IP Profile

Use the IP Profile to configure various IP parameters and ACLs. Always assign an IP profile to every SPP.

Use a single IP Profile for all SPPs unless you need specialized ACLs for Fragments, IP Reputation or Domain Reputation.

All IP Profile parameters can be used with symmetric or asymmetric traffic.

You can create a maximum of 64 IP Profiles.

IP Reputation

The FortiGuard IP Reputation service is a licensed subscription that maintains a database of malicious IP addresses that pose a threat to your network and clients. After you purchase IP Reputation, you register the service contract to the FortiDDoS appliance serial number. Then, you can schedule updates to the IP Reputation list.

IP Reputation is not required for DDoS mitigation. It is not a Threat Signature subscription; Threat Signatures are not required with FortiDDoS. IP Reputation is a subset of FortiGuard's full web/domain/IP filtering service, containing IPs with known affiliations to DDoS attacks and known Anonymous Proxies (like Tor). Either or both subsets can be enabled.

If you are using existing Firewall/Proxy/Web/Domain/IP filtering products or services, FortiGuard IP Reputation services subscription is not required.

IP Reputation is enabled or disabled within this IP Profile. If this IP Profile is assigned to an SPP, all traffic in that SPP is checked against the IP Reputation list. If, for some reason, you want an SPP to ignore IP Reputation anomalies, create a different IP Profile with IP Reputation disabled and assign it to that SPP.

First set up FortiGuard access in System > FortiGuard. To use over-the-network updates, the management port must be able to access the Internet and DNS. If the system is behind a web proxy, set up Tunneling (proxy).

After you have set up FortiGuard and enabled the feature, the FortiDDoS system downloads the most recent definitions file and then maintains updates for it according to the schedule you configure.

The Dashboard > Status: License Information portlet and System > FortiGuard: License Information both display the status of the most recent update (IP Reputation Service Definition). If the download is successful and new definitions are available, the lists are replaced; otherwise, the previous list remains in use. The License Information portlet also displays the status of your IP Reputation license (IP Reputation Service Contract Date). If your license expires, the IP Reputation database is removed from the appliance, so that stale entries cannot affect your traffic. You can configure how the FortiDDoS system receives scheduled updates.

Note: Since an IP Address is seen in both the inbound and outbound traffic, IP Reputation will drop any packet it sees containing the IP Reputation address, even if FortiDDoS does not see one direction of the traffic in asymmetric environments.

The IP Profile parameters are listed below by Field/Selection, with a Description and, where applicable, a Recommendation (recommendations are for Web Servers, Firewalls and DNS Servers).

Name
Description: 1-35 characters (a-Z, 0-9, "-", "_" only).

IP Strict Anomalies
Description: Drops packets where:
  • IP version other than 4 or 6
  • Header length less than 5 words
  • End of packet (EOP) before 20 bytes of IPv4 Data
  • Total length less than 20 bytes
  • EOP comes before the length specified by Total length
  • End of Header before the data offset (while parsing options)
  • Length field in LSRR/SSRR option is other than (3+(n*4)) where n takes a value greater than or equal to 1
  • Pointer in LSRR/SSRR is other than (n*4) where n takes a value greater than or equal to 1
  • IP Options length less than 3
Recommendation: Enable for all SPPs. If traffic appears to be affected, disable to troubleshoot. This parameter has been default-enabled on FortiDDoS for many years and has never been seen to cause failure of legitimate traffic.

IP Private Check
Description: Drops packets where the Source IP is from the Internet Private address space such as 10.0.0.0/8.

IP Multicast Check
Description: Drops packets where the Source IP is from the Internet Multicast address space such as 224.0.0.0/24.

IP Fragment Check
  Other Protocol Fragment
  Description: Drops fragmented packets from Protocols other than TCP or UDP.
  TCP Fragment
  Description: Drops fragmented TCP packets.
  UDP Fragment
  Description: Drops fragmented UDP packets.
Recommendation: Expert use. Normally not recommended; use Fragment Thresholds instead. Use only for specific applications, e.g. drop UDP fragments ONLY for servers that NEVER see UDP traffic.

IP Reputation Categories
  DDoS
  Description: Downloads IP Reputation files to ACL only known DDoS and C&C IPs.
  Anonymous Proxies
  Description: Downloads IP Reputation files to ACL only known Anonymous Proxies.
  Phishing
  Description: Downloads IP Reputation files to ACL only known phishing sites.
  Tor
  Description: Downloads IP Reputation files to ACL only known Tor exit nodes.
Recommendation: Requires FortiGuard IP Reputation Subscription. Use as desired.
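The following is an added example, not FortiDDoS code, showing what the IP Strict Anomalies, IP Private Check, IP Multicast Check and IP Fragment Check conditions from the table mean when applied to raw IPv4 headers. It parses constructed packets (built in the file with a small helper) and reports which conditions each packet trips. The anomaly names, the exact private address ranges (RFC 1918 is assumed; the page only gives 10.0.0.0/8 as an example) and the use of the whole 224.0.0.0/4 multicast block are this example's assumptions; it covers only the IPv4 header path and does not validate checksums.

```python
"""Added example (not FortiDDoS code): apply the IP Profile header checks to raw IPv4 packets."""
import ipaddress
import struct

IPOPT_EOL, IPOPT_NOP, IPOPT_LSRR, IPOPT_SSRR = 0, 1, 131, 137
# Assumption: "Internet Private address space" is taken to be the RFC 1918 ranges.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MULTICAST_NET = ipaddress.ip_network("224.0.0.0/4")  # the whole IPv4 multicast block


def strict_anomalies(pkt: bytes) -> list[str]:
    """Names of the strict-anomaly conditions that pkt trips; [] means the header is clean."""
    found = []
    if len(pkt) < 20:                       # EOP before 20 bytes of IPv4 header
        return ["eop_before_20_bytes"]
    version, ihl = pkt[0] >> 4, pkt[0] & 0x0F
    total_len = struct.unpack("!H", pkt[2:4])[0]
    if version not in (4, 6):
        found.append("bad_version")
    if version != 4:                        # IPv6 header parsing is outside this example
        return found
    if ihl < 5:
        found.append("header_len_lt_5_words")
    if total_len < 20:
        found.append("total_len_lt_20")
    if len(pkt) < total_len:
        found.append("eop_before_total_len")
    hdr_end = ihl * 4
    if hdr_end > len(pkt):                  # extra guard so option parsing never reads past EOP
        found.append("eop_before_end_of_header")
        return found
    i = 20                                  # options start after the fixed 20-byte header
    while i < hdr_end:
        kind = pkt[i]
        if kind == IPOPT_EOL:
            break
        if kind == IPOPT_NOP:
            i += 1
            continue
        if i + 1 >= hdr_end or pkt[i + 1] < 3:  # multi-byte options need kind + length + data
            found.append("option_len_lt_3")
            break
        olen = pkt[i + 1]
        if i + olen > hdr_end:              # option data runs past the end of the header
            found.append("option_past_header_end")
            break
        if kind in (IPOPT_LSRR, IPOPT_SSRR):
            if olen < 7 or (olen - 3) % 4:  # length must be 3 + n*4 with n >= 1
                found.append("srr_bad_length")
            if pkt[i + 2] < 4 or pkt[i + 2] % 4:  # pointer must be n*4 with n >= 1
                found.append("srr_bad_pointer")
        i += olen
    return found


def source_anomalies(pkt: bytes) -> list[str]:
    """IP Private Check / IP Multicast Check on the source address."""
    if len(pkt) < 20:
        return []
    src = ipaddress.IPv4Address(pkt[12:16])
    found = []
    if any(src in net for net in PRIVATE_NETS):
        found.append("private_source")
    if src in MULTICAST_NET:
        found.append("multicast_source")
    return found


def fragment_anomalies(pkt: bytes, tcp=False, udp=False, other=False) -> list[str]:
    """IP Fragment Check: each flag enables dropping fragments of that protocol class."""
    if len(pkt) < 20:
        return []
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    if not (flags_frag & 0x2000 or flags_frag & 0x1FFF):  # MF clear and offset 0: not a fragment
        return []
    proto = pkt[9]
    if proto == 6:
        return ["tcp_fragment"] if tcp else []
    if proto == 17:
        return ["udp_fragment"] if udp else []
    return ["other_protocol_fragment"] if other else []


def build_ipv4(src="192.0.2.1", dst="198.51.100.7", proto=17, options=b"", payload=b"",
               flags_frag=0, total_len=None, ihl=None) -> bytes:
    """Constructed IPv4 packet (checksum left at 0; none of the checks above verify it)."""
    opts = options + b"\x00" * (-len(options) % 4)       # pad options to a 32-bit boundary
    ihl = 5 + len(opts) // 4 if ihl is None else ihl
    total_len = 20 + len(opts) + len(payload) if total_len is None else total_len
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total_len, 0x1234, flags_frag, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + opts + payload


SAMPLES = {  # constructed packets, one per check
    "clean": build_ipv4(payload=b"hello"),
    "short_packet": b"\x45\x00\x00\x14",
    "ihl_4": build_ipv4(ihl=4, payload=b"xxxx"),
    "total_len_10": build_ipv4(total_len=10),
    "truncated": build_ipv4(payload=b"x" * 10)[:-5],
    "lsrr_bad_len": build_ipv4(options=bytes([IPOPT_LSRR, 5, 4, 0, 0])),
    "ssrr_bad_ptr": build_ipv4(options=bytes([IPOPT_SSRR, 7, 3]) + b"\x0a\x00\x00\x01"),
    "opt_len_2": build_ipv4(options=bytes([7, 2])),
    "opt_overrun": build_ipv4(options=bytes([7, 12, 4])),
    "private_src": build_ipv4(src="10.1.2.3"),
    "multicast_src": build_ipv4(src="224.0.0.5"),
    "tcp_frag": build_ipv4(proto=6, flags_frag=0x2000),
    "icmp_frag": build_ipv4(proto=1, flags_frag=0x0001),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:14s} strict={strict_anomalies(pkt)} src={source_anomalies(pkt)} "
              f"frag={fragment_anomalies(pkt, tcp=True, other=True)}")
```

Running the file prints one line per sample; only `clean` comes back empty from all three checks. The three checks are kept separate because the table treats them as separate profile settings: the strict-anomaly set is on by default and safe to leave on, the private and multicast checks depend on where the appliance sits, and the fragment drops are the expert-only settings that should normally be replaced by Fragment Thresholds.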
