Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
daniloulbrecht
New Contributor

DoS attack - Unable to access firewall via Console, https and CLI.

Hello everyone. My name is Danilo, and I work as a network analyst for a datacenter provider here in Brazil.

A few days ago we faced a huge problem with a FortiGate 200B: we lost management access (HTTP and CLI).

So I went to the datacenter and connected to the FortiGate with a console cable; anyway, I couldn't run almost anything (the FortiGate was busy and CPU utilization was high). Disconnecting the cables one by one, we found where the attack was coming from, so I put Wireshark on the network and found the source and destination IPs of the attack (it was an internal DoS attack toward the internet). We discovered that the FortiGate was dropping the packets, but the amount of packets was so big that it was consuming CPU.

So, my question is: is there a way to preserve resources (CPU and memory) so that access via SSH, console and HTTP is never lost? I know it is possible to apply traffic shaping, but in my case it doesn't work, because the traffic was not being forwarded, just processed by the CPU and then dropped.

Thank you!

pcraponi
Contributor II

Danilo,

On the FortiGate 200B, no (it's a "small" and "old" model).

In newer and larger models running FortiOS 5.2, you can dedicate a CPU core to the management system/GUI to avoid this kind of issue.

Regards,

Paulo Raponi

thiago_FTNT

Hi Danilo,

Just to complete the answer, the command for this is:

config system npu
    set dedicated-management-cpu [enable | disable]
end

(http://kb.fortinet.com/kb/documentLink.do?externalID=FD35377 )

Regards,

Thiago Takayama

ede_pfau
Esteemed Contributor III

Depending on the firmware used, you might be able to create a DoS policy, probably from the CLI only. This is checked way before the regular routing/policy/UTM chain and should save resources. As the throughput is limited anyway by the speed of the interface, there is a chance that this might save enough CPU power so that you can still manage the FGT.

You could test that yourself using e.g. iperf/jperf.

Ede

"Kernel panic: Aiee, killing interrupt handler!"
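For readers who want to try Ede's suggestion, here is an added example of such a DoS policy in FortiOS CLI syntax. It is not part of the original thread and not Fortinet's documentation; it assumes FortiOS 5.x command syntax, an ingress interface named "internal", the built-in "all" address objects and "ALL" service, and the anomaly thresholds shown, all of which are assumptions to be adjusted to your own device and traffic baseline. Because the flood in Danilo's case came from an internal host heading to the internet, the policy is bound to the LAN-side interface where the packets enter, not to the WAN interface.

```text
# Added example, not from the original post: FortiOS 5.x DoS policy on the
# interface the flood enters on. Interface name, address objects and
# thresholds are assumptions; set thresholds above the normal packet rate
# measured on your network so that legitimate traffic is not blocked.
config firewall DoS-policy
    edit 1
        set interface "internal"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "udp_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "icmp_flood"
                set status enable
                set log enable
                set action block
                set threshold 250
            next
        end
    next
end
```

Two caveats a practitioner should keep in mind. First, a DoS policy only matches the anomaly types you enable in it; a flood whose packets do not fit one of those patterns still falls through to the normal policy lookup, so it is worth checking in the Wireshark capture which anomaly the attack actually corresponds to before relying on this. Second, as Ede suggests, test it under load (for example with iperf generating UDP or TCP floods from an internal host) while watching CPU with diagnose sys top on the console, so you know whether management access survives before the next real incident.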