IP Profile
Use the IP Profile to configure various IP parameters and ACLs. Always assign an IP profile to every SPP.
Use a single IP Profile for all SPPs unless you need specialized ACLs for Fragments, IP Reputation or Domain Reputation.
All IP Profile parameters can be used with symmetric or asymmetric traffic.
You can create a maximum of 64 IP Profiles.
IP Reputation
The FortiGuard IP Reputation service is a licensed subscription that maintains a database of malicious IP addresses that pose a threat to your network and clients. After you purchase IP Reputation, you register the service contract to the FortiDDoS appliance serial number. Then, you can schedule updates to the IP Reputation list.
IP Reputation is not required for DDoS mitigation. It is not a Threat Signature subscription, and no Threat Signature subscription is required with FortiDDoS. IP Reputation is a subset of FortiGuard's full web/domain/IP filtering service, containing IPs with known affiliations to DDoS attacks and C&C servers, anonymous proxies, phishing sites, Tor exit nodes and/or spam originators. Any of the subsets can be enabled.
If you are already using Firewall/Proxy/Web/Domain/IP filtering products or services, the FortiGuard IP Reputation service subscription is not required.
IP Reputation is enabled/disabled within this IP Profile. If this IP Profile is assigned to an SPP, then all traffic in that SPP will be checked for IP Reputation. If, for some reason, you want an SPP to ignore IP Reputation anomalies, create a different IP Profile with IP Reputation disabled.
IP Reputation follows the Detection Mode (report but do not drop) / Prevention Mode (report and drop) of the assigned SPP.
First set up FortiGuard access in System > FortiGuard. To use over-the-network updates, the management port must be able to reach the Internet and DNS. If the system is behind a web proxy, set up Tunneling (proxy).
After you have set up FortiGuard and enabled the feature, the FortiDDoS system downloads the most recent definitions file and then maintains updates for it according to the schedule you configure.
The Dashboard > Status: License Information portlet and System > FortiGuard: License Information both display the status of the most recent update (IP Reputation Service Definition). If the download is successful and new definitions are available, the lists are replaced; otherwise, the previous list remains in use. The License Information portlet also displays the status of your IP Reputation license (IP Reputation Service Contract Date). If your license expires, the IP Reputation database is removed from the appliance. This is to prevent stale entries from affecting your traffic. You can configure how the FortiDDoS system receives scheduled updates.
Note: Because the same IP address appears in both inbound and outbound traffic, IP Reputation drops any packet it sees containing a listed address, even in asymmetric environments where FortiDDoS does not see one direction of the traffic.
Field/Selection | Description | Recommendations (For Web Servers, Firewalls, DNS Servers)
---|---|---
Name | 1-35 characters (a-Z, 0-9, "-", "_" only) |
IP Strict Anomalies (Default enabled) | Drops packets where: | Recommended enabled for all SPPs. If traffic appears to be affected, disable to troubleshoot. This parameter has been default-enabled on FortiDDoS for many years and has never been seen to cause failure of legitimate traffic.
UDP Empty Checksum Check (Default enabled) | Drops packets where UDP Checksum = 0. (RFC states that when the checksum calculates to 0, insert 7fff.) Some IPsec NAT Traversal applications using UDP port 4500 send empty UDP packets with checksum = 0. | Disable for firewall SPPs, or in SPPs where the UDP Checksum inbound logs show UDP port 4500 as the Protected Port.
IP Land Attack (Src=Dst) Anomaly (Default enabled) | Drops packets where the Source IP is the same as the Destination IP. | Recommended, but in some network designs inter-router HA pair detection loop-back messages are seen by FortiDDoS. When enabled, this option drops those messages, affecting the router HA. If these drops are seen in outbound logs, disable it.
IP Private Check (Default enabled) | Drops packets where the Source IP is from the Internet Private address space such as 10.0.0.0/8. Note: Some users pass VLAN traffic through FortiDDoS with private subnet IPs. Normally this traffic appears in the default SPP, since private subnets are not normally configured in SPPs. If you have enabled IP Private Check in an IP Profile associated with the default SPP, you may see a very large number of Private IP ACL drops. |
IP Multicast Check (Default enabled) | Drops packets where the Source IP is from the Internet Multicast address space 224.0.0.0/24. |
IP Fragment Check | |
Other Protocol Fragment | Drops fragmented packets from protocols other than TCP or UDP. | Expert use. Normally not recommended. Use Fragment Thresholds. Use only for specific applications, e.g. drop UDP fragments ONLY for servers that NEVER see UDP traffic.
TCP Fragment | Drops fragmented TCP packets. |
UDP Fragment | Drops fragmented UDP packets. |
IP Reputation Categories | |
DDoS | Downloads IP Reputation files to ACL only known DDoS and C&C IPs. | Requires FortiGuard IP Reputation Subscription. Use as desired. Note: If for any reason FortiDDoS cannot access FortiGuard (network issues or end of subscription, for example), the IP Reputation database is not removed but becomes "static" with no updates. As the database content is dynamic, the lack of updates can cause false-positive drops, which become more pronounced as the database ages. Fortinet strongly recommends disabling the IP Reputation options in all IP Profiles should this scenario occur.
Anonymous Proxies | Downloads IP Reputation files to ACL only known Anonymous Proxies. NOTE: Use with care. Many people, possibly including your employees, use always-on VPN services. Those users will be blocked from your services, including VPN and web servers, if this feature is enabled for those SPPs. |
Phishing | Downloads IP Reputation files to ACL only known phishing sites. |
Tor | Downloads IP Reputation files to ACL only known Tor exit nodes. |
Spam | Downloads IP Reputation files to ACL only known spam originators. |
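As an added example (not FortiDDoS or Fortinet code), the following Python applies the ACL checks from the table above to constructed packet summaries and reports which check each packet would trip, the Detection/Prevention action, and the caveat the table attaches to it. The names Packet, Profile and evaluate are hypothetical, and the RFC 1918 ranges beyond 10.0.0.0/8 and the 224.0.0.0/4 multicast block are assumed from the standard address allocations rather than taken from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1918 private space (the page cites 10.0.0.0/8) and the full IPv4 multicast block 224.0.0.0/4 (assumed).
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MULTICAST = ipaddress.ip_network("224.0.0.0/4")

@dataclass
class Packet:  # constructed per-packet summary, not a real capture
    src: str
    dst: str
    proto: str                      # "tcp", "udp", or anything else ("icmp", "gre", ...)
    dport: int = 0
    fragment: bool = False
    udp_checksum: Optional[int] = None

@dataclass
class Profile:  # hypothetical mirror of the IP Profile toggles; defaults follow the table
    detection_only: bool = False    # SPP Detection Mode: report but do not drop
    land_attack: bool = True
    private_check: bool = True
    multicast_check: bool = True
    udp_empty_checksum: bool = True
    tcp_fragment: bool = False
    udp_fragment: bool = False
    other_fragment: bool = False

def evaluate(pkt: Packet, prof: Profile) -> List[Tuple[str, str, str]]:
    """Return (check, action, note) for every check the packet trips; [] means it passes."""
    action = "report" if prof.detection_only else "drop"
    hits = []
    src = ipaddress.ip_address(pkt.src)
    if prof.land_attack and pkt.src == pkt.dst:
        hits.append(("IP Land Attack", action, "if seen in outbound logs, may be router HA loop-back"))
    if prof.private_check and any(src in n for n in PRIVATE):
        hits.append(("IP Private Check", action, "expect many hits in the default SPP if VLAN traffic transits"))
    if prof.multicast_check and src in MULTICAST:
        hits.append(("IP Multicast Check", action, ""))
    if prof.udp_empty_checksum and pkt.proto == "udp" and pkt.udp_checksum == 0:
        note = "dport 4500: likely IPsec NAT-T; disable this check for the SPP" if pkt.dport == 4500 else ""
        hits.append(("UDP Empty Checksum Check", action, note))
    if pkt.fragment:  # per-protocol fragment ACLs are off by default; thresholds are preferred
        if pkt.proto == "tcp" and prof.tcp_fragment:
            hits.append(("TCP Fragment", action, ""))
        elif pkt.proto == "udp" and prof.udp_fragment:
            hits.append(("UDP Fragment", action, ""))
        elif pkt.proto not in ("tcp", "udp") and prof.other_fragment:
            hits.append(("Other Protocol Fragment", action, "expert use; prefer Fragment Thresholds"))
    return hits
```

Feeding the tuples from UDP Checksum or Land Attack drop logs through evaluate is a quick way to confirm whether a drop falls under one of the documented exceptions before disabling a check for an SPP.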