Fortinet white logo
Fortinet white logo

Handbook

What's New in FortiDDoS 6.x

What's New in FortiDDoS 6.x

6.6.0

FortiDDoS 6.6.0 offers the following new features:

GUI updates

The following updates were made to the FortiDDoS-F GUI.

Service Protection:

  • Ability to edit Service Protection Profiles (IP, TCP, DNS, etc.) from within the Service Protection Policy page is added.

  • Implemented automatic matching between the time period selected in the SPP Threshold Setting tab and the Generate Statistics panel, reducing possible errors.

Address and Service:

  • Search function is added to find IP addresses within Global and SPP ACLs

Top Attacks:

  • A fixed header is added to Traffic Monitor Graphs and Dashboard > Top Attacks pages, providing easier navigation when scrolling down the page.

  • Additional parameters are shown on the Top Attacks page that allow direct linking to associated graphs.

FortiView

  • FortiView Countries and Attacks graphs are changed to look like Monitor graphs, with similar controls.

Log & Report:

  • The Attack Log and Event Log pages default to display 50 logs, with additional choices of 100 and 150.

  • System automatically generates an event log when CPU, RAM or Log Disk exceeds 90% capacity.

Monitor:

  • The Maximum Adaptive Threshold is added to display on scalar graphs. This helps to identify when the graph parameter is a scalar and also assists with understanding the Threshold used to begin mitigation, which is the higher value between the System Recommended Threshold (threshold on the graph) and the dynamic Adaptive Threshold)

  • User input validation is added to graphs for TCP and UDP port numbers, ICMP Type and Code ranges, HTTP URL, Hosts, Referers, Cookies, User Agents, DNS Rcodes.

Support for RADIUS VSAs and TACACS+ Custom Attributes
  • This release has added support for RADIUS VSAs and TACACS+ Custom Attributes.

Increased Syslog Support
  • This release has added support for RFC 5424 and FortiAnalyzer OFTP syslog formats.

FQDN Proxy tunneling
  • Proxy tunneling for FortiGuard updates has added support for proxies that require FQDNs.

Daily Config backup and Debug enhancements
  • Daily Config backup and Debug file upload has added support for SFTP and server path (folders).

Success/ failure Log implementation
  • Under Log Access > Logs, an event log is added for cases of configuration restore failure.

  • Event Logs are also added for success/failure of the Daily Config Backup function.

Geolocation updates
  • Geolocation Country/subnet info for ACLs and label info for FortiView Country graphs are dynamically downloaded from FortiGuard for more accuracy. No subscription is required.

CLI upgrades
  • CLI Error messages are improved with explanation after code.

  • Flowspec ACL output are able to be retrieved via CLI. Contact Fortinet Customer Service & Support for assistance.

KVM deployment enhancements
  • Formatlogdisk is shifted from manual to automated. This increases the deployment time by 10 minutes.

  • SPP-1 is created during deployment. Other SPPs must still be created by the user.

SPP identification update
  • In the Debug zip file and Attack log file, SPP ID numbers are replaced with the SPP name.

Default idle timeout decrease
  • The default user idle timeout is lowered from 30 minutes to 5 minutes for improved security. Admins can adjust this idle time from 1-480 minutes.

Process speed enhancements
  • The time to apply IVP4 and Domain Blocklists is reduced.

Event Log refinements
  • The checkbox for "IP Reputation Update" in the event log is no longer necessary and has been removed. Instead, the "Update event" checkbox is amended to include updates for IP Reputation, Domain Reputation, and Geolocation databases.

TCP DNS Query improvements
  • TCP DNS Queries that contain more than one question are no longer allowed, even if the rate does not exceed the QDCount Threshold. Attempts to run multiple DNS queries within a single TCP session are blocked.

REST-API
  • REST-API supports calls to access Flowspec attack data for integration with external software components.

6.5.0

FortiDDoS 6.5.0 offers the following new features:

GUI enhancements

FortiDDoS-F has refreshed the GUI pages to include new graphs with better tool-tip readability, improved navigation, and various minor field length and fixes.
Note: In 6.6.1, Logarithmic Y-axis selection will not show correct index numbers. Use the tool-tip to see actual traffic or drop numbers instead.

GUI and Graph updates

The following updates were made to the FortiDDoS-F GUI and graphs.

Dashboard Status:

  • Interface and SPP Graphs will now show one behind the other (not stacked as in 6.4.1) so the ingress/egress differential is immediately viewable.

All Graphs:

  • Sub-graphs can now be highlighted by rolling the cursor over the label, and be hidden by clicking on the label.
  • Splining (curves) can now be removed to show each reporting point more accurately.

Top Attacks:

  • A new table has been added for UDP Reflection (Source) Ports, separating that reporting from UDP (Destination) Port Floods.
  • From the Top Attacks page, you can now link directly to applicable Monitor graphs from 5 tables.
    Note: Users must still enter the final Protocol, Port, and Type/Code parameters manually on the graph.

FortiView Threat Map:

  • The FortiView Threat Map has been removed since it was providing little useful information.

Most settings and log pages:

  • Minor changes have been made to most settings and log pages, including changes to options, filters, download, and/or scrolling.
New System Recommended Thresholds
  • System Recommended Thresholds for various DNS TCP Thresholds will now be set at 2x the Threshold for UDP Thresholds. During learning, TCP traffic is usually minimal resulting in very low Thresholds. Then, under attack, when FortiDDoS uses TC=1 validation and the client/recursive server responds correctly with TCP packet, the TCP Thresholds are crossed prematurely leading to false-positive drops. Increasing the TCP Thresholds has virtually no impact on DNS Query flood mitigation.
  • New DNS Query per Source Traffic Statistics and System Recommended Thresholds have been added. Previously this was a manual entry.
Geolocation updates
  • A new IPv6 Geolocation has been added.
  • Geolocation ACLs (IPv4 and IPv6) can now be added to SPPs.

SPP Policy List enhancements

The SPP Policy List now includes a display of all the SPP feature Profiles included with the Policy.

Service Protection Policy ACL List updates

Updates have been made to the re-ordering/deleting functions for the Service Protection Policy ACL list:

  • Placing the tool-tip in the Name field will now show a directional cursor to move the ACL up or down in the list.
  • There are no longer various icons in the right-most column.
  • To delete, highlight a row or shift-click to highlight multiple rows and Delete.
  • To edit, double-click the row.
  • To copy, click a row then clone it.
Two Factor Authentication support for RADIUS

FortiDDoS-F now supports Two-Factor Authentication (2FA) for RADIUS remote authentication.

Remote password authentication support for CLI users

CLI users can now use remote password authentication (RADIUS, LDAP, TACACS+). CLI remote users must have a local username on FortiDDoS with a super-admin Profile.

New DNS features

The following DNS features have been added:

  • DNS Proxy validation for users not accepting TCP Queries.
  • Support for DNS Dynamic Updates.
  • Support for DNS Known Opcode Anomalies.
  • Support for DNS Resource Record ACLs only under flood.
Anomaly tracking updates

Changes have been made to Anomaly tracking which will improve traffic statistics and Threshold for Most Active Source and Ports Thresholds, among others.

Packet capture support from Management Ports

You can now packet capture from Management Ports.

Debug file improvements

Debug file is now split into 2 files:

  • Customer file includes the system config, 100k Attack Logs, 25k Event Logs, List of Protected Subnets, all Thresholds per SPP and a list of SPPs including all feature Profiles per SPP and Service Ports for UDP, HTTP, SSL/TLS, DTLS and QUIC.
  • Debug file for developers (including the Customer file).

Removed debug files from previous releases:

  • The debug files from previous releases have been removed from the debug file when the system firmware is upgraded. This reduces the size of the debug file and removes files that are no longer relevant to the current Release.

Progress indication added for debug file creation:

  • When creating a debug file, the progress can now be indicated through the Save Debug button which will dim and display a rotating "spinner".
Dashboard License Information and System FortiGuard page enhancement

Additional icons have been added to the Dashboard License Information and System FortiGuard page to aid in understanding FortiCare registration and FortiGuard subscriptions.

New CSV download function for DDoS Attack logs

You can now download DDoS Attack logs as CSV files. Up to 100,000 Attack logs can be downloaded.

Drop log enhancement

Attackers can use Queries with legitimate FQDNs but incorrect RR requests to avoid various response-rate-limiting schemes on DNS servers. A good FQDN with a bad RR Query gets a good (Rcode=0) Response with an empty NODATA Answer section (no IP address and Answers=0). For legitimate traffic this indicates that the FQDN is good but there is no such RR information on the server. Attackers can then use this response/reflection to defeat NxDomain Thresholds and other mitigations. To protect against such scenarios, FortiDDoS-F drop logs will now show events specifically for LQ FQDN matches without RR matches: DNS LQ: UDP Query flood due to Negative Response.

FortiView updates

The following updates have been made to FortiView:

  • The SPP graph has been moved to the Traffic Monitor section of the menu.
  • The Countries graph now shows only geolocation of TCP established connections, so spoofed UDP, SYNs, etc., do not provide false information.
  • Graph periods from 1-hour to 1-year now match all other system graphs.
  • The Countries and Attacks tables have been removed since the data provided (passed and dropped traffic of the full graph period) was not useful for understanding DDoS.
Improvements to Event logs for FortiGuard updates

The Event logs for FortiGuard updates have been improved to include the description of actions taken, such as "Completed FortiGuard Update", "IP Reputation DB download: is successful", and "Geolocation DB download: is successful".

Access Control List policy update

To avoid confusion, any Global Protection > Access Control List policy that is configured but disabled will no longer be shown in the Monitor > Global > ACL Drops > ACL Rule Drops.

Global ACL update

When a Global ACL is created, drops associated with it are shown on the Global ACL Aggregate graph and on the ACL graph when the correct ACL is selected from the drop-down menu. However, when the ACL is disabled or deleted, the ACL name will not be available on the drop-down menu. The drops will still show on the aggregated graph. If an ACL is deleted and later a new ACL is created, drops from an old, deleted ACL may show on the ACL graph for the new one. This is related to the way the system selects ACL ID numbers (1-1024).

New CLI command execute recover-gui

You can now use the execute recover-gui CLI command to restart cmdbsvr, restapi and nginx for troubleshooting purposes.

Added Explicit VPP restart Event log

An explicit Virtual Packet Processing (VPP) engine restart Event log has been added. While VPP restarts are rare, the event log is added to confirm without needing the debug file.

Merge Traffic Statistics for HA systems

For HA systems on separate ISP legs of a network with balanced traffic, a method is provided to merge Traffic Statistics from the Secondary to the Primary to allow Threshold setting and synchronization.

Security certificates with password files

FortiDDoS-F now supports security certificates with password files.

6.4.1

FortiDDoS 6.4.1 offers the following new features:

International Domain Names support

International Domain Names (IDN/Unicode text) will now be supported in DNS tables, including Allowlist, LQ, TTL, Cache, Duplicate Query, DQRM, and DNSSEC Message Type Match.

Note: Regex ACLs do not work with unicode text as regex cannot convert unicode to punycode for comparison.

Shell security access enhancement

Admin users can now set allowed shell access, password, and duration of the access from the CLI.

DTLS Content Types 25 and 26 support

FortiDDoS now supports DTLS Content Types 25 and 26. Please note that while the IANA TLS Registry shows "TLS" Content Types 25 and 26, the RFCs associated with those are specific to DTLS only.

6.4.0

FortiDDoS 6.4.0 offers the following new features:

New options added to the DNS profile
  • Domain Reputation includes Malicious URLs, Botnet Domains and (new) Bitcoin Mining Domains.
  • Options When No Cache Match now include Force TCP, Forward to Server and (new) Drop.

Enhancement to Dashboard > Status > System Information Panel

For appliances, the Dashboard > Status > System Information Panel now allows you to toggle the bypass ports between inline and bypass by clicking the Bypass Status information.

Enhancements to Dashboard widgets and panels

Most Dashboard widgets and panels can now be pinned to show additional information and expanded to full screen for easier viewing.

QUIC support
  • New QUIC Profile which includes Anomaly checks and two handshake checks (Reflection Deny usable only with symmetric Traffic).

  • New QUIC Thresholds and graphs for Initial Request, that include Request Initial packet rate Threshold, Request Initial packet per Source Threshold, and Response Initial packet rate Threshold.

  • Dashboard > Data Path Resources now includes table occupancy for QUIC sessions.

Reports improvements
  • You can now generate reports per SPP or any group of SPPs.

  • Report periods now range from 1 hour to 1 year.

  • You can now generate a report when a drop threshold is exceeded. The report will be for the previous 5 minutes regardless of the selected Report Period. Multiple Reports with different drop thresholds are allowed.

Enhancement DDoS Attack Log

The Log and Report > Logs > DDoS Attack Log has moved the Direction and SPP filters outside of the "Add Filter" menu for easier selection.

Enhancement to Anomaly Drop Graphs

The Monitor > Drops Monitor > SPP > Anomaly Drop Graphs now shows directionality for all graphs except for Aggregate graphs.

FORTINET-CORE-MIB and FORTINET-FORTIDDOS-MIB support

From 6.4.0 onward, the FORTINET-CORE-MIB and FORTINET-FORTIDDOS-MIB will now be included in the build and FortiCare download folders.

HTTP flow improvements

Current HTTP packets can be very long due to client cookies, resulting in truncated (segmented/fragmented) packets. FortiDDoS has now changed the way it detects HTTP flows so that Anomalies for Known Methods, Unknown Methods and Version are detected on the HTTP flow and not packet by packet. HTTP Incomplete Request Action should remain "None" since FortiDDoS cannot determine where the correct message end string is in multi-packet flows.

Enhancements to LDAPS/STARTTLS

LDAPS/STARTTLS now has additional support for CLI logins.

New CLI command: execute restapi-restart

The new CLI command execute restapi-restart is introduced to resolve reported issues of the GUI "freezing" on the login screen after a successful login.

6.3.3

FortiDDoS 6.3.3 offers the following new features:

  • DQRM timer is changed to improve performance.

6.3.2

FortiDDoS 6.3.2 offers the following new features:

Improvement to transceiver information for CLI

The transceiver information has been improved for the CLI commands get transceiver status and get transceiver status portx.

6.3.1

FortiDDoS 6.3.1 offers the following new features:

Top Attacks usability improvements

Dashboard > Top Attacks header for Direction, Time Period and SPP stays visible as you scroll down the page.

Attack logs for Global ACL Rules usability improvements

The Global Deny Rule log entries in the Attack log now show the rule name in the Event Details.

Dashboard enhancements
  • The Detection/Prevention Mode status of all configured Service Protection Profiles (SPPs) will now be displayed on a single panel on the Dashboard.
  • Improvements have been made to the System Resources Panel.
  • The Dashboard layout has been improved to enhance usability.

6.3.0

FortiDDoS 6.3.0 offers the following new features:

DNS Profile enhancements
  • Added FQDN Allow/Blocklist file upload, manual entry, and regex entries.

  • FortiDDoS-F now supports DNS "0x20" mixed case FQDNs.

New DNS Header Anomaly

Incomplete DNS can now be used to block non-DNS traffic to Port 53.

DNSSEC enhancements

FortiDDoS-F has added DNSSEC inspection, anomaly and mitigation options.

UDP Service Ports monitor

User-entered UDP Service Ports over 9999 are now monitored for possible reflection floods.

New graphs and tables on FortiGate Security Fabric Dashboard

FortiDDoS-F now supports the following graphs and tables on FortiGate Security Fabric Dashboard: System Information, Data Path Resources, Aggregate Drops and Top Attacks.

SSL/TLS traffic inspection

FortiDDoS-F 1500F can now inspect SSL/TLS traffic for all HTTP Anomalies and Thresholds. Proper SSL Certificates are required.

Note: This is experimental in 6.3.0 and performance has not been confirmed.

LDAP, RADIUS, TACACS+ remote password authentication

LDAP, RADIUS, TACACS+ remote password authentication is now available with local username, profile and trusted hosts settings. This now supports GUI, CLI and Console logins.

TCP Profile enhancement

TCP Profile now adds Foreign Packet Threshold when Foreign Packet Validation is enabled.

New IP Reputation options

Added Phishing, Spam and TOR (exit nodes) Categories to IP Reputation options.

Debug enhancements
  • Debug file now has CUSTOMER folder which includes: Config, Attack logs, Thresholds, Protection Subnets list (event log in MySQL format to be improved in a later release). Do not use Offline Analysis file.

  • Additional debug logs are added for SNMP.

Packet Capture enhancements

Additional packet capture options are now available.

System time change in Event Log

An Event Log is now added when admin changes system time.

Out of Memory (OOM) conditions

Out of Memory (OOM) conditions are optionally set to pass traffic (bypass - default) or block packets. Please see documentation for conditions that may result in OOM drops.

New RRD troubleshooting and repair CLI commands

Additional RRD troubleshooting and repair CLI commands are now available.

execute create-spp-rrd spp_id 15 among others

check_stale_rrd_files

New User (admin) options

Additional menu items added to the User (admin) drop-down in the GUI:

  • System: Reboot / Shutdown

  • Configuration Backup / Restore

  • Change Password

GUI enhancements
  • Additional special characters are allowed for admin users: a-Z -9_.-*@.

  • Data Port Speed and Duplex settings are shown on Network > Interface page.

  • Global ACL names are included in graphs.

  • Enabled/Disabled status of Global and SPP ACLs is displayed in ACL lists.

  • Variable column widths and text wrapping is added to Dashboard > Status > Top Attacks panel, for improved readability of attack events.

  • Link speed addition to Network GUI.

  • Bypass status icon and inline/bypass text is added to the Dashboard > Status > System Information panel.

  • Filter conditions for several parameter lists (ACLs, Network Ports, etc.) are improved.

  • Network > Interface list can be filtered by Link Status and Config Status (for Port-Pairs and Ports).

  • Improved GUI for System >SNMP > v1/v2/v3.

  • A spinning "loading" icon is shown when the system is building list pages, such as Attack Logs.

  • For most column based lists, clicking the settings () icon in the list header allows the user to customize the columns shown.

  • Dashboard > SPP adds a column for SPP Status (Enable/Disabled).

6.2.1

FortiDDoS 6.2.1 offers the following new features:

New CLI commands
  • get system performance to check the CPU, memory, and disk usage.
    This command shows the system resources and matches the GUI Dashboard > Status > System Resources panel. The traditional Linux top command does not provide accurate information for DPDK processors, so you can use the get system performance command to enable the Dashboard and Event Logs to match.

  • diagnose debug rrd_files_check to diagnose SPP RRD numbers.
    Use execute spp-rrd-reset spp <rule_name> to reset databases that fail the rrd_files check.
    Use execute rrd-reset All to reset all databases.

Support to connect VM console

FortiDDoS VM now supports a console port with both VMware and KVM.

New SPP Operation Mode column in the Protected Subnets list

In the Service Protection > Protection Subnets list, columns have been added for Inbound and Outbound Operation Mode (Detection/Prevention).

SPP Navigation from inside FortiView > SPP detail page

You can now navigate between SPPs while in the Service Protection > Service Protection Policy page.

SPP added to Dashboard > Status > Attack Logs widget

The Dashboard Attack Logs panel now shows the SPP associated with the drop/attack log.

Match VM Model Release information with appliances

FortiDDoS model number (VM04/VM08/VM16) is shown in top header bar.

6.2.0

FortiDDoS 6.2.0 offers the following new features:

  • SYN/ACK Scalar Thresholds for asymmetric traffic. With asymmetric traffic, FortiDDoS normally needs to assume an inbound SYN/ACK represents the response from an unseen outbound SYN and creates a connection table entry. This leaves the system/user open to advanced SYN/ACK floods. In 6.2.0 the following Thresholds are visible only when the system is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled:
    • SYN/ACK - aggregate rate of all SYN-ACKs into the SPP Protected Subnets
    • SYN/ACK per Destination - maximum rate of SYN-ACKs to any single destination in the SPP Protected Subnets
    Note:
    • SYN/ACK Thresholds are not automatically learned and System Recommendations are not created. Use the above graphs to calculate peak rates and create manual thresholds.
    • here is no Adaptive Threshold for these Scalars.
    • These thresholds function on INBOUND traffic only.
  • DTLS Profile is added to Service Protection Policies. Use DTLS to prevent DTLS direct and reflection attacks on all services.
  • Possible UDP Reflection Flood is added from B/E-Series with similar functionality. Any drops associated with UDP Port Thresholds FROM Ports 1-9999 are shown in the attack logs as Possible UDP Reflection Floods. This protects from and identifies any of the more than 30 currently known UDP reflection ports like 19, 111, 389, etc. as well as identifying future reflections on any port lower than 10,000. FortiDDoS F-Series does no support UDP Service ports in 6.2.0.
  • System Recommendation now has an option to use actual outbound traffic statistics for outbound thresholds or set all outbound thresholds to system maximum (default and recommended).
  • Treatment of Global ACLs changes with a dedicated "SPP" for all kinds of Global ACLs. New items added for:
    • Dashboard > Top Attacks > Global: Global ACL Attack table
    • Monitor > Drops Monitor >Global: Graphs of Global Aggregate and ACL Rule Drops
    Note: Global ACLs always drop identified packets and do not follow Detection/Prevention settings per SPP.
  • A Protection Subnets List GUI page is added to list all Protection Subnets for all SPPs and the Detection Mode/Prevention Mode status of the SPP hosting the protection Subnet. Protection Subnets cannot be edited from this page
  • Blocklisted IPv4 and Blocklisted Domains UI’s have been improved to include showing the number of addresses/Domains applied, last update date, add and delete individual addresses/Domains and search for an address/Domain in the lists.
  • Navigation is available between Service Protection Policies when in the SPP editing pages.
  • FortiGuard scheduled updates are changed to Daily or Weekly only. More frequent updates were not providing additional information.
  • Reboot and Shutdown commands are added to the top-right user logout menu.
  • The Domain Reputation attack log event has been separated from the Domain Blocklist event.
  • FortiView Threatmap improves time-period selection for display
  • Additional tool-tip date and time information is available on longer-period graphs (week/month/year).
  • Added CLI command to restart nginx (GUI)
  • Added CLI command get bypass-status to show inline/bypass status of associated ports.
  • Added CLI command diagnose dataplane geo-ip <IPv4 address(no mask)>. This allows user to check within which geolocation a specific IPv4 address is located.
  • Labeling, graph units, borders, field sizes, event log, attack log and tool tip information and other improvements added throughout the GUI.

6.1.0

FortiDDoS-F 6.1.0 is built on the feature base of FortiDDoS-F B/E-Series with these notable additions:

  • VM support in VMware hypervisor environments
  • NTP from E-Series on all models
  • Additional SSL DDoS Mitigation settings
  • 16x SPPs in1500F
  • The System Recommendation changes from 5.4.0 (Separate L4 Scalars/ICMP / TCP Ports / UDP Port) are included
  • DNS Rcode Scalars are included in Traffic Statistics and System Recommendation
  • Split System Recommendation for Layer 4 Scalars/ICMP, TCP Ports and UDP Ports included from B/E 5.4.0
  • Common UDP Source Reflection Ports are pre-populated in Global Service definitions for use with Global or SPP ACLs
  • Service port definitions support Source Port or Destination Port. Source Port ACLs are very useful for permanently blocking kown UDP reflection ports.
  • IP Address / Subnets definitions are created in the System menu and then assigned to Global or SPP ACLs, reducing multiple entries.
  • Bogons IPs and/or Multicast IPs can be ACLed with option selection in any SPP.
  • SPPs replace feature tabs with multiple Profiles for IP, ICMP, TCP, HTTP, SSL/TLS, NTP and DNS. One Profiles can be used by muliple SPPs or one SPP can use Multiple Profiles (TCP Detection and TCP Prevention, for example).
  • Source MAC address for aggressive aging is configurable per SPP, if needed
  • Strict Anomalies options are now included in several SPP Profile pages for Layer 2 to Layer 7 options.
  • Cloud Signaling Thresholds are entered in both pps and Mbps (crossing either triggers Signaling. Thresholds are now per SPP Policy (subnet).
  • Protection Subnets (subnets) are entered for each Service Protection Policy (SPP) instead of globally.
  • Explicit TCP thresholds are added for DNS Query, Question Count, Fragment, MX and ALL. B/E-Series has TCP Thresholds but they are hidden and the same as the UDP Thresholds.
  • IP Reputation and Domain Reputation are included in IP and DNS Profiles and thus are optional per SPP.
  • SSL/TLS Profile includes additional Cipher Anomaly option
  • tcpdump-style packet capture
  • Several formerly-global features such as IP Reputation are now set per SPP for better control
  • Additional Known Method Anomalies available
Removed/Changed/Deferred Features

B/E-Series Functionality not included in this release:

  • Support for FortiDDoS-CM Central Manager
  • Security Fabric Integration with FortiOS Dashboard
  • GTP-U support
  • Distress ACL nor Auto-Distress ACL
  • Multi-tenant support (SPP or SPP Policy Group)
  • Fewer files included in Offline analysis file
  • SPP Backup/Restore
  • Attack Reports are Global only and are on-demand or on-schedule only. Report periods are Last 7 Days, Last Month or Last year only. (Removed per-SPP, per-SPP Policy, per-SPP Policy Group reports, on-Threshold reports and some time periods)
  • REST API changes and requires documentation
  • Log & Report > DDoS Attack Graphs
  • SPP Policy Groups
  • Log & Report > Diagnostics
  • SPP-to-SPP Switching Policies
  • Restrict DNS Queries to specific subnets
  • System Recommendation Option for Actual or System Max Outbound Threshold (5.4.0)
  • Traffic Statistics Option for Peak or 95th Percentile Traffic (5.4.0)
  • Syslog RFC 5424 or Fortinet proprietary secure "OFTP" protocol (5.4.0)
  • CLI Commands for IP Reptution nor Domain Reputation updates (5.4.0)
  • Search for IP addresses within various ACLs (5.3.0)
VM limits
  • VMs do not support Fail-Open option. Fail-Open support will be determined by the underlying server
  • TCP Port Thresholds are calculated to 65,535 but Thresholds/Ranges are created for ports 1-1023 with one range for ports above 1023.
  • TCP Port Graphs display traffic and drops for Ports 1-1023. Port 1024 displays peak traffic rate for any port from 1024-65,535 and total drops associated with any of those ports. Attack logs show full port range 1-65,535.
  • UDP Port Thresholds are calculated to 65,535 but Thresholds/Ranges are created for 1-10,239 only with one range above that.
  • UDP Port Graphs display traffic and drops for Ports 1-10,239. Port 10,240 displays peak traffic rate for any port from 10,240-65,535 and total drops associates with any of those ports. Attack logs show full port range 1-65,535 as well as reflected attack drops from ports 1-9,999.
  • ICMP Type/Code Thresholds are calculated from 0-65,535 but Threshold/Ranges are created for 0-10,239 only. Indexes from 10,240 to 65,535 are included in one range.
  • ICMP Type/Code graphs show indexes from 0/0 to 39/255 with all others showing in 40/0. Attack logs will show drops for Types/Codes for all Types/Codes from 0/0 to 255/255.

What's New in FortiDDoS 6.x

What's New in FortiDDoS 6.x

6.6.0

FortiDDoS 6.6.0 offers the following new features:

GUI updates

The following updates were made to the FortiDDoS-F GUI.

Service Protection:

  • Ability to edit Service Protection Profiles (IP, TCP, DNS, etc.) from within the Service Protection Policy page is added.

  • Implemented automatic matching between the time period selected in the SPP Threshold Setting tab and the Generate Statistics panel, reducing possible errors.

Address and Service:

  • Search function is added to find IP addresses within Global and SPP ACLs

Top Attacks:

  • A fixed header is added to Traffic Monitor Graphs and Dashboard > Top Attacks pages, providing easier navigation when scrolling down the page.

  • Additional parameters are shown on the Top Attacks page that allow direct linking to associated graphs.

FortiView

  • FortiView Countries and Attacks graphs are changed to look like Monitor graphs, with similar controls.

Log & Report:

  • The Attack Log and Event Log pages default to display 50 logs, with additional choices of 100 and 150.

  • System automatically generates an event log when CPU, RAM or Log Disk exceeds 90% capacity.

Monitor:

  • The Maximum Adaptive Threshold is added to display on scalar graphs. This helps to identify when the graph parameter is a scalar and also assists with understanding the Threshold used to begin mitigation, which is the higher value between the System Recommended Threshold (threshold on the graph) and the dynamic Adaptive Threshold)

  • User input validation is added to graphs for TCP and UDP port numbers, ICMP Type and Code ranges, HTTP URL, Hosts, Referers, Cookies, User Agents, DNS Rcodes.

Support for RADIUS VSAs and TACACS+ Custom Attributes
  • This release has added support for RADIUS VSAs and TACACS+ Custom Attributes.

Increased Syslog Support
  • This release has added support for RFC 5424 and FortiAnalyzer OFTP syslog formats.

FQDN Proxy tunneling
  • Proxy tunneling for FortiGuard updates has added support for proxies that require FQDNs.

Daily Config backup and Debug enhancements
  • Daily Config backup and Debug file upload has added support for SFTP and server path (folders).

Success/ failure Log implementation
  • Under Log Access > Logs, an event log is added for cases of configuration restore failure.

  • Event Logs are also added for success/failure of the Daily Config Backup function.

Geolocation updates
  • Geolocation Country/subnet info for ACLs and label info for FortiView Country graphs are dynamically downloaded from FortiGuard for more accuracy. No subscription is required.

CLI upgrades
  • CLI Error messages are improved with explanation after code.

  • Flowspec ACL output are able to be retrieved via CLI. Contact Fortinet Customer Service & Support for assistance.

KVM deployment enhancements
  • Formatlogdisk is shifted from manual to automated. This increases the deployment time by 10 minutes.

  • SPP-1 is created during deployment. Other SPPs must still be created by the user.

SPP identification update
  • In the Debug zip file and Attack log file, SPP ID numbers are replaced with the SPP name.

Default idle timeout decrease
  • The default user idle timeout is lowered from 30 minutes to 5 minutes for improved security. Admins can adjust this idle time from 1-480 minutes.

Process speed enhancements
  • The time to apply IVP4 and Domain Blocklists is reduced.

Event Log refinements
  • The checkbox for "IP Reputation Update" in the event log is no longer necessary and has been removed. Instead, the "Update event" checkbox is amended to include updates for IP Reputation, Domain Reputation, and Geolocation databases.

TCP DNS Query improvements
  • TCP DNS Queries that contain more than one question are no longer allowed, even if the rate does not exceed the QDCount Threshold. Attempts to run multiple DNS queries within a single TCP session are blocked.

REST-API
  • REST-API supports calls to access Flowspec attack data for integration with external software components.

6.5.0

FortiDDoS 6.5.0 offers the following new features:

GUI enhancements

FortiDDoS-F has refreshed the GUI pages to include new graphs with better tool-tip readability, improved navigation, and various minor field length and fixes.
Note: In 6.6.1, Logarithmic Y-axis selection will not show correct index numbers. Use the tool-tip to see actual traffic or drop numbers instead.

GUI and Graph updates

The following updates were made to the FortiDDoS-F GUI and graphs.

Dashboard Status:

  • Interface and SPP Graphs will now show one behind the other (not stacked as in 6.4.1) so the ingress/egress differential is immediately viewable.

All Graphs:

  • Sub-graphs can now be highlighted by rolling the cursor over the label, and be hidden by clicking on the label.
  • Splining (curves) can now be removed to show each reporting point more accurately.

Top Attacks:

  • A new table has been added for UDP Reflection (Source) Ports, separating that reporting from UDP (Destination) Port Floods.
  • From the Top Attacks page, you can now link directly to applicable Monitor graphs from 5 tables.
    Note: Users must still enter the final Protocol, Port, and Type/Code parameters manually on the graph.

FortiView Threat Map:

  • The FortiView Threat Map has been removed since it was providing little useful information.

Most settings and log pages:

  • Minor changes have been made to most settings and log pages, including changes to options, filters, download, and/or scrolling.
New System Recommended Thresholds
  • System Recommended Thresholds for various DNS TCP Thresholds will now be set at 2x the Threshold for UDP Thresholds. During learning, TCP traffic is usually minimal resulting in very low Thresholds. Then, under attack, when FortiDDoS uses TC=1 validation and the client/recursive server responds correctly with TCP packet, the TCP Thresholds are crossed prematurely leading to false-positive drops. Increasing the TCP Thresholds has virtually no impact on DNS Query flood mitigation.
  • New DNS Query per Source Traffic Statistics and System Recommended Thresholds have been added. Previously this was a manual entry.
Geolocation updates
  • A new IPv6 Geolocation has been added.
  • Geolocation ACLs (IPv4 and IPv6) can now be added to SPPs.

SPP Policy List enhancements

The SPP Policy List now includes a display of all the SPP feature Profiles included with the Policy.

Service Protection Policy ACL List updates

Updates have been made to the re-ordering/deleting functions for the Service Protection Policy ACL list:

  • Placing the tool-tip in the Name field will now show a directional cursor to move the ACL up or down in the list.
  • There are no longer various icons in the right-most column.
  • To delete, highlight a row or shift-click to highlight multiple rows and Delete.
  • To edit, double-click the row.
  • To copy, click a row then clone it.
Two Factor Authentication support for RADIUS

FortiDDoS-F now supports Two-Factor Authentication (2FA) for RADIUS remote authentication.

Remote password authentication support for CLI users

CLI users can now use remote password authentication (RADIUS, LDAP, TACACS+). CLI remote users must have a local username on FortiDDoS with a super-admin Profile.

New DNS features

The following DNS features have been added:

  • DNS Proxy validation for users not accepting TCP Queries.
  • Support for DNS Dynamic Updates.
  • Support for DNS Known Opcode Anomalies.
  • Support for DNS Resource Record ACLs only under flood.
Anomaly tracking updates

Changes have been made to Anomaly tracking which will improve traffic statistics and Threshold for Most Active Source and Ports Thresholds, among others.

Packet capture support from Management Ports

You can now packet capture from Management Ports.

Debug file improvements

Debug file is now split into 2 files:

  • Customer file includes the system config, 100k Attack Logs, 25k Event Logs, List of Protected Subnets, all Thresholds per SPP and a list of SPPs including all feature Profiles per SPP and Service Ports for UDP, HTTP, SSL/TLS, DTLS and QUIC.
  • Debug file for developers (including the Customer file).

Removed debug files from previous releases:

  • The debug files from previous releases have been removed from the debug file when the system firmware is upgraded. This reduces the size of the debug file and removes files that are no longer relevant to the current Release.

Progress indication added for debug file creation:

  • When creating a debug file, the progress can now be indicated through the Save Debug button which will dim and display a rotating "spinner".
Dashboard License Information and System FortiGuard page enhancement

Additional icons have been added to the Dashboard License Information and System FortiGuard page to aid in understanding FortiCare registration and FortiGuard subscriptions.

New CSV download function for DDoS Attack logs

You can now download DDoS Attack logs as CSV files. Up to 100,000 Attack logs can be downloaded.

Drop log enhancement

Attackers can use Queries with legitimate FQDNs but incorrect RR requests to avoid various response-rate-limiting schemes on DNS servers. A good FQDN with a bad RR Query gets a good (Rcode=0) Response with an empty NODATA Answer section (no IP address and Answers=0). For legitimate traffic this indicates that the FQDN is good but there is no such RR information on the server. Attackers can then use this response/reflection to defeat NxDomain Thresholds and other mitigations. To protect against such scenarios, FortiDDoS-F drop logs will now show events specifically for LQ FQDN matches without RR matches: DNS LQ: UDP Query flood due to Negative Response.

FortiView updates

The following updates have been made to FortiView:

  • The SPP graph has been moved to the Traffic Monitor section of the menu.
  • The Countries graph now shows only geolocation of TCP established connections, so spoofed UDP, SYNs, etc., do not provide false information.
  • Graph periods from 1-hour to 1-year now match all other system graphs.
  • The Countries and Attacks tables have been removed since the data provided (passed and dropped traffic of the full graph period) was not useful for understanding DDoS.
Improvements to Event logs for FortiGuard updates

The Event logs for FortiGuard updates have been improved to include the description of actions taken, such as "Completed FortiGuard Update", "IP Reputation DB download: is successful", and "Geolocation DB download: is successful".

Access Control List policy update

To avoid confusion, any Global Protection > Access Control List policy that is configured but disabled will no longer be shown in the Monitor > Global > ACL Drops > ACL Rule Drops.

Global ACL update

When a Global ACL is created, drops associated with it are shown on the Global ACL Aggregate graph and on the ACL graph when the correct ACL is selected from the drop-down menu. However, when the ACL is disabled or deleted, the ACL name will not be available on the drop-down menu. The drops will still show on the aggregated graph. If an ACL is deleted and later a new ACL is created, drops from an old, deleted ACL may show on the ACL graph for the new one. This is related to the way the system selects ACL ID numbers (1-1024).

New CLI command execute recover-gui

You can now use the execute recover-gui CLI command to restart cmdbsvr, restapi and nginx for troubleshooting purposes.

Added Explicit VPP restart Event log

An explicit Virtual Packet Processing (VPP) engine restart Event log has been added. While VPP restarts are rare, the event log is added to confirm without needing the debug file.

Merge Traffic Statistics for HA systems

For HA systems on separate ISP legs of a network with balanced traffic, a method is provided to merge Traffic Statistics from the Secondary to the Primary to allow Threshold setting and synchronization.

Security certificates with password files

FortiDDoS-F now supports security certificates with password files.

6.4.1

FortiDDoS 6.4.1 offers the following new features:

International Domain Names support

International Domain Names (IDN/Unicode text) will now be supported in DNS tables, including Allowlist, LQ, TTL, Cache, Duplicate Query, DQRM, and DNSSEC Message Type Match.

Note: Regex ACLs do not work with unicode text as regex cannot convert unicode to punycode for comparison.

Shell security access enhancement

Admin users can now set allowed shell access, password, and duration of the access from the CLI.

DTLS Content Types 25 and 26 support

FortiDDoS now supports DTLS Content Types 25 and 26. Please note that while the IANA TLS Registry shows "TLS" Content Types 25 and 26, the RFCs associated with those are specific to DTLS only.

6.4.0

FortiDDoS 6.4.0 offers the following new features:

New options added to the DNS profile
  • Domain Reputation includes Malicious URLs, Botnet Domains and (new) Bitcoin Mining Domains.
  • Options When No Cache Match now include Force TCP, Forward to Server and (new) Drop.

Enhancement to Dashboard > Status > System Information Panel

For appliances, the Dashboard > Status > System Information Panel now allows you to toggle the bypass ports between inline and bypass by clicking the Bypass Status information.

Enhancements to Dashboard widgets and panels

Most Dashboard widgets and panels can now be pinned to show additional information and expanded to full screen for easier viewing.

QUIC support
  • New QUIC Profile which includes Anomaly checks and two handshake checks (Reflection Deny usable only with symmetric Traffic).

  • New QUIC Thresholds and graphs for Initial Request, that include Request Initial packet rate Threshold, Request Initial packet per Source Threshold, and Response Initial packet rate Threshold.

  • Dashboard > Data Path Resources now includes table occupancy for QUIC sessions.

Reports improvements
  • You can now generate reports per SPP or any group of SPPs.

  • Report periods now range from 1 hour to 1 year.

  • You can now generate a report when a drop threshold is exceeded. The report will be for the previous 5 minutes regardless of the selected Report Period. Multiple Reports with different drop thresholds are allowed.

Enhancement DDoS Attack Log

The Log and Report > Logs > DDoS Attack Log has moved the Direction and SPP filters outside of the "Add Filter" menu for easier selection.

Enhancement to Anomaly Drop Graphs

The Monitor > Drops Monitor > SPP > Anomaly Drop Graphs now shows directionality for all graphs except for Aggregate graphs.

FORTINET-CORE-MIB and FORTINET-FORTIDDOS-MIB support

From 6.4.0 onward, the FORTINET-CORE-MIB and FORTINET-FORTIDDOS-MIB will now be included in the build and FortiCare download folders.

HTTP flow improvements

Current HTTP packets can be very long due to client cookies, resulting in truncated (segmented/fragmented) packets. FortiDDoS has now changed the way it detects HTTP flows so that Anomalies for Known Methods, Unknown Methods and Version are detected on the HTTP flow and not packet by packet. HTTP Incomplete Request Action should remain "None" since FortiDDoS cannot determine where the correct message end string is in multi-packet flows.

Enhancements to LDAPS/STARTTLS

LDAPS/STARTTLS now has additional support for CLI logins.

New CLI command: execute restapi-restart

The new CLI command execute restapi-restart is introduced to resolve reported issues of the GUI "freezing" on the login screen after a successful login.

6.3.3

FortiDDoS 6.3.3 offers the following new features:

  • DQRM timer is changed to improve performance.

6.3.2

FortiDDoS 6.3.2 offers the following new features:

Improvement to transceiver information for CLI

The transceiver information has been improved for the CLI commands get transceiver status and get transceiver status portx.

6.3.1

FortiDDoS 6.3.1 offers the following new features:

Top Attacks usability improvements

Dashboard > Top Attacks header for Direction, Time Period and SPP stays visible as you scroll down the page.

Attack logs for Global ACL Rules usability improvements

The Global Deny Rule log entries in the Attack log now show the rule name in the Event Details.

Dashboard enhancements
  • The Detection/Prevention Mode status of all configured Service Protection Profiles (SPPs) will now be displayed on a single panel on the Dashboard.
  • Improvements have been made to the System Resources Panel.
  • The Dashboard layout has been improved to enhance usability.

6.3.0

FortiDDoS 6.3.0 offers the following new features:

DNS Profile enhancements
  • Added FQDN Allow/Blocklist file upload, manual entry, and regex entries.

  • FortiDDoS-F now supports DNS "0x20" mixed case FQDNs.

New DNS Header Anomaly

Incomplete DNS can now be used to block non-DNS traffic to Port 53.

DNSSEC enhancements

FortiDDoS-F has added DNSSEC inspection, anomaly and mitigation options.

UDP Service Ports monitor

User-entered UDP Service Ports over 9999 are now monitored for possible reflection floods.

New graphs and tables on FortiGate Security Fabric Dashboard

FortiDDoS-F now supports the following graphs and tables on FortiGate Security Fabric Dashboard: System Information, Data Path Resources, Aggregate Drops and Top Attacks.

SSL/TLS traffic inspection

FortiDDoS-F 1500F can now inspect SSL/TLS traffic for all HTTP Anomalies and Thresholds. Proper SSL Certificates are required.

Note: This is experimental in 6.3.0 and performance has not been confirmed.

LDAP, RADIUS, TACACS+ remote password authentication

LDAP, RADIUS, TACACS+ remote password authentication is now available with local username, profile and trusted hosts settings. This now supports GUI, CLI and Console logins.

TCP Profile enhancement

TCP Profile now adds Foreign Packet Threshold when Foreign Packet Validation is enabled.

New IP Reputation options

Added Phishing, Spam and TOR (exit nodes) Categories to IP Reputation options.

Debug enhancements
  • Debug file now has CUSTOMER folder which includes: Config, Attack logs, Thresholds, Protection Subnets list (event log in MySQL format to be improved in a later release). Do not use Offline Analysis file.

  • Additional debug logs are added for SNMP.

Packet Capture enhancements

Additional packet capture options are now available.

System time change in Event Log

An Event Log is now added when admin changes system time.

Out of Memory (OOM) conditions

Out of Memory (OOM) conditions are optionally set to pass traffic (bypass - default) or block packets. Please see documentation for conditions that may result in OOM drops.

New RRD troubleshooting and repair CLI commands

Additional RRD troubleshooting and repair CLI commands are now available.

execute create-spp-rrd spp_id 15 among others

check_stale_rrd_files

New User (admin) options

Additional menu items added to the User (admin) drop-down in the GUI:

  • System: Reboot / Shutdown

  • Configuration Backup / Restore

  • Change Password

GUI enhancements
  • Additional special characters are allowed for admin users: a-Z -9_.-*@.

  • Data Port Speed and Duplex settings are shown on Network > Interface page.

  • Global ACL names are included in graphs.

  • Enabled/Disabled status of Global and SPP ACLs is displayed in ACL lists.

  • Variable column widths and text wrapping is added to Dashboard > Status > Top Attacks panel, for improved readability of attack events.

  • Link speed addition to Network GUI.

  • Bypass status icon and inline/bypass text is added to the Dashboard > Status > System Information panel.

  • Filter conditions for several parameter lists (ACLs, Network Ports, etc.) are improved.

  • Network > Interface list can be filtered by Link Status and Config Status (for Port-Pairs and Ports).

  • Improved GUI for System >SNMP > v1/v2/v3.

  • A spinning "loading" icon is shown when the system is building list pages, such as Attack Logs.

  • For most column based lists, clicking the settings () icon in the list header allows the user to customize the columns shown.

  • Dashboard > SPP adds a column for SPP Status (Enable/Disabled).

6.2.1

FortiDDoS 6.2.1 offers the following new features:

New CLI commands
  • get system performance to check the CPU, memory, and disk usage.
    This command shows the system resources and matches the GUI Dashboard > Status > System Resources panel. The traditional Linux top command does not provide accurate information for DPDK processors, so you can use the get system performance command to enable the Dashboard and Event Logs to match.

  • diagnose debug rrd_files_check to diagnose SPP RRD numbers.
    Use execute spp-rrd-reset spp <rule_name> to reset databases that fail the rrd_files check.
    Use execute rrd-reset All to reset all databases.

Support to connect VM console

FortiDDoS VM now supports a console port with both VMware and KVM.

New SPP Operation Mode column in the Protected Subnets list

In the Service Protection > Protection Subnets list, columns have been added for Inbound and Outbound Operation Mode (Detection/Prevention).

SPP Navigation from inside FortiView > SPP detail page

You can now navigate between SPPs while in the Service Protection > Service Protection Policy page.

SPP added to Dashboard > Status > Attack Logs widget

The Dashboard Attack Logs panel now shows the SPP associated with the drop/attack log.

Match VM Model Release information with appliances

FortiDDoS model number (VM04/VM08/VM16) is shown in top header bar.

6.2.0

FortiDDoS 6.2.0 offers the following new features:

  • SYN/ACK Scalar Thresholds for asymmetric traffic. With asymmetric traffic, FortiDDoS normally needs to assume an inbound SYN/ACK represents the response from an unseen outbound SYN and creates a connection table entry. This leaves the system/user open to advanced SYN/ACK floods. In 6.2.0 the following Thresholds are visible only when the system is in Asymmetric Mode with Asymmetric Mode Allow Inbound Synack enabled:
    • SYN/ACK - aggregate rate of all SYN-ACKs into the SPP Protected Subnets
    • SYN/ACK per Destination - maximum rate of SYN-ACKs to any single destination in the SPP Protected Subnets
    Note:
    • SYN/ACK Thresholds are not automatically learned and System Recommendations are not created. Use the above graphs to calculate peak rates and create manual thresholds.
    • here is no Adaptive Threshold for these Scalars.
    • These thresholds function on INBOUND traffic only.
  • DTLS Profile is added to Service Protection Policies. Use DTLS to prevent DTLS direct and reflection attacks on all services.
  • Possible UDP Reflection Flood is added from B/E-Series with similar functionality. Any drops associated with UDP Port Thresholds FROM Ports 1-9999 are shown in the attack logs as Possible UDP Reflection Floods. This protects from and identifies any of the more than 30 currently known UDP reflection ports like 19, 111, 389, etc. as well as identifying future reflections on any port lower than 10,000. FortiDDoS F-Series does no support UDP Service ports in 6.2.0.
  • System Recommendation now has an option to use actual outbound traffic statistics for outbound thresholds or set all outbound thresholds to system maximum (default and recommended).
  • Treatment of Global ACLs changes with a dedicated "SPP" for all kinds of Global ACLs. New items added for:
    • Dashboard > Top Attacks > Global: Global ACL Attack table
    • Monitor > Drops Monitor >Global: Graphs of Global Aggregate and ACL Rule Drops
    Note: Global ACLs always drop identified packets and do not follow Detection/Prevention settings per SPP.
  • A Protection Subnets List GUI page is added to list all Protection Subnets for all SPPs and the Detection Mode/Prevention Mode status of the SPP hosting the protection Subnet. Protection Subnets cannot be edited from this page
  • Blocklisted IPv4 and Blocklisted Domains UI’s have been improved to include showing the number of addresses/Domains applied, last update date, add and delete individual addresses/Domains and search for an address/Domain in the lists.
  • Navigation is available between Service Protection Policies when in the SPP editing pages.
  • FortiGuard scheduled updates are changed to Daily or Weekly only. More frequent updates were not providing additional information.
  • Reboot and Shutdown commands are added to the top-right user logout menu.
  • The Domain Reputation attack log event has been separated from the Domain Blocklist event.
  • FortiView Threatmap improves time-period selection for display
  • Additional tool-tip date and time information is available on longer-period graphs (week/month/year).
  • Added CLI command to restart nginx (GUI)
  • Added CLI command get bypass-status to show inline/bypass status of associated ports.
  • Added CLI command diagnose dataplane geo-ip <IPv4 address(no mask)>. This allows user to check within which geolocation a specific IPv4 address is located.
  • Labeling, graph units, borders, field sizes, event log, attack log and tool tip information and other improvements added throughout the GUI.

6.1.0

FortiDDoS-F 6.1.0 is built on the feature base of FortiDDoS-F B/E-Series with these notable additions:

  • VM support in VMware hypervisor environments
  • NTP from E-Series on all models
  • Additional SSL DDoS Mitigation settings
  • 16x SPPs in1500F
  • The System Recommendation changes from 5.4.0 (Separate L4 Scalars/ICMP / TCP Ports / UDP Port) are included
  • DNS Rcode Scalars are included in Traffic Statistics and System Recommendation
  • Split System Recommendation for Layer 4 Scalars/ICMP, TCP Ports and UDP Ports included from B/E 5.4.0
  • Common UDP Source Reflection Ports are pre-populated in Global Service definitions for use with Global or SPP ACLs
  • Service port definitions support Source Port or Destination Port. Source Port ACLs are very useful for permanently blocking kown UDP reflection ports.
  • IP Address / Subnets definitions are created in the System menu and then assigned to Global or SPP ACLs, reducing multiple entries.
  • Bogons IPs and/or Multicast IPs can be ACLed with option selection in any SPP.
  • SPPs replace feature tabs with multiple Profiles for IP, ICMP, TCP, HTTP, SSL/TLS, NTP and DNS. One Profiles can be used by muliple SPPs or one SPP can use Multiple Profiles (TCP Detection and TCP Prevention, for example).
  • Source MAC address for aggressive aging is configurable per SPP, if needed
  • Strict Anomalies options are now included in several SPP Profile pages for Layer 2 to Layer 7 options.
  • Cloud Signaling Thresholds are entered in both pps and Mbps (crossing either triggers Signaling. Thresholds are now per SPP Policy (subnet).
  • Protection Subnets (subnets) are entered for each Service Protection Policy (SPP) instead of globally.
  • Explicit TCP thresholds are added for DNS Query, Question Count, Fragment, MX and ALL. B/E-Series has TCP Thresholds but they are hidden and the same as the UDP Thresholds.
  • IP Reputation and Domain Reputation are included in IP and DNS Profiles and thus are optional per SPP.
  • SSL/TLS Profile includes additional Cipher Anomaly option
  • tcpdump-style packet capture
  • Several formerly-global features such as IP Reputation are now set per SPP for better control
  • Additional Known Method Anomalies available
Removed/Changed/Deferred Features

B/E-Series Functionality not included in this release:

  • Support for FortiDDoS-CM Central Manager
  • Security Fabric Integration with FortiOS Dashboard
  • GTP-U support
  • Distress ACL nor Auto-Distress ACL
  • Multi-tenant support (SPP or SPP Policy Group)
  • Fewer files included in Offline analysis file
  • SPP Backup/Restore
  • Attack Reports are Global only and are on-demand or on-schedule only. Report periods are Last 7 Days, Last Month or Last year only. (Removed per-SPP, per-SPP Policy, per-SPP Policy Group reports, on-Threshold reports and some time periods)
  • REST API changes and requires documentation
  • Log & Report > DDoS Attack Graphs
  • SPP Policy Groups
  • Log & Report > Diagnostics
  • SPP-to-SPP Switching Policies
  • Restrict DNS Queries to specific subnets
  • System Recommendation Option for Actual or System Max Outbound Threshold (5.4.0)
  • Traffic Statistics Option for Peak or 95th Percentile Traffic (5.4.0)
  • Syslog RFC 5424 or Fortinet proprietary secure "OFTP" protocol (5.4.0)
  • CLI Commands for IP Reptution nor Domain Reputation updates (5.4.0)
  • Search for IP addresses within various ACLs (5.3.0)
VM limits
  • VMs do not support Fail-Open option. Fail-Open support will be determined by the underlying server
  • TCP Port Thresholds are calculated to 65,535 but Thresholds/Ranges are created for ports 1-1023 with one range for ports above 1023.
  • TCP Port Graphs display traffic and drops for Ports 1-1023. Port 1024 displays peak traffic rate for any port from 1024-65,535 and total drops associated with any of those ports. Attack logs show full port range 1-65,535.
  • UDP Port Thresholds are calculated to 65,535 but Thresholds/Ranges are created for 1-10,239 only with one range above that.
  • UDP Port Graphs display traffic and drops for Ports 1-10,239. Port 10,240 displays peak traffic rate for any port from 10,240-65,535 and total drops associates with any of those ports. Attack logs show full port range 1-65,535 as well as reflected attack drops from ports 1-9,999.
  • ICMP Type/Code Thresholds are calculated from 0-65,535 but Threshold/Ranges are created for 0-10,239 only. Indexes from 10,240 to 65,535 are included in one range.
  • ICMP Type/Code graphs show indexes from 0/0 to 39/255 with all others showing in 40/0. Attack logs will show drops for Types/Codes for all Types/Codes from 0/0 to 255/255.