Fortinet black logo

Handbook

Service port settings

Copy Link
Copy Doc ID 7b437c33-fcc7-11ec-bb32-fa163e15d75b:54684
Download PDF

Service port settings

In FortiDDoS, Service Ports are defined in two different ways:

  • All ports from 1-9999 are treated as well-known service ports. Inbound traffic from ephemeral ports (>9999) TO these ports is reported/graphed for that service port and outbound traffic is reported/graphed FROM that port. In other words the ephemeral ports are ignored, since we are trying to protect services. This allows you to see inbound and outbound traffic associated with the service port and makes it easy to see if traffic in one direction has a response from the other direction.
    The system also uses this information to determine UDP Port Floods and Possible UDP Reflection Floods.

    • Inbound UDP Floods to Service Ports as seen as UDP Port Floods.

    • Inbound UDP Floods where the SOURCE Port is a Service port are seen and logged a Possible UDP Reflection Floods.

  • Specific Service Ports are defined to more deeply inspect HTTP, SSL/TLS and DTLS as well as DNS and NTP.

Service Port Configuration

By default, the FortiDDoS system listens for services on the following ports:

  • DNS — UDP service port 53

  • NTP — UDP service port 123

  • HTTP — TCP service port 80

  • SSL/TLS — TCP service port 443

  • DTLS — UDP service port 443

DNS and NTP service ports are fixed and additional ports are not available.

If the servers in your network use non-standard ports for HTTP, SSL/TLS or DTLS traffic, you can configure the system to listen for these protocols on those nonstandard service ports. You can configure up to 128 HTTP, SSL/TLS or DTLS service ports. You can also configure Service Ports in ranges, 8080-8081, for example but all ports in the range (2) count towards the 128 port total.

Note: HTTP, SSL/TLS or DTLS Service Ports are added before System Recommended Thresholds are created, the extra Service Ports Thresholds are set to system maximum (no Thresholds), since other L4-L7 inspections will protect from attack. TCP and UDP Port ranges will be adjusted so that the service port has its own range entry.

HTTP, SSL/TLS or DTLS service port configuration is subsequently removed, the threshold remains at the high rate until you change it manually or perform the System Recommended Threshold procedure.

If HTTP, SSL/TLS or DTLS service ports are added after System Recommendations has been run, Port Thresholds are retained. This should not be a problem but can create false-positive drops if the Thresholds are too low. Adjust Thresholds as needed.

UDP Service Ports will retain the System Recommended Thresholds. Port ranges will be adjusted so that each service port has its own range entry.

DNS and NTP Ports are always set to system maximums but it is advisable to manually enter a threshold (2-3x the peak inbound rate seen on the graph) as a “safety” threshold in the rate case DNS and NTP mitigations are disabled or do not fully mitigate.

Fortinet recommends that the following UDP Ports >9999 are added: 11211, 32414, 33833, 33848, 37810, 37833. Reflection attacks have been seen from these ports in 2021. Some of these ports have valid traffic for some customers (Port 37833 may be used for STUN, for example), and these ephemeral ports may be used as Source ports by random selection. Thus there is some risk to simply ACLing these ports. Inclusion in the UDP Service Ports with a low Threshold will both protect you network and alert you if you are seeing reflection floods from these ports.

Before you begin:

  • You must have Read-Write permission for Global Settings.
To configure HTTP Service Port settings:
  1. Go to Service Protection > Service Protection Policy > {SPP List} > Service Protection Policy: Service Port Settings
  2. Enter the list of ports or port ranges, each separated by a space.
  3. Click Save.

Tooltip

To configure using the CLI:

config ddos spp rule

edit <spp_name>

set http-service-port <value> <value> …

set ssl-service-port <value> <value> …

set dtls-service-port <value> <value> …

set udp-service-port <value> <value> …

next

end

Note:

Setting service ports via CLI overwrites the current settings. Be sure to include existing ports. For example, DTLS has UDP Port 443 pre-configured. To add 8443, set dtls-service-port 443 8443 to retain the original port.

Service port settings

In FortiDDoS, Service Ports are defined in two different ways:

  • All ports from 1-9999 are treated as well-known service ports. Inbound traffic from ephemeral ports (>9999) TO these ports is reported/graphed for that service port and outbound traffic is reported/graphed FROM that port. In other words the ephemeral ports are ignored, since we are trying to protect services. This allows you to see inbound and outbound traffic associated with the service port and makes it easy to see if traffic in one direction has a response from the other direction.
    The system also uses this information to determine UDP Port Floods and Possible UDP Reflection Floods.

    • Inbound UDP Floods to Service Ports as seen as UDP Port Floods.

    • Inbound UDP Floods where the SOURCE Port is a Service port are seen and logged a Possible UDP Reflection Floods.

  • Specific Service Ports are defined to more deeply inspect HTTP, SSL/TLS and DTLS as well as DNS and NTP.

Service Port Configuration

By default, the FortiDDoS system listens for services on the following ports:

  • DNS — UDP service port 53

  • NTP — UDP service port 123

  • HTTP — TCP service port 80

  • SSL/TLS — TCP service port 443

  • DTLS — UDP service port 443

DNS and NTP service ports are fixed and additional ports are not available.

If the servers in your network use non-standard ports for HTTP, SSL/TLS or DTLS traffic, you can configure the system to listen for these protocols on those nonstandard service ports. You can configure up to 128 HTTP, SSL/TLS or DTLS service ports. You can also configure Service Ports in ranges, 8080-8081, for example but all ports in the range (2) count towards the 128 port total.

Note: HTTP, SSL/TLS or DTLS Service Ports are added before System Recommended Thresholds are created, the extra Service Ports Thresholds are set to system maximum (no Thresholds), since other L4-L7 inspections will protect from attack. TCP and UDP Port ranges will be adjusted so that the service port has its own range entry.

HTTP, SSL/TLS or DTLS service port configuration is subsequently removed, the threshold remains at the high rate until you change it manually or perform the System Recommended Threshold procedure.

If HTTP, SSL/TLS or DTLS service ports are added after System Recommendations has been run, Port Thresholds are retained. This should not be a problem but can create false-positive drops if the Thresholds are too low. Adjust Thresholds as needed.

UDP Service Ports will retain the System Recommended Thresholds. Port ranges will be adjusted so that each service port has its own range entry.

DNS and NTP Ports are always set to system maximums but it is advisable to manually enter a threshold (2-3x the peak inbound rate seen on the graph) as a “safety” threshold in the rate case DNS and NTP mitigations are disabled or do not fully mitigate.

Fortinet recommends that the following UDP Ports >9999 are added: 11211, 32414, 33833, 33848, 37810, 37833. Reflection attacks have been seen from these ports in 2021. Some of these ports have valid traffic for some customers (Port 37833 may be used for STUN, for example), and these ephemeral ports may be used as Source ports by random selection. Thus there is some risk to simply ACLing these ports. Inclusion in the UDP Service Ports with a low Threshold will both protect you network and alert you if you are seeing reflection floods from these ports.

Before you begin:

  • You must have Read-Write permission for Global Settings.
To configure HTTP Service Port settings:
  1. Go to Service Protection > Service Protection Policy > {SPP List} > Service Protection Policy: Service Port Settings
  2. Enter the list of ports or port ranges, each separated by a space.
  3. Click Save.

Tooltip

To configure using the CLI:

config ddos spp rule

edit <spp_name>

set http-service-port <value> <value> …

set ssl-service-port <value> <value> …

set dtls-service-port <value> <value> …

set udp-service-port <value> <value> …

next

end

Note:

Setting service ports via CLI overwrites the current settings. Be sure to include existing ports. For example, DTLS has UDP Port 443 pre-configured. To add 8443, set dtls-service-port 443 8443 to retain the original port.