Fortinet white logo
Fortinet white logo

Handbook

Tap Mode deployments

Tap Mode deployments

This section provides the following information about FortiDDoS Tap Mode deployments:

Overview

The FortiDDoS appliance is a transparent Layer 2 bridge that could become a point-of-failure without proper bypass mechanisms. It is possible to deploy a Layer 1 bypass bridge in-path with the FortiDDoS appliance in an out-of-path monitor segment so that you are never faced with outages due to failure, maintenance, or replacement of a FortiDDoS appliance.

Most bypass bridge appliances support inline, bypass, and recovery features. Some bypass bridge appliances also support Tap Mode—a mode in which the Layer 2 bridge can simultaneously perform bypass through its network ports and mirroring through its monitor ports.

FortiDDoS appliances have a complementary Tap Mode setting that turns off the transmit (Tx) component of the FortiDDoS network interface cards. This ensures the FortiDDoS is a passive listener that cannot disrupt traffic or cause an outage.

In a Tap Mode deployment, FortiDDoS can use the mirrored packets to build the traffic history it uses to establish rate thresholds, and it can detect volumetric attacks (rate anomalies), but it does not take actions, like dropping traffic, blocking identified source attackers, or aggressively aging connections.

When an attack is detected, you can turn off Tap Mode on FortiDDoS and the FortiDDoS interfaces resume packet transmission. Bypass bridge probes will then pass through FortiDDoS successfully, the bridge will detect that the out-of-path segment is available, and it will switch to Inline Mode.

Deployment Topology

The figure below illustrates how bypass bridge deployment modes are used in a deployment with FortiDDoS. The bypass bridge is deployed in-path and FortiDDoS is deployed out-of-path.

In Inline Mode, the bypass bridge passes heartbeat packets through its monitor ports to detect whether the out-of-path segment is available. When the health probes indicate the path is available, inbound traffic that is received by the bypass bridge Net0 interface is forwarded through the Mon0 interface to the FortiDDoS WAN port. FortiDDoS processes the traffic, takes action on attacks and passes non-attack traffic through its LAN port to the bypass bridge Mon1 interface. The traffic is passed through the bypass bridge Net1 interface towards its destination.

Inline Mode

If the heartbeat probe fails due to FortiDDoS failure or maintenance, the bypass bridge can be set up to switch from Inline mode to Bypass mode. In Bypass Mode, traffic is not forwarded through the monitor ports. Instead, it is forwarded from Net0 to Net1, bypassing the out-of-path segment.

Bypass Mode

Alternatively, you can set up some bypass bridge to switch from Inline Mode to Tap Mode when probes fail. In bypass bridge Tap Mode, traffic is forwarded from Net0 to Net1, and it is also mirrored to Mon0. This is what you want when you want to deploy FortiDDoS as a passive listener.

Tap Mode

Although not shown in the illustrations, the reverse paths are processed the same way.

Note: When in Tap Mode, FortiDDoS discards packets after processing (noted by an X in Tap Mode). You should not expect to see egress traffic on the Monitor > Port Statistics graphs.

Requirements

Contact your Fortinet Sales Engineer to learn more about bypass bridges that can operate in this mode.

Fortinet does not support Tap Mode deployments with other bridge or tap devices. If you attempt a deployment with other devices, consider the following Tap Mode requirements:

  • The bridge device must be deployed and configured to forward traffic along the data path and send mirrored traffic towards FortiDDoS on both its monitor ports (inbound traffic on one port and outbound on the other).
  • The bridge must block any transmit packets from FortiDDoS on its monitor ports so that any traffic sent by FortiDDoS is blocked.
  • The bridge device should have the ability to set inline/bypass/tap mode manually so that administrators take direct action when there is an attack.
  • FortiDDoS passes heartbeat packets from its ingress to egress ports, so the bridge must not be affected by seeing these heartbeat packets (it will not switch to inline mode).
  • Passive optical TAPs will generally not work since the TAPs usually have a single duplex monitor port output on 1 pair of fiber ports. FortiDDoS requires 2 separate monitor ports for inbound and outbound traffic on 2 separate fiber pairs. Custom cabling can support this, but FortiDDoS can never be switched inline using passive TAPs.

Limitations

In Tap Mode, FortiDDoS is a passive listener. It records actions it would have taken were it placed inline, so ACL, anomaly, rate threshold drops, source blocking, and aggressive aging events and statistics are just simulations.

However, some features cannot be simulated when FortiDDoS is a passive listener. The following Prevention Mode features depend on being deployed in-path and interacting with clients and servers to work correctly:

  • SYN flood mitigation—With SYN validation enabled, FortiDDoS performs antispoofing tests to determine whether the source is legitimate. In Tap Mode, if the source was not already in the legitimate IP table, it will fail the test. As a result, the simulation is skewed, and the reports will show an inordinate spike in blocked sources.
  • TCP state anomaly detection—With Foreign Packet Validation enabled, FortiDDoS drops unexpected packets (for example, if there is a sequence of events in which FortiDDoS drops inbound packets, it does not expect to receive corresponding outbound packets, so a foreign packet drop event is triggered).
  • Aggressive aging—Aggressive aging resets are not actually sent when slow connection attacks and Layer 7 floods are detected, but the connections are cleared from the TCP state table. As a result, subsequent packets for the connection are treated as foreign packets.

Talk with your Fortinet CSE to make sure you thoroughly understand your choices, which include:

  • Disabling TCP session feature control when FortiDDoS is deployed in Tap Mode. (But remember to enable it if you want its protections when you FortiDDoS is deployed inline.)
  • Interpreting or disregarding the logs and graphs for these anomalies.

Tap Mode is not a perfect deployment simulation, but it does enable you prepare for volumetric attacks by building traffic history without risk of disruption or outage.

Configuration

We recommend you set up the bypass bridge to Inline Mode with action on failure set to Tap Mode; and then force a failure by turning on FortiDDoS Tap Mode.

FortiDDoS configuration guidelines

This section gives pointers for FortiDDoS configuration.

Before you begin:

  • Physically connect FortiDDoS to the bypass bridge.

You must add the MAC addresses for the bypass bridge Monitor ports (if available) so that FortiDDoS accepts heartbeats from them. Heartbeats are used when the bypass bridge is in Inline Mode.

To configure bypass MAC addresses:
  1. Go to Global Protection > Deployment > Bypass MAC.
  2. Click Add, and then enter a name for the MAC address and the address.
  3. Save the configuration.
To enable Tap Mode:
  1. Go to Global Protection > Deployment.
  2. Enable Tap Mode.
  3. Save the configuration.

Note: The system reboots when you enable/disable Tap Mode.

config ddos global deployment

set tap-mode {enable|disable}

end

Best practices

The following are recommended best practices:

  • Do not set the bypass bridge Tap Mode manually. Set it up as the action on failure for the bypass bridge Inline Mode and then force a failure of the out-of-path segment by turning on FortiDDoS Tap Mode.
  • In a FortiDDoS Tap Mode deployment, you can set SPPs in Detection Mode or Prevention Mode. Set it to whichever mode you want enabled when you toggle off Tap Mode and put FortiDDoS inline.

Tap Mode deployments

Tap Mode deployments

This section provides the following information about FortiDDoS Tap Mode deployments:

Overview

The FortiDDoS appliance is a transparent Layer 2 bridge that could become a point-of-failure without proper bypass mechanisms. It is possible to deploy a Layer 1 bypass bridge in-path with the FortiDDoS appliance in an out-of-path monitor segment so that you are never faced with outages due to failure, maintenance, or replacement of a FortiDDoS appliance.

Most bypass bridge appliances support inline, bypass, and recovery features. Some bypass bridge appliances also support Tap Mode—a mode in which the Layer 2 bridge can simultaneously perform bypass through its network ports and mirroring through its monitor ports.

FortiDDoS appliances have a complementary Tap Mode setting that turns off the transmit (Tx) component of the FortiDDoS network interface cards. This ensures the FortiDDoS is a passive listener that cannot disrupt traffic or cause an outage.

In a Tap Mode deployment, FortiDDoS can use the mirrored packets to build the traffic history it uses to establish rate thresholds, and it can detect volumetric attacks (rate anomalies), but it does not take actions, like dropping traffic, blocking identified source attackers, or aggressively aging connections.

When an attack is detected, you can turn off Tap Mode on FortiDDoS and the FortiDDoS interfaces resume packet transmission. Bypass bridge probes will then pass through FortiDDoS successfully, the bridge will detect that the out-of-path segment is available, and it will switch to Inline Mode.

Deployment Topology

The figure below illustrates how bypass bridge deployment modes are used in a deployment with FortiDDoS. The bypass bridge is deployed in-path and FortiDDoS is deployed out-of-path.

In Inline Mode, the bypass bridge passes heartbeat packets through its monitor ports to detect whether the out-of-path segment is available. When the health probes indicate the path is available, inbound traffic that is received by the bypass bridge Net0 interface is forwarded through the Mon0 interface to the FortiDDoS WAN port. FortiDDoS processes the traffic, takes action on attacks and passes non-attack traffic through its LAN port to the bypass bridge Mon1 interface. The traffic is passed through the bypass bridge Net1 interface towards its destination.

Inline Mode

If the heartbeat probe fails due to FortiDDoS failure or maintenance, the bypass bridge can be set up to switch from Inline mode to Bypass mode. In Bypass Mode, traffic is not forwarded through the monitor ports. Instead, it is forwarded from Net0 to Net1, bypassing the out-of-path segment.

Bypass Mode

Alternatively, you can set up some bypass bridge to switch from Inline Mode to Tap Mode when probes fail. In bypass bridge Tap Mode, traffic is forwarded from Net0 to Net1, and it is also mirrored to Mon0. This is what you want when you want to deploy FortiDDoS as a passive listener.

Tap Mode

Although not shown in the illustrations, the reverse paths are processed the same way.

Note: When in Tap Mode, FortiDDoS discards packets after processing (noted by an X in Tap Mode). You should not expect to see egress traffic on the Monitor > Port Statistics graphs.

Requirements

Contact your Fortinet Sales Engineer to learn more about bypass bridges that can operate in this mode.

Fortinet does not support Tap Mode deployments with other bridge or tap devices. If you attempt a deployment with other devices, consider the following Tap Mode requirements:

  • The bridge device must be deployed and configured to forward traffic along the data path and send mirrored traffic towards FortiDDoS on both its monitor ports (inbound traffic on one port and outbound on the other).
  • The bridge must block any transmit packets from FortiDDoS on its monitor ports so that any traffic sent by FortiDDoS is blocked.
  • The bridge device should have the ability to set inline/bypass/tap mode manually so that administrators take direct action when there is an attack.
  • FortiDDoS passes heartbeat packets from its ingress to egress ports, so the bridge must not be affected by seeing these heartbeat packets (it will not switch to inline mode).
  • Passive optical TAPs will generally not work since the TAPs usually have a single duplex monitor port output on 1 pair of fiber ports. FortiDDoS requires 2 separate monitor ports for inbound and outbound traffic on 2 separate fiber pairs. Custom cabling can support this, but FortiDDoS can never be switched inline using passive TAPs.

Limitations

In Tap Mode, FortiDDoS is a passive listener. It records actions it would have taken were it placed inline, so ACL, anomaly, rate threshold drops, source blocking, and aggressive aging events and statistics are just simulations.

However, some features cannot be simulated when FortiDDoS is a passive listener. The following Prevention Mode features depend on being deployed in-path and interacting with clients and servers to work correctly:

  • SYN flood mitigation—With SYN validation enabled, FortiDDoS performs antispoofing tests to determine whether the source is legitimate. In Tap Mode, if the source was not already in the legitimate IP table, it will fail the test. As a result, the simulation is skewed, and the reports will show an inordinate spike in blocked sources.
  • TCP state anomaly detection—With Foreign Packet Validation enabled, FortiDDoS drops unexpected packets (for example, if there is a sequence of events in which FortiDDoS drops inbound packets, it does not expect to receive corresponding outbound packets, so a foreign packet drop event is triggered).
  • Aggressive aging—Aggressive aging resets are not actually sent when slow connection attacks and Layer 7 floods are detected, but the connections are cleared from the TCP state table. As a result, subsequent packets for the connection are treated as foreign packets.

Talk with your Fortinet CSE to make sure you thoroughly understand your choices, which include:

  • Disabling TCP session feature control when FortiDDoS is deployed in Tap Mode. (But remember to enable it if you want its protections when you FortiDDoS is deployed inline.)
  • Interpreting or disregarding the logs and graphs for these anomalies.

Tap Mode is not a perfect deployment simulation, but it does enable you prepare for volumetric attacks by building traffic history without risk of disruption or outage.

Configuration

We recommend you set up the bypass bridge to Inline Mode with action on failure set to Tap Mode; and then force a failure by turning on FortiDDoS Tap Mode.

FortiDDoS configuration guidelines

This section gives pointers for FortiDDoS configuration.

Before you begin:

  • Physically connect FortiDDoS to the bypass bridge.

You must add the MAC addresses for the bypass bridge Monitor ports (if available) so that FortiDDoS accepts heartbeats from them. Heartbeats are used when the bypass bridge is in Inline Mode.

To configure bypass MAC addresses:
  1. Go to Global Protection > Deployment > Bypass MAC.
  2. Click Add, and then enter a name for the MAC address and the address.
  3. Save the configuration.
To enable Tap Mode:
  1. Go to Global Protection > Deployment.
  2. Enable Tap Mode.
  3. Save the configuration.

Note: The system reboots when you enable/disable Tap Mode.

config ddos global deployment

set tap-mode {enable|disable}

end

Best practices

The following are recommended best practices:

  • Do not set the bypass bridge Tap Mode manually. Set it up as the action on failure for the bypass bridge Inline Mode and then force a failure of the out-of-path segment by turning on FortiDDoS Tap Mode.
  • In a FortiDDoS Tap Mode deployment, you can set SPPs in Detection Mode or Prevention Mode. Set it to whichever mode you want enabled when you toggle off Tap Mode and put FortiDDoS inline.