Cloud Signaling

The Service Provider Signaling feature enables small/medium businesses and enterprises to work with participating service providers to route traffic through a "scrubbing station" in the service provider network (SP) before it is forwarded through the WAN link to the customer premises network (CP).

For details on deployments with signaling between FortiDDoS devices, see Service Protection.

For information on deployments with signaling to 3rd-party Cloud DDoS Mitigation services, please contact your local sales team or Fortinet TAC.

Note: You must use the mgmt1 port for signaling. If FortiDDoS is behind a web proxy, configure Tunneling settings under IP Reputation.

Before you begin:

  • You must have Read-Write permission for Global Settings.
  • Make sure the following settings are configured in the SPP rule:
    • Cloud signaling status is enabled under Service Protection > Service Protection Policy > {SPP Rule} > Service Protection Policy
    • A Signaling Threshold (KPPS, Mbps, or both) is configured for the selected subnet under Service Protection > Service Protection Policy > {SPP Rule} > Service Protection Policy > Protection Subnets

To configure service provider signaling:
  1. Go to Global Protection > Cloud Signaling.
  2. Click Add to display the configuration editor.
  3. Complete the configuration as described in the following table.
  4. Save the configuration.

| Settings | Guidelines |
|---|---|
| Cloud Signaling Mode | Customer Premises or Service Provider |
| Signaling Timeout | Timeout after which the system re-investigates whether traffic has passed the Signaling Threshold. |
| Customer Premises FDD | |
| Status | Enable or Disable |
| Name | Configuration name. Must not contain spaces. |
| Device Type | FortiDDoS: If the service provider uses FortiDDoS, select this option and complete the fields described next. Third Party: If the service provider has a cloud mitigation service, select this option and specify the account ID, shared secret, and URL expected by the third party. |
| Serial Number | Serial number of the FortiDDoS in the service provider network. The serial number configuration is case sensitive. Be careful to enter the serial number exactly as it is provided to you. |
| Shared Secret | Must match the string configured on the SP FortiDDoS. (Allowed characters are a-Z and 0-9.) Note: Once entered, the Shared Secret/API Key is not displayed in the GUI or the CLI and cannot be recovered. If forgotten, a new matching key must be entered for the paired devices. |
| Address Type | IPv4 or IPv6 |
| Service Provider IP address | IP address of the SP FortiDDoS management interface. |
| Service Provider FDD | |
| Name | Configuration name. Must not contain spaces. |
| Customer Premises FDD Serial Number | Serial number of the FortiDDoS in the customer premises network. The serial number configuration is case sensitive. Be careful to enter the serial number exactly as it is provided to you. |
| Shared Secret | Must match the string configured on the CP FortiDDoS. (Allowed characters are a-Z and 0-9.) |
| Customer Premises FDD IP Version | IPv4 or IPv6 |
| Customer Premises IP address | IP address of the CP FortiDDoS management interface. |
| Cloud Signaling/Third Party mitigation | |
| Name | Configuration name. Must not contain spaces. |
| Device Type | Third Party |
| Shared Secret | Obtain from the Cloud Mitigation provider. Allowed characters: A-Z, a-z, 0-9, no spaces. Max 19 characters. |
| Account ID | User account provided by the Cloud Mitigation provider. |
| SP URL | Listening Signaling URL provided by the Cloud Mitigation provider. |

To configure using the CLI:

    config ddos global cloud-signaling
      set mode { customer-premises | service-provider }
      set timeout <integer>
      config devices
        edit <device_name>
          set enable { enable | disable }
          set device-type { FortiDDoS | Third-Party }
          set serial-number <string>
          set shared-secret <passwd>
          set address-type { ipv4 | ipv6 }
          set ipv4-address <ipv4_addr>
          set ipv6-address <ipv6_addr>
          set account-id <string>
          set url <string>
        next
      end
    end
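
Because the Shared Secret cannot be read back from the GUI or CLI once entered and serial numbers are matched case sensitively, the values for both ends of a pairing are worth checking before they are typed in. The following is an added example, not Fortinet code: dictionary keys mirror the CLI options above, the serials and addresses are constructed placeholders, and using the 19-character length (stated on this page only for Third Party) as the default for generated secrets is an assumption.

```python
import ipaddress
import secrets
import string

ALNUM = string.ascii_letters + string.digits  # allowed Shared Secret characters
THIRD_PARTY_MAX = 19  # "Max 19 characters" is stated for the Third Party row

def generate_shared_secret(length=THIRD_PARTY_MAX):
    """Random secret from the allowed alphabet, drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALNUM) for _ in range(length))

def check_entry(entry):
    """Return a list of problems for one device entry (keys follow the CLI)."""
    problems = []
    if not entry["name"] or any(ch.isspace() for ch in entry["name"]):
        problems.append("name is empty or contains spaces")
    secret = entry["shared-secret"]
    if not secret or any(c not in ALNUM for c in secret):
        problems.append("shared-secret has characters outside A-Z, a-z, 0-9")
    if entry["device-type"] == "Third-Party":
        if len(secret) > THIRD_PARTY_MAX:
            problems.append("shared-secret exceeds 19 characters")
        return problems
    key = entry["address-type"] + "-address"  # ipv4-address or ipv6-address
    try:
        version = ipaddress.ip_address(entry[key]).version
    except (KeyError, ValueError):
        version = None
    if version != int(entry["address-type"][-1]):
        problems.append(f"{key} missing or not a valid {entry['address-type']} address")
    return problems

def check_pair(cp_entry, cp_serial, sp_entry, sp_serial):
    """Cross-check both sides of one FortiDDoS-to-FortiDDoS pairing."""
    problems = check_entry(cp_entry) + check_entry(sp_entry)
    if cp_entry["shared-secret"] != sp_entry["shared-secret"]:
        problems.append("shared secrets differ between CP and SP")
    if cp_entry["serial-number"] != sp_serial:  # comparison is case sensitive
        problems.append("CP entry does not carry the SP unit's exact serial")
    if sp_entry["serial-number"] != cp_serial:
        problems.append("SP entry does not carry the CP unit's exact serial")
    return problems

# Constructed sample values: placeholder serials, RFC 5737 documentation addresses.
SECRET = generate_shared_secret()
CP_SIDE = {"name": "sp-scrubber", "device-type": "FortiDDoS", "address-type": "ipv4",
           "serial-number": "FDD-PLACEHOLDER-SP", "shared-secret": SECRET, "ipv4-address": "192.0.2.10"}
SP_SIDE = {"name": "cp-site-a", "device-type": "FortiDDoS", "address-type": "ipv4",
           "serial-number": "FDD-PLACEHOLDER-CP", "shared-secret": SECRET, "ipv4-address": "198.51.100.20"}
```

`check_pair(CP_SIDE, "FDD-PLACEHOLDER-CP", SP_SIDE, "FDD-PLACEHOLDER-SP")` returns an empty list when the two entries are consistent; each returned string names one mismatch to fix before saving.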
