What's New in FortiDDoS 6.x

6.2.1

FortiDDoS 6.2.1 offers the following new features:

New CLI commands
  • get system performance to check the CPU, memory, and disk usage.
    This command shows the system resources and matches the GUI Dashboard > Status > System Resources panel. The traditional Linux top command does not report accurate figures for DPDK processors, so use get system performance instead; its output matches the Dashboard and Event Logs.

  • diagnose debug rrd_files_check to diagnose SPP RRD numbers.
    Use execute spp-rrd-reset spp <rule_name> to reset databases that fail the rrd_files check.
    Use execute rrd-reset All to reset all databases.

Support to connect VM console

FortiDDoS VM now supports a console port with both VMware and KVM.

New SPP Operation Mode column in the Protected Subnets list

In the Service Protection > Protection Subnets list, columns have been added for Inbound and Outbound Operation Mode (Detection/Prevention).

SPP Navigation from inside FortiView > SPP detail page

You can now navigate between SPPs while in the Service Protection > Service Protection Policy page.

SPP added to Dashboard > Status > Attack Logs widget

The Dashboard Attack Logs panel now shows the SPP associated with the drop/attack log.

Match VM Model Release information with appliances

The FortiDDoS model number (VM04/VM08/VM16) is shown in the top header bar.

6.2.0

FortiDDoS 6.2.0 offers the following new features:

  • SYN/ACK Scalar Thresholds for asymmetric traffic. With asymmetric traffic, FortiDDoS normally needs to assume an inbound SYN/ACK represents the response from an unseen outbound SYN and creates a connection table entry. This leaves the system/user open to advanced SYN/ACK floods. In 6.2.0 the following Thresholds are visible only when the system is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled:
    • SYN/ACK - aggregate rate of all SYN-ACKs into the SPP Protected Subnets
    • SYN/ACK per Destination - maximum rate of SYN-ACKs to any single destination in the SPP Protected Subnets
    Note:
    • SYN/ACK Thresholds are not automatically learned and System Recommendations are not created. Use the above graphs to calculate peak rates and create manual thresholds.
    • There is no Adaptive Threshold for these Scalars.
    • These thresholds function on INBOUND traffic only.
  • DTLS Profile is added to Service Protection Policies. Use DTLS to prevent DTLS direct and reflection attacks on all services.
  • Possible UDP Reflection Flood is added from B/E-Series with similar functionality. Any drops associated with UDP Port Thresholds from source ports 1-9999 are shown in the attack logs as Possible UDP Reflection Floods. This protects against and identifies any of the more than 30 currently known UDP reflection ports (19, 111, 389, etc.) as well as future reflections from any port lower than 10,000. FortiDDoS F-Series does not support UDP Service ports in 6.2.0.
  • System Recommendation now has an option to use actual outbound traffic statistics for outbound thresholds or set all outbound thresholds to system maximum (default and recommended).
  • Treatment of Global ACLs changes with a dedicated "SPP" for all kinds of Global ACLs. New items added for:
    • Dashboard > Top Attacks > Global: Global ACL Attack table
    • Monitor > Drops Monitor > Global: Graphs of Global Aggregate and ACL Rule Drops
    Note: Global ACLs always drop identified packets and do not follow Detection/Prevention settings per SPP.
  • A Protection Subnets List GUI page is added to list all Protection Subnets for all SPPs and the Detection Mode/Prevention Mode status of the SPP hosting each Protection Subnet. Protection Subnets cannot be edited from this page.
  • Blocklisted IPv4 and Blocklisted Domains UIs have been improved to show the number of addresses/Domains applied and the last update date, to add and delete individual addresses/Domains, and to search for an address/Domain in the lists.
  • Navigation is available between Service Protection Policies when in the SPP editing pages.
  • FortiGuard scheduled updates are changed to Daily or Weekly only. More frequent updates were not providing additional information.
  • Reboot and Shutdown commands are added to the top-right user logout menu.
  • The Domain Reputation attack log event has been separated from the Domain Blocklist event.
  • FortiView Threatmap improves time-period selection for display
  • Additional tool-tip date and time information is available on longer-period graphs (week/month/year).
  • Added CLI command to restart nginx (GUI)
  • Added CLI command get bypass-status to show inline/bypass status of associated ports.
  • Added CLI command diagnose dataplane geo-ip <IPv4 address(no mask)>. This allows the user to check which geolocation a specific IPv4 address is located in.
  • Labeling, graph units, borders, field sizes, event log, attack log and tool tip information and other improvements added throughout the GUI.

6.1.0

FortiDDoS-F 6.1.0 is built on the feature base of FortiDDoS-F B/E-Series with these notable additions:

  • VM support in VMware hypervisor environments
  • NTP from E-Series on all models
  • Additional SSL DDoS Mitigation settings
  • 16x SPPs in 1500F
  • The System Recommendation changes from 5.4.0 (Separate L4 Scalars/ICMP / TCP Ports / UDP Port) are included
  • DNS Rcode Scalars are included in Traffic Statistics and System Recommendation
  • Split System Recommendation for Layer 4 Scalars/ICMP, TCP Ports and UDP Ports included from B/E 5.4.0
  • Common UDP Source Reflection Ports are pre-populated in Global Service definitions for use with Global or SPP ACLs
  • Service port definitions support Source Port or Destination Port. Source Port ACLs are very useful for permanently blocking known UDP reflection ports.
  • IP Address / Subnets definitions are created in the System menu and then assigned to Global or SPP ACLs, reducing multiple entries.
  • Bogons IPs and/or Multicast IPs can be ACLed with option selection in any SPP.
  • SPPs replace feature tabs with multiple Profiles for IP, ICMP, TCP, HTTP, SSL/TLS, NTP and DNS. One Profile can be used by multiple SPPs, or one SPP can use multiple Profiles (TCP Detection and TCP Prevention, for example).
  • Source MAC address for aggressive aging is configurable per SPP, if needed
  • Strict Anomalies options are now included in several SPP Profile pages for Layer 2 to Layer 7 options.
  • Cloud Signaling Thresholds are entered in both pps and Mbps (crossing either triggers Signaling). Thresholds are now per SPP Policy (subnet).
  • Protection Subnets (subnets) are entered for each Service Protection Policy (SPP) instead of globally.
  • Explicit TCP thresholds are added for DNS Query, Question Count, Fragment, MX and ALL. B/E-Series has TCP Thresholds but they are hidden and the same as the UDP Thresholds.
  • IP Reputation and Domain Reputation are included in IP and DNS Profiles and thus are optional per SPP.
  • SSL/TLS Profile includes additional Cipher Anomaly option
  • tcpdump-style packet capture
  • Several formerly-global features such as IP Reputation are now set per SPP for better control
  • Additional Known Method Anomalies available

Removed/Changed/Deferred Features

B/E-Series Functionality not included in this release:

  • Support for FortiDDoS-CM Central Manager
  • Security Fabric Integration with FortiOS Dashboard
  • GTP-U support
  • Distress ACL or Auto-Distress ACL
  • Multi-tenant support (SPP or SPP Policy Group)
  • Fewer files included in Offline analysis file
  • SPP Backup/Restore
  • Attack Reports are Global only and are on-demand or on-schedule only. Report periods are Last 7 Days, Last Month or Last year only. (Removed per-SPP, per-SPP Policy, per-SPP Policy Group reports, on-Threshold reports and some time periods)
  • REST API has changed and requires documentation
  • Log & Report > DDoS Attack Graphs
  • SPP Policy Groups
  • Log & Report > Diagnostics
  • SPP-to-SPP Switching Policies
  • Restrict DNS Queries to specific subnets
  • System Recommendation Option for Actual or System Max Outbound Threshold (5.4.0)
  • Traffic Statistics Option for Peak or 95th Percentile Traffic (5.4.0)
  • Syslog RFC 5424 or Fortinet proprietary secure "OFTP" protocol (5.4.0)
  • CLI Commands for IP Reputation or Domain Reputation updates (5.4.0)
  • Search for IP addresses within various ACLs (5.3.0)

VM limits
  • VMs do not support the Fail-Open option. Fail-Open support is determined by the underlying server.
  • TCP Port Thresholds are calculated to 65,535 but Thresholds/Ranges are created for ports 1-1023 with one range for ports above 1023.
  • TCP Port Graphs display traffic and drops for Ports 1-1023. Port 1024 displays peak traffic rate for any port from 1024-65,535 and total drops associated with any of those ports. Attack logs show full port range 1-65,535.
  • UDP Port Thresholds are calculated to 65,535 but Thresholds/Ranges are created for 1-10,239 only with one range above that.
  • UDP Port Graphs display traffic and drops for Ports 1-10,239. Port 10,240 displays the peak traffic rate for any port from 10,240-65,535 and the total drops associated with any of those ports. Attack logs show the full port range 1-65,535 as well as reflected attack drops from ports 1-9,999.
  • ICMP Type/Code Thresholds are calculated from 0-65,535 but Threshold/Ranges are created for 0-10,239 only. Indexes from 10,240 to 65,535 are included in one range.
  • ICMP Type/Code graphs show indexes from 0/0 to 39/255 with all others showing in 40/0. Attack logs will show drops for Types/Codes for all Types/Codes from 0/0 to 255/255.
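Added example, not Fortinet's code or a FortiDDoS API: a small Python model of the range collapsing described in the VM limits above, showing which threshold/graph slot a port or ICMP Type/Code lands in versus the exact value the attack log records, and which UDP drops carry the Possible UDP Reflection Flood label from the 6.2.0 notes. The function names and the sample drops are constructed; the numeric limits are the ones stated on this page.

```python
"""Model of how a FortiDDoS VM collapses TCP/UDP port and ICMP Type/Code
thresholds and graphs into ranges while attack logs keep the full value.
Added example; limits taken from the VM limits notes, not from product code."""
from typing import Optional

# Highest individually tracked index per protocol; everything above shares one range.
INDIVIDUAL_MAX = {"tcp": 1023, "udp": 10_239, "icmp": 10_239}
# UDP drops whose *source* port is 1-9,999 are logged as Possible UDP Reflection Flood.
UDP_REFLECTION_SRC_PORT_MAX = 9_999


def icmp_index(icmp_type: int, code: int) -> int:
    """ICMP Type/Code as one 16-bit index (type * 256 + code); 39/255 is 10,239."""
    if not (0 <= icmp_type <= 255 and 0 <= code <= 255):
        raise ValueError("ICMP type and code are 8-bit values")
    return icmp_type * 256 + code


def icmp_label(index: int) -> str:
    """Render an index back as Type/Code, e.g. 10,240 -> '40/0'."""
    return f"{index // 256}/{index % 256}"


def graph_slot(proto: str, value: int) -> int:
    """Threshold/graph slot for a port (tcp/udp) or ICMP index on a VM.

    Values up to the per-protocol limit keep their own slot; all higher values
    share the single range slot at limit + 1 (TCP 1024, UDP 10,240, ICMP 40/0).
    """
    if not 0 <= value <= 65_535:
        raise ValueError("value must fit in 16 bits")
    limit = INDIVIDUAL_MAX[proto]
    return value if value <= limit else limit + 1


def describe_drop(proto: str, dst_value: int, src_port: Optional[int] = None) -> dict:
    """Where a dropped packet shows up: collapsed graph slot vs. exact attack-log value."""
    slot = graph_slot(proto, dst_value)
    return {
        "graph_slot": icmp_label(slot) if proto == "icmp" else slot,
        "log_value": icmp_label(dst_value) if proto == "icmp" else dst_value,
        "possible_udp_reflection": (
            proto == "udp" and src_port is not None
            and 1 <= src_port <= UDP_REFLECTION_SRC_PORT_MAX
        ),
    }


if __name__ == "__main__":
    # Constructed sample drops: TCP 8443, UDP 53000 answered from source port 389,
    # ICMP 3/13 and ICMP 255/255.
    for args in (("tcp", 8443), ("udp", 53000, 389),
                 ("icmp", icmp_index(3, 13)), ("icmp", icmp_index(255, 255))):
        print(args, describe_drop(*args))
```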
