Service port settings
In FortiDDoS, Service Ports are defined in two different ways:
-
All ports from 1-9999 are treated as well-known service ports. Inbound traffic from ephemeral ports (>9999) TO these ports is reported/graphed for that service port and outbound traffic is reported/graphed FROM that port. In other words the ephemeral ports are ignored, since we are trying to protect services. This allows you to see inbound and outbound traffic associated with the service port and makes it easy to see if traffic in one direction has a response from the other direction.
The system also uses this information to determine UDP Port Floods and Possible UDP Reflection Floods.-
Inbound UDP Floods to Service Ports as seen as UDP Port Floods.
-
Inbound UDP Floods where the SOURCE Port is a Service port are seen and logged a Possible UDP Reflection Floods.
There are two primary purposes for configuring a UDP Service Port:
-
For monitoring Service or Reflection on "high" ports (>9999).
-
Examples include common FortiGate SSL/VPN port 10443 or recognized Reflection ports such as 11211 (Memcached) or 32414 (Plex).
-
-
For accurately monitoring "low" ports (less than 10,000).
-
To enhance graphing and logging, refer to the list of UDP Service Ports provided below.
-
-
-
-
Specific Service Ports are defined to more deeply inspect HTTP, SSL/TLS, DTLS, and QUIC as well as DNS, NTP, and Zoom (fixed ports with no entry fields). If non-standard ports are in use, enter them in the correct field.
Service Port Configuration
By default, the FortiDDoS system listens for services on the following ports:
|
Configurability |
Port |
|---|---|
|
Fixed, unmodifiable, and therefore not displayed as a configurable option on the GUI |
DNS — UDP service port 53 |
|
NTP — UDP service port 123 |
|
|
Zoom – UDP 8801-8810 |
|
|
Default settings can be modified via the GUI
|
HTTP Service Ports — 80 |
|
SSL/TLS Service Ports — TCP port 443 |
|
|
DTLS Service Ports — UDP port 443 |
|
|
UDP Service Ports — DNS Port 53 and NTP Port 123 are default and not displayed. However, please add the full range of known service and reflection ports shown below. |
|
|
QUIC Service Ports — UDP port 443 |
|
|
Zoom Service Ports — UDP ports 8801-8810 are default, cannot be modified and additional ports cannot be added. |
If the servers in your network use non-standard ports for HTTP, SSL/TLS, DTLS or QUIC traffic, you can configure the system to listen for these protocols on those nonstandard service ports. You can configure up to 256 HTTP, SSL/TLS, DTLS or QUIC service ports. You can also configure Service Ports in ranges, like 8080-8081, for example but all ports in the range (2, in the example) count towards the 256-port total.
Note: If HTTP, SSL/TLS, DTLS or QUIC Service Ports are added before System Recommended Thresholds are created, the extra Service Ports Thresholds are set to system maximum (no Thresholds), since other L4-L7 inspections will protect from attack. TCP and UDP Port ranges will be adjusted so that the service port has its own range entry.
If a HTTP, SSL/TLS, DTLS or QUIC service port configuration is subsequently removed, the threshold remains at the high rate until you change it manually or perform the System Recommended Threshold procedure.
If HTTP, SSL/TLS or DTLS service ports are added after System Recommendations has been run, Port Thresholds are retained. This should not be a problem but can create false-positive drops if the Thresholds are too low. Adjust Thresholds as needed.
UDP Service Ports
Enter up to 256 UDP Service Ports (see below). As above, UDP Service Port ranges count each port in a range towards the 256-port total.
UDP Service Ports will retain the System Recommended Thresholds. If Service ports are added before Traffic Statistics and System Recommended Thresholds are run, Port ranges will be adjusted so that each service port has its own range entry. Again, please copy the UDP Service Port list and paste it into this field.
DNS 53 and NTP 123 Service Ports are always set to system maximums. You may adjust these if desired, but if DNS and NTP Profiles and System Recommended Thresholds are set correctly for the SPP, no Layer 4 Port Threshold is required.
Zoom Service Ports are default and cannot be changed. Additional ports are not supported.
|
Fortinet recommends that the following UDP Service Ports are added to each SPP to improve graphing and logging: 7 13 17 19 53 69 111 123 137 161 177 194 389 427 500 520 623 853 1194 1434 1701-1707 1900 2598 3283 3389 3478 3479 3480 3481 3702 4500 4501 4672 5004 5005 5060 5093 5349 5351 5353 5693 5938 6500 6881-6889 7000 7351 7752 7777-7788 8001 8080 8200 8801-8810 9000 9600 9987 10001 10443 11211 19302-19308 30718 32414 33001 33848 37810 37833 47808-47823 This list includes:
Cut this list and paste it into the UDP Service Port field. Make sure leading and trailing spaces of the string are removed (not the spaces between ports or ranges). |
|
FortiDDoS VMs track traffic on all 65k UDP ports but display peak traffic rates for any port 10240-65535 on port 10240 to save graphing CPU cycles. Adding the UDP ports will improve log information, but no extra port ranges, Thresholds, or graphs will be created above 10240. |
Before you begin:
- You must have Read-Write permission for Global Settings.
To configure Service Port settings:
- Go to Service Protection > Service Protection Policy > {SPP List} > Service Protection Policy: Service Port Settings
- Enter the list of ports or port ranges, each separated by a space.
- Click Save.
|
To configure using the CLI: config ddos spp rule edit <spp_name> set http-service-port <value> <value> … set ssl-service-port <value> <value> … set dtls-service-port <value> <value> … set udp-service-port <value> <value> … set guic-service-port <value> <value> … next end Note: Setting service ports via CLI overwrites the current settings. Be sure to include existing, default ports. For example, SSL/TLS Service Ports has TCP Port 443 pre-configured. To add 8443, |