
Administration Guide

Using IPS inspection for multicast UDP traffic

Using IPS inspection for multicast UDP traffic

IPS inspection can be applied to multicast UDP traffic by enabling it in multicast firewall policies.

config firewall {multicast-policy | multicast-policy6}
    edit <id>
        set utm-status {enable | disable}
        set ips-sensor <name>
        set logtraffic {all | utm | disable}
    next
end

IPv4 and IPv6 multicast policies can be configured in the GUI. Go to System > Feature Visibility, and enable Multicast Policy and IPv6.

The multicast policy dialog page (Policy & Objects > Multicast Policy) includes a Security Profiles section where you can enable IPS and apply an IPS profile.

Example

In this example, an IPv4 multicast policy is configured with IPS inspection enabled, so that multicast UDP traffic matching an IPS signature is detected and blocked. A custom IPS signature is created that matches the EICAR anti-virus test-file pattern in UDP traffic.

To use IPS inspection for multicast UDP traffic:
  1. Configure the IPS custom signature:

    config ips custom
        edit "meicar"
            set signature "F-SBID( --name \"meicar\"; --attack_id 9999; --protocol udp; --severity medium; --default_action clear_session; --pattern \"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE\";)"
            set protocol UDP 
            set log disable
            set action block
        next
    end
  2. Configure the IPS sensor:

    config ips sensor
        edit "test-meicar-1"
            config entries
                edit 1
                    set rule 9999
                    set status enable
                    set action block
                next
            end
        next
    end
  3. Configure the multicast policy:

    config firewall multicast-policy
        edit 1
            set srcintf "port38"
            set dstintf "port37"
            set srcaddr "all"
            set dstaddr "all"
            set utm-status enable
            set ips-sensor "test-meicar-1"
        next
    end
  4. On the server, join the multicast group 239.1.1.10 from a terminal:

    fosqa@ips_pc5:~$ iperf -s -u -B 239.1.1.10 -i 1
    ------------------------------------------------------------
    Server listening on UDP port 5001
    Binding to local address 239.1.1.10
    Joining multicast group  239.1.1.10
    Receiving 1470 byte datagrams
    UDP buffer size:  208 KByte (default)
    ------------------------------------------------------------
    [  3] local 239.1.1.10 port 5001 connected with 10.1.100.11 port 52972
  5. From a terminal on the client, send multicast UDP traffic with the EICAR file:

    root@PC01:~# iperf -c 239.1.1.10 -u -T 3 -t 20 -i 1 -F eicar
    ------------------------------------------------------------
    Client connecting to 239.1.1.10, UDP port 5001
    Sending 1470 byte datagrams, IPG target: 11215.21 us (kalman adjust)
    Setting multicast TTL to 3
    UDP buffer size:  208 KByte (default)
    ------------------------------------------------------------
    [  4] local 10.1.100.11 port 33383 connected with 239.1.1.10 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  4]  0.0- 0.0 sec  1.44 KBytes  1.03 Mbits/sec
    [  4] Sent 1 datagrams

    The traffic is blocked, so the server does not receive the packets.

  6. Verify that the traffic is blocked.

    1. Verify the IPS event log:

      # execute log filter category 4
      # execute log display
      1 logs found.
      1 logs returned.
      							
      1: date=2023-11-01 time=17:01:43 eventtime=1698883303178500916 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=239.1.1.10 dstcountry="Reserved" srcintf="port38" srcintfrole="undefined" dstintf="port37" dstintfrole="undefined" sessionid=18 action="dropped" proto=17 service="udp/5001" policyid=1 poluuid="09bdd086-78e2-51ee-1d61-0955f9046b53" policytype="multicast-policy" attack="meicar" srcport=52673 dstport=5001 direction="outgoing" attackid=9999 profile="test-meicar-1" incidentserialno=245366798 msg="custom: meicar" crscore=10 craction=16384 crlevel="medium"
    2. Verify the traffic log for the multicast policy (the action="accept" in this entry reflects the policy match; the drop itself is recorded in the IPS event log above):

      # execute log filter category 0
      # execute log display
      1 logs found.
      1 logs returned.
      							
      1: date=2023-11-01 time=17:04:39 eventtime=1698883474200006380 tz="-0700" logid="0002000012" type="traffic" subtype="multicast" level="notice" vd="vd1" srcip=10.1.100.11 srcport=52673 srcintf="port38" srcintfrole="undefined" dstip=239.1.1.10 dstport=5001 dstintf="port37" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=18 proto=17 action="accept" policyid=1 policytype="multicast-policy" poluuid="09bdd086-78e2-51ee-1d61-0955f9046b53" policyname="mcast-ips" service="udp/5001" trandisp="noop" duration=180 sentbyte=2996 rcvdbyte=0 sentpkt=2 rcvdpkt=0 appcat="unscanned" utmref=0-266
    3. Verify the multicast session list:

      # diagnose sys mcast-session list
      
      session info: id=19 vf=1 proto=17 10.1.100.11.56538->239.1.1.10.5001
      used=2 path=1 duration=2 expire=177 indev=10
      state=00000000:
      session-npu-info: ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npuid=0 tae_index=0 qid=0 fwd_map=0x00000000
      path: log ndr policy=1, outdev=9, tos=0xff
      Total 1 sessions

Using IPS inspection for multicast UDP traffic

IPS inspection can be applied to multicast UDP traffic by enabling it in multicast firewall policies.

config firewall {multicast-policy | multicast-policy6}
    edit <id>
        set utm-status {enable | disable}
        set ips-sensor <name>
        set logtraffic {all | utm | disable}
    next
end

IPv4 and IPv6 multicast policies can be configured in the GUI. Go to System > Feature Visibility, and enable Multicast Policy and IPv6.

The multicast policy dialog page (Policy & Objects > Multicast Policy) includes a Security Profiles section where you can enable IPS and apply an IPS profile.

Example

In this example, an IPv4 multicast policy is configured with IPS inspection enabled, so that multicast UDP traffic matching an IPS signature is detected and blocked. A custom IPS signature is created that matches the EICAR anti-virus test-file pattern in UDP traffic.

To use IPS inspection for multicast UDP traffic:
  1. Configure the IPS custom signature:

    config ips custom
        edit "meicar"
            set signature "F-SBID( --name \"meicar\"; --attack_id 9999; --protocol udp; --severity medium; --default_action clear_session; --pattern \"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE\";)"
            set protocol UDP 
            set log disable
            set action block
        next
    end
  2. Configure the IPS sensor:

    config ips sensor
        edit "test-meicar-1"
            config entries
                edit 1
                    set rule 9999
                    set status enable
                    set action block
                next
            end
        next
    end
  3. Configure the multicast policy:

    config firewall multicast-policy
        edit 1
            set srcintf "port38"
            set dstintf "port37"
            set srcaddr "all"
            set dstaddr "all"
            set utm-status enable
            set ips-sensor "test-meicar-1"
        next
    end
  4. On the server, join the multicast group 239.1.1.10 from a terminal:

    fosqa@ips_pc5:~$ iperf -s -u -B 239.1.1.10 -i 1
    ------------------------------------------------------------
    Server listening on UDP port 5001
    Binding to local address 239.1.1.10
    Joining multicast group  239.1.1.10
    Receiving 1470 byte datagrams
    UDP buffer size:  208 KByte (default)
    ------------------------------------------------------------
    [  3] local 239.1.1.10 port 5001 connected with 10.1.100.11 port 52972
  5. From a terminal on the client, send multicast UDP traffic with the EICAR file:

    root@PC01:~# iperf -c 239.1.1.10 -u -T 3 -t 20 -i 1 -F eicar
    ------------------------------------------------------------
    Client connecting to 239.1.1.10, UDP port 5001
    Sending 1470 byte datagrams, IPG target: 11215.21 us (kalman adjust)
    Setting multicast TTL to 3
    UDP buffer size:  208 KByte (default)
    ------------------------------------------------------------
    [  4] local 10.1.100.11 port 33383 connected with 239.1.1.10 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  4]  0.0- 0.0 sec  1.44 KBytes  1.03 Mbits/sec
    [  4] Sent 1 datagrams

    The traffic is blocked, so the server does not receive the packets.

  6. Verify that the traffic is blocked.

    1. Verify the IPS event log:

      # execute log filter category 4
      # execute log display
      1 logs found.
      1 logs returned.
      							
      1: date=2023-11-01 time=17:01:43 eventtime=1698883303178500916 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=239.1.1.10 dstcountry="Reserved" srcintf="port38" srcintfrole="undefined" dstintf="port37" dstintfrole="undefined" sessionid=18 action="dropped" proto=17 service="udp/5001" policyid=1 poluuid="09bdd086-78e2-51ee-1d61-0955f9046b53" policytype="multicast-policy" attack="meicar" srcport=52673 dstport=5001 direction="outgoing" attackid=9999 profile="test-meicar-1" incidentserialno=245366798 msg="custom: meicar" crscore=10 craction=16384 crlevel="medium"
    2. Verify the traffic log for the multicast policy (the action="accept" in this entry reflects the policy match; the drop itself is recorded in the IPS event log above):

      # execute log filter category 0
      # execute log display
      1 logs found.
      1 logs returned.
      							
      1: date=2023-11-01 time=17:04:39 eventtime=1698883474200006380 tz="-0700" logid="0002000012" type="traffic" subtype="multicast" level="notice" vd="vd1" srcip=10.1.100.11 srcport=52673 srcintf="port38" srcintfrole="undefined" dstip=239.1.1.10 dstport=5001 dstintf="port37" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=18 proto=17 action="accept" policyid=1 policytype="multicast-policy" poluuid="09bdd086-78e2-51ee-1d61-0955f9046b53" policyname="mcast-ips" service="udp/5001" trandisp="noop" duration=180 sentbyte=2996 rcvdbyte=0 sentpkt=2 rcvdpkt=0 appcat="unscanned" utmref=0-266
    3. Verify the multicast session list:

      # diagnose sys mcast-session list
      
      session info: id=19 vf=1 proto=17 10.1.100.11.56538->239.1.1.10.5001
      used=2 path=1 duration=2 expire=177 indev=10
      state=00000000:
      session-npu-info: ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npuid=0 tae_index=0 qid=0 fwd_map=0x00000000
      path: log ndr policy=1, outdev=9, tos=0xff
      Total 1 sessions