Fortigate 60E 6.0.2 - NTP Pool (IPS and DDoS Protection)
I hope I'm posting in the right area of the forum and that someone may be able to offer some advice!
I've added an NTP server into the NTP Pool and the resulting NTP queries are being forwarded to my public static IP address, then forwarded on to the NTP server via my Fortigate 60E running 6.0.2 (it's on the end of an 80/20 VDSL line if that makes any difference).
I've got DoS protection on the WAN interface and have added an IPS filter with all current NTP signatures.
However, I'm still seeing:
- Moderate levels of DoS attacks (effectively blocking occasional NTP Pool monitoring requests, reducing the NTP Pool score and hence the amount of time the server is available in the pool).
- Many, many triggers of the "NTP.Zero.Transmit.Timestamp" IPS signature.
I was hoping to refine the DoS protection settings but I don't seem to be able to get this to work. I have a main "WAN" DoS interface profile which protects against general attacks. It seems to be working well.
However, I thought I would add a more "refined" DoS profile specifically for incoming NTP. But the signature I have created does not seem to be triggered at all.
It should be possible to have more than one DoS profile on an interface, shouldn't it? The new NTP service-specific profile has been moved to the top of the list but never seems to get triggered.
The DoS attacks are blocking occasional monitoring sessions from the NTP pool, which reduces the NTP server score, effectively removing it from the NTP pool. Ideally I'd like to have a service-specific NTP profile which is triggered at far lower rates than my standard profile (since NTP shouldn't require more than a few packets per second from any IP address, I guess).
For the "NTP.Zero.Transmit.Timestamp" IPS signature I get hundreds of these flagged per day. I'm not sure if I should leave it enabled, given the volume of hits it triggers. It seems to be a low risk, but at the moment I've set it to block. Can I change the "criticality" of that particular signature so it doesn't cause so many alerts? Any other ideas?
Lastly, how stable is FortiOS in terms of packet handling times? I guess for an NTP server any variation in packet handling time could be a problem. Anyone have any idea on that particular topic?
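The layout the post is asking for, as an added FortiOS 6.0 CLI example that is not from this thread or from Fortinet: a service-specific DoS policy for inbound NTP placed above the general WAN policy (DoS policies are matched first-match, top to bottom), plus an IPS sensor entry that overrides the action of the one noisy signature rather than removing it. The interface name "wan1", the sensor name, policy IDs and thresholds are assumptions, and "<RULE-ID>" is a placeholder for the numeric ID the IPS signature list shows for NTP.Zero.Transmit.Timestamp; lines beginning with # are annotations, not commands.

```fortios
# Added example (not the poster's config). Tune thresholds from observed traffic.
config firewall DoS-policy
    edit 2
        set comments "NTP only - low thresholds"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "NTP"
        config anomaly
            # packets per second towards one destination IP (assumed value)
            edit "udp_flood"
                set status enable
                set log enable
                set action block
                set threshold 500
            next
            # concurrent UDP sessions from one source IP (assumed value)
            edit "udp_src_session"
                set status enable
                set log enable
                set action block
                set threshold 100
            next
        end
    next
    # the existing catch-all WAN policy is assumed to be ID 1; it must stay below
    move 2 before 1
end

# Per-signature override inside the sensor applied to the NTP firewall policy.
# Set action to pass and log to disable to stop the alerts while keeping the
# rest of the NTP signature filter intact; keep log enabled to monitor only.
config ips sensor
    edit "ntp-inbound"
        config entries
            edit 1
                set rule <RULE-ID>
                set action pass
                set log disable
            next
        end
    next
end
```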
Thanks for your help. That's basically in line with what I thought/expected too. The 60E isn't that heavily taxed; it seems to stroll along at about 60-70% CPU usage even with the external NTP connections hitting it.
I'm more concerned about the DoS policies at the moment. As you suggested I expected to be able to have more than one, and to be able to order them and make them specific as you would do for a "regular" policy. I'll have a look in more detail but so far the new one I have created doesn't seem to be hit. Everything (including the incoming NTP sessions) is hitting the original WAN DoS policy.
I'll investigate and post some screenshots (and maybe raise a ticket) if I can't make sense of it.