FortiCarrier Message Flood Protection

Viewing DLP archived messages

If DLP Archive is a selected duplicate message action, the messages that exceed the threshold are saved to the MMS DLP archive. The default behavior is to save all of the offending messages but you can configure the DLP archive setting to save only the first message that exceeds the threshold. See Viewing DLP archived messages.

Order of operations: flood checking before duplicate checking

Duplicate checking examines and compares only message contents, not the sender or recipient. Flood checking only totals the number of messages sent by each subscriber, regardless of message content. Even so, there are times when a set of messages exceeds both the flood and duplicate thresholds.

The Carrier-enabled FortiGate unit checks for message floods before checking for duplicate messages. Flood checking is less resource-intensive and if the flood threshold invokes a Block action, the blocked messages are stopped before duplicate checking occurs. This saves both time and FortiOS Carrier system resources.

Bypassing duplicate message detection based on user’s carrier endpoints

You can use carrier endpoint filtering to exempt MMS sessions from duplicate message detection. Carrier endpoint filtering matches carrier endpoints in MMS sessions with carrier endpoint patterns. If you add a carrier endpoint pattern to a filter list and set the action to exempt from mass MMS, all messages from matching carrier endpoints bypass duplicate message detection. For more information about endpoints, see the FortiOS Handbook User Authentication guide.

Configuring duplicate message detection

To have the Carrier-enabled FortiGate unit check for duplicate messages, configure the duplicate threshold in an MMS profile, and select the MMS profile in a security policy.

All traffic matching the security policy will be checked for duplicate messages according to the settings in the MMS profile.

The duplicate scanner will only scan content. It will not scan headers. Content must be exactly the same. If there is any difference at all in the content, it will not be considered a duplicate.

The modular nature of the profiles allows you great flexibility in how you configure the scanning options. MMS profiles can be used in any number of policies, with different GTP profiles.

In a complex configuration, there may be many security policies, each with a different MMS profile. For a simpler network, you may have many security policies all using the same MMS profile.
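The order of checks described above (flood counting per subscriber first, then the carrier endpoint exemption, then content-only exact-match duplicate counting) is modelled below. This Python model is an added illustration, not Fortinet code; the class name, thresholds, window length, the use of SHA-256 to compare content, and the MSISDNs are assumptions constructed for the example.

```python
import hashlib
from collections import defaultdict, deque

class MmsInspector:
    """Toy model of the order of checks: flood first, then duplicate."""
    def __init__(self, flood_limit, dupe_limit, window_s, exempt_prefixes=()):
        self.flood_limit, self.dupe_limit = flood_limit, dupe_limit
        self.window_s = window_s
        self.exempt_prefixes = tuple(exempt_prefixes)  # stand-in for endpoint patterns
        self.by_sender = defaultdict(deque)   # subscriber -> recent timestamps
        self.by_digest = defaultdict(deque)   # content digest -> recent timestamps
        self.dupe_checks = 0                  # how often the costlier check ran

    def _count(self, table, key, now):
        q = table[key]
        q.append(now)
        while now - q[0] >= self.window_s:    # drop entries older than the window
            q.popleft()
        return len(q)

    def inspect(self, now, sender, content):
        # 1. Flood check: counts messages per subscriber, ignores content.
        if self._count(self.by_sender, sender, now) > self.flood_limit:
            return "flood-block"              # stopped before duplicate checking
        # 2. Exempt endpoints bypass duplicate detection only (as the page states).
        if sender.startswith(self.exempt_prefixes):
            return "pass-exempt"
        # 3. Duplicate check: content only, exact match, sender is not considered.
        self.dupe_checks += 1
        digest = hashlib.sha256(content).hexdigest()
        if self._count(self.by_digest, digest, now) > self.dupe_limit:
            return "duplicate"
        return "pass"

def demo():
    insp = MmsInspector(flood_limit=3, dupe_limit=2, window_s=60,
                        exempt_prefixes=("1555",))
    body = b"constructed sample MMS body"
    msgs = [(t, "14085550001", body) for t in range(5)]  # one sender, five copies
    msgs += [(5, "14085550002", body),         # different sender, same content
             (6, "14085550003", body + b"."),  # one byte differs: not a duplicate
             (7, "15550000009", body)]         # matches the exempt pattern
    return [insp.inspect(*m) for m in msgs], insp.dupe_checks

if __name__ == "__main__":
    print(demo())
```

The fourth and fifth copies from the first sender are blocked by the flood check and never reach the duplicate counter, while the copy from a second sender is still counted as a duplicate because only content is compared.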

Sending administrator alert notifications

When duplicate messages are detected, the Carrier-enabled FortiGate unit can be configured to notify you immediately with an MMS message. Enable this feature by selecting Alert Notification in the duplicate message action. Each duplicate message threshold can be configured separately.

Configuring how and when to send alert notifications

You can configure different alert notifications for MM1 and MM4 duplicate messages. You can configure the FortiOS Carrier unit to send these alert notifications using the MM1, MM3, MM4, or MM7 content interface. Each of these content interfaces requires alert notification settings that the FortiOS Carrier unit uses to communicate with a server using the selected content interface.

For the MM1 content interface you require:

  • The hostname of the server
  • The URL of the server (usually “/”)
  • The server port (usually 80)

For the MM3 and MM4 content interfaces you require:

  • The hostname of the server
  • The server port (usually 80)
  • The server user domain

For the MM7 content interface you require:

  • The message type:
      • REQ to send a notification message to the sender in the form of a submit request. The message goes from a VAS application to the MMSC.
      • REQ to send a notification message to the sender in the form of a deliver request. The message goes from the MMSC to a VAS application.
  • The hostname of the server
  • The URL of the server (usually “/”)
  • The server port (usually 80)
  • A user name and password to connect to the server
  • The value-added-service-provider (VASP) ID
  • The value-added-service (VAS) ID

To configure administrator alert notifications – web-based manager

  1. Go to Security Profiles > MMS Profile and edit or add a new MMS protection profile.
  2. Expand MMS Bulk Email Filtering Detection. There are three duplicate message thresholds.
  3. Expand the threshold that you want to configure alert notification for.
  4. For Duplicate Message Action, select the Alert Notification check box. Alert notification options appear.
  5. For the Source MSISDN, enter the MSISDN from which the alert notification message will be sent.

  6. Select the Message Protocol the alert notification will use: MM1, MM3, MM4, or MM7.
  7. Add the information required by FortiOS Carrier to send messages using the selected message protocol:
  8. For Notifications Per Second Limit, enter the number of notifications to send per second. Use this setting to control the number of notifications sent by the FortiOS Carrier unit. If you enter zero (0), the notification rate is not limited.
  9. If required, change Window Start Time and Window Duration to configure when the FortiOS Carrier unit sends alert notifications.

By default, notifications are sent at any time of the day. You can change the Window Start Time if you want to delay sending alert messages. You can also reduce the Window Duration if you want to stop sending alert notifications earlier.

For example, you might not want FortiOS Carrier sending notifications except during business hours. In this case the Window Start Time could be 9:00 and the Window Duration could be 8:00 hours.

You can set different alert notifications for each message threshold. For example, you could limit the message window for lower thresholds and set it to 24 hours for higher thresholds. This way administrators will only receive alert notifications outside of business hours for higher thresholds.

  10. For Day of Week, select the days of the week to send notifications.

For example, you may only want to send alert notifications on weekends for higher thresholds.

  11. In the Interval field, enter the maximum frequency that alert notification messages will be sent, in minutes or hours.

All alerts occurring during the interval will be included in a single alert notification message to reduce the number of alert messages that are sent.
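How Window Start Time, Window Duration, Day of Week, and Interval combine determines how long an alert can wait before an administrator sees it. The following Python model is an added illustration, not Fortinet code; the function names and the sample alert times are constructed, and it assumes alerts raised outside the window are held until the window next opens and that a window may run past midnight.

```python
from datetime import datetime, time, timedelta

def window_open(ts, start, duration, days):
    """True if ts lies in a window that opened at `start` on a selected day."""
    for back in (0, 1):  # opened today, or yesterday and still running (assumption)
        day = ts.date() - timedelta(days=back)
        opened = datetime.combine(day, start)
        if day.weekday() in days and opened <= ts < opened + duration:
            return True
    return False

def next_send_time(ts, start, duration, days):
    """ts itself if the window is open, otherwise the next window opening."""
    if window_open(ts, start, duration, days):
        return ts
    for ahead in range(8):
        opened = datetime.combine(ts.date() + timedelta(days=ahead), start)
        if opened > ts and opened.weekday() in days:
            return opened
    raise ValueError("no day of week selected")

def plan_notifications(alerts, interval, start, duration, days):
    """Return (send_time, alerts_in_message) pairs for the given alert times."""
    pending, sent, last = sorted(alerts), [], None
    while pending:
        # At most one notification per Interval.
        earliest = pending[0] if last is None else max(pending[0], last + interval)
        when = next_send_time(earliest, start, duration, days)
        batch = [a for a in pending if a <= when]  # everything raised so far
        pending = pending[len(batch):]
        sent.append((when, len(batch)))
        last = when
    return sent

def demo():
    # Constructed alert times; 2024-03-01 is a Friday.
    alerts = [datetime(2024, 3, 1, 16, 50), datetime(2024, 3, 1, 16, 55),
              datetime(2024, 3, 1, 17, 30), datetime(2024, 3, 2, 3, 0),
              datetime(2024, 3, 4, 9, 10)]
    # The page's example: start 9:00, duration 8:00 hours; Monday to Friday.
    return plan_notifications(alerts, timedelta(minutes=30), time(9, 0),
                              timedelta(hours=8), days={0, 1, 2, 3, 4})

if __name__ == "__main__":
    for when, count in demo():
        print(when, count)
```

With these settings the alert raised on Friday at 16:55 is not delivered until Monday at 9:00, which is the kind of delay to weigh when narrowing the window for a threshold.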

Configuring who to send alert notifications to

In each MMS protection profile you add a list of recipient MSISDNs. For each of these MSISDNs you select the duplicate threshold that triggers sending notifications to this MSISDN.

To configure the alert notification recipients – web-based manager

  1. Go to Security Profiles > MMS Profile.
  2. Select the Edit icon of the MMS profile in which you want to configure the alert notification recipients.
  3. Expand MMS Bulk Email Filtering Detection.
  4. Expand Recipient MSISDN.
  5. Select Create New.
  6. In the New MSISDN window, enter the MSISDN to use for duplicate threshold alert notification.

  7. Select the duplicate thresholds at which to send alert notifications to the MSISDN.

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).
