Address and Service

FortiDDoS supports a wide range of Global, Service Protection and DNS ACLs. However, these should never be your first line of defense against DDoS attacks. Modern DDoS attacks use spoofed Source IP addresses, against which IP ACLs and geolocation offer little protection. Use FortiDDoS ACLs to offload other infrastructure or for normal operations. For example, you can geolocate certain countries to prevent them from reaching your web servers. This will not stop DDoS floods from attackers in those countries, who will use spoofed or reflected source IPs from outside that country.

FortiDDoS also supports two Global allowlists:

  • Do Not Track: any traffic from an IP or subnet in this list is completely ignored by FortiDDoS. No drops, and not even traffic graphs, are shown for these addresses. Use it with extreme care: if an attacker finds or guesses an address in it, they can attack with no mitigation at all.

  • Track and Allow: this list never blocks traffic, but it does record the drops that would otherwise have occurred. Because Source IPs are often not logged, it can still be hard to tell when an attacker is using one of these addresses.

Both lists should only be used for troubleshooting specific issues, not to "allow" preferred clients or servers. Correctly tuned FortiDDoS Thresholds allow legitimate users while blocking attack traffic.

Use ACLs for specific addresses and services that you will not use at any time during normal traffic conditions.

FortiDDoS ACL drop statistics do not show the Source IP of the dropped packets. Because FortiDDoS is designed for DDoS, where Source IPs are typically random and spoofed, per-source logging is not the default; a few separate mechanisms exist to capture Source IPs when you need them.

ACL Precedence

ACLs are evaluated in the following order through FortiDDoS:

  • Do Not Track: matched packets bypass all monitoring and mitigation.

  • Track and Allow: matched packets bypass all mitigation but are monitored for traffic and drops in the correct SPP. Think of this as a mini Detection Mode for specific IPs or subnets.

  • Global ACLs, including

    • IP and subnet ACLs

    • Geolocation ACLs

    • Service (L4 port) ACLs

    • Blocklists, from uploaded files or individual IPs

    Packets matching a Global ACL are always dropped, regardless of the Detection/Prevention Mode setting of any SPP.

  • SPP ACLs (IP, subnet, Service, or Geolocation). SPP ACLs follow the SPP's Detection Mode / Prevention Mode: they drop matching packets in Prevention Mode and only report them in Detection Mode.
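As an added illustration of this precedence (example code written for this page, not part of FortiDDoS), the following Python model walks a packet through the documented order and reports which list decides it. Object shapes, the sample addresses (RFC 5737 ranges) and the sample policy are constructed for the example; geolocation objects are omitted because they need the appliance's country database, and the model assumes an ACL entry may carry an address criterion, a service criterion, or both.

```python
# Added example, not FortiDDoS code: a model of the ACL evaluation order
# documented above. Addresses and policy below are constructed for the example.
import ipaddress
from dataclasses import dataclass, field


def addr_match(obj, ip):
    """Address objects: ('netmask', cidr), ('range', lo, hi) or ('group', [objs])."""
    ip = ipaddress.ip_address(ip)
    kind = obj[0]
    if kind == "netmask":
        return ip in ipaddress.ip_network(obj[1], strict=False)
    if kind == "range":
        return ipaddress.ip_address(obj[1]) <= ip <= ipaddress.ip_address(obj[2])
    if kind == "group":
        return any(addr_match(member, ip) for member in obj[1])
    raise ValueError(f"unknown address object type {kind!r}")


def svc_match(svc, proto, sport, dport):
    """Service objects mirror 'config system service': protocol-type plus a
    destination port range, and a source port range only when enabled."""
    ptype = svc["protocol-type"]
    if not (ptype == proto or (ptype == "tcp-and-udp" and proto in ("tcp", "udp"))):
        return False
    if svc.get("specify-source-port") == "enable":
        if not svc["source-port-min"] <= sport <= svc["source-port-max"]:
            return False
    return svc["destination-port-min"] <= dport <= svc["destination-port-max"]


def acl_hit(acl, src, proto, sport, dport):
    """Model assumption: an entry may name an address, a service, or both,
    and every criterion it names must match."""
    if "address" in acl and not addr_match(acl["address"], src):
        return False
    if "service" in acl and not svc_match(acl["service"], proto, sport, dport):
        return False
    return True


@dataclass
class Policy:
    do_not_track: list = field(default_factory=list)    # address objects
    track_and_allow: list = field(default_factory=list)  # address objects
    global_acls: list = field(default_factory=list)      # always-on drops
    spp_acls: list = field(default_factory=list)         # follow the SPP mode
    spp_mode: str = "prevention"                         # or "detection"


def disposition(policy, src, proto, sport, dport):
    """Return (action, reason) from the first list that decides the packet."""
    if any(addr_match(o, src) for o in policy.do_not_track):
        return "bypass", "Do Not Track: no mitigation and no monitoring"
    if any(addr_match(o, src) for o in policy.track_and_allow):
        return "allow", "Track and Allow: monitored, never dropped"
    for acl in policy.global_acls:
        if acl_hit(acl, src, proto, sport, dport):
            return "drop", "Global ACL: always on, SPP mode is ignored"
    for acl in policy.spp_acls:
        if acl.get("enabled", True) and acl_hit(acl, src, proto, sport, dport):
            if policy.spp_mode == "prevention":
                return "drop", "SPP ACL in Prevention Mode"
            return "report", "SPP ACL in Detection Mode: counted, not dropped"
    return "thresholds", "no ACL matched: handed to the SPP thresholds"


def sample_policy(spp_mode="detection"):
    """Constructed for the example; not a recommended configuration."""
    ssdp_reflection = {  # UDP source port 1900: SSDP reflection responses
        "protocol-type": "udp", "specify-source-port": "enable",
        "source-port-min": 1900, "source-port-max": 1900,
        "destination-port-min": 0, "destination-port-max": 65535,
    }
    return Policy(
        do_not_track=[("netmask", "203.0.113.10/32")],
        track_and_allow=[("range", "198.51.100.0", "198.51.100.127")],
        global_acls=[{"service": ssdp_reflection}],
        spp_acls=[{"enabled": True, "address": ("netmask", "192.0.2.0/24")}],
        spp_mode=spp_mode,
    )


if __name__ == "__main__":
    p = sample_policy()
    for pkt in [("203.0.113.10", "udp", 1900, 53), ("198.51.100.5", "udp", 1900, 53),
                ("192.0.2.7", "udp", 1900, 53), ("192.0.2.7", "tcp", 4444, 80)]:
        print(pkt, "->", disposition(p, *pkt))
```

Note what the sample shows: the Track and Allow range beats the always-on anti-reflection Global ACL, so a reflection flood sourced from a tracked partner address is never dropped, while the SPP ACL entry only reports in Detection Mode but drops in Prevention Mode.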

Creating ACLs is a two-step process:

  1. On the System > Address and Service page, create the address and service objects described below.
  2. Assign those objects to ACLs in the Global Protection and Service Protection Profile Access Control Lists.

Additional, more specialized ACLs are configured elsewhere:

  • Global Protection Blocklists for IPv4 and DNS Domains intended for large lists of IPs or FQDNs obtained from 3rd parties.

  • DNS Profile Resource Record ACLs for specialized DNS server protection applications

  • ICMP Profile ICMP Type/Code ACLs used to block specific Types and Codes

  • HTTP Profile ACLs for URLs, Hosts, Referers, Cookies and User Agents

To configure address and service objects, go to System > Address and Service and refer to the following table:

Object/Tab: Description

Address IPv4
Configure IPv4 address/netmask (down to a /32 host), IPv4 address ranges, and geolocation countries.

Address IPv4 Group
Configure groups of preconfigured Address IPv4 objects.

Address IPv6
Configure IPv6 address/netmask (down to a /128 host), IPv6 address ranges, and geolocation countries.

Address IPv6 Group
Configure groups of preconfigured Address IPv6 objects.

Service
Configure Service definitions including:

  • Layer 3 Protocol numbers and/or ICMP (which is also Protocol 1)

  • Layer 4 TCP, UDP, or both TCP and UDP Port numbers (Source and/or Destination Ports and Port ranges)

The system is pre-populated with 24 well-known UDP reflection ports that generally carry only malicious traffic. These can, for example, be grouped into an anti-reflection ACL. If you are unsure, let the system create Thresholds for these ports as normal; DDoS protection works without these ACLs.

Service Group
Groups preconfigured Services.

For example, if you know you see no valid traffic on the preconfigured UDP reflection ports, you can group them into a single Anti-UDP-Reflection-Group for use in Global or Service Protection Policy ACLs.

Address IPv4

You can create address objects to identify IPv4 addresses and subnets to use in the following ACLs:

  • Global Protection

    Note: Any ACL defined in Global Protection is “always on” – it will always drop matching packets and does not follow SPP Detection/Prevention Mode conditions.

  • Service Protection Policy ACL
  • TCP Profile Session Extended Source Address IPv4 (specialized applications — expert use only)

Before you begin:

  • You must have Read-Write permission for Global Settings.
To configure IPv4 addresses:
  1. Go to System > Address and Service > Address IPv4.
  2. Click Add to display the configuration editor.
  3. Complete the configuration as described in the following table.
  4. Save the configuration.

Setting: Description

Name
Configuration name. Must not contain spaces.

Type
Address Netmask: create an entry for a subnet using IP address/mask notation.
Address Range: create an entry for an address range using Address Range From and To.
Geo: create an entry for the address list belonging to a country or region.

To configure using the CLI:

config system address4
    edit <name>
        set type {ip-netmask|ip-range|geo}
        set ip-netmask <ip/mask>
        set ip-min <ip>
        set ip-max <ip>
        set country <string>
    next
end

The fields correspond to the GUI types: ip-netmask for Address Netmask, ip-min and ip-max for Address Range, and country for Geo.

Address IPv4 Group

Create an address group to include one or more address objects.

To configure an IPv4 Address Group:
  1. Go to System > Address and Service > Address IPv4 Group.
  2. Click Add to display the configuration editor.
  3. Complete the configuration and click Save.

To configure using the CLI:

config system addressgrp
    edit <name>
        set member-list <address1> <address2> …
    next
end

Address IPv6

You can create address objects to identify IPv6 addresses and subnets to use in the following ACLs:

  • Global Protection

    Note: Any ACL defined in Global Protection is “always on” – it will always drop matching packets and does not follow SPP Detection/Prevention Mode conditions.

  • Service Protection Policy ACL
  • TCP Profile Session Extended Source Address IPv4 (specialized applications — expert use only)

Before you begin:

  • You must have Read-Write permission for Global Settings.
To configure IPv6 addresses:
  1. Go to System > Address and Service > Address IPv6.
  2. Click Add to display the configuration editor.
  3. Complete the configuration and click Save.

To configure using the CLI. The IPv6 address object follows the same pattern as address4; the command and field names below are inferred from that pattern and from the addressgrp6 naming, so confirm them against the CLI Reference for your firmware version:

config system address6
    edit <name>
        set type {ip-netmask|ip-range|geo}
        set ip-netmask <ip6/prefix>
        set ip-min <ip6>
        set ip-max <ip6>
        set country <string>
    next
end

Address IPv6 Group

To configure an IPv6 Address Group:
  1. Go to System > Address and Service > Address IPv6 Group.
  2. Click Add to display the configuration editor.
  3. Complete the configuration and click Save.

To configure using the CLI:

config system addressgrp6
    edit <name>
        set member-list <address ipv6> <address ipv6> …
    next
end

Service

You configure service objects to identify the services that you want to match in SPP ACL or Global ACL policies.

Before you begin:

  • You must have Read-Write permission for Protection Profile settings.
To configure service objects:
  1. Go to System > Address and Service > Service.
  2. Review the built-in services.
  3. Click Add to display the configuration editor.
  4. Select the Protocol type and set the protocol ID.
  5. Complete the configuration and click Save.

To configure using the CLI:

config system service
    edit <name>
        set protocol-type {ip|icmp|tcp|udp|tcp-and-udp}
        set specify-source-port {enable|disable}
        set source-port-min <0-65535>
        set source-port-max <0-65535>
        set destination-port-min <0-65535>
        set destination-port-max <0-65535>
    next
end

The source-port-min and source-port-max criteria apply only when specify-source-port is enabled.

Service Group

To configure a Service Group:
  1. Go to System > Address and Service > Service Group.
  2. Click Add to display the configuration editor.
  3. Complete the configuration and click Save.

To configure using the CLI:

config system servicegrp
    edit <name>
        set member-list <service1> <service2> …
    next
end
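Typing many Service objects by hand is error-prone, so here is an added example (written for this page, not Fortinet tooling) that renders the config system service and config system servicegrp stanzas shown above for an anti-reflection group. The port selection is a small constructed list and is not the appliance's pre-populated list of 24 ports; the objects match on the UDP source port because reflection responses arrive from the reflector's service port, and object names are checked against the no-spaces rule for Name.

```python
# Added example, not Fortinet tooling: render FortiDDoS CLI for Service objects
# and a Service Group, using the stanza syntax shown on this page.
# The port selection is constructed for the example; it is NOT the appliance's
# own list of pre-populated UDP reflection ports.

REFLECTION_SERVICES = {  # name -> (protocol-type, port); hypothetical selection
    "svc-udp-chargen": ("udp", 19),
    "svc-udp-ssdp": ("udp", 1900),
    "svc-udp-memcached": ("udp", 11211),
}

PROTOCOL_TYPES = {"ip", "icmp", "tcp", "udp", "tcp-and-udp"}


def check_name(name):
    """Object names must not contain spaces (the page's rule for Name)."""
    if not name or " " in name:
        raise ValueError(f"invalid object name {name!r}")
    return name


def check_port(port):
    if not 0 <= port <= 65535:
        raise ValueError(f"port {port} out of range 0-65535")
    return port


def service_stanza(name, protocol_type, port, match_source_port):
    """One 'edit' block for config system service.
    match_source_port=True pins the SOURCE port (reflection responses come from
    the reflector's service port) and leaves the destination range wide open;
    False pins the DESTINATION port, the usual way to describe a server service."""
    if protocol_type not in PROTOCOL_TYPES:
        raise ValueError(f"unknown protocol-type {protocol_type!r}")
    check_name(name)
    check_port(port)
    lines = [f"    edit {name}", f"        set protocol-type {protocol_type}"]
    if match_source_port:
        lines += [
            "        set specify-source-port enable",
            f"        set source-port-min {port}",
            f"        set source-port-max {port}",
            "        set destination-port-min 0",
            "        set destination-port-max 65535",
        ]
    else:
        lines += [
            "        set specify-source-port disable",
            f"        set destination-port-min {port}",
            f"        set destination-port-max {port}",
        ]
    lines.append("    next")
    return lines


def render_anti_reflection(services, group_name, match_source_port=True):
    """Full CLI text: every service object, then the group that lists them."""
    check_name(group_name)
    out = ["config system service"]
    for name, (proto, port) in services.items():
        out += service_stanza(name, proto, port, match_source_port)
    out += ["end", "", "config system servicegrp", f"    edit {group_name}",
            "        set member-list " + " ".join(services), "    next", "end"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_anti_reflection(REFLECTION_SERVICES, "Anti-UDP-Reflection-Group"))
```

Paste the output into the console, then reference the group from a Global or SPP ACL (step 2 of the two-step process above). Use a Global ACL only once you are sure the ports never carry legitimate traffic, since a Global ACL drops regardless of SPP mode.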

ACL Search

Select ACL Search and enter an IPv4 or IPv6 Address in the search field, then click on the magnifying glass icon.

The response lists all places where that address is entered in an Access Control List, including:

  • Track Policy

    • Track and Allow

    • Do Not Track

  • Global ACLs

    • Netmask, Range, Geolocation, Group objects in an Access Control List

  • Blocklist

    • Blocklisted IPv4 (files or manual entries)

  • SPP ACLs

    • Address (includes Netmask, Range, Geolocation objects) and Group

    • SPP ACLs show

      • Enable/Disable status of the ACL

      • Current Detection/Prevention Mode of the SPP

  • Global Proxy IP List

    • While not strictly an ACL, the Proxy IP list identifies IPs that should:

      • Always be treated as Proxies (enabled in Search response table)

      • Never be treated as Proxies (disabled in Search response table)

Some ACLs have additional conditions in the response table. You can only search for individual IPv4 and IPv6 addresses, but the response will indicate if that address is part of a larger subnet ACL.

FortiDDoS does not cross-check Global, Blocklist, and SPP ACLs against each other, so the same address can appear in several lists with different effects. ACL Search lets you confirm that an address is only listed where it is needed and avoid such conflicts. Global and Blocklist ACLs are always on: they drop matching packets even when the SPP is in Detection Mode. SPP ACLs drop matching packets only in Prevention Mode and only report them in Detection Mode, which is generally useful for troubleshooting.
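ACL Search answers "where is this address listed", but the conflict reasoning is still yours. The following added example (written for this page, not FortiDDoS code) models that search over a constructed object inventory: it reports each list an address appears in, whether the match is an exact host entry or a wider subnet or range, whether the entry is always-on or follows the SPP mode, and flags the combinations a practitioner should notice, namely a Track Policy entry that silently pre-empts a block entry, and a Global or Blocklist entry that makes an SPP ACL entry dead. Object names, addresses and SPP names are constructed; geolocation objects are omitted.

```python
# Added example, not FortiDDoS code: an offline model of ACL Search plus the
# cross-checks the appliance does not perform. Inventory entries below are
# constructed for the example.
import ipaddress

TRACK_LISTS = {"Do Not Track", "Track and Allow"}
ALWAYS_ON = {"Global ACL", "Blocklist"}


def containment(entry, ip):
    """entry is ('netmask', cidr) or ('range', lo, hi).
    Returns 'exact' for a single-host entry, 'wider' for a larger subnet/range, else None."""
    ip = ipaddress.ip_address(ip)
    if entry[0] == "netmask":
        net = ipaddress.ip_network(entry[1], strict=False)
        if ip not in net:
            return None
        return "exact" if net.num_addresses == 1 else "wider"
    lo, hi = ipaddress.ip_address(entry[1]), ipaddress.ip_address(entry[2])
    if not lo <= ip <= hi:
        return None
    return "exact" if lo == hi else "wider"


def acl_search(inventory, ip):
    """One row per list entry that contains ip, mirroring the search response table."""
    rows = []
    for item in inventory:
        how = containment(item["entry"], ip)
        if how is None:
            continue
        row = {"list": item["list"], "object": item["object"], "match": how}
        if item["list"] in ALWAYS_ON:
            row["effect"] = "drop, regardless of SPP mode"
        elif item["list"] == "SPP ACL":
            row["spp"] = item["spp"]
            row["enabled"] = item["enabled"]
            row["mode"] = item["spp_mode"]
            if not item["enabled"]:
                row["effect"] = "no effect (ACL disabled)"
            elif item["spp_mode"] == "prevention":
                row["effect"] = "drop (Prevention Mode)"
            else:
                row["effect"] = "report only (Detection Mode)"
        else:
            row["effect"] = "never dropped"
        rows.append(row)
    return rows


def conflicts(rows):
    """Warnings that ACL Search leaves to the operator."""
    lists = {r["list"] for r in rows}
    warnings = []
    blocks = lists & (ALWAYS_ON | {"SPP ACL"})
    if lists & TRACK_LISTS and blocks:
        warnings.append("a Track Policy entry pre-empts the block entries; they never fire")
    if lists & ALWAYS_ON and "SPP ACL" in lists:
        warnings.append("a Global/Blocklist entry pre-empts the SPP ACL entry; it never fires")
    if lists >= TRACK_LISTS:
        warnings.append("listed in both Do Not Track and Track and Allow; Do Not Track wins")
    return warnings


def sample_inventory():
    """Constructed for the example."""
    return [
        {"list": "Track and Allow", "object": "partner-net",
         "entry": ("range", "198.51.100.0", "198.51.100.127")},
        {"list": "Global ACL", "object": "bad-net",
         "entry": ("netmask", "198.51.100.64/26")},
        {"list": "Blocklist", "object": "manual",
         "entry": ("netmask", "192.0.2.99/32")},
        {"list": "SPP ACL", "object": "spp-block", "entry": ("netmask", "192.0.2.0/24"),
         "spp": "SPP-web", "enabled": True, "spp_mode": "detection"},
    ]


if __name__ == "__main__":
    inv = sample_inventory()
    for ip in ("198.51.100.70", "192.0.2.99", "192.0.2.10"):
        rows = acl_search(inv, ip)
        print(ip, rows, conflicts(rows))
```

In the sample, 198.51.100.70 is both tracked-and-allowed and inside a Global ACL subnet, so the block never fires; 192.0.2.99 is blocklisted and also covered by an SPP ACL whose entry is therefore dead. Neither situation is reported by the appliance itself.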
