Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • New Features

    7.4.0
    7.6.0
    7.4.0
    7.2.0
    7.0.0
    6.4.0
    6.2.0

    Support IPS inspection for multicast UDP traffic 7.4.2

    Support IPS inspection for multicast UDP traffic 7.4.2

    Note

    This information is also available in the FortiOS 7.4 Administration Guide:

    IPS inspection can be applied for multicast UDP traffic in multicast firewall policies.

    config firewall {multicast-policy | multicast-policy6}
    edit <id>
        set utm-status {enable | disable}
        set ips-sensor <name>
        set logtraffic {all | utm | disable}
    next
end
    Tooltip

    IPv4 and IPv6 multicast policies can be configured in the GUI. Go to System > Feature Visibility, and enable Multicast Policy and IPv6.

    The multicast policy dialog page (Policy & Objects > Multicast Policy) includes a Security Profiles section where you can enable IPS and apply an IPS profile.

    Example

    In this example, an IPv4 multicast policy is configured with IPS inspection enabled. Multicast UDP traffic that contains IPS attacks is detected and blocked. A custom IPS signature is created with an infected EICAR pattern for the UDP protocol.

    To use IPS inspection for multicast UDP traffic:

    1. Configure the IPS custom signature:

      config ips custom
    edit "meicar"
        set signature "F-SBID( --name \"meicar\"; --attack_id 9999; --protocol udp; --severity medium; --default_action clear_session; --pattern \"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE\";)"
        set protocol UDP 
        set log disable
        set action block
    next
end

    2. Configure the IPS sensor:

      config ips sensor
    edit "test-meicar-1"
        config entries
            edit 1
                set rule 9999
                set status enable
                set action block
            next
        end
    next
end

    3. Configure the multicast policy:

      config firewall multicast-policy
    edit 1
        set srcintf "port38"
        set dstintf "port37"
        set srcaddr "all"
        set dstaddr "all"
        set utm-status enable
        set ips-sensor "test-meicar-1"
    next
end

    4. Add the server to the multicast group 239.1.1.10 and join it using a terminal:

      fosqa@ips_pc5:~$ iperf -s -u -B 239.1.1.10 -i 1
------------------------------------------------------------
Server listening on UDP port 5001
Binding to local address 239.1.1.10
Joining multicast group  239.1.1.10
Receiving 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 239.1.1.10 port 5001 connected with 10.1.100.11 port 52972

    5. From a terminal on the client, send multicast UDP traffic with the EICAR file:

      root@PC01:~# iperf -c 239.1.1.10 -u -T 3 -t 20 -i 1 -F eicar
------------------------------------------------------------
Client connecting to 239.1.1.10, UDP port 5001
Sending 1470 byte datagrams, IPG target: 11215.21 us (kalman adjust)
Setting multicast TTL to 3
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  4] local 10.1.100.11 port 33383 connected with 239.1.1.10 port 5001
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0- 0.0 sec  1.44 KBytes  1.03 Mbits/sec
[  4] Sent 1 datagrams

      The traffic will be blocked, and the server will not be able to receive the packets.

    6. Verify that the traffic is blocked.

      1. Verify the IPS event log:

        # execute log filter category 4
# execute log display
1 logs found.
1 logs returned.
							
1: date=2023-11-01 time=17:01:43 eventtime=1698883303178500916 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=239.1.1.10 dstcountry="Reserved" srcintf="port38" srcintfrole="undefined" dstintf="port37" dstintfrole="undefined" sessionid=18 action="dropped" proto=17 service="udp/5001" policyid=1 poluuid="09bdd086-78e2-51ee-1d61-0955f9046b53" policytype="multicast-policy" attack="meicar" srcport=52673 dstport=5001 direction="outgoing" attackid=9999 profile="test-meicar-1" incidentserialno=245366798 msg="custom: meicar" crscore=10 craction=16384 crlevel="medium"

      2. Verify the IPS traffic log:

        # execute log filter category 0
# execute log display
1 logs found.
1 logs returned.
							
1: date=2023-11-01 time=17:04:39 eventtime=1698883474200006380 tz="-0700" logid="0002000012" type="traffic" subtype="multicast" level="notice" vd="vd1" srcip=10.1.100.11 srcport=52673 srcintf="port38" srcintfrole="undefined" dstip=239.1.1.10 dstport=5001 dstintf="port37" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=18 proto=17 action="accept" policyid=1 policytype="multicast-policy" poluuid="09bdd086-78e2-51ee-1d61-0955f9046b53" policyname="mcast-ips" service="udp/5001" trandisp="noop" duration=180 sentbyte=2996 rcvdbyte=0 sentpkt=2 rcvdpkt=0 appcat="unscanned" utmref=0-266

      3. Verify the multicast session list:

        # diagnose sys mcast-session list

session info: id=19 vf=1 proto=17 10.1.100.11.56538->239.1.1.10.5001
used=2 path=1 duration=2 expire=177 indev=10
state=00000000:
session-npu-info: ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npuid=0 tae_index=0 qid=0 fwd_map=0x00000000
path: log ndr policy=1, outdev=9, tos=0xff
Total 1 sessions
    Previous
    Next

    Support IPS inspection for multicast UDP traffic 7.4.2

    Support IPS inspection for multicast UDP traffic 7.4.2

    Note

    This information is also available in the FortiOS 7.4 Administration Guide:

    IPS inspection can be applied for multicast UDP traffic in multicast firewall policies.

    config firewall {multicast-policy | multicast-policy6}
    edit <id>
        set utm-status {enable | disable}
        set ips-sensor <name>
        set logtraffic {all | utm | disable}
    next
end
    Tooltip

    IPv4 and IPv6 multicast policies can be configured in the GUI. Go to System > Feature Visibility, and enable Multicast Policy and IPv6.

    The multicast policy dialog page (Policy & Objects > Multicast Policy) includes a Security Profiles section where you can enable IPS and apply an IPS profile.

    Example

    In this example, an IPv4 multicast policy is configured with IPS inspection enabled. Multicast UDP traffic that contains IPS attacks is detected and blocked. A custom IPS signature is created with an infected EICAR pattern for the UDP protocol.

    To use IPS inspection for multicast UDP traffic:

    1. Configure the IPS custom signature:

      config ips custom
    edit "meicar"
        set signature "F-SBID( --name \"meicar\"; --attack_id 9999; --protocol udp; --severity medium; --default_action clear_session; --pattern \"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE\";)"
        set protocol UDP 
        set log disable
        set action block
    next
end

    2. Configure the IPS sensor:

      config ips sensor
    edit "test-meicar-1"
        config entries
            edit 1
                set rule 9999
                set status enable
                set action block
            next
        end
    next
end

    3. Configure the multicast policy:

      config firewall multicast-policy
    edit 1
        set srcintf "port38"
        set dstintf "port37"
        set srcaddr "all"
        set dstaddr "all"
        set utm-status enable
        set ips-sensor "test-meicar-1"
    next
end

    4. Add the server to the multicast group 239.1.1.10 and join it using a terminal:

      fosqa@ips_pc5:~$ iperf -s -u -B 239.1.1.10 -i 1
------------------------------------------------------------
Server listening on UDP port 5001
Binding to local address 239.1.1.10
Joining multicast group  239.1.1.10
Receiving 1470 byte datagrams
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  3] local 239.1.1.10 port 5001 connected with 10.1.100.11 port 52972

    5. From a terminal on the client, send multicast UDP traffic with the EICAR file:

      root@PC01:~# iperf -c 239.1.1.10 -u -T 3 -t 20 -i 1 -F eicar
------------------------------------------------------------
Client connecting to 239.1.1.10, UDP port 5001
Sending 1470 byte datagrams, IPG target: 11215.21 us (kalman adjust)
Setting multicast TTL to 3
UDP buffer size:  208 KByte (default)
------------------------------------------------------------
[  4] local 10.1.100.11 port 33383 connected with 239.1.1.10 port 5001
[ ID] Interval       Transfer     Bandwidth
[  4]  0.0- 0.0 sec  1.44 KBytes  1.03 Mbits/sec
[  4] Sent 1 datagrams

      The traffic will be blocked, and the server will not be able to receive the packets.

    6. Verify that the traffic is blocked.

      1. Verify the IPS event log:

        # execute log filter category 4
# execute log display
1 logs found.
1 logs returned.
							
1: date=2023-11-01 time=17:01:43 eventtime=1698883303178500916 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=239.1.1.10 dstcountry="Reserved" srcintf="port38" srcintfrole="undefined" dstintf="port37" dstintfrole="undefined" sessionid=18 action="dropped" proto=17 service="udp/5001" policyid=1 poluuid="09bdd086-78e2-51ee-1d61-0955f9046b53" policytype="multicast-policy" attack="meicar" srcport=52673 dstport=5001 direction="outgoing" attackid=9999 profile="test-meicar-1" incidentserialno=245366798 msg="custom: meicar" crscore=10 craction=16384 crlevel="medium"

      2. Verify the IPS traffic log:

        # execute log filter category 0
# execute log display
1 logs found.
1 logs returned.
							
1: date=2023-11-01 time=17:04:39 eventtime=1698883474200006380 tz="-0700" logid="0002000012" type="traffic" subtype="multicast" level="notice" vd="vd1" srcip=10.1.100.11 srcport=52673 srcintf="port38" srcintfrole="undefined" dstip=239.1.1.10 dstport=5001 dstintf="port37" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=18 proto=17 action="accept" policyid=1 policytype="multicast-policy" poluuid="09bdd086-78e2-51ee-1d61-0955f9046b53" policyname="mcast-ips" service="udp/5001" trandisp="noop" duration=180 sentbyte=2996 rcvdbyte=0 sentpkt=2 rcvdpkt=0 appcat="unscanned" utmref=0-266

      3. Verify the multicast session list:

        # diagnose sys mcast-session list

session info: id=19 vf=1 proto=17 10.1.100.11.56538->239.1.1.10.5001
used=2 path=1 duration=2 expire=177 indev=10
state=00000000:
session-npu-info: ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npuid=0 tae_index=0 qid=0 fwd_map=0x00000000
path: log ndr policy=1, outdev=9, tos=0xff
Total 1 sessions
    Previous
    Next