Administration Guide

SCTP filtering capabilities

A Stream Control Transmission Protocol (SCTP) dissector and Payload Protocol Identifier (PPID) filter can be used to either terminate the SCTP session, or replace the offending data chunk with zeros to keep the client and server sequence numbers synchronized. The SCTP filter action can also pass the data chunk.

To configure and test an SCTP filter:
  1. Configure an SCTP filter profile that uses the reset action:

    config sctp-filter profile
        edit "sctp"
            set comment "Demo profile"
            config ppid-filters
                edit 1
                    set ppid 112233
                    set action reset
                    set comment "test chunk"
                next
            end
        next
    end
  2. Use the SCTP filter profile in a firewall policy:

    config firewall policy
        edit 1
            set name "1"
            set srcintf "port38"
            set dstintf "port37"
            set srcaddr "all"
            set dstaddr "all"
            set action accept
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "new-deep-inspection"
            set sctp-filter-profile "sctp"
            set logtraffic all
        next
    end
  3. On the SCTP client, confirm that the connection works and send a data chunk with PPID 112233.

  4. The IPS engine detects the data chunk. The PPID matches the PPID filter, and the filter action is reset, so the data chunk is not received on the server, and the session is terminated.

  5. Change the filter action to replace:

    config sctp-filter profile
        edit "sctp"
            config ppid-filters
                edit 1
                    set action replace
                next
            end
        next
    end
  6. Resend the data chunk.

  7. The IPS engine detects the data chunk. The PPID matches the PPID filter, and the filter action is replace, so the data chunk is replaced with zeros.
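The replace action in steps 5 to 7 works because it keeps the chunk header, TSN and length intact and only zeroes the user data, so neither endpoint sees a gap in the sequence space. The following Python is an added example, not FortiOS or Fortinet code: it implements a minimal SCTP dissector with the pass, replace and reset actions keyed on PPID and recomputes the CRC32c afterwards. The packet layout follows RFC 4960; the sample packet, its ports and the rule table are constructed assumptions.

```python
import struct

COMMON_HDR = struct.Struct("!HHII")   # src port, dst port, verification tag, checksum
CHUNK_HDR = struct.Struct("!BBH")     # type, flags, length (header included, padding excluded)
DATA_HDR = struct.Struct("!IHHI")     # TSN, stream id, stream seq, PPID
DATA_CHUNK = 0

def crc32c(data):
    """CRC-32C (Castagnoli), the checksum SCTP uses; bitwise, table-free."""
    crc = 0xFFFFFFFF
    for b in data:
        crc ^= b
        for _ in range(8):
            crc = (crc >> 1) ^ (0x82F63B78 if crc & 1 else 0)
    return crc ^ 0xFFFFFFFF

def data_chunk(tsn, ppid, payload, stream=0, seq=0):
    """Build one unfragmented DATA chunk (B and E flags set), padded to 4 bytes."""
    length = CHUNK_HDR.size + DATA_HDR.size + len(payload)
    return (CHUNK_HDR.pack(DATA_CHUNK, 0x03, length) + DATA_HDR.pack(tsn, stream, seq, ppid)
            + payload + b"\0" * ((-length) % 4))

def chunks(pkt):
    """Walk the chunk list; yield (offset, type, length, raw chunk bytes incl. padding)."""
    off = COMMON_HDR.size
    while off < len(pkt):
        ctype, _flags, length = CHUNK_HDR.unpack_from(pkt, off)
        if length < CHUNK_HDR.size:
            raise ValueError("malformed chunk length")   # guard: a zero length would loop forever
        padded = length + (-length) % 4                  # chunks are 4-byte aligned
        yield off, ctype, length, pkt[off:off + padded]
        off += padded

def data_chunks(pkt):
    """Return (tsn, ppid, user data) for every DATA chunk, for inspection and tests."""
    found = []
    for off, ctype, length, _raw in chunks(pkt):
        if ctype == DATA_CHUNK:
            tsn, _sid, _ssn, ppid = DATA_HDR.unpack_from(pkt, off + CHUNK_HDR.size)
            found.append((tsn, ppid, pkt[off + CHUNK_HDR.size + DATA_HDR.size:off + length]))
    return found

def filter_packet(pkt, rules):
    """Apply {ppid: action} rules (pass/replace/reset). Returns (verdict, forwarded packet)."""
    src, dst, vtag, _ = COMMON_HDR.unpack_from(pkt)
    out, verdict = bytearray(COMMON_HDR.pack(src, dst, vtag, 0)), "pass"
    for off, ctype, _length, raw in chunks(pkt):
        if ctype == DATA_CHUNK:
            action = rules.get(DATA_HDR.unpack_from(pkt, off + CHUNK_HDR.size)[3], "pass")
            if action == "reset":
                return "reset", None                     # association torn down, nothing forwarded
            if action == "replace":                      # keep header, TSN, stream, PPID; zero the data
                keep = CHUNK_HDR.size + DATA_HDR.size
                raw, verdict = raw[:keep] + b"\0" * (len(raw) - keep), "replace"
        out += raw
    out[8:12] = struct.pack("<I", crc32c(bytes(out)))    # CRC32c is stored LSB-first (RFC 4960 App. B)
    return verdict, bytes(out)

def sample_packet():
    """Constructed packet: a benign chunk (PPID 5) then the PPID 112233 chunk from the page."""
    body = data_chunk(1000, 5, b"hello") + data_chunk(1001, 112233, b"offending data")
    return filter_packet(COMMON_HDR.pack(4000, 4000, 0xCAFEBABE, 0) + body, {})[1]
```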