What's New in FortiDDoS 6.x
6.3.2
FortiDDoS 6.3.2 offers the following new features:
Improvement to transceiver information for CLI
The transceiver information has been improved for the CLI commands get transceiver status and get transceiver status portx.
6.3.1
FortiDDoS 6.3.1 offers the following new features:
Top Attacks usability improvements
Dashboard > Top Attacks header for Direction, Time Period and SPP stays visible as you scroll down the page.
Attack logs for Global ACL Rules usability improvements
The Global Deny Rule log entries in the Attack log now show the rule name in the Event Details.
Dashboard enhancements
- The Detection/Prevention Mode status of all configured Service Protection Profiles (SPPs) will now be displayed on a single panel on the Dashboard.
- Improvements have been made to the System Resources Panel.
- The Dashboard layout has been improved to enhance usability.
6.3.0
FortiDDoS 6.3.0 offers the following new features:
DNS Profile enhancements
- Added FQDN Allow/Blocklist file upload, manual entry, and regex entries.
- FortiDDoS-F now supports DNS "0x20" mixed case FQDNs.
New DNS Header Anomaly
Incomplete DNS can now be used to block non-DNS traffic to Port 53.
DNSSEC enhancements
FortiDDoS-F has added DNSSEC inspection, anomaly and mitigation options.
UDP Service Ports monitor
User-entered UDP Service Ports over 9999 are now monitored for possible reflection floods.
New graphs and tables on FortiGate Security Fabric Dashboard
FortiDDoS-F now supports the following graphs and tables on FortiGate Security Fabric Dashboard: System Information, Data Path Resources, Aggregate Drops and Top Attacks.
SSL/TLS traffic inspection
FortiDDoS-F 1500F can now inspect SSL/TLS traffic for all HTTP Anomalies and Thresholds. Proper SSL Certificates are required.
Note: This is experimental in 6.3.0 and performance has not been confirmed.
LDAP, RADIUS, TACACS+ remote password authentication
LDAP, RADIUS, TACACS+ remote password authentication is now available with local username, profile and trusted hosts settings. This now supports GUI, CLI and Console logins.
TCP Profile enhancement
TCP Profile now adds Foreign Packet Threshold when Foreign Packet Validation is enabled.
New IP Reputation options
Added Phishing, Spam and TOR (exit nodes) Categories to IP Reputation options.
Debug enhancements
- Debug file now has a CUSTOMER folder which includes: Config, Attack logs, Thresholds, Protection Subnets list (event log in MySQL format to be improved in a later release). Do not use the Offline Analysis file.
- Additional debug logs are added for SNMP.
Packet Capture enhancements
Additional packet capture options are now available.
System time change in Event Log
An Event Log is now added when admin changes system time.
Out of Memory (OOM) conditions
Out of Memory (OOM) conditions are optionally set to pass traffic (bypass - default) or block packets. Please see documentation for conditions that may result in OOM drops.
New RRD troubleshooting and repair CLI commands
Additional RRD troubleshooting and repair CLI commands are now available, including execute create-spp-rrd spp_id 15 and check_stale_rrd_files, among others.
New User (admin) options
Additional menu items added to the User (admin) drop-down in the GUI:
- System: Reboot / Shutdown
- Configuration Backup / Restore
- Change Password
GUI enhancements
- Additional special characters are allowed for admin users: a-Z -9_.-*@.
- Data Port Speed and Duplex settings are shown on the Network > Interface page.
- Global ACL names are included in graphs.
- Enabled/Disabled status of Global and SPP ACLs is displayed in ACL lists.
- Variable column widths and text wrapping are added to the Dashboard > Status > Top Attacks panel, for improved readability of attack events.
- Link speed added to the Network GUI.
- Bypass status icon and inline/bypass text are added to the Dashboard > Status > System Information panel.
- Filter conditions for several parameter lists (ACLs, Network Ports, etc.) are improved.
- Network > Interface list can be filtered by Link Status and Config Status (for Port-Pairs and Ports).
- Improved GUI for System > SNMP > v1/v2/v3.
- A spinning "loading" icon is shown when the system is building list pages, such as Attack Logs.
- For most column-based lists, clicking the settings icon in the list header allows the user to customize the columns shown.
- Dashboard > SPP adds a column for SPP Status (Enabled/Disabled).
6.2.1
FortiDDoS 6.2.1 offers the following new features:
New CLI commands
- get system performance to check the CPU, memory, and disk usage. This command shows the system resources and matches the GUI Dashboard > Status > System Resources panel. The traditional Linux top command does not provide accurate information for DPDK processors, so use the get system performance command instead; its output matches the Dashboard and the Event Logs.
- diagnose debug rrd_files_check to diagnose SPP RRD numbers. Use execute spp-rrd-reset spp <rule_name> to reset databases that fail the rrd_files check. Use execute rrd-reset All to reset all databases.
Support to connect VM console
FortiDDoS VM now supports a console port with both VMware and KVM.
New SPP Operation Mode column in the Protected Subnets list
In the Service Protection > Protection Subnets list, columns have been added for Inbound and Outbound Operation Mode (Detection/Prevention).
SPP Navigation from inside FortiView > SPP detail page
You can now navigate between SPPs while in the Service Protection > Service Protection Policy page.
SPP added to Dashboard > Status > Attack Logs widget
The Dashboard Attack Logs panel now shows the SPP associated with the drop/attack log.
Match VM Model Release information with appliances
FortiDDoS model number (VM04/VM08/VM16) is shown in top header bar.
6.2.0
FortiDDoS 6.2.0 offers the following new features:
- SYN/ACK Scalar Thresholds for asymmetric traffic. With asymmetric traffic, FortiDDoS normally needs to assume an inbound SYN/ACK represents the response from an unseen outbound SYN and creates a connection table entry. This leaves the system/user open to advanced SYN/ACK floods. In 6.2.0 the following Thresholds are visible only when the system is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled:
  - SYN/ACK - aggregate rate of all SYN-ACKs into the SPP Protected Subnets
  - SYN/ACK per Destination - maximum rate of SYN-ACKs to any single destination in the SPP Protected Subnets
  - SYN/ACK Thresholds are not automatically learned and System Recommendations are not created. Use the above graphs to calculate peak rates and create manual thresholds.
  - There is no Adaptive Threshold for these Scalars.
  - These thresholds function on INBOUND traffic only.
- DTLS Profile is added to Service Protection Policies. Use DTLS to prevent DTLS direct and reflection attacks on all services.
- Possible UDP Reflection Flood is added from B/E-Series with similar functionality. Any drops associated with UDP Port Thresholds FROM Ports 1-9999 are shown in the attack logs as Possible UDP Reflection Floods. This protects from and identifies any of the more than 30 currently known UDP reflection ports like 19, 111, 389, etc., as well as identifying future reflections on any port lower than 10,000. FortiDDoS F-Series does not support UDP Service ports in 6.2.0.
- System Recommendation now has an option to use actual outbound traffic statistics for outbound thresholds or set all outbound thresholds to system maximum (default and recommended).
- Treatment of Global ACLs changes with a dedicated "SPP" for all kinds of Global ACLs. New items added for:
  - Dashboard > Top Attacks > Global: Global ACL Attack table
  - Monitor > Drops Monitor > Global: Graphs of Global Aggregate and ACL Rule Drops
- A Protection Subnets List GUI page is added to list all Protection Subnets for all SPPs and the Detection Mode/Prevention Mode status of the SPP hosting the Protection Subnet. Protection Subnets cannot be edited from this page.
- Blocklisted IPv4 and Blocklisted Domains UIs have been improved to show the number of addresses/Domains applied and the last update date, to add and delete individual addresses/Domains, and to search for an address/Domain in the lists.
- Navigation is available between Service Protection Policies when in the SPP editing pages.
- FortiGuard scheduled updates are changed to Daily or Weekly only. More frequent updates were not providing additional information.
- Reboot and Shutdown commands are added to the top-right user logout menu.
- The Domain Reputation attack log event has been separated from the Domain Blocklist event.
- FortiView Threatmap improves time-period selection for display.
- Additional tool-tip date and time information is available on longer-period graphs (week/month/year).
- Added CLI command to restart nginx (GUI)
- Added CLI command get bypass-status to show inline/bypass status of associated ports.
- Added CLI command diagnose dataplane geo-ip <IPv4 address(no mask)>. This allows the user to check within which geolocation a specific IPv4 address is located.
- Labeling, graph units, borders, field sizes, event log, attack log and tool tip information and other improvements added throughout the GUI.
6.1.0
FortiDDoS-F 6.1.0 is built on the feature base of FortiDDoS-F B/E-Series with these notable additions:
- VM support in VMware hypervisor environments
- NTP from E-Series on all models
- Additional SSL DDoS Mitigation settings
- 16x SPPs in 1500F
- The System Recommendation changes from 5.4.0 (Separate L4 Scalars/ICMP / TCP Ports / UDP Port) are included
- DNS Rcode Scalars are included in Traffic Statistics and System Recommendation
- Split System Recommendation for Layer 4 Scalars/ICMP, TCP Ports and UDP Ports included from B/E 5.4.0
- Common UDP Source Reflection Ports are pre-populated in Global Service definitions for use with Global or SPP ACLs
- Service port definitions support Source Port or Destination Port. Source Port ACLs are very useful for permanently blocking known UDP reflection ports.
- IP Address / Subnets definitions are created in the System menu and then assigned to Global or SPP ACLs, reducing multiple entries.
- Bogons IPs and/or Multicast IPs can be ACLed with option selection in any SPP.
- SPPs replace feature tabs with multiple Profiles for IP, ICMP, TCP, HTTP, SSL/TLS, NTP and DNS. One Profile can be used by multiple SPPs, or one SPP can use multiple Profiles (TCP Detection and TCP Prevention, for example).
- Source MAC address for aggressive aging is configurable per SPP, if needed
- Strict Anomalies options are now included in several SPP Profile pages for Layer 2 to Layer 7 options.
- Cloud Signaling Thresholds are entered in both pps and Mbps (crossing either triggers Signaling). Thresholds are now per SPP Policy (subnet).
- Protection Subnets (subnets) are entered for each Service Protection Policy (SPP) instead of globally.
- Explicit TCP thresholds are added for DNS Query, Question Count, Fragment, MX and ALL. B/E-Series has TCP Thresholds but they are hidden and the same as the UDP Thresholds.
- IP Reputation and Domain Reputation are included in IP and DNS Profiles and thus are optional per SPP.
- SSL/TLS Profile includes additional Cipher Anomaly option
- tcpdump-style packet capture
- Several formerly-global features such as IP Reputation are now set per SPP for better control
- Additional Known Method Anomalies available
Removed/Changed/Deferred Features
B/E-Series Functionality not included in this release:
- Support for FortiDDoS-CM Central Manager
- Security Fabric Integration with FortiOS Dashboard
- GTP-U support
- Distress ACL and Auto-Distress ACL
- Multi-tenant support (SPP or SPP Policy Group)
- Fewer files included in Offline analysis file
- SPP Backup/Restore
- Attack Reports are Global only and are on-demand or on-schedule only. Report periods are Last 7 Days, Last Month or Last year only. (Removed per-SPP, per-SPP Policy, per-SPP Policy Group reports, on-Threshold reports and some time periods)
- REST API has changed and requires documentation
- Log & Report > DDoS Attack Graphs
- SPP Policy Groups
- Log & Report > Diagnostics
- SPP-to-SPP Switching Policies
- Restrict DNS Queries to specific subnets
- System Recommendation Option for Actual or System Max Outbound Threshold (5.4.0)
- Traffic Statistics Option for Peak or 95th Percentile Traffic (5.4.0)
- Syslog RFC 5424 or Fortinet proprietary secure "OFTP" protocol (5.4.0)
- CLI Commands for IP Reputation or Domain Reputation updates (5.4.0)
- Search for IP addresses within various ACLs (5.3.0)
VM limits
- VMs do not support the Fail-Open option. Fail-Open support will be determined by the underlying server.
- TCP Port Thresholds are calculated to 65,535 but Thresholds/Ranges are created for ports 1-1023 with one range for ports above 1023.
- TCP Port Graphs display traffic and drops for Ports 1-1023. Port 1024 displays peak traffic rate for any port from 1024-65,535 and total drops associated with any of those ports. Attack logs show full port range 1-65,535.
- UDP Port Thresholds are calculated to 65,535 but Thresholds/Ranges are created for 1-10,239 only with one range above that.
- UDP Port Graphs display traffic and drops for Ports 1-10,239. Port 10,240 displays the peak traffic rate for any port from 10,240-65,535 and total drops associated with any of those ports. Attack logs show the full port range 1-65,535 as well as reflected attack drops from ports 1-9,999.
- ICMP Type/Code Thresholds are calculated from 0-65,535 but Threshold/Ranges are created for 0-10,239 only. Indexes from 10,240 to 65,535 are included in one range.
- ICMP Type/Code graphs show indexes from 0/0 to 39/255 with all others showing in 40/0. Attack logs will show drops for Types/Codes for all Types/Codes from 0/0 to 255/255.
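The VM limits above collapse high TCP/UDP ports and high ICMP Type/Code indexes into a single catch-all range, and the 6.2.0 notes log UDP Port Threshold drops from ports 1-9,999 as Possible UDP Reflection Floods. The following is an added example (not FortiDDoS code) that models those documented boundaries so you can work out where a given port or Type/Code lands in the graphs and attack logs; the function names are my own, and the only assumption is that the ICMP index is Type*256 + Code, which is what makes 39/255 equal 10,239.

```python
# Added example, not FortiDDoS code: a model of the documented VM bucketing.
# Boundaries are taken from the release notes; the ICMP index formula
# (type*256 + code) is an assumption consistent with 39/255 -> 10,239.

TCP_LAST_INDIVIDUAL = 1023       # TCP: own range for ports 1-1023, one range above
UDP_LAST_INDIVIDUAL = 10239      # UDP: own range for ports 1-10,239, one range above
ICMP_LAST_INDIVIDUAL = 10239     # ICMP: own range for indexes 0-10,239, one above
UDP_REFLECTION_MAX_PORT = 9999   # UDP drops FROM ports 1-9,999 -> possible reflection


def icmp_index(icmp_type: int, code: int) -> int:
    """Map an ICMP Type/Code pair onto the 0-65,535 index space."""
    if not (0 <= icmp_type <= 255 and 0 <= code <= 255):
        raise ValueError("ICMP Type and Code are 8-bit values")
    return icmp_type * 256 + code


def port_threshold_bucket(proto: str, port: int) -> int:
    """Return the threshold/graph bucket a destination port falls into on a VM.

    Ports up to the per-protocol limit keep their own bucket; anything above
    collapses into the single catch-all bucket (1024 for TCP, 10,240 for UDP).
    """
    if proto not in ("tcp", "udp"):
        raise ValueError("proto must be 'tcp' or 'udp'")
    if not (1 <= port <= 65535):
        raise ValueError("port must be in 1-65,535")
    last = TCP_LAST_INDIVIDUAL if proto == "tcp" else UDP_LAST_INDIVIDUAL
    return port if port <= last else last + 1


def icmp_graph_bucket(icmp_type: int, code: int) -> tuple[int, int]:
    """Graphs show 0/0 .. 39/255 individually; everything else appears as 40/0."""
    if icmp_index(icmp_type, code) <= ICMP_LAST_INDIVIDUAL:
        return (icmp_type, code)
    return (40, 0)


def is_possible_udp_reflection(src_port: int) -> bool:
    """UDP Port Threshold drops FROM ports 1-9,999 are logged as reflection floods."""
    return 1 <= src_port <= UDP_REFLECTION_MAX_PORT


if __name__ == "__main__":
    # Constructed sample drops: (proto, port) as they might appear in an attack log.
    for proto, port in (("tcp", 443), ("tcp", 50000), ("udp", 389), ("udp", 60000)):
        print(proto, port, "-> bucket", port_threshold_bucket(proto, port),
              "| reflection:", proto == "udp" and is_possible_udp_reflection(port))
    print("ICMP 200/5 graphs as", icmp_graph_bucket(200, 5))
```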