Support Diameter protocol inspection on the FortiGate 7.4.2
This information is also available in the FortiOS 7.4 Administration Guide.
Diameter protocol inspection is supported on the FortiGate, which offers the following capabilities.
- Diameter-based packet forwarding and routing: the FortiGate can forward and route Diameter packets that match a firewall policy with an enabled and assigned diameter-filter profile. These Diameter packets traverse over SCTP or TCP on the reserved port 3868.
- Packet sanity checking: this feature checks if the packet passing through the FortiGate conforms to the Diameter protocol standards as defined in RFC 3588. This includes checking the release version field, error command flags, message length, reserved command flag bits, command code, and tracking the request and answer of the Diameter-based packets.
- Logging: for network auditing purposes, the traffic for both dropped and forwarded Diameter-based packets of the supported commands can be logged. By default, these are disabled.
Diameter protocol is particularly important on interfaces that are used to exchange information with roaming partners, through the Internetwork Packet Exchange (IPX) network.
This feature requires a valid IPS license.
config diameter-filter profile
    edit <name>
        set monitor-all-messages {enable | disable}
        set log-packet {enable | disable}
        set track-requests-answers {enable | disable}
        set missing-request-action {allow | block | reset | monitor}
        set protocol-version-invalid {allow | block | reset | monitor}
        set message-length-invalid {allow | block | reset | monitor}
        set request-error-flag-set {allow | block | reset | monitor}
        set cmd-flags-reserve-set {allow | block | reset | monitor}
        set command-code-invalid {allow | block | reset | monitor}
        set command-code-range <min-max>
    next
end
monitor-all-messages {enable | disable}
    Enable/disable logging for all User-Name and Result-Code AVP messages.
log-packet {enable | disable}
    Enable/disable packet log for triggered Diameter settings.
track-requests-answers {enable | disable}
    Enable/disable validation that each answer has a corresponding request.
missing-request-action {allow | block | reset | monitor}
    Set the action to be taken for answers without a corresponding request.
protocol-version-invalid {allow | block | reset | monitor}
    Set the action to be taken for an invalid protocol version.
message-length-invalid {allow | block | reset | monitor}
    Set the action to be taken for an invalid message length.
request-error-flag-set {allow | block | reset | monitor}
    Set the action to be taken for request messages with an error flag set.
cmd-flags-reserve-set {allow | block | reset | monitor}
    Set the action to be taken for messages with a command flag reserve bits set.
command-code-invalid {allow | block | reset | monitor}
    Set the action to be taken for messages with an invalid command code.
command-code-range <min-max>
    Set the valid range for command codes (min = 0, max = 16777215, default = 256-16777213).
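As an added example (not FortiOS code), the following Python mirrors the header sanity checks the options above control: it parses the 20-byte Diameter header, maps each check to its profile option and configured action, and matches answers to earlier requests. The profile values are constructed, the signature names are taken from the sample logs below, and matching answers to requests by the Hop-by-Hop Identifier is an assumption about how the tracking works.

```python
import struct
# Profile mirroring the diameter-filter options on this page (values constructed for the example)
PROFILE = {
    "protocol-version-invalid": "block",
    "message-length-invalid": "block",
    "request-error-flag-set": "block",
    "cmd-flags-reserve-set": "block",
    "command-code-invalid": "block",
    "missing-request-action": "block",
    "command-code-range": (256, 1677213),
}
FLAG_R, FLAG_E, RESERVED_MASK = 0x80, 0x20, 0x0F  # command flag bits: Request, Error, reserved low nibble

def build_header(version, msg_len, flags, code, app_id=0, hbh=1, e2e=1):
    """Pack a 20-byte Diameter header (RFC 3588 section 3); the 24-bit fields are packed by hand."""
    return (bytes([version]) + msg_len.to_bytes(3, "big") + bytes([flags])
            + code.to_bytes(3, "big") + struct.pack("!III", app_id, hbh, e2e))

class DiameterInspector:
    def __init__(self, profile):
        self.profile = profile
        self.pending = set()  # Hop-by-Hop IDs of requests seen, awaiting their answers (assumed matching key)

    def inspect(self, pkt):
        """Return (action, signature) for one Diameter message; signature is None when it passes."""
        if len(pkt) < 20:  # too short to even hold a header
            return (self.profile["message-length-invalid"], "Diameter.Incorrect.Message.Length")
        version = pkt[0]
        msg_len = int.from_bytes(pkt[1:4], "big")
        flags = pkt[4]
        code = int.from_bytes(pkt[5:8], "big")
        hbh = int.from_bytes(pkt[12:16], "big")
        lo, hi = self.profile["command-code-range"]
        checks = [  # (condition, profile option, signature name as seen in the sample logs)
            (version != 1, "protocol-version-invalid", "Diameter.Invalid.Version"),
            (msg_len != len(pkt), "message-length-invalid", "Diameter.Incorrect.Message.Length"),
            (flags & FLAG_R and flags & FLAG_E, "request-error-flag-set", "Diameter.Request.Message.Error.Flag.Set"),
            (flags & RESERVED_MASK, "cmd-flags-reserve-set", "Diameter.Incorrect.Reserved.Bits"),
            (not lo <= code <= hi, "command-code-invalid", "Diameter.Message.Command.Overlong"),
        ]
        for hit, option, signature in checks:
            if hit:
                return (self.profile[option], signature)
        if flags & FLAG_R:  # request: remember it so its answer can be matched later
            self.pending.add(hbh)
            return ("allow", None)
        if hbh not in self.pending:  # answer for which no request was seen
            return (self.profile["missing-request-action"], "Diameter.Response.Message.No.Matching.Request.Found")
        self.pending.discard(hbh)
        return ("allow", None)
```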
To configure Diameter protocol inspection:
1. Configure the Diameter filter profile:
    config diameter-filter profile
        edit "diameter_profile"
            set monitor-all-messages disable
            set log-packet enable
            set track-requests-answers enable
            set missing-request-action block
            set protocol-version-invalid block
            set message-length-invalid block
            set request-error-flag-set block
            set cmd-flags-reserve-set block
            set command-code-invalid block
            set command-code-range 256-1677213
        next
    end
2. Apply the Diameter filter to a firewall policy:
    config firewall policy
        edit 1
            set srcintf "port1"
            set dstintf "port3"
            set action accept
            set srcaddr "all"
            set dstaddr "all"
            set srcaddr6 "all"
            set dstaddr6 "all"
            set schedule "always"
            set service "ALL"
            set utm-status enable
            set ssl-ssh-profile "deep-inspection"
            set diameter-filter-profile "diameter_profile"
            set logtraffic all
            set auto-asic-offload disable
        next
    end
NTurbo does not fully support SCTP, so if the configuration includes Diameter-over-SCTP, the auto-asic-offload setting should be disabled in the firewall policy. Otherwise, IPS does not get the full session packets.
Sample logs
No matching request:
1: date=2023-11-09 time=11:04:32 eventtime=1699556673071701052 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=163572 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Response.Message.No.Matching.Request.Found" direction="outgoing" attackid=52234 ref="http://www.fortinet.com/ids/VID52234" incidentserialno=60817776 msg="diameter_decoder: Diameter.Response.Message.No.Matching.Request.Found, command_code=317"
Invalid protocol version:
1: date=2023-11-08 time=20:20:54 eventtime=1699503655386037801 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=117419 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Invalid.Version" direction="outgoing" attackid=52229 ref="http://www.fortinet.com/ids/VID52229" incidentserialno=60817657 msg="diameter_decoder: Diameter.Invalid.Version, protocol_version=2"
Incorrect message length:
1: date=2023-11-08 time=19:18:10 eventtime=1699499890820325221 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=113487 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Incorrect.Message.Length" direction="outgoing" attackid=52230 ref="http://www.fortinet.com/ids/VID52230" incidentserialno=60817601 msg="diameter_decoder: Diameter.Incorrect.Message.Length, message_length=174, packet_length=164"
Request error flag:
1: date=2023-11-08 time=19:27:29 eventtime=1699500449951027175 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=114134 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Request.Message.Error.Flag.Set" direction="outgoing" attackid=52231 ref="http://www.fortinet.com/ids/VID52231" incidentserialno=60817619 msg="diameter_decoder: Diameter.Request.Message.Error.Flag.Set, command_flags=A0"
Incorrect reserved bits:
1: date=2023-11-08 time=19:31:10 eventtime=1699500670891359990 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=114400 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Incorrect.Reserved.Bits" direction="outgoing" attackid=52232 ref="http://www.fortinet.com/ids/VID52232" incidentserialno=60817626 msg="diameter_decoder: Diameter.Incorrect.Reserved.Bits, command_flags=82"
Out-of-range command code:
2: date=2023-11-08 time=16:59:41 eventtime=1699491581561225681 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=106658 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Message.Command.Overlong" direction="outgoing" attackid=52233 ref="http://www.fortinet.com/ids/VID52233" incidentserialno=60817600 msg="diameter_decoder: Diameter.Message.Command.Overlong, command_code=255, range_min=256, range_max=1677213"