FortiDeceptor decoys

FortiDeceptor creates a network of decoys to lure attackers and monitor their activities on the network. When attackers attack a decoy, first, an alert is generated; second, their malicious activities are captured and analyzed in real-time to generate a mitigation and remediation response that protects the network.

The current FortiDeceptor decoys are:

Windows	Windows 7 Windows 10 (can be deployed as a gold image) Windows 2016 (deployed as a gold image) Windows 2019 (deployed as a gold image)
Linux	Ubuntu Desktop
IoT/OT	SCADA version 3 Medical OS POS OS ERP OS 8 OT protocols IoT OS
VPN	Fortinet SSL-VPN (FG-60E, FG-100F, FG-1500D, FG-2000E, FG-3700D)

The current FortiDeceptor monitor services are:

Windows	RDP SMB TCPListener NBNSSpoofSpotter
Linux	SSH SAMBA TCPListener HTTP HTTPS GIT
IoT/OT	HTTP FTP TFTP SNMP MODBUS S7COMM BACNET IPMI TRICONEX ENIP Kamstrup DNP3 Telnet PACS-WEB PACS DICOM server Infusion Pump (TELNET) Infusion Pump (FTP) POS-WEB ERP-WEP GUARDIAN-AST IEC104 Jetdirect Printer-WEB IP Camera-WEB UPnP RTSP CDP
SSL VPN	HTTPS

The current FortiDeceptor IP address capacity are:

A single FortiDeceptor appliance (HW/VM) can host up to 16 deception VMs.
A single deception VM supports up to 16 IP addresses or decoys, Each IP represent a decoy.
A single FortiDeceptor appliance (HW/VM) can support up to 256 IP addresses.
With 4 decoys per segment on average, a single FortiDeceptor appliance (HW/VM) can support up to 64 segments (VLANS).
FortiDeceptor decoys services details

IoT OS

HP printer decoy	SNMP service	Enable this towill open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within network Community name is user-defined SNMP response is customized for HP printer decoy
	Jetdirect	Enable this service will open port 9100 on decoy VM, and respond to PJL (Printer Job Language) request.
	Printer-WEB	A web GUI that simulate administration GUI of HP Officejet Pro X451dw printer.
IP camera decoy	IP Camera-WEB	A login-required service that displays videos to simulate IP cameras, although there are default videos, users should upload 1-8 .mp4 videos to best fit the working environment.
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network Community name is user-defined SNMP response is customized for IP camera decoy
	UPnP service	Enable this service to open port 8080 on decoy VM and simulate UPnP service: a UPnP msg will broadcast within the network. Within the msg there is a url for the attacker to download a .xml file showing device information.
	RTSP service	When this this service is enabled, you will also need to upload a video to a predefined location so the attacker can watch the video. The RTSP port can be adjusted To upload, you can use ffmpeg, or any other methods to infinitely loop a video, so it is available to the attacker For example, to infinitely loop a video:`sudo ffmpeg -re -stream_loop -1 -i {path_to_local_video} -c copy -f rtsp rtsp://{ip}:{port}/{name_you_choose};` For attacker, the live camera stream is available at `rtsp://{ip}:{port}/{name_you_choose}`
Cisco router decoy	Models	4 cisco images (model) are supported - 2691, 3660, 3725 and 3745, also if users upload a cisco image that cannot be used, an error msg will appear.
	Router Running-Config (optional)	User can upload a customized cisco config file to predefine the Cisco router setting
	Telnet service	A login-required service that enables attackers to utilize all Cisco router’s functions.
	HTTP service	A login-required GUI service that like the telnet service but provide less functionalities.
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Cisco router decoy
	CDP service	Enable CDP so the decoy VM will send CDP traffic within the network.

Medical

Infusion Pump (Telnet) service	Simulate Infusion Pump (telnet) A username/password is required to login.
Infusion Pump (FTP)	Simulates Infusion Pump (FTP) A username/password is required to login.
PACS service	A user-defined name for the PACS system.
PACS-WEB service	Login-required web GUI for PACS, with existing medical data Port can be adjusted
DICOM Server service	Server port can be adjusted Server name can be adjusted DICOM operations (e.g. C-STORE, C-FIND) are supported

POS

POS-WEB service

Login-required web GUI simulate POS website
Port can be adjusted

CRM(ERP)

ERP-WEB service

Login-required web GUI simulates ERP website
Port can be adjusted

SCADA (version3) OS

Schneider SCADAPack 333E decoy	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network Community name is user-defined SNMP response is customized for Schneider SCADAPack 333E decoy
	DNP3 service	Toggle to enable/disable this service, enable this service capture attack through DNP3
	Telnet service	Login-required telnet service simulates SCADAPack E Smart RTU command line environment
Schneider Power Meter - PM5560 decoy	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) requests from within the network Community name is user-defined SNMP response is customized for Schneider Power Meter - PM5560 decoy
	BACNET service	Toggle to enable/disable this service. Enable this service to capture attacks through BACNET on default BACNET port
	HTTP service	Toggle to enable/disable this service. Enable this service to capture attacks through HTTP on default HTTP port
	DNP3 service	toggle to enable/disable this service, enable this service capture attack through DNP3 on default DNP3 port
	ENIP service	Toggle to enable/disable this service. Enable this service to capture attacks through ENIP on default ENIP port
Schneider EcoStruxure BMS server decoy	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for Schneider EcoStruxure BMS server decoy Community name is user-defined
	BACNET service	Toggle to enable/disable this service. Enable this service tp capture attacks through BACNET on default BACNET port
	HTTP service	Toggle to enable/disable this service. Enable this service to capture attacks through HTTP on default HTTP port
	TRICONEX service	Toggle to enable/disable this service, enable this service capture attack to TRICONEX service
Siemens S7-200 PLC decoy	HTTP service	Toggle to enable/disable this service. Enable this service capture attack through HTTP on default HTTP port HTTP page title is user defined Plant Identification is user-defined Serial Number is user-defined
	TFTP service	Toggle to enable/disable this service. Enable this to service capture attacks through TFTP on default TFTP port
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for Siemens S7-200 PLC decoy Community name is user-defined
	MODBUS service	Toggle to enable/disable this service. Enable this service capture attack through MODBUS on default MODBUS port
	S7COMM service	Toggle to enable/disable this service. Enable this service capture attack through S7COMM on default S7COMM port Module Type is user-defined PLC Name is user-defined
Rockwell PLC decoy	HTTP service	Toggle to enable/disable this service, enable this service capture attack through HTTP on default HTTP port HTTP page title is user defined
	TFTP service	Toggle to enable/disable this service. Enable this service to capture attacks through TFTP on default TFTP port
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for Siemens Rockwell PLC decoy Community name is user-defined
	ENIP service	Toggle to enable/disable this service, enable this service capture attack through ENIP on default ENIP port ENIP serial number is user-defined
Siemens S7-300 PLC decoy	TFTP service	Toggle to enable/disable this service. Enable this service to capture attacks through TFTP on the default TFTP port
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for Siemens S7-300 PLC decoy Community name is user-defined
	IEC104 service	Toggle to enable/disable this service, enable this service capture attack through IEC104 on default IEC104 port
IPMI Device decoy	HTTP service	Toggle to enable/disable this service. Enable this service to capture attacks through HTTP on default HTTP port
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for IPMI Device decoy community name is user-defined
	FTP service	Toggle to enable/disable this service. Enable this service to capture attack through FTP on default FTP port FTP banner is user-defined
	IPMI service	toggle to enable/disable this service, enable this service capture attack through IPMI on default IPMI port
KAMSTRUP 382 decoy	KAMSTRUP service	Toggle to enable/disable this service. Enable this service to simulate a Kamstrup device To deploy a KAMSTRUP decoy, this service must be enabled since it is the only service available
VAV-DD BACnet controller decoy	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for VAV-DD BACnet controller decoy Community name is user-defined
VAV-DD BACnet controller decoy	BACNET service	Toggle to enable/disable this service. Enable this service capture attack through BACNET on default BACNET port
Guardian-AST decoy	Guardian-AST service	Toggle to enable/disable this service. Enable this service to simulate a AST’s satellite communications remote asset tracking system named Guardian To deploy a Guardian-AST decoy, this service must be enabled since it is the only service available
Ascent Compass MNG decoy	HTTP service	Toggle to enable/disable this service. Enable this service to capture attacks through HTTP on default HTTP port
	FTP service	Toggle to enable/disable this service. Enable this service capture attack through FTP on default FTP port FTP banner is user-defined
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for Ascent Compass MNG decoy Community name is user-defined
	BACNET service	Toggle to enable/disable this service. Enable this service to capture attacks through BACNET on default BACNET port

FortiDeceptor decoys

The current FortiDeceptor decoys are:

Windows	Windows 7 Windows 10 (can be deployed as a gold image) Windows 2016 (deployed as a gold image) Windows 2019 (deployed as a gold image)
Linux	Ubuntu Desktop
IoT/OT	SCADA version 3 Medical OS POS OS ERP OS 8 OT protocols IoT OS
VPN	Fortinet SSL-VPN (FG-60E, FG-100F, FG-1500D, FG-2000E, FG-3700D)

The current FortiDeceptor monitor services are:

Windows	RDP SMB TCPListener NBNSSpoofSpotter
Linux	SSH SAMBA TCPListener HTTP HTTPS GIT
IoT/OT	HTTP FTP TFTP SNMP MODBUS S7COMM BACNET IPMI TRICONEX ENIP Kamstrup DNP3 Telnet PACS-WEB PACS DICOM server Infusion Pump (TELNET) Infusion Pump (FTP) POS-WEB ERP-WEP GUARDIAN-AST IEC104 Jetdirect Printer-WEB IP Camera-WEB UPnP RTSP CDP
SSL VPN	HTTPS

The current FortiDeceptor IP address capacity are:

A single FortiDeceptor appliance (HW/VM) can host up to 16 deception VMs.
A single deception VM supports up to 16 IP addresses or decoys, Each IP represent a decoy.
A single FortiDeceptor appliance (HW/VM) can support up to 256 IP addresses.
With 4 decoys per segment on average, a single FortiDeceptor appliance (HW/VM) can support up to 64 segments (VLANS).
FortiDeceptor decoys services details

IoT OS

HP printer decoy	SNMP service	Enable this towill open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within network Community name is user-defined SNMP response is customized for HP printer decoy
	Jetdirect	Enable this service will open port 9100 on decoy VM, and respond to PJL (Printer Job Language) request.
	Printer-WEB	A web GUI that simulate administration GUI of HP Officejet Pro X451dw printer.
IP camera decoy	IP Camera-WEB	A login-required service that displays videos to simulate IP cameras, although there are default videos, users should upload 1-8 .mp4 videos to best fit the working environment.
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network Community name is user-defined SNMP response is customized for IP camera decoy
	UPnP service	Enable this service to open port 8080 on decoy VM and simulate UPnP service: a UPnP msg will broadcast within the network. Within the msg there is a url for the attacker to download a .xml file showing device information.
	RTSP service	When this this service is enabled, you will also need to upload a video to a predefined location so the attacker can watch the video. The RTSP port can be adjusted To upload, you can use ffmpeg, or any other methods to infinitely loop a video, so it is available to the attacker For example, to infinitely loop a video:`sudo ffmpeg -re -stream_loop -1 -i {path_to_local_video} -c copy -f rtsp rtsp://{ip}:{port}/{name_you_choose};` For attacker, the live camera stream is available at `rtsp://{ip}:{port}/{name_you_choose}`
Cisco router decoy	Models	4 cisco images (model) are supported - 2691, 3660, 3725 and 3745, also if users upload a cisco image that cannot be used, an error msg will appear.
	Router Running-Config (optional)	User can upload a customized cisco config file to predefine the Cisco router setting
	Telnet service	A login-required service that enables attackers to utilize all Cisco router’s functions.
	HTTP service	A login-required GUI service that like the telnet service but provide less functionalities.
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network. Community name is user-defined. SNMP response is customized for Cisco router decoy
	CDP service	Enable CDP so the decoy VM will send CDP traffic within the network.

Medical

Infusion Pump (Telnet) service	Simulate Infusion Pump (telnet) A username/password is required to login.
Infusion Pump (FTP)	Simulates Infusion Pump (FTP) A username/password is required to login.
PACS service	A user-defined name for the PACS system.
PACS-WEB service	Login-required web GUI for PACS, with existing medical data Port can be adjusted
DICOM Server service	Server port can be adjusted Server name can be adjusted DICOM operations (e.g. C-STORE, C-FIND) are supported

POS

POS-WEB service

Login-required web GUI simulate POS website
Port can be adjusted

CRM(ERP)

ERP-WEB service

Login-required web GUI simulates ERP website
Port can be adjusted

SCADA (version3) OS

Schneider SCADAPack 333E decoy	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network Community name is user-defined SNMP response is customized for Schneider SCADAPack 333E decoy
	DNP3 service	Toggle to enable/disable this service, enable this service capture attack through DNP3
	Telnet service	Login-required telnet service simulates SCADAPack E Smart RTU command line environment
Schneider Power Meter - PM5560 decoy	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) requests from within the network Community name is user-defined SNMP response is customized for Schneider Power Meter - PM5560 decoy
	BACNET service	Toggle to enable/disable this service. Enable this service to capture attacks through BACNET on default BACNET port
	HTTP service	Toggle to enable/disable this service. Enable this service to capture attacks through HTTP on default HTTP port
	DNP3 service	toggle to enable/disable this service, enable this service capture attack through DNP3 on default DNP3 port
	ENIP service	Toggle to enable/disable this service. Enable this service to capture attacks through ENIP on default ENIP port
Schneider EcoStruxure BMS server decoy	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for Schneider EcoStruxure BMS server decoy Community name is user-defined
	BACNET service	Toggle to enable/disable this service. Enable this service tp capture attacks through BACNET on default BACNET port
	HTTP service	Toggle to enable/disable this service. Enable this service to capture attacks through HTTP on default HTTP port
	TRICONEX service	Toggle to enable/disable this service, enable this service capture attack to TRICONEX service
Siemens S7-200 PLC decoy	HTTP service	Toggle to enable/disable this service. Enable this service capture attack through HTTP on default HTTP port HTTP page title is user defined Plant Identification is user-defined Serial Number is user-defined
	TFTP service	Toggle to enable/disable this service. Enable this to service capture attacks through TFTP on default TFTP port
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for Siemens S7-200 PLC decoy Community name is user-defined
	MODBUS service	Toggle to enable/disable this service. Enable this service capture attack through MODBUS on default MODBUS port
	S7COMM service	Toggle to enable/disable this service. Enable this service capture attack through S7COMM on default S7COMM port Module Type is user-defined PLC Name is user-defined
Rockwell PLC decoy	HTTP service	Toggle to enable/disable this service, enable this service capture attack through HTTP on default HTTP port HTTP page title is user defined
	TFTP service	Toggle to enable/disable this service. Enable this service to capture attacks through TFTP on default TFTP port
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for Siemens Rockwell PLC decoy Community name is user-defined
	ENIP service	Toggle to enable/disable this service, enable this service capture attack through ENIP on default ENIP port ENIP serial number is user-defined
Siemens S7-300 PLC decoy	TFTP service	Toggle to enable/disable this service. Enable this service to capture attacks through TFTP on the default TFTP port
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for Siemens S7-300 PLC decoy Community name is user-defined
	IEC104 service	Toggle to enable/disable this service, enable this service capture attack through IEC104 on default IEC104 port
IPMI Device decoy	HTTP service	Toggle to enable/disable this service. Enable this service to capture attacks through HTTP on default HTTP port
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for IPMI Device decoy community name is user-defined
	FTP service	Toggle to enable/disable this service. Enable this service to capture attack through FTP on default FTP port FTP banner is user-defined
	IPMI service	toggle to enable/disable this service, enable this service capture attack through IPMI on default IPMI port
KAMSTRUP 382 decoy	KAMSTRUP service	Toggle to enable/disable this service. Enable this service to simulate a Kamstrup device To deploy a KAMSTRUP decoy, this service must be enabled since it is the only service available
VAV-DD BACnet controller decoy	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for VAV-DD BACnet controller decoy Community name is user-defined
VAV-DD BACnet controller decoy	BACNET service	Toggle to enable/disable this service. Enable this service capture attack through BACNET on default BACNET port
Guardian-AST decoy	Guardian-AST service	Toggle to enable/disable this service. Enable this service to simulate a AST’s satellite communications remote asset tracking system named Guardian To deploy a Guardian-AST decoy, this service must be enabled since it is the only service available
Ascent Compass MNG decoy	HTTP service	Toggle to enable/disable this service. Enable this service to capture attacks through HTTP on default HTTP port
	FTP service	Toggle to enable/disable this service. Enable this service capture attack through FTP on default FTP port FTP banner is user-defined
	SNMP service	Enable this service to open port 161 on decoy VM, and respond to SNMP(v1 or v2c) request from within the network SNMP response is customized for Ascent Compass MNG decoy Community name is user-defined
	BACNET service	Toggle to enable/disable this service. Enable this service to capture attacks through BACNET on default BACNET port

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Unified SASE

Single Vendor SASE

Cloud Network Security

Secure Endpoint Connectivity

Web Application / API Protection

Security Operations

Security Operations Automation

Identity

Early Detection & Prevention

Secure Networking

Hybrid Mesh Firewall

NOC Management

LAN

WAN

Communication & Surveillance

Unified SASE

Single Vendor SASE

Secure Endpoint Connectivity

Cloud Network Security

Cloud-Native Security

Web Application / API Protection

Security Operations

Security Operations Automation

Endpoint

Data Protection

Identity

Email

Early Detection & Prevention

Expert Services

Edge Firewall

Orchestration & management

SD Branch

Application Delivery

Single Vendor SASE

Secure Endpoint Connectivity

Secure Private Access

Thin Edge

Identity

Application Gateway

Enterprise Asset Management

Endpoint Agent

Agentless Security Posture

Identity

Wireless

Switching

Identity

Privilege Acccess Management

Next Generation Firewall

Orchestration & management

Expert Services

All

All

Account Management

SAAS Management

SAAS Application Security

Managed Services

Platform as a service (PAAS)

Other SAAS Services

4D Pillars

Cloud

Popular Solutions

Administration Guide

FortiDeceptor decoys

FortiDeceptor decoys

FortiDeceptor decoys

FortiDeceptor decoys