TCP Profile
Use the TCP Profile to configure various TCP parameters. A TCP Profile should be used for ALL SPPs, even ones that host primarily UDP service.
Some TCP Profile parameters CANNOT be used with asymmetric traffic. Be aware of your routing environment and Global Protection > Deployment > Asymmetric Mode setting.
You can create a maximum of 64 TCP Profiles.
Note 1: It is IMPORTANT that SYN Validation is enabled when this profile is used for any SPP in Prevention Mode. If SYN Validation is NOT enabled, the SYN Thresholds are ignored and there is is no protection from SYN floods.
Note 2: SYN Flood Mitigation requires interaction with the sending Client which will not happen if the SPP is in DETECTION Mode. You should create a TCP-Detection mode Profile with SYN Validation disabled and TCP-Prevention mode Profile with SYN Validation enabled and change this profile when you change Detection/Prevention Modes for the SPP.
Field/Selection |
Description |
Recommendations |
||
---|---|---|---|---|
Detection Mode
|
Prevention Mode |
|||
Symmetric Traffic |
Asymmetric Traffic |
|||
Name | 1-35 characters (a-Z, 0-9, "-", "_" only) | |||
SYN Flood Protection | ||||
SYN Flood Mitigation Mode |
|
SYN Cookie | ||
SYN Flood Mitigation Direction | Inbound Recommended Outbound not normally required - Expert use | Inbound | ||
SYN With Payload |
SYN with Payload blocks SYN packets that are tno header-only packets - they have additional, usually-malicious payload. Attackers use SYN with Payload to increase the size of their attacks. However, a draft IETF standard (Fast Open) allows payload with SYNs and some Hosting companies are experimenting with it. If you see SYNwithPayload drops, investigate the Protected IPs. Inbound Recommended Outbound not normally required - Expert use |
Inbound | ||
TCP Slow Connection Protection |
Use this section to specify:
Note the following:
|
Expert - Many servers allow logins or allow long idle times. These will trigger TCP Slow Connections and unexpectedly drop legitimate connections. Use FortiWeb of FortiADC to manage slow connections on these types of servers. | No | |
|
Select one of the following options from the drop-down:
Note: To reduce false positives, Fortinet recommends you to initially set the option to moderate and switch to aggressive only if required. When the 'User Defined' option is selected, the defaults are set to 1 Byte per 15 seconds which allows lower rates than the default 'moderate' setting. We recommend to use the predefined moderate and Aggressive values as guidelines to help you specify your own settings. Thresholds are triggered when a session sends or receives data at a SLOWER rate than the number of Bytes over the Observation Threshold. |
Expert | No | |
|
Normally enabled if above Slow Connection Type is not None. This results in an attack log called 'Slow Connection: Source flood'. this log includes the Source IP of the Slow Connection, which is useful for analysis and potentially ACLing the Source. Use this option with care. Using Block Sources will block all traffic from those Sources. For example, if one client behind a firewall is creating a Slow Connection, all traffic from the firewall will be blocked. Disabling this option results in an attack event called Foreign Packets (Aggressive Aging and Slow Connections) which is shared with other Aggressive Aging events (see Aggressive aging.) |
Expert |
No |
|
|
The number of Bytes that must be seen within the Observation Period below to prevent triggering Slow Connection Mitigation. Note, this number is pre-filled for Types: Moderate or Aggressive and can be customized for Type: User Defined. If Type: None is selected, numbers are shown in the Byte Threshold but are ignored. |
Expert |
No |
|
|
The time period (in seconds) during which Bytes are counted. Once the Byte threshold above is crossed, the Observation Period is reset and the Byte count starts again. Note, this number is pre-filled for Types: Moderate or Aggressive and can be customized for Type: User Defined. If Type: None is selected, numbers are shownin the Observation Period but are ignored. |
Expert |
No |
|
TCP Packets Validation |
||||
TCP Session Feature Control: |
|
|||
|
Drops packets with invalid TCP sequence numbers. Note: Some vendors intentionally use non-standard sequence numbers for end-to-end signaling between WANop devices. If you see large numbers of OUTBOUND Sequence Validation Drops, disable the feature. |
Enable |
Enable |
Disable |
|
Enables SYN Flood validation using the method selected above. If this is NOT enabled, SYN Thresholds are ignored and SYN Floods are not mitigated. If this feature is enabled in DETECTION Mode and there is a SYN Flood, the system is unable to send validation packets, resulting in unusual logging. This feature should be disabled while in DETECTION Mode. |
Disable |
Enable |
|
|
Drops packets with TCP state transitions that are invalid. For example, if an ACK packet is received when FortiDDoS has not observed a SYN/ACK packet, it is a state transition anomaly. FortiDDoS features can be used in Asyymetric Mode, provided Allow Inbound SYN-ACK is also enabled. See Global Protection features. |
Enable |
Enable |
|
|
Drops TCP packets without an existing TCP connection and reports them as a foreign packet. In most cases, the foreign packets validation is useful for filtering out junk. Note: Inbound Foreign Packets will be passed in DETECTION Mode and may result in matching outbound Foeign Packets. If in doubt, disable Foreign Packet Validation when the SPP is in DETECTION mode. |
Disable |
Enable |
|
|
Allows a new connection with the same 5-tuple (Sooure IP:port, Protocol, Destination IP:Port) while the existing connection is in the closed or close-wait, fin-wait, time-wait states. |
Enable |
||
|
Allows duplicate TCP SYN packets during the SYN-SENT state. It allows this type of packet even if the sequence numbers are different. |
Enable |
Optional but not necessary |
|
|
Allows duplicate TCP SYN packets during the SYNRECV state. It allows this type of packet even if the sequence numbers are different. |
Disable |
||
|
Allows duplicate TCP packets during any other state even if the sequence numbers are different from the existing connection entry. This is equivalent to allowing the packet without updating an existing connection entry with the new information from the allowed packet. |
Use on Fortinet recommendation only |
||
|
||||
|
||||
|
||||
|
||||
|
Drops various TCP Header Anomalies including:
|
Enable |
||
TCP Session Settings |
||||
Aggressive Aging Feature Control |
Controls sending RSTs to servers |
|
|
|
High Concurrent Connection per Source |
Sends TCP RSTs to the protected destination server(s) to reset connections from the identified Source IP when the Concurrent Connection per Source threshold is crossed. |
Optional. System cannot send RSTs in Detection mode which may result in unusualy logging. |
Enable |
|
Slow TCP Connections |
Sends TCP RSTs to the protected destination server(s) to reset connections from the identified source depending on the Slow Connection settings above. |
Optional. System cannot send RSTs in Detection mode which may result in unusually logging. |
Expert |
No |
TCP Session Idle Timeout |
Idle timeout period for any TCP session. The default value is 528 seconds. Use this timer to age idle TCP sessions (sessions with no traffic for long periods), for all connections and ports. This timer should match other idle timers in your infrastructure such as firewalls. |
Always monitored |
This setting is ignored in Asymmetric Mode |
|
TCP Session Idle Timeout Unit |
Seconds, Minutes, Hours. |
|
|
|
TCP Session Extended Timeout |
Extended timeout value for specific IP addresses (IPv4 only) where the timeout should be longer than the idle timeout period. For example, this setting can be configured for specific IP addresses in environments where persistent SSH/TELNET/HTTP connections are used. This timer should be longer than the TCP Session Idle Timeout. See also, Session timeout precedence and application, below. |
Always monitored |
This setting is ignored in Asymmetric Mode |
|
TCP Session Extended Timeout Unit |
Seconds, Minutes, Hours. |
|
|
|
TCP Session Extended Source Type |
IPv4 Address or IPv4 Address Group |
Always monitored |
This setting is ignored in Asymmetric Mode |
|
TCP Session Extended Source Address IPv4 |
Select from the Global IP address / IP Address Group definitions |
|
Example Settings:
TCP Detection Mode
TCP Prevention Mode