Service port settings

In FortiDDoS, Service Ports are defined in two different ways:

  • All ports from 1-9999 are treated as well-known service ports. Inbound traffic from ephemeral ports (>9999) TO these ports is reported/graphed for that service port, and outbound traffic is reported/graphed FROM that port. In other words, the ephemeral ports are ignored, since the goal is to protect services. This lets you see the inbound and outbound traffic associated with a service port and makes it easy to see whether traffic in one direction has a response in the other direction.
    The system also uses this information to detect UDP Port Floods and Possible UDP Reflection Floods:

    • Inbound UDP floods to a Service Port are seen as UDP Port Floods.

    • Inbound UDP floods where the SOURCE port is a Service Port are seen and logged as Possible UDP Reflection Floods (a reflector answers from its own service port, so in reflected traffic the service port appears on the source side).

    There are two primary purposes for configuring a UDP Service Port:

    1. Monitoring a service, or reflection, on "high" ports (>9999), which would otherwise be treated as ephemeral and not attributed to any service port.

      • Examples include the common FortiGate SSL-VPN port 10443, or recognized reflection ports such as 11211 (Memcached) or 32414 (Plex).

    2. Accurately monitoring "low" ports (less than 10,000), so that traffic is attributed to the configured port even when the other side of the flow is also below 10,000.

      • To enhance graphing and logging, refer to the list of UDP Service Ports provided below.

  • Specific Service Ports are defined for deeper inspection of HTTP, SSL/TLS, DTLS and QUIC, as well as DNS, NTP and Zoom (fixed ports with no entry fields). If non-standard ports are in use for HTTP, SSL/TLS, DTLS or QUIC, enter them in the corresponding field.
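The attribution rules above, worked as an added Python example (ours, not FortiDDoS code): it parses a UDP Service Port list, decides which side of a UDP flow is the service port, and shows why 11211 and 10443 have to be added before a Memcached reflection or an SSL-VPN flood on those ports gets a label at all. The class and function names are ours, and the tie-break used when both ports qualify as service ports is an assumption the page does not state.

```python
"""Added example (not FortiDDoS code) of the attribution model on this page:
ports 1-9999 are service ports, ports above 9999 are ephemeral unless added as
UDP Service Ports, and an inbound UDP flood is a "UDP Port Flood" when the
service port is the destination or a "Possible UDP Reflection Flood" when the
service port is the source. Names are ours; rules marked ASSUMPTION are not
stated on the page."""

from dataclasses import dataclass
from typing import Optional

EPHEMERAL_FLOOR = 10000  # page: ports >9999 are ephemeral


@dataclass(frozen=True)
class UdpPacket:
    src_port: int
    dst_port: int
    inbound: bool  # True when the packet travels toward the protected service


def parse_port_list(text: str) -> set[int]:
    """Expand a space-separated list such as '53 1701-1707 11211' into a set."""
    ports: set[int] = set()
    for token in text.split():
        lo, _, hi = token.partition("-")
        first, last = int(lo), int(hi or lo)
        if not 1 <= first <= last <= 65535:
            raise ValueError(f"invalid port token {token!r}")
        ports.update(range(first, last + 1))
    return ports


def pick_service_side(pkt: UdpPacket, configured: set[int]) -> Optional[str]:
    """Return 'src' or 'dst' for the side that is the service port, or None.

    A configured UDP Service Port always wins (page: traffic is associated with
    those ports even if the other side is also below 10,000). Otherwise the
    single side below 10,000 is the service port. ASSUMPTION: when both sides
    qualify equally, take the server-side port, i.e. the destination for
    inbound and the source for outbound traffic."""
    cfg = {"src": pkt.src_port in configured, "dst": pkt.dst_port in configured}
    low = {"src": pkt.src_port < EPHEMERAL_FLOOR, "dst": pkt.dst_port < EPHEMERAL_FLOOR}
    for table in (cfg, low):
        if table["src"] != table["dst"]:
            return "src" if table["src"] else "dst"
        if table["src"] and table["dst"]:
            return "dst" if pkt.inbound else "src"  # ASSUMPTION (see docstring)
    return None


def service_port(pkt: UdpPacket, configured: set[int]) -> Optional[int]:
    """The port the packet's bytes/packets are graphed against, or None."""
    side = pick_service_side(pkt, configured)
    if side is None:
        return None
    return pkt.src_port if side == "src" else pkt.dst_port


def classify_inbound_flood(pkt: UdpPacket, configured: set[int]) -> Optional[str]:
    """Label an inbound UDP flood the way the page describes; None means the
    traffic is not attributed to any service port (both ports ephemeral)."""
    if not pkt.inbound:
        return None
    side = pick_service_side(pkt, configured)
    if side == "dst":
        return "UDP Port Flood"
    if side == "src":
        return "Possible UDP Reflection Flood"
    return None


def demo() -> dict[str, Optional[str]]:
    """Constructed packets: a Memcached reflector answering from 11211 to a
    random victim port, and a flood at FortiGate SSL-VPN on UDP 10443, each
    classified before and after the ports are added as UDP Service Ports."""
    memcached = UdpPacket(src_port=11211, dst_port=40123, inbound=True)
    sslvpn = UdpPacket(src_port=51000, dst_port=10443, inbound=True)
    none, added = set(), parse_port_list("10443 11211")
    return {
        "memcached, no config": classify_inbound_flood(memcached, none),
        "memcached, 11211 added": classify_inbound_flood(memcached, added),
        "sslvpn, no config": classify_inbound_flood(sslvpn, none),
        "sslvpn, 10443 added": classify_inbound_flood(sslvpn, added),
    }


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{label}: {verdict}")
```

Without the two high ports configured, both floods have an ephemeral port on each side and fall outside every service-port graph; adding 11211 turns the Memcached traffic into a Possible UDP Reflection Flood attributed to 11211, and adding 10443 turns the SSL-VPN traffic into a UDP Port Flood attributed to 10443.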

Service Port Configuration

By default, the FortiDDoS system listens for services on the following ports:

  Fixed, unmodifiable, and therefore not displayed as a configurable option on the GUI:

    DNS — UDP service port 53
    NTP — UDP service port 123
    Zoom — UDP service ports 8801-8810

  Default settings can be modified via the GUI:

    HTTP — TCP service port 80
    SSL/TLS — TCP service port 443
    DTLS — UDP service port 443
    QUIC — UDP service port 443

If the servers in your network use non-standard ports for HTTP, SSL/TLS, DTLS or QUIC traffic, you can configure the system to listen for these protocols on those non-standard service ports. You can configure up to 128 HTTP, SSL/TLS, DTLS or QUIC service ports. Service Ports can also be entered as ranges, for example 8080-8081, but every port in the range (2, in the example) counts toward the 128-port total.

Note: If HTTP, SSL/TLS, DTLS or QUIC Service Ports are added before System Recommended Thresholds are created, the Thresholds for the extra Service Ports are set to the system maximum (effectively no Threshold), since the other L4-L7 inspections will protect against attack. TCP and UDP Port ranges will be adjusted so that each service port has its own range entry.

If an HTTP, SSL/TLS, DTLS or QUIC service port configuration is subsequently removed, the Threshold remains at the high rate until you change it manually or perform the System Recommended Threshold procedure.

If HTTP, SSL/TLS or DTLS service ports are added after System Recommendations has been run, the existing Port Thresholds are retained. This should not be a problem, but it can create false-positive drops if those Thresholds are too low. Adjust Thresholds as needed.

UDP Service Ports retain the System Recommended Thresholds. Port ranges will be adjusted so that each service port has its own range entry.

DNS and NTP Ports are always set to system maximums, but it is advisable to manually enter a threshold (2-3x the peak inbound rate seen on the graph) as a "safety" threshold in the rare case that DNS and NTP mitigations are disabled or do not fully mitigate.


Fortinet recommends that the following UDP Service Ports are added to each SPP to improve graphing and logging:

7 13 17 19 53 69 111 123 137 161 177 194 389 427 500 520 623 853 1194 1434 1701-1707 1900 2598 3283 3389 3478 3479 3480 3481 3702 4500 4501 4672 5004 5005 5060 5093 5349 5351 5353 5693 5938 6500 6881-6889 7000 7351 7752 7777-7788 8001 8080 8200 8801-8810 9000 9600 9987 10001 10443 11211 19302-19308 30718 32414 33001 33848 37810 37833 47808-47823

This list includes:

  • Known UDP application ports so that traffic is always associated with those ports, even if the ephemeral port is also less than 10,000.

  • Known UDP reflection ports above 10,000

  • Some ports that can be used for applications and reflections

Copy this list and paste it into the UDP Service Port field. Make sure the leading and trailing spaces of the string are removed (not the spaces between ports or ranges).

Before you begin:

  • You must have Read-Write permission for Global Settings.
To configure Service Port settings:
  1. Go to Service Protection > Service Protection Policy > {SPP List} > Service Protection Policy: Service Port Settings
  2. Enter the list of ports or port ranges, each separated by a space.
  3. Click Save.


To configure using the CLI:

config ddos spp rule
  edit <spp_name>
    set http-service-port <value> <value> …
    set ssl-service-port <value> <value> …
    set dtls-service-port <value> <value> …
    set udp-service-port <value> <value> …
  next
end

Note:

Setting service ports via the CLI overwrites the current settings, so be sure to include the existing ports. For example, DTLS has UDP port 443 pre-configured; to add 8443 while retaining the original port, enter: set dtls-service-port 443 8443
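The 128-port limit, the range counting and the CLI overwrite behaviour described above, as an added Python helper (ours, not Fortinet's): it merges the ports already configured on a field with the ones to add, counts expanded ranges against the limit for the HTTP, SSL/TLS and DTLS fields, and renders the config ddos spp rule block. The function names and the table of pre-configured defaults are ours (the defaults themselves are the ones listed on this page); the recommended UDP list is copied from this page. No limit is stated on the page for udp-service-port, so the helper applies none there.

```python
"""Added example (not Fortinet code) for building 'config ddos spp rule'
service-port commands. It encodes two rules from this page that are easy to
get wrong: a CLI 'set <x>-service-port' replaces the whole list, so
pre-configured ports (e.g. DTLS 443) must be repeated, and every port inside a
range counts toward the 128-port total for HTTP, SSL/TLS and DTLS. No limit is
stated on the page for udp-service-port, so none is applied. Names are ours."""

# Fortinet's recommended UDP Service Port list, copied from this page.
RECOMMENDED_UDP_PORTS = (
    "7 13 17 19 53 69 111 123 137 161 177 194 389 427 500 520 623 853 1194 1434 "
    "1701-1707 1900 2598 3283 3389 3478 3479 3480 3481 3702 4500 4501 4672 5004 "
    "5005 5060 5093 5349 5351 5353 5693 5938 6500 6881-6889 7000 7351 7752 "
    "7777-7788 8001 8080 8200 8801-8810 9000 9600 9987 10001 10443 11211 "
    "19302-19308 30718 32414 33001 33848 37810 37833 47808-47823"
)
# Pre-configured defaults per CLI field, as listed on this page (table is ours).
DEFAULT_PORTS = {
    "http-service-port": "80",
    "ssl-service-port": "443",
    "dtls-service-port": "443",
    "udp-service-port": "",
}
LIMITED_FIELDS = {"http-service-port", "ssl-service-port", "dtls-service-port"}
MAX_PORTS = 128


def expand_ports(text: str) -> set[int]:
    """'443 8080-8081' -> {443, 8080, 8081}; leading/trailing blanks tolerated."""
    ports: set[int] = set()
    for token in text.strip().split():
        lo, _, hi = token.partition("-")
        first, last = int(lo), int(hi or lo)
        if not 1 <= first <= last <= 65535:
            raise ValueError(f"invalid port token {token!r}")
        ports.update(range(first, last + 1))
    return ports


def compress_ports(ports: set[int]) -> str:
    """{80, 8080, 8081} -> '80 8080-8081' (consecutive ports become a range)."""
    seq, out, i = sorted(ports), [], 0
    while i < len(seq):
        j = i
        while j + 1 < len(seq) and seq[j + 1] == seq[j] + 1:
            j += 1
        out.append(str(seq[i]) if i == j else f"{seq[i]}-{seq[j]}")
        i = j + 1
    return " ".join(out)


def merged_port_list(field: str, existing: str, additions: str) -> str:
    """Merge the ports already set on the field with the new ones, so that the
    replacing 'set' command does not silently drop the existing ports, and
    reject the result if it exceeds the 128-port limit on a limited field."""
    if field not in DEFAULT_PORTS:
        raise ValueError(f"unknown field {field!r}")
    merged = expand_ports(existing) | expand_ports(additions)
    if field in LIMITED_FIELDS and len(merged) > MAX_PORTS:
        raise ValueError(f"{field}: {len(merged)} ports exceed the {MAX_PORTS}-port limit")
    return compress_ports(merged)


def spp_rule_commands(spp_name: str, changes: dict[str, str],
                      current: dict[str, str] = DEFAULT_PORTS) -> str:
    """Render the CLI block shown on this page. 'changes' maps field -> ports
    to add; 'current' holds what is configured now (defaults to the page's
    defaults), so the emitted 'set' lines always repeat the existing ports."""
    lines = ["config ddos spp rule", f"edit {spp_name}"]
    for field, additions in changes.items():
        ports = merged_port_list(field, current.get(field, ""), additions)
        lines.append(f"set {field} {ports}")
    lines += ["next", "end"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Adds DTLS 8443 (keeping 443) and the recommended UDP list to SPP1.
    print(spp_rule_commands("SPP1", {"dtls-service-port": "8443",
                                     "udp-service-port": RECOMMENDED_UDP_PORTS}))
```

Pass the SPP's current values as current when they differ from the defaults (for example after earlier additions), otherwise the rendered set line would reintroduce the same overwrite problem the note warns about.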
