Fortinet black logo

Administration Guide

Home FortiGate / FortiOS 7.4.3 Administration Guide
7.4.3
7.4.3
7.4.2
7.4.1
7.4.0
7.2.8
7.2.7
7.2.6
7.2.5
7.2.4
7.2.3
7.2.2
7.2.1
7.2.0
7.0.15
7.0.14
7.0.13
7.0.12
7.0.11
7.0.10
7.0.9
7.0.8
7.0.7
7.0.6
7.0.5
7.0.4
7.0.3
7.0.2
7.0.1
7.0.0
6.4.15
6.4.14
6.4.13
6.4.12
6.4.11
6.4.10
6.4.9
6.4.8
6.4.7
6.4.6
6.4.5
6.4.4
6.4.3
6.4.2
6.4.1
6.4.0

Diameter protocol inspection

Diameter protocol inspection

Diameter protocol inspection is supported on the FortiGate, which offers the following capabilities.

  • Diameter-based packet forwarding and routing: the FortiGate can forward and route Diameter packets that match a firewall policy with an enabled and assigned diameter-filter profile. These diameter packets traverse over SCTP or TCP on the reserved port 3868.

  • Packet sanity checking: this feature checks if the packet passing through the FortiGate conforms to the Diameter protocol standards as defined in RFC 3588.

    • This includes checking the release version field, error command flags, message length, reserved command flag bits, command code, and tracking the request and answer of the Diameter-based packets.

  • Logging: for network auditing purposes, the traffic for both dropped and forwarded Diameter-based packets of the supported commands can be logged. By default, these are disabled.

Diameter protocol is particularly important on interfaces that are used to exchange information with roaming partners, through the Internetwork Packet Exchange (IPX) network.

Note

This feature requires a valid IPS license.

 
config diameter-filter profile
    edit <name>
        set monitor-all-messages {enable | disable}
        set log-packet {enable | disable}
        set track-requests-answers {enable | disable}
        set missing-request-action {allow | block | reset | monitor}
        set protocol-version-invalid {allow | block | reset | monitor}
        set message-length-invalid {allow | block | reset | monitor}
        set request-error-flag-set {allow | block | reset | monitor}
        set cmd-flags-reserve-set {allow | block | reset | monitor}
        set command-code-invalid {allow | block | reset | monitor}
        set command-code-range <min-max>
    next
end

monitor-all-messages {enable | disable}

Enable/disable logging for all User-Name and Result-Code AVP messages.

log-packet {enable | disable}

Enable/disable packet log for triggered Diameter settings.

track-requests-answers {enable | disable}

Enable/disable validation that each answer has a corresponding request.

missing-request-action {allow | block | reset | monitor}

Set the action to be taken for answers without a corresponding request.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

protocol-version-invalid {allow | block | reset | monitor}

Set the action to be taken for an invalid protocol version.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

message-length-invalid {allow | block | reset | monitor}

Set the action to be taken for an invalid message length.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

request-error-flag-set {allow | block | reset | monitor}

Set the action to be taken for request messages with an error flag set.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

cmd-flags-reserve-set {allow | block | reset | monitor}

Set the action to be taken for messages with a command flag reserve bits set.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

set command-code-invalid {allow | block | reset | monitor}

Set the action to be taken for messages with an invalid command code.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

set command-code-range <min-max>

Set the valid range for command codes (min = 0, max = 16777215, default = 256-16777213).
To configure Diameter protocol inspection:

  1. Configure the Diameter filter profile:

    config diameter-filter profile
    edit "diameter_profile"
        set monitor-all-messages disable
        set log-packet enable
        set track-requests-answers enable
        set missing-request-action block
        set protocol-version-invalid block
        set message-length-invalid block
        set request-error-flag-set block
        set cmd-flags-reserve-set block
        set command-code-invalid block
        set command-code-range 256-1677213
    next
end

  2. Apply the Diameter filter to a firewall policy:

    config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set diameter-filter-profile "diameter_profile"
        set logtraffic all
        set auto-asic-offload disable
    next
end

    Note

    NTurbo does not fully support SCTP, so if the configuration includes Diameter-over-SCTP, the auto-asic-offload setting should be disabled in the firewall policy. Otherwise, IPS does not get the full session packets.

Sample logs

No matching request:
1: date=2023-11-09 time=11:04:32 eventtime=1699556673071701052 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=163572 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Response.Message.No.Matching.Request.Found" direction="outgoing" attackid=52234 ref="http://www.fortinet.com/ids/VID52234" incidentserialno=60817776 msg="diameter_decoder: Diameter.Response.Message.No.Matching.Request.Found, command_code=317"
Invalid protocol version:
1: date=2023-11-08 time=20:20:54 eventtime=1699503655386037801 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=117419 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Invalid.Version" direction="outgoing" attackid=52229 ref="http://www.fortinet.com/ids/VID52229" incidentserialno=60817657 msg="diameter_decoder: Diameter.Invalid.Version, protocol_version=2"
Incorrect message length:
1: date=2023-11-08 time=19:18:10 eventtime=1699499890820325221 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=113487 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Incorrect.Message.Length" direction="outgoing" attackid=52230 ref="http://www.fortinet.com/ids/VID52230" incidentserialno=60817601 msg="diameter_decoder: Diameter.Incorrect.Message.Length, message_length=174, packet_length=164"
Request error flag:
1: date=2023-11-08 time=19:27:29 eventtime=1699500449951027175 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=114134 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Request.Message.Error.Flag.Set" direction="outgoing" attackid=52231 ref="http://www.fortinet.com/ids/VID52231" incidentserialno=60817619 msg="diameter_decoder: Diameter.Request.Message.Error.Flag.Set, command_flags=A0"
Incorrect reserved bits:
1: date=2023-11-08 time=19:31:10 eventtime=1699500670891359990 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="po/cdoc/ImplementationDoc5906/FGT_FileFilter_7-4_2512_202311090951_correct config.confrt3" dstintfrole="undefined" sessionid=114400 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Incorrect.Reserved.Bits" direction="outgoing" attackid=52232 ref="http://www.fortinet.com/ids/VID52232" incidentserialno=60817626 msg="diameter_decoder: Diameter.Incorrect.Reserved.Bits, command_flags=82"
Out-of-range command code:
2: date=2023-11-08 time=16:59:41 eventtime=1699491581561225681 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=106658 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Message.Command.Overlong" direction="outgoing" attackid=52233 ref="http://www.fortinet.com/ids/VID52233" incidentserialno=60817600 msg="diameter_decoder: Diameter.Message.Command.Overlong, command_code=255, range_min=256, range_max=1677213"
Previous
Next

Diameter protocol inspection

Diameter protocol inspection is supported on the FortiGate, which offers the following capabilities.

  • Diameter-based packet forwarding and routing: the FortiGate can forward and route Diameter packets that match a firewall policy with an enabled and assigned diameter-filter profile. These diameter packets traverse over SCTP or TCP on the reserved port 3868.

  • Packet sanity checking: this feature checks if the packet passing through the FortiGate conforms to the Diameter protocol standards as defined in RFC 3588.

    • This includes checking the release version field, error command flags, message length, reserved command flag bits, command code, and tracking the request and answer of the Diameter-based packets.

  • Logging: for network auditing purposes, the traffic for both dropped and forwarded Diameter-based packets of the supported commands can be logged. By default, these are disabled.

Diameter protocol is particularly important on interfaces that are used to exchange information with roaming partners, through the Internetwork Packet Exchange (IPX) network.

Note

This feature requires a valid IPS license.

 
config diameter-filter profile
    edit <name>
        set monitor-all-messages {enable | disable}
        set log-packet {enable | disable}
        set track-requests-answers {enable | disable}
        set missing-request-action {allow | block | reset | monitor}
        set protocol-version-invalid {allow | block | reset | monitor}
        set message-length-invalid {allow | block | reset | monitor}
        set request-error-flag-set {allow | block | reset | monitor}
        set cmd-flags-reserve-set {allow | block | reset | monitor}
        set command-code-invalid {allow | block | reset | monitor}
        set command-code-range <min-max>
    next
end

monitor-all-messages {enable | disable}

Enable/disable logging for all User-Name and Result-Code AVP messages.

log-packet {enable | disable}

Enable/disable packet log for triggered Diameter settings.

track-requests-answers {enable | disable}

Enable/disable validation that each answer has a corresponding request.

missing-request-action {allow | block | reset | monitor}

Set the action to be taken for answers without a corresponding request.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

protocol-version-invalid {allow | block | reset | monitor}

Set the action to be taken for an invalid protocol version.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

message-length-invalid {allow | block | reset | monitor}

Set the action to be taken for an invalid message length.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

request-error-flag-set {allow | block | reset | monitor}

Set the action to be taken for request messages with an error flag set.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

cmd-flags-reserve-set {allow | block | reset | monitor}

Set the action to be taken for messages with a command flag reserve bits set.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

set command-code-invalid {allow | block | reset | monitor}

Set the action to be taken for messages with an invalid command code.

  • allow: allow or pass matching traffic.
  • block: block or drop matching traffic.
  • reset: reset sessions for matching traffic.
  • monitor: allow and log matching traffic.

set command-code-range <min-max>

Set the valid range for command codes (min = 0, max = 16777215, default = 256-16777213).
To configure Diameter protocol inspection:

  1. Configure the Diameter filter profile:

    config diameter-filter profile
    edit "diameter_profile"
        set monitor-all-messages disable
        set log-packet enable
        set track-requests-answers enable
        set missing-request-action block
        set protocol-version-invalid block
        set message-length-invalid block
        set request-error-flag-set block
        set cmd-flags-reserve-set block
        set command-code-invalid block
        set command-code-range 256-1677213
    next
end

  2. Apply the Diameter filter to a firewall policy:

    config firewall policy
    edit 1
        set srcintf "port1"
        set dstintf "port3"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set srcaddr6 "all"
        set dstaddr6 "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set diameter-filter-profile "diameter_profile"
        set logtraffic all
        set auto-asic-offload disable
    next
end

    Note

    NTurbo does not fully support SCTP, so if the configuration includes Diameter-over-SCTP, the auto-asic-offload setting should be disabled in the firewall policy. Otherwise, IPS does not get the full session packets.

Sample logs

No matching request:
1: date=2023-11-09 time=11:04:32 eventtime=1699556673071701052 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=163572 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Response.Message.No.Matching.Request.Found" direction="outgoing" attackid=52234 ref="http://www.fortinet.com/ids/VID52234" incidentserialno=60817776 msg="diameter_decoder: Diameter.Response.Message.No.Matching.Request.Found, command_code=317"
Invalid protocol version:
1: date=2023-11-08 time=20:20:54 eventtime=1699503655386037801 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=117419 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Invalid.Version" direction="outgoing" attackid=52229 ref="http://www.fortinet.com/ids/VID52229" incidentserialno=60817657 msg="diameter_decoder: Diameter.Invalid.Version, protocol_version=2"
Incorrect message length:
1: date=2023-11-08 time=19:18:10 eventtime=1699499890820325221 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=113487 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Incorrect.Message.Length" direction="outgoing" attackid=52230 ref="http://www.fortinet.com/ids/VID52230" incidentserialno=60817601 msg="diameter_decoder: Diameter.Incorrect.Message.Length, message_length=174, packet_length=164"
Request error flag:
1: date=2023-11-08 time=19:27:29 eventtime=1699500449951027175 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=114134 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Request.Message.Error.Flag.Set" direction="outgoing" attackid=52231 ref="http://www.fortinet.com/ids/VID52231" incidentserialno=60817619 msg="diameter_decoder: Diameter.Request.Message.Error.Flag.Set, command_flags=A0"
Incorrect reserved bits:
1: date=2023-11-08 time=19:31:10 eventtime=1699500670891359990 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="po/cdoc/ImplementationDoc5906/FGT_FileFilter_7-4_2512_202311090951_correct config.confrt3" dstintfrole="undefined" sessionid=114400 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Incorrect.Reserved.Bits" direction="outgoing" attackid=52232 ref="http://www.fortinet.com/ids/VID52232" incidentserialno=60817626 msg="diameter_decoder: Diameter.Incorrect.Reserved.Bits, command_flags=82"
Out-of-range command code:
2: date=2023-11-08 time=16:59:41 eventtime=1699491581561225681 logid="0419016386" type="utm" subtype="ips" eventtype="signature" level="alert" vd="vdom1" severity="info" srcip=10.1.100.32 srccountry="Reserved" dstip=172.16.200.33 dstcountry="Reserved" srcintf="port1" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=106658 action="dropped" proto=132 service="sctp/3868" policyid=1 poluuid="c17362a6-7a84-51ee-0025-80ce4c60ec49" policytype="policy" attack="Diameter.Message.Command.Overlong" direction="outgoing" attackid=52233 ref="http://www.fortinet.com/ids/VID52233" incidentserialno=60817600 msg="diameter_decoder: Diameter.Message.Command.Overlong, command_code=255, range_min=256, range_max=1677213"
Previous
Next