Fortinet black logo

Handbook

TCP Profile

Copy Link
Copy Doc ID 7b437c33-fcc7-11ec-bb32-fa163e15d75b:581710
Download PDF

TCP Profile

Use the TCP Profile to configure various TCP parameters. A TCP Profile should be used for ALL SPPs, even ones that host primarily UDP service.

Some TCP Profile parameters CANNOT be used with asymmetric traffic. Be aware of your routing environment and Global Protection > Deployment > Asymmetric Mode setting.

You can create a maximum of 64 TCP Profiles.

Note 1: It is IMPORTANT that SYN Validation is enabled when this profile is used for any SPP in Prevention Mode. If SYN Validation is NOT enabled, the SYN Thresholds are ignored and there is is no protection from SYN floods.

Note 2: SYN Flood Mitigation requires interaction with the sending Client which will not happen if the SPP is in DETECTION Mode. You should create a TCP-Detection mode Profile with SYN Validation disabled and TCP-Prevention mode Profile with SYN Validation enabled and change this profile when you change Detection/Prevention Modes for the SPP.

Note 3: You cannot delete any TCP Profile if it has any definitions for TCP Session Extended Source Address IPv4/IPv6. Remove those from the TCP Profile first. Those addresses/groups may be in use by other SPPs or Profiles.

Field/Selection

Description

Recommendations

Detection Mode

Prevention Mode

Symmetric Traffic

Asymmetric Traffic

Name 1-35 characters (a-Z, 0-9, "-", "_" only)
SYN Flood Protection
SYN Flood Mitigation Mode
  • SYN cookie (Recommended)—Sends a SYN/ACK with a cookie value in the TCP sequence field. If it receives an ACK back with the right cookie, a SYN/RST packet is sent and the IP address is added to the legitimate IP address table. When the client then automatically retries, it succeeds in making a TCP connection. Fortinet recommends this option.
  • ACK cookie—Sends the client two ACK packets: one with a correct ACK number and another with a wrong number. The system determines whether the source is spoofed based on the client’s response. If the client’s response indicates that the source is not spoofed, FortiDDoS allows the connection and adds the source to the legitimate IP address table. Fortinet recommends this option if you have enough bandwidth in the reverse direction of the attack.
  • SYN retransmission—Drops the initial SYNs to force the client to send a SYN again. If the expected number of retransmitted SYNs arrive within the predetermined time period, the system considers the source to be legitimate. FortiDDoS then allows the connection to go through and adds the source to the legitimate IP address table. Fortinet no longer recommends this option
SYN Cookie
SYN Flood Mitigation Direction Inbound Recommended Outbound not normally required - Expert use Inbound
SYN With Payload

SYN with Payload blocks SYN packets that are tno header-only packets - they have additional, usually-malicious payload. Attackers use SYN with Payload to increase the size of their attacks.

However, a draft IETF standard (Fast Open) allows payload with SYNs and some Hosting companies are experimenting with it. If you see SYNwithPayload drops, investigate the Protected IPs.

Inbound Recommended

Outbound not normally required - Expert use

Inbound
TCP Slow Connection Protection

Use this section to specify:

  • Slow connection detection settings (Type, Threshold and ObservationPeriod). These settings are only used if Slow TCP Connections is enabled below in TCP Session Settings.
  • Slow Connection Source Blocking option

Note the following:

  • Do not use Slow Connection settings with asymmetric traffic. FortiDDoS counts Bytes for the connection in both directions since a single command may result in a large file download with occasional ACKs from the client. If FortiDDoS does not see the outbound packets (for example), it may trigger a false positive Slow Connection.
  • Do not use Slow Connections settings with any authenticating servers such as SSL-VPN, FTP or any server that allows a user to login and stay idle for any period of time (e-commerce, for example). Idle sessions will trigger Slow Connection mitigation and may drop the user’s session unexpectedly.
  • Slow Connection settings are best tuned while the system is in Prevention Mode. If attempting in Detection Mode, enable Block Sources with Slow TCP Connections. This will provide additional logging information, BUT it may also result in a large number of 'Foreign Packet' drops which can be ignored.
Expert - Many servers allow logins or allow long idle times. These will trigger TCP Slow Connections and unexpectedly drop legitimate connections. Use FortiWeb of FortiADC to manage slow connections on these types of servers. No
  • Slow Connection Type

Select one of the following options from the drop-down:

  • Moderate: Uses predefined thresholds to detect slow connection attacks.
  • Aggressive: Uses more aggressive (lower) thresholds to detect slow connection attacks.
  • User Defined: Enables advanced users to specify custom thresholds to detect slow connection attacks.
  • None (Default): Do not monitor for slow connection attacks. If this setting is chosen, disable TCP Sessions Settings > Aggressive Aging Feature Control: Slow TCP Connections below as well.

Note: To reduce false positives, Fortinet recommends you to initially set the option to moderate and switch to aggressive only if required. When the 'User Defined' option is selected, the defaults are set to 1 Byte per 15 seconds which allows lower rates than the default 'moderate' setting. We recommend to use the predefined moderate and Aggressive values as guidelines to help you specify your own settings.

Thresholds are triggered when a session sends or receives data at a SLOWER rate than the number of Bytes over the Observation Threshold.

Expert No
  • Block Sources With Slow TCP Connections

Normally enabled if above Slow Connection Type is not None.

This results in an attack log called 'Slow Connection: Source flood'. this log includes the Source IP of the Slow Connection, which is useful for analysis and potentially ACLing the Source.

Use this option with care. Using Block Sources will block all traffic from those Sources. For example, if one client behind a firewall is creating a Slow Connection, all traffic from the firewall will be blocked.

Disabling this option results in an attack event called Foreign Packets (Aggressive Aging and Slow Connections) which is shared with other Aggressive Aging events (see Aggressive aging.)

Expert

No

  • Slow Connection Byte Threshold

The number of Bytes that must be seen within the Observation Period below to prevent triggering Slow Connection Mitigation.

Note, this number is pre-filled for Types: Moderate or Aggressive and can be customized for Type: User Defined. If Type: None is selected, numbers are shown in the Byte Threshold but are ignored.

Expert

No

  • Slow Connection Observation Period

The time period (in seconds) during which Bytes are counted. Once the Byte threshold above is crossed, the Observation Period is reset and the Byte count starts again.

Note, this number is pre-filled for Types: Moderate or Aggressive and can be customized for Type: User Defined. If Type: None is selected, numbers are shownin the Observation Period but are ignored.

Expert

No

TCP Packets Validation

TCP Session Feature Control:

  • Sequence Validation

Drops packets with invalid TCP sequence numbers.

Note: Some vendors intentionally use non-standard sequence numbers for end-to-end signaling between WANop devices. If you see large numbers of OUTBOUND Sequence Validation Drops, disable the feature.

Enable

Enable

Disable

  • SYN Validation

Enables SYN Flood validation using the method selected above. If this is NOT enabled, SYN Thresholds are ignored and SYN Floods are not mitigated.

If this feature is enabled in DETECTION Mode and there is a SYN Flood, the system is unable to send validation packets, resulting in unusual logging.

This feature should be disabled while in DETECTION Mode.

Disable

Enable

  • State Transition Anomalies Validation

Drops packets with TCP state transitions that are invalid. For example, if an ACK packet is received when FortiDDoS has not observed a SYN/ACK packet, it is a state transition anomaly.

FortiDDoS features can be used in Asyymetric Mode, provided Allow Inbound SYN-ACK is also enabled. See Global Protection features.

Enable

Enable

  • Foreign Packet Validation

Drops TCP packets without an existing TCP connection and reports them as a foreign packet. In most cases, the foreign packets validation is useful for filtering out junk.

Note: Inbound Foreign Packets will be passed in DETECTION Mode and may result in matching outbound Foeign Packets. If in doubt, disable Foreign Packet Validation when the SPP is in DETECTION mode.

Disable

Enable

  • Allow Tuple Reuse

Allows a new connection with the same 5-tuple (Sooure IP:port, Protocol, Destination IP:Port) while the existing connection is in the closed or close-wait, fin-wait, time-wait states.

Enable

  • Allow Duplicate SYN in SYN Sent

Allows duplicate TCP SYN packets during the SYN-SENT state. It allows this type of packet even if the sequence numbers are different.

Enable

Optional but not necessary

  • Allow Duplicate SYN in SYN Recv

Allows duplicate TCP SYN packets during the SYNRECV

state. It allows this type of packet even if the

sequence numbers are different.

Disable

  • Allow SYN Anomaly

Allows duplicate TCP packets during any other state even if the sequence numbers are different from the existing connection entry. This is equivalent to allowing the packet without updating an existing connection entry with the new information from the allowed packet.

Use on Fortinet recommendation only

  • Allow SYN ACK Anomaly
  • Allow ACK Anomaly
  • Allow RST Anomaly
  • Allow FIN Anomaly
  • Drop Threshold For Foreign Packets

If Foreign Packet Validation is enabled, this optional field is shown. Default value is 0 with range 0-65535.

If a non-zero Threshold is added here, Foreign Packets will not be dropped nor displayed unless their packet rate exceeds the Threshold when they will be dropped and displayed in logs and graphs.

Use this Threshold if Foreign Packet drop logs are distracting, since most customers will see small numbers of drops every logging cycle.

Note: If the Foreign Packet Threshold is set and Foreign Packet Validation is disabled, the Threshold is reset to 0 and must be replaced when Foreign Packet Validation is re-enabled.

  • Strict Anomalies

Drops various TCP Header Anomalies including:

  • TCP Checksum Error
  • TCP Invalid Flag Combination
  • Other header anomalies, such as incomplete packet
  • SYN or FIN or RST is set for fragmented packets
  • Data offset is less than 5 for a TCP packet
  • End of packet is detected before the 20 bytes of TCP header
  • Length field in Window scale option other than 3 in a TCP packet

Enable

TCP Session Settings

Aggressive Aging Feature Control

Controls sending RSTs to servers

High Concurrent Connection per Source

Sends TCP RSTs to the protected destination server(s) to reset connections from the identified Source IP when

the Concurrent Connection per Source threshold is crossed.

Optional. System cannot send RSTs in Detection mode which may result in unusually logging.

Enable

Slow TCP Connections

Sends TCP RSTs to the protected destination server(s) to reset connections from the identified source depending on the Slow Connection settings above.

Optional. System cannot send RSTs in Detection mode which may result in unusually logging.

Expert

No

TCP Session Idle Timeout

Idle timeout period for any TCP session. The default value is 528 seconds. Use this timer to age idle TCP sessions (sessions with no traffic for long periods),

for all connections and ports. This timer should match other idle timers in your infrastructure such as firewalls.

Always monitored

This setting is ignored in Asymmetric Mode

TCP Session Idle Timeout Unit

Seconds, Minutes, Hours.

TCP Session Extended Timeout

Extended timeout value for specific IP addresses (IPv4 only) where the timeout should be longer than the idle timeout period. For example, this setting can be configured for specific IP addresses in environments where persistent SSH/TELNET/HTTP connections are used. This timer should be longer than the TCP Session Idle Timeout. See also, Session timeout precedence and application, below.

Always monitored

This setting is ignored in Asymmetric Mode

TCP Session Extended Timeout Unit

Seconds, Minutes, Hours.

TCP Session Extended Source Type

IPv4 Address or IPv4 Address Group

Always monitored

This setting is ignored in Asymmetric Mode

TCP Session Extended Source Address IPv4

Select from the Global IP address / IP Address Group definitions

Example Settings:

TCP Detection Mode

TCP Prevention Mode

TCP Profile

Use the TCP Profile to configure various TCP parameters. A TCP Profile should be used for ALL SPPs, even ones that host primarily UDP service.

Some TCP Profile parameters CANNOT be used with asymmetric traffic. Be aware of your routing environment and Global Protection > Deployment > Asymmetric Mode setting.

You can create a maximum of 64 TCP Profiles.

Note 1: It is IMPORTANT that SYN Validation is enabled when this profile is used for any SPP in Prevention Mode. If SYN Validation is NOT enabled, the SYN Thresholds are ignored and there is is no protection from SYN floods.

Note 2: SYN Flood Mitigation requires interaction with the sending Client which will not happen if the SPP is in DETECTION Mode. You should create a TCP-Detection mode Profile with SYN Validation disabled and TCP-Prevention mode Profile with SYN Validation enabled and change this profile when you change Detection/Prevention Modes for the SPP.

Note 3: You cannot delete any TCP Profile if it has any definitions for TCP Session Extended Source Address IPv4/IPv6. Remove those from the TCP Profile first. Those addresses/groups may be in use by other SPPs or Profiles.

Field/Selection

Description

Recommendations

Detection Mode

Prevention Mode

Symmetric Traffic

Asymmetric Traffic

Name 1-35 characters (a-Z, 0-9, "-", "_" only)
SYN Flood Protection
SYN Flood Mitigation Mode
  • SYN cookie (Recommended)—Sends a SYN/ACK with a cookie value in the TCP sequence field. If it receives an ACK back with the right cookie, a SYN/RST packet is sent and the IP address is added to the legitimate IP address table. When the client then automatically retries, it succeeds in making a TCP connection. Fortinet recommends this option.
  • ACK cookie—Sends the client two ACK packets: one with a correct ACK number and another with a wrong number. The system determines whether the source is spoofed based on the client’s response. If the client’s response indicates that the source is not spoofed, FortiDDoS allows the connection and adds the source to the legitimate IP address table. Fortinet recommends this option if you have enough bandwidth in the reverse direction of the attack.
  • SYN retransmission—Drops the initial SYNs to force the client to send a SYN again. If the expected number of retransmitted SYNs arrive within the predetermined time period, the system considers the source to be legitimate. FortiDDoS then allows the connection to go through and adds the source to the legitimate IP address table. Fortinet no longer recommends this option
SYN Cookie
SYN Flood Mitigation Direction Inbound Recommended Outbound not normally required - Expert use Inbound
SYN With Payload

SYN with Payload blocks SYN packets that are tno header-only packets - they have additional, usually-malicious payload. Attackers use SYN with Payload to increase the size of their attacks.

However, a draft IETF standard (Fast Open) allows payload with SYNs and some Hosting companies are experimenting with it. If you see SYNwithPayload drops, investigate the Protected IPs.

Inbound Recommended

Outbound not normally required - Expert use

Inbound
TCP Slow Connection Protection

Use this section to specify:

  • Slow connection detection settings (Type, Threshold and ObservationPeriod). These settings are only used if Slow TCP Connections is enabled below in TCP Session Settings.
  • Slow Connection Source Blocking option

Note the following:

  • Do not use Slow Connection settings with asymmetric traffic. FortiDDoS counts Bytes for the connection in both directions since a single command may result in a large file download with occasional ACKs from the client. If FortiDDoS does not see the outbound packets (for example), it may trigger a false positive Slow Connection.
  • Do not use Slow Connections settings with any authenticating servers such as SSL-VPN, FTP or any server that allows a user to login and stay idle for any period of time (e-commerce, for example). Idle sessions will trigger Slow Connection mitigation and may drop the user’s session unexpectedly.
  • Slow Connection settings are best tuned while the system is in Prevention Mode. If attempting in Detection Mode, enable Block Sources with Slow TCP Connections. This will provide additional logging information, BUT it may also result in a large number of 'Foreign Packet' drops which can be ignored.
Expert - Many servers allow logins or allow long idle times. These will trigger TCP Slow Connections and unexpectedly drop legitimate connections. Use FortiWeb of FortiADC to manage slow connections on these types of servers. No
  • Slow Connection Type

Select one of the following options from the drop-down:

  • Moderate: Uses predefined thresholds to detect slow connection attacks.
  • Aggressive: Uses more aggressive (lower) thresholds to detect slow connection attacks.
  • User Defined: Enables advanced users to specify custom thresholds to detect slow connection attacks.
  • None (Default): Do not monitor for slow connection attacks. If this setting is chosen, disable TCP Sessions Settings > Aggressive Aging Feature Control: Slow TCP Connections below as well.

Note: To reduce false positives, Fortinet recommends you to initially set the option to moderate and switch to aggressive only if required. When the 'User Defined' option is selected, the defaults are set to 1 Byte per 15 seconds which allows lower rates than the default 'moderate' setting. We recommend to use the predefined moderate and Aggressive values as guidelines to help you specify your own settings.

Thresholds are triggered when a session sends or receives data at a SLOWER rate than the number of Bytes over the Observation Threshold.

Expert No
  • Block Sources With Slow TCP Connections

Normally enabled if above Slow Connection Type is not None.

This results in an attack log called 'Slow Connection: Source flood'. this log includes the Source IP of the Slow Connection, which is useful for analysis and potentially ACLing the Source.

Use this option with care. Using Block Sources will block all traffic from those Sources. For example, if one client behind a firewall is creating a Slow Connection, all traffic from the firewall will be blocked.

Disabling this option results in an attack event called Foreign Packets (Aggressive Aging and Slow Connections) which is shared with other Aggressive Aging events (see Aggressive aging.)

Expert

No

  • Slow Connection Byte Threshold

The number of Bytes that must be seen within the Observation Period below to prevent triggering Slow Connection Mitigation.

Note, this number is pre-filled for Types: Moderate or Aggressive and can be customized for Type: User Defined. If Type: None is selected, numbers are shown in the Byte Threshold but are ignored.

Expert

No

  • Slow Connection Observation Period

The time period (in seconds) during which Bytes are counted. Once the Byte threshold above is crossed, the Observation Period is reset and the Byte count starts again.

Note, this number is pre-filled for Types: Moderate or Aggressive and can be customized for Type: User Defined. If Type: None is selected, numbers are shownin the Observation Period but are ignored.

Expert

No

TCP Packets Validation

TCP Session Feature Control:

  • Sequence Validation

Drops packets with invalid TCP sequence numbers.

Note: Some vendors intentionally use non-standard sequence numbers for end-to-end signaling between WANop devices. If you see large numbers of OUTBOUND Sequence Validation Drops, disable the feature.

Enable

Enable

Disable

  • SYN Validation

Enables SYN Flood validation using the method selected above. If this is NOT enabled, SYN Thresholds are ignored and SYN Floods are not mitigated.

If this feature is enabled in DETECTION Mode and there is a SYN Flood, the system is unable to send validation packets, resulting in unusual logging.

This feature should be disabled while in DETECTION Mode.

Disable

Enable

  • State Transition Anomalies Validation

Drops packets with TCP state transitions that are invalid. For example, if an ACK packet is received when FortiDDoS has not observed a SYN/ACK packet, it is a state transition anomaly.

FortiDDoS features can be used in Asyymetric Mode, provided Allow Inbound SYN-ACK is also enabled. See Global Protection features.

Enable

Enable

  • Foreign Packet Validation

Drops TCP packets without an existing TCP connection and reports them as a foreign packet. In most cases, the foreign packets validation is useful for filtering out junk.

Note: Inbound Foreign Packets will be passed in DETECTION Mode and may result in matching outbound Foeign Packets. If in doubt, disable Foreign Packet Validation when the SPP is in DETECTION mode.

Disable

Enable

  • Allow Tuple Reuse

Allows a new connection with the same 5-tuple (Sooure IP:port, Protocol, Destination IP:Port) while the existing connection is in the closed or close-wait, fin-wait, time-wait states.

Enable

  • Allow Duplicate SYN in SYN Sent

Allows duplicate TCP SYN packets during the SYN-SENT state. It allows this type of packet even if the sequence numbers are different.

Enable

Optional but not necessary

  • Allow Duplicate SYN in SYN Recv

Allows duplicate TCP SYN packets during the SYNRECV

state. It allows this type of packet even if the

sequence numbers are different.

Disable

  • Allow SYN Anomaly

Allows duplicate TCP packets during any other state even if the sequence numbers are different from the existing connection entry. This is equivalent to allowing the packet without updating an existing connection entry with the new information from the allowed packet.

Use on Fortinet recommendation only

  • Allow SYN ACK Anomaly
  • Allow ACK Anomaly
  • Allow RST Anomaly
  • Allow FIN Anomaly
  • Drop Threshold For Foreign Packets

If Foreign Packet Validation is enabled, this optional field is shown. Default value is 0 with range 0-65535.

If a non-zero Threshold is added here, Foreign Packets will not be dropped nor displayed unless their packet rate exceeds the Threshold when they will be dropped and displayed in logs and graphs.

Use this Threshold if Foreign Packet drop logs are distracting, since most customers will see small numbers of drops every logging cycle.

Note: If the Foreign Packet Threshold is set and Foreign Packet Validation is disabled, the Threshold is reset to 0 and must be replaced when Foreign Packet Validation is re-enabled.

  • Strict Anomalies

Drops various TCP Header Anomalies including:

  • TCP Checksum Error
  • TCP Invalid Flag Combination
  • Other header anomalies, such as incomplete packet
  • SYN or FIN or RST is set for fragmented packets
  • Data offset is less than 5 for a TCP packet
  • End of packet is detected before the 20 bytes of TCP header
  • Length field in Window scale option other than 3 in a TCP packet

Enable

TCP Session Settings

Aggressive Aging Feature Control

Controls sending RSTs to servers

High Concurrent Connection per Source

Sends TCP RSTs to the protected destination server(s) to reset connections from the identified Source IP when

the Concurrent Connection per Source threshold is crossed.

Optional. System cannot send RSTs in Detection mode which may result in unusually logging.

Enable

Slow TCP Connections

Sends TCP RSTs to the protected destination server(s) to reset connections from the identified source depending on the Slow Connection settings above.

Optional. System cannot send RSTs in Detection mode which may result in unusually logging.

Expert

No

TCP Session Idle Timeout

Idle timeout period for any TCP session. The default value is 528 seconds. Use this timer to age idle TCP sessions (sessions with no traffic for long periods),

for all connections and ports. This timer should match other idle timers in your infrastructure such as firewalls.

Always monitored

This setting is ignored in Asymmetric Mode

TCP Session Idle Timeout Unit

Seconds, Minutes, Hours.

TCP Session Extended Timeout

Extended timeout value for specific IP addresses (IPv4 only) where the timeout should be longer than the idle timeout period. For example, this setting can be configured for specific IP addresses in environments where persistent SSH/TELNET/HTTP connections are used. This timer should be longer than the TCP Session Idle Timeout. See also, Session timeout precedence and application, below.

Always monitored

This setting is ignored in Asymmetric Mode

TCP Session Extended Timeout Unit

Seconds, Minutes, Hours.

TCP Session Extended Source Type

IPv4 Address or IPv4 Address Group

Always monitored

This setting is ignored in Asymmetric Mode

TCP Session Extended Source Address IPv4

Select from the Global IP address / IP Address Group definitions

Example Settings:

TCP Detection Mode

TCP Prevention Mode