Address and Service
FortiDDoS supports a wide range of Global, Service Protection and DNS ACLs. However, these should never be your first line of defense against DDoS attacks. Modern DDoS attacks use spoofed Source IP addresses, against which IP ACLs and geolocation offer little protection. Use FortiDDoS ACLs to offload other infrastructure or for normal operations. For example, you can geolocate certain countries to prevent them from reaching your web servers. This will not stop DDoS floods from attackers in those countries, who will use spoofed or reflected IPs from outside that country.
FortiDDoS also supports 2 Global allowlists:
- DoNotTrack — Any traffic from the IP/subnet in this ACL is completely ignored by FortiDDoS. There are no drops or even traffic graphs shown for these IP addresses. This ACL should be used with extreme care; if an attacker finds or guesses an IP within it, they can attack with no mitigation.
- Track and Allow — This ACL does not block any traffic, but it displays drops. However, Source IPs are often not logged, making it difficult to know when an attacker might be using an IP.
Both of these ACLs should be only used for troubleshooting specific issues and should not be used to "allow" preferred clients or servers. FortiDDoS Thresholds will allow legitimate users while blocking attack traffic when tuned correctly.
Use ACLs for specific addresses and services that you will not use at any time during normal traffic conditions.
FortiDDoS ACLs never show the Source IP of the drop. Since FortiDDoS is designed for DDoS and DDoS uses random spoofed Source IPs, there are a few mechanisms to provide the Source IPs.
Creating ACLs is a two-step process:
- Create the address and service objects described below on the System > Address and Service page.
- Assign those objects to ACLs in the Global Protection and Service Protection Profile Access Control Lists.
There are additional ACLs:
- Global Protection Blocklists for IPv4 and DNS Domains, intended for large lists of IPs or FQDNs obtained from 3rd parties.
- DNS Profile Resource Record ACLs for specialized DNS server protection applications.
- ICMP Profile ICMP Type/Code ACLs used to block specific Types and Codes.
- HTTP Profile ACLs for URLs, Hosts, Referers, Cookies and User Agents.
To configure address and service objects, go to System > Address and Service and refer to the following table:
Object/Tab | Description
---|---
Address IPv4 | Configure IPv4 address/netmask from /32, IPv4 address ranges, and geolocation countries.
Address IPv4 Group | Configure groups of preconfigured Address IPv4 objects.
Address IPv6 | Configure IPv6 address/netmask from /128, IPv6 address ranges, and geolocation countries.
Address IPv6 Group | Configure groups of preconfigured Address IPv6 objects.
Service | Configure Service definitions. The system is pre-populated with 24 well-known UDP Reflection Ports that generally source only malicious traffic. For example, these can be grouped in an Anti-Reflection ACL. If you are unsure, let the system create Thresholds for these ports as normal. DDoS protections will work without these ACLs.
Service Group | Groups the preconfigured Services. For example, if you know you are not seeing any valid traffic on the preconfigured UDP Reflection Ports, you can group these into a single Anti-UDP-Reflection-Group to use in Global or Service Protection Policy ACLs.
Address IPv4
You can create address objects to identify IPv4 addresses and subnets to use in the following ACLs:
- Global Protection
  Note: Any ACL defined in Global Protection is “always on”: it will always drop matching packets and does not follow SPP Detection/Prevention Mode conditions.
- Service Protection Policy ACL
- TCP Profile Session Extended Source Address IPv4 (specialized applications — expert use only)
Before you begin:
- You must have Read-Write permission for Global Settings.
To configure IPv4 addresses:
- Go to System > Address and Service > Address IPv4.
- Click Add to display the configuration editor.
- Complete the configuration as described in the following table.
- Save the configuration.
Setting | Description
---|---
Name | Configuration name. Must not contain spaces.
Type | Address Netmask: create an entry for a subnet using IP address/mask notation. Address Range: create an entry for an address range with “Address Range From” and “To”. Geo: create an entry for an address list belonging to a country or area.

To configure using the CLI:
```
config system address4
    edit addr1
        set type {ip-netmask|ip-range|geo}
        set ip-netmask <ip/mask>
        set ip-max <ip>
        set ip-min <ip>
        set country <string>
    next
end
```
Address IPv4 Group
Create an address group to include one or more address objects.
To configure IPv4 Address Group:
- Go to System > Address and Service > Address IPv4 Group.
- Click Add to display the configuration editor.
- Complete the configuration and click Save.
To configure using the CLI:
```
config system addressgrp
    edit <name>
        set member-list <address1> <address2> …
    next
end
```
Address IPv6
You can create address objects to identify IPv6 addresses and subnets to use in the following ACLs:
- Global Protection
  Note: Any ACL defined in Global Protection is “always on”: it will always drop matching packets and does not follow SPP Detection/Prevention Mode conditions.
- Service Protection Policy ACL
- TCP Profile Session Extended Source Address IPv4 (specialized applications — expert use only)
Before you begin:
- You must have Read-Write permission for Global Settings.
To configure IPv6 addresses:
- Go to Global System > Address and Service > Address IPv6.
- Click Add to display the configuration editor.
- Complete the configuration and click Save.
To configure using the CLI (the original block for this object repeated the Address IPv4 Group command; the address6 table and its attributes below are assumed by analogy with address4 and addressgrp6 and are not confirmed on this page):
```
config system address6
    edit <name>
        set type {ip-netmask|ip-range|geo}
        set ip-netmask <ip6/prefix>
        set ip-max <ip6>
        set ip-min <ip6>
        set country <string>
    next
end
```
Address IPv6 Group
To configure IPv6 Address Group:
- Go to System > Address and Service > Address IPv6 Group.
- Click Add to display the configuration editor.
- Complete the configuration and click Save.
To configure using the CLI:
```
config system addressgrp6
    edit <name>
        set member-list <address ipv6> <address ipv6> …
    next
end
```
Service
You configure service objects to identify the services that you want to match in SPP ACL or Global ACL policies.
Before you begin:
- You must have Read-Write permission for Protection Profile settings.
To configure service objects:
- Go to System > Address and Service > Service.
- View the built-in services.
- Click Add to display the configuration editor.
- Select Protocol type and set protocol ID.
- Complete the configuration and click Save.
To configure using the CLI:
```
config system service
    edit <name>
        set protocol-type {ip|icmp|tcp|udp|tcp-and-udp}
        set specify-source-port {enable|disable}
        set source-port-min <0-65535>
        set source-port-max <0-65535>
        set destination-port-min <0-65535>
        set destination-port-max <0-65535>
    next
end
```
Service Group
To configure Service Group:
1. Go to System > Address and Service > Service Group.
2. Click Add to display the configuration editor.
3. Complete the configuration and click Save.
To configure using the CLI:
```
config system servicegrp
    edit <name>
        set member-list <service1> <service2> …
    next
end
```
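The following script is an added example, not Fortinet code, that ties the two-step flow on this page together: it validates inputs (names without spaces, well-formed prefixes, ip-min/ip-max and port ordering, the 0-65535 port range, the listed protocol types) and renders the `config system address4`, `addressgrp`, `service` and `servicegrp` blocks shown above, ending with an Anti-UDP-Reflection-Group built from per-port UDP services. Command and attribute names are the ones on this page; the object names, addresses and the three reflector ports are constructed sample values, not the 24 ports the system ships with (which this page does not list). Matching reflected traffic on the UDP source port is this example's design choice, since reflected floods arrive with the amplifier's service port as their source port; the page does not say how the pre-populated objects are defined.

```python
# Added example, not Fortinet code: render FortiDDoS 'config system ...' CLI
# blocks for address and service objects from validated inputs, then assemble
# the two-step flow from this page (objects first, then a group an ACL binds).
# Command and attribute names follow the CLI blocks shown on this page; object
# names, addresses and ports below are constructed sample values.
import ipaddress
import re

_NAME_RE = re.compile(r"[A-Za-z0-9_.-]+")
_PROTOCOLS = {"ip", "icmp", "tcp", "udp", "tcp-and-udp"}


def _check_name(name):
    """Object names must not contain spaces (Name row in the table above)."""
    if not _NAME_RE.fullmatch(name):
        raise ValueError(f"bad object name {name!r}")
    return name


def _block(table, name, settings):
    """Render one 'config system <table> / edit <name> / set ... / next / end'."""
    body = "\n".join(f"        set {s}" for s in settings)
    return f"config system {table}\n    edit {_check_name(name)}\n{body}\n    next\nend"


def address4_netmask(name, cidr):
    """IPv4 subnet object; strict=True rejects a prefix with host bits set."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    return _block("address4", name, ["type ip-netmask", f"ip-netmask {net.with_prefixlen}"])


def address4_range(name, first, last):
    """IPv4 range object; ip-min must not be above ip-max."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError("ip-min is above ip-max")
    return _block("address4", name, ["type ip-range", f"ip-min {lo}", f"ip-max {hi}"])


def address4_geo(name, country):
    """Geolocation object for one country or area."""
    return _block("address4", name, ["type geo", f"country {country}"])


def addressgrp(name, members):
    return _block("addressgrp", name, ["member-list " + " ".join(_check_name(m) for m in members)])


def _port(p):
    if not 0 <= int(p) <= 65535:
        raise ValueError(f"port {p} outside 0-65535")
    return int(p)


def service(name, proto, dst_min, dst_max=None, src=None):
    """Service object. src=(min, max) enables source-port matching; dst_max
    defaults to dst_min so a single destination port needs one argument."""
    if proto not in _PROTOCOLS:
        raise ValueError(f"unknown protocol-type {proto!r}")
    dst_max = dst_min if dst_max is None else dst_max
    if _port(dst_min) > _port(dst_max):
        raise ValueError("destination-port-min is above destination-port-max")
    settings = [f"protocol-type {proto}"]
    if src is None:
        settings.append("specify-source-port disable")
    else:
        s_min, s_max = _port(src[0]), _port(src[1])
        if s_min > s_max:
            raise ValueError("source-port-min is above source-port-max")
        settings += ["specify-source-port enable",
                     f"source-port-min {s_min}", f"source-port-max {s_max}"]
    settings += [f"destination-port-min {dst_min}", f"destination-port-max {dst_max}"]
    return _block("service", name, settings)


def servicegrp(name, members):
    return _block("servicegrp", name, ["member-list " + " ".join(_check_name(m) for m in members)])


def anti_reflection_config(ports):
    """Step 1: one UDP service per reflector port; step 2: one group to bind in
    an ACL. Reflected floods carry the amplifier's service port as the UDP
    *source* port, so each object matches that source port, any destination."""
    names = [f"udp-refl-{label}" for label in ports]
    blocks = [service(n, "udp", 0, 65535, src=(p, p)) for n, p in zip(names, ports.values())]
    blocks.append(servicegrp("Anti-UDP-Reflection-Group", names))
    return "\n".join(blocks)


def rejects(fn, *args, **kwargs):
    """True if fn(*args) raises ValueError; lets callers check input validation."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False


# Constructed sample: three well-known reflector service ports, not the 24 the
# system ships with (this page does not list them).
SAMPLE_REFLECTORS = {"ntp": 123, "ssdp": 1900, "memcached": 11211}

if __name__ == "__main__":
    print(address4_netmask("lab-net", "10.0.0.0/8"))
    print(addressgrp("lab-group", ["lab-net"]))
    print(anti_reflection_config(SAMPLE_REFLECTORS))
```

Generated blocks can be pasted into the CLI in order (objects before the group that references them), which is the same dependency the GUI enforces by making you create objects under System > Address and Service before assigning them to an ACL.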