IP Profile
Use the IP Profile to configure various IP parameters and ACLs. Always assign an IP profile to every SPP.
Use a single IP Profile for all SPPs unless you need specialized ACLs for Fragments, IP Reputation or Domain Reputation.
All IP Profile parameters can be used with symmetric or asymmetric traffic.
You can create a maximum of 64 IP Profiles.
IP Reputation
The FortiGuard IP Reputation service is a licensed subscription that maintains a database of malicious IP addresses that pose a threat to your network and clients. After you purchase IP Reputation, you register the service contract to the FortiDDoS appliance serial number. Then, you can schedule updates to the IP Reputation list.
IP Reputation is not required for DDoS mitigation. It is not a Threat Signature subscription; Threat Signatures are not required with FortiDDoS. IP Reputation is a subset of FortiGuard's full web/domain/IP filtering service, containing IPs with known affiliations to DDoS attacks and known Anonymous Proxies (like Tor). Either or both subsets can be enabled.
If you are using existing Firewall/Proxy/Web/Domain/IP filtering products or services, FortiGuard IP Reputation services subscription is not required.
IP Reputation is enabled/disabled within this IP Profile. If this IP Profile is assigned to an SPP, then all traffic in that SPP will be checked for IP Reputation. If, for some reason, you want an SPP to ignore IP Reputation anomalies, create a different IP Profile with IP Reputation disabled and assign that profile to the SPP.
First set up FortiGuard access in System > FortiGuard. To use over-the-network updates, the management port must be able to access the Internet and DNS. If the system is behind a web proxy, set up Tunneling (proxy).
After you have set up FortiGuard and enabled the feature, the FortiDDoS system downloads the most recent definitions file and then maintains updates for it according to the schedule you configure.
The Dashboard > Status: License Information portlet and System > FortiGuard: License Information both display the status of the most recent update (IP Reputation Service Definition). If the download is successful and new definitions are available, the lists are replaced; otherwise, the previous list remains in use. The License Information portlet also displays the status of your IP Reputation license (IP Reputation Service Contract Date). If your license expires, the IP Reputation database is removed from the appliance. This is to prevent stale entries from affecting your traffic. You can configure how the FortiDDoS system receives scheduled updates.
Note: Since an IP address appears in both the inbound and outbound traffic (as source in one direction and destination in the other), IP Reputation drops any packet it sees that contains a listed address, even if FortiDDoS does not see one direction of the traffic in asymmetric environments.
Field/Selection | Description | Recommendations (For Web Servers, Firewalls, DNS Servers)
---|---|---
Name | 1-35 characters (a-Z, 0-9, "-", "_" only) |
IP Strict Anomalies | Drops packets where: | Recommended enabled for all SPPs. If traffic appears to be affected, disable to troubleshoot. This parameter has been default-enabled on FortiDDoS for many years and has never been seen to cause failure of legitimate traffic.
IP Private Check | Drops packets where the Source IP is from the Internet Private address space such as 10.0.0.0/8. |
IP Multicast Check | Drops packets where the Source IP is from the Internet Multicast address space such as 224.0.0.0/24. |
IP Fragment Check | |
Other Protocol Fragment | Drops fragmented packets from protocols other than TCP or UDP. | Expert use. Normally not recommended. Use Fragment Thresholds. Use only for specific applications, e.g. drop UDP fragments ONLY for servers that NEVER see UDP traffic.
TCP Fragment | Drops fragmented TCP packets. |
UDP Fragment | Drops fragmented UDP packets. |
IP Reputation Categories | |
DDoS | Downloads IP Reputation files to ACL only known DDoS and C&C IPs. | Requires FortiGuard IP Reputation Subscription. Use as desired.
Anonymous Proxies | Downloads IP Reputation files to ACL only known Anonymous Proxies such as Tor. |
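The following is an added reference model of the IP Profile checks described in the table and in the asymmetric-traffic note above; it is not FortiDDoS code or its API. It assumes a dataclass with one toggle per table row, the three RFC 1918 ranges for the Private check (the page cites only 10.0.0.0/8), the full 224.0.0.0/4 block for the Multicast check, and a constructed frozenset standing in for the downloaded reputation list.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: RFC 1918 ranges model "Internet Private address space".
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
TCP, UDP = 6, 17


@dataclass
class IPProfile:
    """Hypothetical model of the IP Profile toggles (not the FortiDDoS API)."""
    private_check: bool = True
    multicast_check: bool = True
    other_protocol_fragment: bool = False   # expert use, normally off
    tcp_fragment: bool = False
    udp_fragment: bool = False
    reputation_enabled: bool = False
    reputation_list: frozenset = frozenset()  # stands in for the FortiGuard download


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    fragment: bool = False  # True when MF is set or the fragment offset is non-zero


def evaluate(profile: IPProfile, pkt: Packet):
    """Return the name of the check that drops the packet, or None if it passes."""
    src = ipaddress.ip_address(pkt.src)
    if profile.private_check and any(src in net for net in PRIVATE_NETS):
        return "IP Private Check"
    if profile.multicast_check and src.is_multicast:   # 224.0.0.0/4
        return "IP Multicast Check"
    if pkt.fragment:
        if pkt.proto == TCP and profile.tcp_fragment:
            return "TCP Fragment"
        if pkt.proto == UDP and profile.udp_fragment:
            return "UDP Fragment"
        if pkt.proto not in (TCP, UDP) and profile.other_protocol_fragment:
            return "Other Protocol Fragment"
    # Per the note above, a listed address matches in either direction (src or dst),
    # so the outbound half of an asymmetric flow is still caught.
    if profile.reputation_enabled and {pkt.src, pkt.dst} & profile.reputation_list:
        return "IP Reputation"
    return None


if __name__ == "__main__":
    # Constructed sample traffic using TEST-NET addresses, not real indicators.
    prof = IPProfile(reputation_enabled=True, reputation_list=frozenset({"198.51.100.7"}))
    for p in (Packet("10.1.2.3", "198.51.100.10", TCP),
              Packet("198.51.100.10", "198.51.100.7", TCP),
              Packet("198.51.100.20", "198.51.100.10", UDP, fragment=True)):
        print(p.src, "->", p.dst, "=>", evaluate(prof, p) or "pass")
```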