
Number of working proxied TCP connections         : 1  (2)
Number of retired TCP connections                 : 8  (3)
Number of valid TCP connections                   : 4294967290 (4)
Number of attacks, no ACK from client             : 1  (5)
Number of no SYN-ACK from server                  : 6  (6)
Number of reset by server (service not supportted): 2  (7)
Number of establised session timeout              : 1  (8)
Client timeout setting                            : 3 Seconds
Server timeout setting                            : 3 Seconds

(1): received SYNs
(2): current established TCP connections
(3): removed connections (closed)
(4): available resources
(5): SYN packets detected as attacks: the SYN was received but the handshake was never confirmed (no ACK from the client after the SYN/ACK)
(6): SYN packets forwarded by the SYN proxy to the server, with no response received from the server yet
(7): RST received from the server (e.g. a SYN was transmitted to a TCP port on the server where no daemon is listening)
(8): number of established sessions closed by the session idle timeout
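To tie the Principle section to the counters above, here is an in-memory model of the proxy behaviour. It is an added example written for this article, not Fortinet code, and it does not touch the network: it replays a constructed event trace (a burst of SYNs that are never confirmed, plus one legitimate client that completes the handshake) through a class that behaves as described: below the threshold SYNs pass untouched, once the threshold is reached the proxy answers SYN/ACK itself and only forwards the SYN after the client's ACK, and half-open entries that outlive the client timeout are counted as attacks. The counter names mirror lines (1), (2), (3) and (5) of the diagnose output, but the way they are derived here is an assumption for illustration, not the SP's actual bookkeeping; the 3-second client timeout is the value shown in the diagnose output.

```python
from collections import deque


class SynProxyModel:
    """Simplified model of the SP SYN proxy (illustration only, not Fortinet's implementation).

    Flows are keyed by (client_ip, client_port), so spoofed sources are just
    distinct flows that never send the final ACK.
    """

    def __init__(self, threshold, client_timeout=3.0):
        self.threshold = threshold            # SYN/s that triggers proxying (threshold in config ips DoS)
        self.client_timeout = client_timeout  # "Client timeout setting" in the diagnose output
        self.syn_times = deque()              # SYN arrival times within the last second
        self.pending = {}                     # flow -> time the proxy sent SYN/ACK, awaiting client ACK
        self.working = set()                  # flows whose handshake the proxy completed and forwarded
        self.forwarded = []                   # SYNs actually transmitted to the server, in order
        self.counters = {"proxied": 0, "working": 0, "retired": 0,
                         "attacks_no_ack": 0, "passed_untouched": 0}

    def _syn_rate(self, now):
        """Number of SYNs seen in the sliding one-second window ending at 'now'."""
        while self.syn_times and now - self.syn_times[0] >= 1.0:
            self.syn_times.popleft()
        return len(self.syn_times)

    def on_syn(self, now, flow):
        """A client SYN arrives on the SP-based ingress interface."""
        self.syn_times.append(now)
        if self._syn_rate(now) < self.threshold:
            # threshold not reached: no change in behaviour, the SYN goes straight to the server
            self.forwarded.append(flow)
            self.counters["passed_untouched"] += 1
            return "forward"
        # threshold reached: the SP answers SYN/ACK itself and holds the SYN until the client ACKs
        self.counters["proxied"] += 1                      # diagnose line (1)
        self.pending[flow] = now
        return "syn-ack"

    def on_ack(self, now, flow):
        """The client's final ACK: only now is the SYN transmitted to the server side."""
        if flow not in self.pending:
            return "ignore"
        del self.pending[flow]
        self.working.add(flow)
        self.counters["working"] += 1                      # diagnose line (2)
        self.forwarded.append(flow)
        return "forward"

    def on_close(self, flow):
        """An established proxied connection closes: working -> retired."""
        if flow in self.working:
            self.working.remove(flow)
            self.counters["working"] -= 1
            self.counters["retired"] += 1                  # diagnose line (3)

    def tick(self, now):
        """Expire half-open proxied handshakes the client never confirmed with an ACK."""
        for flow, t in list(self.pending.items()):
            if now - t >= self.client_timeout:
                del self.pending[flow]
                self.counters["attacks_no_ack"] += 1       # diagnose line (5)
        return self.counters["attacks_no_ack"]


def run_scenario(threshold=10, burst_syns=20):
    """Constructed trace: a burst of unconfirmed SYNs plus one legitimate client."""
    proxy = SynProxyModel(threshold)
    # burst of SYNs from distinct sources within 200 ms; none of them ever sends an ACK
    for i in range(burst_syns):
        proxy.on_syn(now=i * 0.01, flow=(f"10.150.0.{100 + i}", 40000 + i))
    # legitimate client (addresses taken from the article's session example) arrives
    # while the burst is ongoing, completes the handshake, then closes the connection
    legit = ("10.150.0.3", 54920)
    first = proxy.on_syn(now=0.5, flow=legit)
    second = proxy.on_ack(now=0.6, flow=legit)
    proxy.on_close(legit)
    # the client timeout elapses: unconfirmed SYNs are counted as attacks and never reach the server
    proxy.tick(now=4.0)
    return {"legit_first": first, "legit_second": second,
            "forwarded": list(proxy.forwarded), "counters": dict(proxy.counters)}


if __name__ == "__main__":
    result = run_scenario()
    print("legitimate client:", result["legit_first"], "then", result["legit_second"])
    print("SYNs transmitted to server:", len(result["forwarded"]))
    print("counters:", result["counters"])
```

With threshold 10, the first nine SYNs of the burst reach the server unchanged (the "no change in behaviour below threshold" rule), the remaining eleven and the legitimate client's SYN are proxied, and after the client timeout only the legitimate SYN has been transmitted to the server. This is the property the article contrasts with action=block: legitimate connections are not capped while the flood is absorbed in the SP.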
