What's new

FortiDDoS-F 6.1.2 offers the following new features:

  • Support for KVM hypervisor

FortiDDoS-F Series New features

FortiDDoS-F series is built on the feature base of FortiDDoS B/E-Series with these notable additions:

  • VMware support with SR-IOV support where available
  • NTP from E-Series on all models
  • Additional SSL DDoS Mitigation settings
  • 16x SPPs in 1500F and 4/8/16x SPPs in VM04/VM08/VM16
  • DNS Rcode Scalars are included in Traffic Statistics and System Recommendation
  • NTP Scalars are included in Traffic Statistics and System Recommendations
  • Split System Recommendation for Layer 4 Scalars/ICMP, TCP Ports and UDP Ports included from B/E 5.4.0
  • Common UDP Source Reflection Ports are pre-populated in Global Service definitions for use with Global or SPP ACLs
  • Service port definitions support Source Port or Destination Port. Source Port ACLs are very useful for permanently blocking known UDP reflection ports.
  • IP Address / Subnets definitions are created in the System menu and then assigned to Global or SPP ACLs, reducing multiple entries.
  • Bogons IPs and/or Multicast IPs can be ACLed with option selection in any SPP.
  • SPPs replace feature tabs with multiple Profiles for IP, ICMP, TCP, HTTP, SSL/TLS, NTP and DNS. One Profile can be used by multiple SPPs or one SPP can use multiple Profiles (TCP Detection and TCP Prevention, for example).
  • Source MAC address for aggressive aging is configurable per SPP, if needed
  • Strict Anomalies options are now included in several SPP Profile pages for Layer 2 to Layer 7 options.
  • Cloud Signaling Thresholds are entered in both pps and Mbps (crossing either triggers Signaling). Thresholds are now per SPP Policy (subnet).
  • SPP Policies (subnets) are entered for each Service Protection Policy (SPP) instead of globally.
  • Explicit TCP thresholds are added for DNS Query, Question Count, Fragment, MX and ALL. B/E-Series has TCP Thresholds but they are hidden and the same as the UDP Thresholds.
  • IP Reputation and Domain Reputation are included in IP and DNS Profiles and thus are optional per SPP.
  • SSL/TLS Profile includes additional Cipher Anomaly option
  • tcpdump-style packet capture
  • Several formerly-global features such as IP Reputation are now set per SPP for better control
  • Additional Known Method Anomalies available

Removed/Changed/Deferred Features

B/E-Series Functionality not included in this release:

  • Support for FortiDDoS-CM Central Manager
  • Security Fabric Integration with FortiOS Dashboard
  • GTP-U support
  • Distress ACL and Auto-Distress ACL
  • Multi-tenant support (SPP or SPP Policy Group)
  • Fewer files included in Offline analysis file
  • SPP Backup/Restore
  • Attack Reports are Global only and are on-demand or on-schedule only. Report periods are Last 7 Days, Last Month or Last year only. (Removed per-SPP, per-SPP Policy, per-SPP Policy Group reports, on-Threshold reports and some time periods)
  • REST API has changed and requires documentation
  • Log & Report > DDoS Attack Graphs
  • SPP Policy Groups
  • Log & Report > Diagnostics
  • SPP-to-SPP Switching Policies
  • Restrict DNS Queries to specific subnets
  • System Recommendation Option for Actual or System Max Outbound Threshold (5.4.0)
  • Traffic Statistics Option for Peak or 95th Percentile Traffic (5.4.0)
  • Syslog RFC 5424 or Fortinet proprietary secure "OFTP" protocol (5.4.0)
  • Search for IP addresses within various ACLs (5.3.0)

VM limits

  • VMs do not support the Fail-Open option. Fail-Open support will be determined by the underlying server.
  • TCP Port Thresholds are calculated to 65,535 but Thresholds/Ranges are created for ports 1-1023 with one range for ports above 1023.
  • TCP Port Graphs display traffic and drops for Ports 1-1023. Port 1024 displays peak traffic rate for any port from 1024-65,535 and total drops associated with any of those ports. Attack logs show full port range 1-65,535.
  • UDP Port Thresholds are calculated to 65,535 but Thresholds/Ranges are created for 1-10,239 only with one range above that.
  • UDP Port Graphs display traffic and drops for Ports 1-10,239. Port 10,240 displays peak traffic rate for any port from 10,240-65,535 and total drops associated with any of those ports. Attack logs show full port range 1-65,535 as well as reflected attack drops from ports 1-9,999.
  • ICMP Type/Code Thresholds are calculated from 0-65,535 but Threshold/Ranges are created for 0-10,239 only. Indexes from 10,240 to 65,535 are included in one range.
  • ICMP Type/Code graphs show indexes from 0/0 to 39/255 with all others showing in 40/0. Attack logs will show drops for Types/Codes for all Types/Codes from 0/0 to 255/255.
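
Because VM graphs fold high ports and ICMP type/codes into a single index while attack logs keep the full range, the following added example (not Fortinet code) shows how drops taken from attack logs line up with the graph index where they are charted. The function names, the record layout and the ICMP index formula (type × 256 + code, consistent with 39/255 = 10,239) are assumptions made for illustration.

```python
from collections import Counter

# Overflow graph indexes taken from the VM limits listed above.
OVERFLOW = {"tcp": 1024, "udp": 10240}
ICMP_OVERFLOW_INDEX = 10240  # shown on graphs as 40/0

def port_graph_index(proto: str, port: int) -> int:
    """Graph index where traffic and drops for a TCP/UDP port are displayed."""
    proto = proto.lower()
    if proto not in OVERFLOW:
        raise ValueError(f"unsupported protocol: {proto}")
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    return min(port, OVERFLOW[proto])

def icmp_graph_label(icmp_type: int, code: int) -> str:
    """Graph label (type/code) where an ICMP type/code pair is displayed."""
    if not (0 <= icmp_type <= 255 and 0 <= code <= 255):
        raise ValueError("ICMP type and code must be 0-255")
    # Assumption: index = type * 256 + code, which matches 39/255 = 10,239.
    index = min(icmp_type * 256 + code, ICMP_OVERFLOW_INDEX)
    return f"{index // 256}/{index % 256}"

def drops_per_graph_bucket(records):
    """Sum attack-log drops by the graph bucket they are charted under."""
    totals = Counter()
    for proto, first, second, drops in records:
        if proto.lower() == "icmp":
            key = ("icmp", icmp_graph_label(first, second))
        else:
            key = (proto.lower(), port_graph_index(proto, first))
        totals[key] += drops
    return dict(totals)

# Constructed sample records: (protocol, port or ICMP type, ICMP code, drops)
SAMPLE_LOG = [
    ("tcp", 443, 0, 120), ("tcp", 8080, 0, 300), ("tcp", 50000, 0, 50),
    ("udp", 9999, 0, 10), ("udp", 20000, 0, 700),
    ("icmp", 8, 0, 40), ("icmp", 200, 3, 5),
]

if __name__ == "__main__":
    for bucket, drops in sorted(drops_per_graph_bucket(SAMPLE_LOG).items()):
        print(bucket, drops)
```

A spike on the TCP 1024 or UDP 10,240 graph index therefore needs the attack log to identify the actual port involved.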