Administration Guide

Diameter protocol inspection

Diameter protocol inspection is supported on the FortiGate, which offers the following capabilities.

  • Diameter-based packet forwarding and routing: the FortiGate can forward and route Diameter packets that match a firewall policy with an enabled and assigned diameter-filter profile. These Diameter packets traverse over SCTP or TCP on the reserved port 3868.

  • Packet sanity checking: this feature checks if the packet passing through the FortiGate conforms to the Diameter protocol standards as defined in RFC 3588.

    • This includes checking the release version field, error command flags, message length, reserved command flag bits, command code, and tracking the request and answer of the Diameter-based packets.

  • Logging: for network auditing purposes, the traffic for both dropped and forwarded Diameter-based packets of the supported commands can be logged. By default, these are disabled.

The Diameter protocol is particularly important on interfaces that are used to exchange information with roaming partners, through the Internetwork Packet Exchange (IPX) network.

Note

This feature requires a valid IPS license.

config diameter-filter profile
    edit <name>
        set monitor-all-messages {enable | disable}
        set log-packet {enable | disable}
        set track-requests-answers {enable | disable}
        set missing-request-action {allow | block | reset | monitor}
        set protocol-version-invalid {allow | block | reset | monitor}
        set message-length-invalid {allow | block | reset | monitor}
        set request-error-flag-set {allow | block | reset | monitor}
        set cmd-flags-reserve-set {allow | block | reset | monitor}
        set command-code-invalid {allow | block | reset | monitor}
        set command-code-range <min-max>
    next
end

monitor-all-messages {enable | disable}

Enable/disable logging for all User-Name and Result-Code AVP messages.

log-packet {enable | disable}

Enable/disable packet log for triggered Diameter settings.

track-requests-answers {enable | disable}

Enable/disable validation that each answer has a corresponding request.

missing-request-action {allow | block | reset | monitor}

Set the action to be taken for answers without a corresponding request.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

protocol-version-invalid {allow | block | reset | monitor}

Set the action to be taken for an invalid protocol version.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

message-length-invalid {allow | block | reset | monitor}

Set the action to be taken for an invalid message length.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

request-error-flag-set {allow | block | reset | monitor}

Set the action to be taken for request messages with an error flag set.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

cmd-flags-reserve-set {allow | block | reset | monitor}

Set the action to be taken for messages with command flag reserved bits set.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

command-code-invalid {allow | block | reset | monitor}

Set the action to be taken for messages with an invalid command code.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

command-code-range <min-max>

Set the valid range for command codes (min = 0, max = 16777215, default = 256-16777213).

To configure Diameter protocol inspection:
  1. Configure the Diameter filter profile:

    config diameter-filter profile
        edit "diameter_profile"
            set monitor-all-messages disable
            set log-packet enable
            set track-requests-answers enable
            set missing-request-action block
            set protocol-version-invalid block
            set message-length-invalid block
            set request-error-flag-set block
            set cmd-flags-reserve-set block
            set command-code-invalid block
            set command-code-range 256-1677213
        next
    end
  2. Apply the Diameter filter to a firewall policy:

    config firewall policy
        edit 1
            set srcintf "port1"
            set dstintf "port3"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "deep-inspection"
            set diameter-filter-profile "diameter_profile"
            set logtraffic all
            set auto-asic-offload disable
        next
    end

    Note

    NTurbo does not fully support SCTP, so if the configuration includes Diameter-over-SCTP, the auto-asic-offload setting should be disabled in the firewall policy. Otherwise, IPS does not get the full session packets.

Sample logs

No matching request:

1: date=2023-11-09 time=11:04:32 eventtime=1699556673071701052 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=163572 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Response.Message.No.Matching.Request.Found" direction="outgoing" attackid=52234 ref="http://www.fortinet.com/ids/VID52234" incidentserialno=60817776 msg="diameter_decoder: Diameter.Response.Message.No.Matching.Request.Found, command_code=317"

Invalid protocol version:

1: date=2023-11-08 time=20:20:54 eventtime=1699503655386037801 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=117419 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Invalid.Version" direction="outgoing" attackid=52229 ref="http://www.fortinet.com/ids/VID52229" incidentserialno=60817657 msg="diameter_decoder: Diameter.Invalid.Version, protocol_version=2"

Incorrect message length:

1: date=2023-11-08 time=19:18:10 eventtime=1699499890820325221 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=113487 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Incorrect.Message.Length" direction="outgoing" attackid=52230 ref="http://www.fortinet.com/ids/VID52230" incidentserialno=60817601 msg="diameter_decoder: Diameter.Incorrect.Message.Length, message_length=174, packet_length=164"

Request error flag:

1: date=2023-11-08 time=19:27:29 eventtime=1699500449951027175 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=114134 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Request.Message.Error.Flag.Set" direction="outgoing" attackid=52231 ref="http://www.fortinet.com/ids/VID52231" incidentserialno=60817619 msg="diameter_decoder: Diameter.Request.Message.Error.Flag.Set, command_flags=A0"

Incorrect reserved bits:

1: date=2023-11-08 time=19:31:10 eventtime=1699500670891359990 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=114400 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Incorrect.Reserved.Bits" direction="outgoing" attackid=52232 ref="http://www.fortinet.com/ids/VID52232" incidentserialno=60817626 msg="diameter_decoder: Diameter.Incorrect.Reserved.Bits, command_flags=82"

Out-of-range command code:

2: date=2023-11-08 time=16:59:41 eventtime=1699491581561225681 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=106658 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Message.Command.Overlong" direction="outgoing" attackid=52233 ref="http://www.fortinet.com/ids/VID52233" incidentserialno=60817600 msg="diameter_decoder: Diameter.Message.Command.Overlong, command_code=255, range_min=256, range_max=1677213"
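The header sanity checks that the profile settings above configure and the sample logs record, applied to constructed packets as an added example. This is not FortiGate or Fortinet code: it reuses the attack names from the logs as finding names, assumes one Diameter message per packet, and the packet builder, the 3GPP application ID and the command-code range 256-1677213 (taken from the example profile) are assumptions for the demonstration.

```python
import struct
from dataclasses import dataclass, field

# Diameter header layout, RFC 3588 section 3 (20 bytes, big-endian):
# version(1) | message length(3) | command flags(1) | command code(3)
# | application id(4) | hop-by-hop id(4) | end-to-end id(4)
HDR_LEN = 20
FLAG_R, FLAG_E = 0x80, 0x20   # request bit, error bit of the command flags
RESERVED_MASK = 0x0F          # low four command-flag bits are reserved (must be 0)

@dataclass
class DiameterInspector:
    """Profile settings from the page plus per-session request tracking state."""
    track_requests_answers: bool = True
    command_code_range: tuple = (256, 1677213)  # value used in the example profile
    pending: set = field(default_factory=set)   # hop-by-hop ids of unanswered requests

    def inspect(self, packet: bytes) -> list:
        """Return the names of the checks this packet violates (empty if clean)."""
        findings = []
        if len(packet) < HDR_LEN:              # header alone needs 20 bytes
            return ["Diameter.Incorrect.Message.Length"]
        version = packet[0]
        msg_len = int.from_bytes(packet[1:4], "big")
        flags = packet[4]
        code = int.from_bytes(packet[5:8], "big")
        hbh = int.from_bytes(packet[12:16], "big")
        is_request = bool(flags & FLAG_R)
        if version != 1:                       # protocol-version-invalid
            findings.append("Diameter.Invalid.Version")
        if msg_len != len(packet):             # message-length-invalid
            findings.append("Diameter.Incorrect.Message.Length")
        if is_request and flags & FLAG_E:      # request-error-flag-set
            findings.append("Diameter.Request.Message.Error.Flag.Set")
        if flags & RESERVED_MASK:              # cmd-flags-reserve-set
            findings.append("Diameter.Incorrect.Reserved.Bits")
        lo, hi = self.command_code_range
        if not lo <= code <= hi:               # command-code-invalid / command-code-range
            findings.append("Diameter.Message.Command.Overlong")
        if self.track_requests_answers:        # track-requests-answers / missing-request-action
            if is_request:
                self.pending.add(hbh)          # answers are matched on hop-by-hop id
            elif hbh in self.pending:
                self.pending.discard(hbh)
            else:
                findings.append("Diameter.Response.Message.No.Matching.Request.Found")
        return findings

def build(version=1, flags=FLAG_R, code=316, hbh=1, pad=0, length=None) -> bytes:
    """Constructed packet: header plus `pad` zero bytes standing in for AVPs.
    `length` overrides the message length field to fake a length mismatch."""
    body = bytes(pad)
    total = HDR_LEN + len(body) if length is None else length
    hdr = (bytes([version]) + total.to_bytes(3, "big") + bytes([flags])
           + code.to_bytes(3, "big") + struct.pack(">III", 16777251, hbh, hbh))
    return hdr + body

if __name__ == "__main__":
    insp = DiameterInspector()
    insp.inspect(build())                                  # well-formed request, now pending
    print(insp.inspect(build(flags=0, code=317, hbh=99)))  # answer with no matching request
```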