Fortinet white logo
Fortinet white logo

Administration Guide

Using IPS inspection for multicast UDP traffic

Using IPS inspection for multicast UDP traffic

IPS inspection can be applied for multicast UDP traffic in multicast firewall policies.

config firewall {multicast-policy | multicast-policy6}
    edit <id>
        set utm-status {enable | disable}
        set ips-sensor <name>
        set logtraffic {all | utm | disable}
    next
end
Tooltip

IPv4 and IPv6 multicast policies can be configured in the GUI. Go to System > Feature Visibility, and enable Multicast Policy and IPv6.

The multicast policy dialog page (Policy & Objects > Multicast Policy) includes a Security Profiles section where you can enable IPS and apply an IPS profile.

Example

In this example, an IPv4 multicast policy is configured with IPS inspection enabled. Multicast UDP traffic that contains IPS attacks is detected and blocked. A custom IPS signature is created with an infected EICAR pattern for the UDP protocol.

To use IPS inspection for multicast UDP traffic:
  1. Configure the IPS custom signature:

    config ips custom
        edit "meicar"
            set signature "F-SBID( --name \"meicar\"; --attack_id 9999; --protocol udp; --severity medium; --default_action clear_session; --pattern \"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE\";)"
            set protocol UDP 
            set log disable
            set action block
        next
    end
  2. Configure the IPS sensor:

    config ips sensor
        edit "test-meicar-1"
            config entries
                edit 1
                    set rule 9999
                    set status enable
                    set action block
                next
            end
        next
    end
  3. Configure the multicast policy:

    config firewall multicast-policy
        edit 1
            set srcintf "port38"
            set dstintf "port37"
            set srcaddr "all"
            set dstaddr "all"
            set utm-status enable
            set ips-sensor "test-meicar-1"
        next
    end
  4. Add the server to the multicast group 239.1.1.10 and join it using a terminal:

    fosqa@ips_pc5:~$ iperf -s -u -B 239.1.1.10 -i 1
    ------------------------------------------------------------
    Server listening on UDP port 5001
    Binding to local address 239.1.1.10
    Joining multicast group  239.1.1.10
    Receiving 1470 byte datagrams
    UDP buffer size:  208 KByte (default)
    ------------------------------------------------------------
    [  3] local 239.1.1.10 port 5001 connected with 10.1.100.11 port 52972
  5. From a terminal on the client, send multicast UDP traffic with the EICAR file:

    root@PC01:~# iperf -c 239.1.1.10 -u -T 3 -t 20 -i 1 -F eicar
    ------------------------------------------------------------
    Client connecting to 239.1.1.10, UDP port 5001
    Sending 1470 byte datagrams, IPG target: 11215.21 us (kalman adjust)
    Setting multicast TTL to 3
    UDP buffer size:  208 KByte (default)
    ------------------------------------------------------------
    [  4] local 10.1.100.11 port 33383 connected with 239.1.1.10 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  4]  0.0- 0.0 sec  1.44 KBytes  1.03 Mbits/sec
    [  4] Sent 1 datagrams

    The traffic will be blocked, and the server will not be able to receive the packets.

  6. Verify that the traffic is blocked.

    1. Verify the IPS event log:

      # execute log filter category 4
      # execute log display
      1 logs found.
      1 logs returned.
      							
      1: date=2023-11-01 time=17:01:43 eventtime=1698883303178500916 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=239.1.1.10 dstcountry="Reserved" srcintf="port38" srcintfrole="undefined" dstintf="port37" dstintfrole="undefined" sessionid=18 action="dropped" proto=17 service="udp/5001" policyid=1 poluuid="09bdd086-78e2-51ee-1d61-0955f9046b53" policytype="multicast-policy" attack="meicar" srcport=52673 dstport=5001 direction="outgoing" attackid=9999 profile="test-meicar-1" incidentserialno=245366798 msg="custom: meicar" crscore=10 craction=16384 crlevel="medium"
    2. Verify the IPS traffic log:

      # execute log filter category 0
      # execute log display
      1 logs found.
      1 logs returned.
      							
      1: date=2023-11-01 time=17:04:39 eventtime=1698883474200006380 tz="-0700" logid="0002000012" type="traffic" subtype="multicast" level="notice" vd="vd1" srcip=10.1.100.11 srcport=52673 srcintf="port38" srcintfrole="undefined" dstip=239.1.1.10 dstport=5001 dstintf="port37" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=18 proto=17 action="accept" policyid=1 policytype="multicast-policy" poluuid="09bdd086-78e2-51ee-1d61-0955f9046b53" policyname="mcast-ips" service="udp/5001" trandisp="noop" duration=180 sentbyte=2996 rcvdbyte=0 sentpkt=2 rcvdpkt=0 appcat="unscanned" utmref=0-266
    3. Verify the multicast session list:

      # diagnose sys mcast-session list
      
      session info: id=19 vf=1 proto=17 10.1.100.11.56538->239.1.1.10.5001
      used=2 path=1 duration=2 expire=177 indev=10
      state=00000000:
      session-npu-info: ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npuid=0 tae_index=0 qid=0 fwd_map=0x00000000
      path: log ndr policy=1, outdev=9, tos=0xff
      Total 1 sessions

Using IPS inspection for multicast UDP traffic

Using IPS inspection for multicast UDP traffic

IPS inspection can be applied for multicast UDP traffic in multicast firewall policies.

config firewall {multicast-policy | multicast-policy6}
    edit <id>
        set utm-status {enable | disable}
        set ips-sensor <name>
        set logtraffic {all | utm | disable}
    next
end
Tooltip

IPv4 and IPv6 multicast policies can be configured in the GUI. Go to System > Feature Visibility, and enable Multicast Policy and IPv6.

The multicast policy dialog page (Policy & Objects > Multicast Policy) includes a Security Profiles section where you can enable IPS and apply an IPS profile.

Example

In this example, an IPv4 multicast policy is configured with IPS inspection enabled. Multicast UDP traffic that contains IPS attacks is detected and blocked. A custom IPS signature is created with an infected EICAR pattern for the UDP protocol.

To use IPS inspection for multicast UDP traffic:
  1. Configure the IPS custom signature:

    config ips custom
        edit "meicar"
            set signature "F-SBID( --name \"meicar\"; --attack_id 9999; --protocol udp; --severity medium; --default_action clear_session; --pattern \"$EICAR-STANDARD-ANTIVIRUS-TEST-FILE\";)"
            set protocol UDP 
            set log disable
            set action block
        next
    end
  2. Configure the IPS sensor:

    config ips sensor
        edit "test-meicar-1"
            config entries
                edit 1
                    set rule 9999
                    set status enable
                    set action block
                next
            end
        next
    end
  3. Configure the multicast policy:

    config firewall multicast-policy
        edit 1
            set srcintf "port38"
            set dstintf "port37"
            set srcaddr "all"
            set dstaddr "all"
            set utm-status enable
            set ips-sensor "test-meicar-1"
        next
    end
  4. Add the server to the multicast group 239.1.1.10 and join it using a terminal:

    fosqa@ips_pc5:~$ iperf -s -u -B 239.1.1.10 -i 1
    ------------------------------------------------------------
    Server listening on UDP port 5001
    Binding to local address 239.1.1.10
    Joining multicast group  239.1.1.10
    Receiving 1470 byte datagrams
    UDP buffer size:  208 KByte (default)
    ------------------------------------------------------------
    [  3] local 239.1.1.10 port 5001 connected with 10.1.100.11 port 52972
  5. From a terminal on the client, send multicast UDP traffic with the EICAR file:

    root@PC01:~# iperf -c 239.1.1.10 -u -T 3 -t 20 -i 1 -F eicar
    ------------------------------------------------------------
    Client connecting to 239.1.1.10, UDP port 5001
    Sending 1470 byte datagrams, IPG target: 11215.21 us (kalman adjust)
    Setting multicast TTL to 3
    UDP buffer size:  208 KByte (default)
    ------------------------------------------------------------
    [  4] local 10.1.100.11 port 33383 connected with 239.1.1.10 port 5001
    [ ID] Interval       Transfer     Bandwidth
    [  4]  0.0- 0.0 sec  1.44 KBytes  1.03 Mbits/sec
    [  4] Sent 1 datagrams

    The traffic will be blocked, and the server will not be able to receive the packets.

  6. Verify that the traffic is blocked.

    1. Verify the IPS event log:

      # execute log filter category 4
      # execute log display
      1 logs found.
      1 logs returned.
      							
      1: date=2023-11-01 time=17:01:43 eventtime=1698883303178500916 tz="-0700" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vd1" severity="medium" srcip=10.1.100.11 srccountry="Reserved" dstip=239.1.1.10 dstcountry="Reserved" srcintf="port38" srcintfrole="undefined" dstintf="port37" dstintfrole="undefined" sessionid=18 action="dropped" proto=17 service="udp/5001" policyid=1 poluuid="09bdd086-78e2-51ee-1d61-0955f9046b53" policytype="multicast-policy" attack="meicar" srcport=52673 dstport=5001 direction="outgoing" attackid=9999 profile="test-meicar-1" incidentserialno=245366798 msg="custom: meicar" crscore=10 craction=16384 crlevel="medium"
    2. Verify the IPS traffic log:

      # execute log filter category 0
      # execute log display
      1 logs found.
      1 logs returned.
      							
      1: date=2023-11-01 time=17:04:39 eventtime=1698883474200006380 tz="-0700" logid="0002000012" type="traffic" subtype="multicast" level="notice" vd="vd1" srcip=10.1.100.11 srcport=52673 srcintf="port38" srcintfrole="undefined" dstip=239.1.1.10 dstport=5001 dstintf="port37" dstintfrole="undefined" srccountry="Reserved" dstcountry="Reserved" sessionid=18 proto=17 action="accept" policyid=1 policytype="multicast-policy" poluuid="09bdd086-78e2-51ee-1d61-0955f9046b53" policyname="mcast-ips" service="udp/5001" trandisp="noop" duration=180 sentbyte=2996 rcvdbyte=0 sentpkt=2 rcvdpkt=0 appcat="unscanned" utmref=0-266
    3. Verify the multicast session list:

      # diagnose sys mcast-session list
      
      session info: id=19 vf=1 proto=17 10.1.100.11.56538->239.1.1.10.5001
      used=2 path=1 duration=2 expire=177 indev=10
      state=00000000:
      session-npu-info: ipid/vlifid=0/0 vlanid/vtag_in=0/0 in_npuid=0 tae_index=0 qid=0 fwd_map=0x00000000
      path: log ndr policy=1, outdev=9, tos=0xff
      Total 1 sessions