What's new

FortiDDoS-F 6.5.0 offers the following new features and enhancements:

GUI enhancements

FortiDDoS-F has refreshed the GUI pages to include new graphs with better tool-tip readability, improved navigation, and various minor field-length adjustments and fixes.
Note: In 6.5.0, Logarithmic Y-axis selection will not show correct index numbers. Use the tool-tip to see actual traffic or drop numbers instead.

GUI and Graph updates

The following updates were made to the FortiDDoS-F GUI and graphs.

Dashboard Status:

  • Interface and SPP Graphs will now show one behind the other (not stacked as in 6.4.1) so the ingress/egress differential is immediately viewable.

All Graphs:

  • Sub-graphs can now be highlighted by rolling the cursor over the label, and be hidden by clicking on the label.
  • Splining (curves) can now be removed to show each reporting point more accurately.

Top Attacks:

  • A new table has been added for UDP Reflection (Source) Ports, separating that reporting from UDP (Destination) Port Floods.
  • From the Top Attacks page, you can now link directly to applicable Monitor graphs from 5 tables.
    Note: Users must still enter the final Protocol, Port, and Type/Code parameters manually on the graph.

FortiView Threat Map:

  • The FortiView Threat Map has been removed since it was providing little useful information.

Most settings and log pages:

  • Minor changes have been made to most settings and log pages, including changes to options, filters, download, and/or scrolling.

New System Recommended Thresholds

  • System Recommended Thresholds for various DNS TCP Thresholds will now be set at 2x the corresponding UDP Thresholds. During learning, TCP traffic is usually minimal, resulting in very low TCP Thresholds. Then, under attack, when FortiDDoS uses TC=1 validation and the client/recursive server responds correctly with a TCP packet, the TCP Thresholds are crossed prematurely, leading to false-positive drops. Increasing the TCP Thresholds has virtually no impact on DNS Query flood mitigation.
  • New DNS Query per Source Traffic Statistics and System Recommended Thresholds have been added. Previously this was a manual entry.

Geolocation updates

  • A new IPv6 Geolocation has been added.
  • Geolocation ACLs (IPv4 and IPv6) can now be added to SPPs.

SPP Policy List enhancements

The SPP Policy List now includes a display of all the SPP feature Profiles included with the Policy.

Service Protection Policy ACL List updates

Updates have been made to the re-ordering/deleting functions for the Service Protection Policy ACL list:

  • Hovering the cursor over the Name field will now show a directional cursor to move the ACL up or down in the list.
  • There are no longer various icons in the right-most column.
  • To delete, highlight a row, or shift-click to highlight multiple rows, and then click Delete.
  • To edit, double-click the row.
  • To copy, click a row and then clone it.

Two-Factor Authentication support for RADIUS

FortiDDoS-F now supports Two-Factor Authentication (2FA) for RADIUS remote authentication.

Remote password authentication support for CLI users

CLI users can now use remote password authentication (RADIUS, LDAP, TACACS+). CLI remote users must have a local username on FortiDDoS with a super-admin Profile.

New DNS features

The following DNS features have been added:

  • DNS Proxy validation for users not accepting TCP Queries.
  • Support for DNS Dynamic Updates.
  • Support for DNS Known Opcode Anomalies.
  • Support for DNS Resource Record ACLs only under flood.

Anomaly tracking updates

Changes have been made to Anomaly tracking which will improve traffic statistics and Thresholds for Most Active Source and Most Active Port, among others.

Packet capture support from Management Ports

You can now capture packets from the Management Ports.

Debug file improvements

The debug file is now split into two files:

  • The Customer file includes the system config, 100k Attack Logs, 25k Event Logs, the list of Protected Subnets, all Thresholds per SPP, and a list of SPPs including all feature Profiles per SPP and Service Ports for UDP, HTTP, SSL/TLS, DTLS and QUIC.
  • The Debug file for developers (which includes the Customer file).

Removed debug files from previous releases:

  • The debug files from previous releases have been removed from the debug file when the system firmware is upgraded. This reduces the size of the debug file and removes files that are no longer relevant to the current Release.

Progress indication added for debug file creation:

  • When creating a debug file, progress is now indicated by the Save Debug button, which dims and displays a rotating "spinner".

Dashboard License Information and System FortiGuard page enhancement

Additional icons have been added to the Dashboard License Information and System FortiGuard page to aid in understanding FortiCare registration and FortiGuard subscriptions.

New CSV download function for DDoS Attack logs

You can now download DDoS Attack logs as CSV files. Up to 100,000 Attack logs can be downloaded.

Drop log enhancement

Attackers can use Queries with legitimate FQDNs but incorrect RR requests to avoid various response-rate-limiting schemes on DNS servers. A good FQDN with a bad RR Query gets a good (Rcode=0) Response with an empty NODATA Answer section (no IP address and Answers=0). For legitimate traffic this indicates that the FQDN is good but there is no such RR information on the server. Attackers can then use this response/reflection to defeat NxDomain Thresholds and other mitigations. To protect against such scenarios, FortiDDoS-F drop logs will now show events specifically for LQ FQDN matches without RR matches: DNS LQ: UDP Query flood due to Negative Response.
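Both DNS behaviours described on this page, the TC=1 validation that makes a well-behaved client retry over TCP (under New System Recommended Thresholds) and the NODATA negative response that this drop log entry targets, come down to a few DNS header fields: the QR and TC flags, the RCODE, and the answer count. The Python script below is an added example, not FortiDDoS code or Fortinet's detection logic. It parses those fields from wire-format responses, classifies each response as positive, NXDOMAIN, NODATA or truncated, and counts negative responses per client address against a threshold, so that a good FQDN queried for a missing RR type is counted alongside NXDOMAIN rather than slipping past a threshold that counts NXDOMAIN only. All messages, addresses, names and the threshold value are constructed for the example.

```python
"""Classify DNS responses by header fields and count negative responses per
client.  Added example; not FortiDDoS code.  All sample data is constructed."""
import struct
from collections import Counter

QTYPE_A = 1
QTYPE_AAAA = 28
RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3


def encode_name(name):
    """Encode an FQDN into DNS label wire format (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_response(txid, qname, qtype, rcode=RCODE_NOERROR, a_records=(), tc=False):
    """Construct a wire-format DNS response (sample data for this example).
    Flags: QR=1, RD=1, RA=1, TC as requested, RCODE in the low four bits."""
    flags = 0x8180 | (0x0200 if tc else 0) | (rcode & 0x0F)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    answers = b""
    for ip in a_records:
        rdata = bytes(int(o) for o in ip.split("."))
        # 0xC00C is a compression pointer to the name at offset 12 (the question)
        answers += struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, 60, len(rdata)) + rdata
    return header + question + answers


def parse_header(msg):
    """Return the header fields relevant to negative-response detection."""
    if len(msg) < 12:
        raise ValueError("message shorter than a DNS header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "tc": bool(flags & 0x0200),
        "rcode": flags & 0x000F,
        "qdcount": qd,
        "ancount": an,
    }


def classify_response(msg):
    """Classify one DNS message:
    'query'     QR bit clear, this is a query rather than a response
    'truncated' TC=1, the client is expected to retry the query over TCP
    'nxdomain'  RCODE=3, the FQDN does not exist
    'nodata'    RCODE=0 with zero answers: FQDN exists, requested RR type does not
    'positive'  RCODE=0 with at least one answer
    'other'     any other RCODE (SERVFAIL, REFUSED, ...)"""
    h = parse_header(msg)
    if not h["qr"]:
        return "query"
    if h["tc"]:
        return "truncated"
    if h["rcode"] == RCODE_NXDOMAIN:
        return "nxdomain"
    if h["rcode"] == RCODE_NOERROR:
        return "positive" if h["ancount"] > 0 else "nodata"
    return "other"


def negative_response_sources(flows, threshold):
    """Count NXDOMAIN and NODATA responses per client address and return the
    addresses whose count reaches the threshold.  `flows` is an iterable of
    (client_ip, response_bytes).  Counting NODATA together with NXDOMAIN is
    the point: a valid FQDN with a wrong RR type is still a negative answer."""
    counts = Counter()
    for client_ip, msg in flows:
        if classify_response(msg) in ("nxdomain", "nodata"):
            counts[client_ip] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Constructed sample traffic: one client receiving ordinary answers, one client
# receiving only NODATA answers for a real name (the pattern described above),
# plus one truncated (TC=1) reply that should not be counted as negative.
SAMPLE_FLOWS = [
    ("198.51.100.10", build_response(1, "www.example.com", QTYPE_A, a_records=["192.0.2.1"])),
    ("198.51.100.10", build_response(2, "nope.example.com", QTYPE_A, rcode=RCODE_NXDOMAIN)),
    ("203.0.113.7", build_response(3, "www.example.com", QTYPE_AAAA)),  # NODATA
    ("203.0.113.7", build_response(4, "www.example.com", 99)),          # NODATA
    ("203.0.113.7", build_response(5, "www.example.com", 35)),          # NODATA
    ("203.0.113.7", build_response(6, "www.example.com", QTYPE_A, tc=True)),
]

if __name__ == "__main__":
    for ip, msg in SAMPLE_FLOWS:
        print(ip, parse_header(msg)["id"], classify_response(msg))
    print(negative_response_sources(SAMPLE_FLOWS, threshold=3))
```

With the sample flows, only 203.0.113.7 reaches a threshold of three negative responses; the truncated reply is classified separately because a TC=1 answer is a validation step, not a negative answer, which is the same distinction the TCP Threshold change on this page relies on.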

FortiView updates

The following updates have been made to FortiView:

  • The SPP Traffic graph has been moved to the Traffic Monitor section of the menu.
  • The Countries graph now shows only geolocation of TCP established connections, so spoofed UDP, SYNs, etc., do not provide false information.
  • Graph periods from 1-hour to 1-year now match all other system graphs.
  • The Countries and Attacks tables have been removed since the data provided (passed and dropped traffic of the full graph period) was not useful for understanding DDoS.

Improvements to Event logs for FortiGuard updates

The Event logs for FortiGuard updates have been improved to include the description of actions taken, such as "Completed FortiGuard Update", "IP Reputation DB download: is successful", and "Geolocation DB download: is successful".

Access Control List policy update

To avoid confusion, any Global Protection > Access Control List policy that is configured but disabled will no longer be shown in the Monitor > DROPS MONITOR > Global > ACL Drops > ACL Rule Drops.

Global ACL update

When a Global ACL is created, drops associated with it are shown on the Global ACL Aggregate graph and on the ACL graph when the correct ACL is selected from the drop-down menu. However, when the ACL is disabled or deleted, the ACL name will not be available on the drop-down menu. The drops will still show on the aggregated graph. If an ACL is deleted and later a new ACL is created, drops from an old, deleted ACL may show on the ACL graph for the new one. This is related to the way the system selects ACL ID numbers (1-1024).

New CLI command execute recover-gui

You can now use the execute recover-gui CLI command to restart cmdbsvr, restapi and nginx for troubleshooting purposes.

Added Explicit VPP restart Event log

An explicit Virtual Packet Processing (VPP) engine restart Event log has been added. While VPP restarts are rare, the Event log lets you confirm that a restart occurred without needing the debug file.

Merge Traffic Statistics for HA systems

For HA systems on separate ISP legs of a network with balanced traffic, a method is provided to merge Traffic Statistics from the Secondary to the Primary to allow Threshold setting and synchronization.

Security certificates with password files

FortiDDoS-F now supports security certificates with password files.
