Category Archives: FortiOS 5.6

IPv6 DoS Policy

To configure an IPv6 DoS Policy in the GUI

  1. Go to Policy & Objects > IPv6 DoS Policy

The right side window will display a table of the existing IPv6 DoS Policies.

  • To edit an existing policy, double click on the policy you wish to edit.
  • To create a new policy, select the Create New icon in the top left side of the right window.
  2. Set the Incoming Interface parameter by using the drop down menu to select a single interface.
  3. Set the Source IPv6 Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  4. Set the Destination IPv6 Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option.
  5. Set the Services parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  6. Set the parameters for the various traffic anomalies.

The anomaly profiles are listed in two tables, L3 Anomalies and L4 Anomalies. Every anomaly has the following parameters, which can be set per anomaly or for a whole column at once:

  • Status – enable or disable the indicated anomaly profile.
  • Logging – enable or disable logging when the indicated anomaly is triggered.
  • Action – whether to Pass or Block the traffic once the threshold is reached.
  • Threshold – the amount of anomalous traffic detected before the action is triggered. The flood, scan and sweep anomalies count packets per second; the *_session anomalies count concurrent sessions from one source or to one destination address.

The listing of anomaly profiles includes:

L3 Anomalies

  • ip_src_session
  • ip_dst_session

L4 Anomalies

  • tcp_syn_flood
  • tcp_port_scan
  • tcp_src_session
  • tcp_dst_session
  • udp_flood
  • udp_scan
  • udp_src_session
  • udp_dst_session
  • icmp_flood
  • icmp_sweep
  • icmp_src_session
  • icmp_dst_session
  • sctp_flood
  • sctp_scan
  • sctp_src_session
  • sctp_dst_session

  7. Toggle whether or not to Enable this policy. The default is enabled.
  8. Select the OK button to save the policy.

Configuring the IPv6 DoS Policy in the CLI

Configuring the IPv6 version of the DoS policy is the same as the IPv4 version, with the exception of the first command, which selects the IPv6 table instead of the IPv4 one.

Using the CLI of your choice, enter the following commands:

config firewall DoS-policy6

The rest of the settings are the same as in the IPv4 DoS Policy.

IPv4 DoS Policy

To configure an IPv4 DoS Policy in the GUI

  1. Go to Policy & Objects > IPv4 DoS Policy

The right side window will display a table of the existing IPv4 DoS Policies.

  • To edit an existing policy, double click on the policy you wish to edit.
  • To create a new policy, select the Create New icon in the top left side of the right window.
  2. Set the Incoming Interface parameter by using the drop down menu to select a single interface.
  3. Set the Source Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  4. Set the Destination Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option.
  5. Set the Services parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  6. Set the parameters for the various traffic anomalies.

The anomaly profiles are listed in two tables, L3 Anomalies and L4 Anomalies. Every anomaly has the following parameters, which can be set per anomaly or for a whole column at once:

  • Status – enable or disable the indicated anomaly profile.
  • Logging – enable or disable logging when the indicated anomaly is triggered.
  • Action – whether to Pass or Block the traffic once the threshold is reached.
  • Threshold – the amount of anomalous traffic detected before the action is triggered. The flood, scan and sweep anomalies count packets per second; the *_session anomalies count concurrent sessions from one source or to one destination address.

The listing of anomaly profiles includes:

L3 Anomalies

  • ip_src_session
  • ip_dst_session

L4 Anomalies

  • tcp_syn_flood
  • tcp_port_scan
  • tcp_src_session
  • tcp_dst_session
  • udp_flood
  • udp_scan
  • udp_src_session
  • udp_dst_session
  • icmp_flood
  • icmp_sweep
  • icmp_src_session
  • icmp_dst_session
  • sctp_flood
  • sctp_scan
  • sctp_src_session
  • sctp_dst_session

  7. Toggle whether or not to Enable this policy. The default is enabled.
  8. Select the OK button to save the policy.

Example

The company wishes to protect against Denial of Service attacks. For some attack types they wish to block the attack once its incidence goes above a certain threshold; for others they are only trying to get a baseline of activity for that type of attack, so they let the traffic pass through without action but log it.

  • The interface to the Internet is on WAN1.
  • There is no requirement to specify which addresses are being protected or protected from.
  • The protection is to extend to all services.
  • The TCP attacks are to be blocked.
  • The UDP, ICMP, and IP attacks are to be recorded but not blocked.
  • The SCTP attack filters are disabled.
  • The tcp_syn_flood attack’s threshold is to be changed from the default to 1000.

Starting with Pass and logging enabled, as is done here for UDP, ICMP and IP, is the safer order: the logs show what the real traffic looks like before a threshold is switched to Block, since a Block threshold set below normal peak traffic drops legitimate sessions.

Configuring the DoS Policy in the GUI

  1. Go to Policy & Objects > IPv4 DoS Policy.
  2. Create a new policy.
  3. Fill out the fields with the following information:

Field                  Value
Incoming Interface     wan1
Source Address         all
Destination Address    all
Service                ALL

L3 Anomalies

Name               Status        Logging       Action   Threshold
ip_src_session     enabled       enabled       Pass     5000
ip_dst_session     enabled       enabled       Pass     5000

L4 Anomalies

Name               Status        Logging       Action   Threshold
tcp_syn_flood      enabled       enabled       Block    1000
tcp_port_scan      enabled       enabled       Block    <default value>
tcp_src_session    enabled       enabled       Block    <default value>
tcp_dst_session    enabled       enabled       Block    <default value>
udp_flood          enabled       enabled       Pass     <default value>
udp_scan           enabled       enabled       Pass     <default value>
udp_src_session    enabled       enabled       Pass     <default value>
udp_dst_session    enabled       enabled       Pass     <default value>
icmp_flood         enabled       enabled       Pass     <default value>
icmp_sweep         enabled       enabled       Pass     <default value>
icmp_src_session   enabled       enabled       Pass     <default value>
icmp_dst_session   enabled       enabled       Pass     <default value>
sctp_flood         not enabled   not enabled   Pass     <default value>
sctp_scan          not enabled   not enabled   Pass     <default value>
sctp_src_session   not enabled   not enabled   Pass     <default value>
sctp_dst_session   not enabled   not enabled   Pass     <default value>

  4. Toggle the button next to Enable this policy to ON.
  5. Select OK.

Configuring the IPv4 DoS Policy in the CLI

Using the CLI of your choice, enter the following commands. Logging is enabled on every active anomaly, matching the requirement that the UDP, ICMP and IP attacks are recorded and the GUI table above; edit 0 creates a new policy with the next unused ID (use the existing ID instead to change a policy that is already there).

config firewall DoS-policy
    edit 0
        set status enable
        set interface wan1
        set srcaddr all
        set dstaddr all
        set service ALL
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            edit "tcp_src_session"
                set status enable
                set log enable
                set action block
                set threshold 5000
            next
            edit "tcp_dst_session"
                set status enable
                set log enable
                set action block
                set threshold 5000
            next
            edit "udp_flood"
                set status enable
                set log enable
                set action pass
                set threshold 2000
            next
            edit "udp_scan"
                set status enable
                set log enable
                set action pass
                set threshold 2000
            next
            edit "udp_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "udp_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "icmp_flood"
                set status enable
                set log enable
                set action pass
                set threshold 250
            next
            edit "icmp_sweep"
                set status enable
                set log enable
                set action pass
                set threshold 100
            next
            edit "icmp_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 300
            next
            edit "icmp_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 1000
            next
            edit "ip_src_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "ip_dst_session"
                set status enable
                set log enable
                set action pass
                set threshold 5000
            next
            edit "sctp_flood"
                set status disable
                set log disable
                set action pass
                set threshold 2000
            next
            edit "sctp_scan"
                set status disable
                set log disable
                set action pass
                set threshold 1000
            next
            edit "sctp_src_session"
                set status disable
                set log disable
                set action pass
                set threshold 5000
            next
            edit "sctp_dst_session"
                set status disable
                set log disable
                set action pass
                set threshold 5000
            next
        end
    next
end

In this example of the CLI, all of the relevant settings have been left in, but some of them are default settings and would not have to be set explicitly for the policy to work. For instance, if the action parameter is not set it automatically defaults to pass.
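The listing above is what gets typed in; what a reviewer wants afterwards is a check that what the FortiGate reports back still matches the stated requirements. The following Python script is an added example, not part of the original page or of FortiOS: it parses a DoS policy in the layout the CLI prints it (the show firewall DoS-policy form, which is also the DoS-policy6 form) and flags anomalies whose status, action, logging or threshold departs from the example's intent. The embedded sample configuration is constructed for the example and deliberately carries two contradictions that were present in the page's original listing (udp_flood with logging off, ip_src_session with status off), so the audit has something to report. The protocol families are derived from the anomaly names as FortiOS spells them.

```python
"""Audit a FortiOS DoS policy (as printed by 'show firewall DoS-policy') against the example's requirements."""
from dataclasses import dataclass, field

# Constructed sample, not output captured from a FortiGate; it deliberately carries two of the
# mistakes in the page's original CLI listing: udp_flood with logging off, ip_src_session with status off.
SAMPLE_CONFIG = """\
config firewall DoS-policy
    edit 1
        set status enable
        set interface "wan1"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            edit "udp_flood"
                set status enable
                set log disable
                set action pass
                set threshold 2000
            next
            edit "ip_src_session"
                set status disable
                set log enable
                set action pass
                set threshold 5000
            next
        end
    next
end
"""

@dataclass
class Anomaly:
    status: str = "enable"
    log: str = "disable"
    action: str = "pass"
    threshold: int = 0

@dataclass
class DosPolicy:
    policy_id: int
    settings: dict = field(default_factory=dict)    # interface, srcaddr, dstaddr, service, status
    anomalies: dict = field(default_factory=dict)   # anomaly name -> Anomaly

def parse_dos_policies(text):
    """Line-oriented parser for the DoS-policy and DoS-policy6 tables."""
    policies, policy, anomaly, in_anomalies = [], None, None, False
    for tokens in filter(None, map(str.split, text.splitlines())):
        if tokens[0] == "config":               # "config firewall DoS-policy" or "config anomaly"
            in_anomalies = tokens[1] == "anomaly"
        elif tokens[0] == "edit":
            name = tokens[1].strip('"')
            if in_anomalies:
                anomaly = policy.anomalies.setdefault(name, Anomaly())
            else:
                policy = DosPolicy(policy_id=int(name))
                policies.append(policy)
        elif tokens[0] == "set":
            key, value = tokens[1], " ".join(tokens[2:]).strip('"')
            if anomaly is not None:
                setattr(anomaly, key, int(value) if key == "threshold" else value)
            else:
                policy.settings[key] = value
        elif tokens[0] == "next":               # leaves the current anomaly, or the current policy
            anomaly, policy = (None, policy) if in_anomalies else (None, None)
        elif tokens[0] == "end":                # closes "config anomaly" or the whole table
            in_anomalies, anomaly = False, None
    return policies

# The example's intent: TCP blocked; UDP, ICMP and IP logged but passed; SCTP off; SYN flood at 1000.
EXPECTED_ACTION = {"tcp": "block", "udp": "pass", "icmp": "pass", "ip": "pass"}
DISABLED_FAMILIES = {"sctp"}
EXPECTED_THRESHOLD = {"tcp_syn_flood": 1000}

def audit(policy):
    """Return a list of findings; an empty list means the policy matches the intent."""
    findings = []
    for name, a in policy.anomalies.items():
        family = name.split("_", 1)[0]
        if family in DISABLED_FAMILIES:
            if a.status == "enable":
                findings.append(f"{name}: expected status disable")
        elif family in EXPECTED_ACTION:
            if a.status != "enable":
                findings.append(f"{name}: status disable, this anomaly is never evaluated")
            elif a.action != EXPECTED_ACTION[family]:
                findings.append(f"{name}: action {a.action}, expected {EXPECTED_ACTION[family]}")
            if a.status == "enable" and a.log != "enable":   # pass without a log is neither protection nor baseline
                findings.append(f"{name}: log disable, triggers leave no record")
            if a.threshold != EXPECTED_THRESHOLD.get(name, a.threshold):
                findings.append(f"{name}: threshold {a.threshold}, expected {EXPECTED_THRESHOLD[name]}")
    return findings

if __name__ == "__main__":
    for pol in parse_dos_policies(SAMPLE_CONFIG):
        print(pol.policy_id, pol.settings.get("interface"), audit(pol) or "no findings")
```

Run it against the real output of show firewall DoS-policy (or DoS-policy6) pasted into SAMPLE_CONFIG; anomalies left at their defaults are not printed by show, which is why the audit only judges the anomalies it sees.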

IPv6 Access Control List

The IPv6 Access Control List is a specialized policy for denying IPv6 traffic based on:

  • the incoming interface
  • the source addresses of the traffic
  • the destination addresses of the traffic
  • the services or ports the traffic is using

The only action available in this policy is DENY.

To configure an IPv6 Access Control List entry in the GUI

  1. Go to Policy & Objects > IPv6 Access Control List

The right side window will display a table of the existing IPv6 Access Control List entries.

  • To edit an existing entry, double click on the entry you wish to edit.
  • To create a new entry, select the Create New icon in the top left side of the right window.
  2. Set the Incoming Interface parameter by using the drop down menu to select a single interface.
  3. Set the Source IPv6 Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  4. Set the Destination IPv6 Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option.
  5. Set the Services parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  6. Toggle whether or not to Enable this policy. The default is enabled.
  7. Select the OK button to save the policy.

To configure an IPv6 Access Control List entry in the CLI

Use the following syntax:

config firewall acl6
    edit <acl policy ID #>
        set status enable
        set interface <interface>
        set srcaddr <address object>
        set dstaddr <address object>
        set service <service object>
    next
end

IPv4 Access Control List

The IPv4 Access Control List is a specialized policy for denying IPv4 traffic based on:

  • the incoming interface
  • the source addresses of the traffic
  • the destination addresses of the traffic
  • the services or ports the traffic is using

The only action available in this policy is DENY.

For more information, see Access Control Lists.

To configure an IPv4 Access Control List entry in the GUI

  1. Go to Policy & Objects > IPv4 Access Control List

The right side window will display a table of the existing IPv4 Access Control List entries.

  • To edit an existing entry, double click on the entry you wish to edit.
  • To create a new entry, select the Create New icon in the top left side of the right window.
  2. Set the Incoming Interface parameter by using the drop down menu to select a single interface.
  3. Set the Source Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  4. Set the Destination Address parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option.
  5. Set the Services parameter by selecting the field with the “+” next to the field label. Single or multiple options can be selected unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  6. Toggle whether or not to Enable this policy. The default is enabled.
  7. Select the OK button to save the policy.

To configure an IPv4 Access Control List entry in the CLI

Use the following syntax:

config firewall acl
    edit <acl policy ID #>
        set status enable
        set interface <interface>
        set srcaddr <address object>
        set dstaddr <address object>
        set service <service object>
    next
end

Central SNAT

Central NAT is disabled by default. To toggle the feature on or off, use the following commands:

config system settings
    set central-nat [enable | disable]
end

When Central NAT is enabled, the Central SNAT section will appear under the Policy & Objects heading in the GUI. With Central NAT enabled, source NAT is decided by the Central SNAT table rather than by the NAT setting of the individual firewall policies, so a session that matches no Central SNAT entry leaves with its original source address.

The Central SNAT window contains a table of all of the Central SNAT policies.

To configure a Central SNAT entry in the GUI

  1. Go to Policy & Objects > Central SNAT

The right side window will display a table of the existing Central SNAT entries.

  • To edit an existing entry, double click on the entry you wish to edit.
  • To create a new entry, select the Create New icon in the top left side of the right window.
  2. Set the Incoming Interface(s) by clicking on the “+” in the field. This will slide out a window from the right where you can select from the available interfaces. Selecting a listed interface highlights it in the window and adds it to the field; clicking on a highlighted object removes it from the field. Multiple selections are allowed.
  3. Set the Outgoing Interface(s) by clicking on the “+” in the field. The selection window works the same way as for the Incoming Interface(s). Multiple selections are allowed.
  4. Set the Source Address by clicking on the “+” in the field. This will slide out a window from the right where you can select from the available address objects. Selecting a listed object highlights it in the window and adds it to the field; clicking on a highlighted object removes it from the field. Multiple selections are allowed. For more information on addresses, check the Firewall Objects section called Addresses.
  5. Set the Destination Address by clicking on the “+” in the field. The selection window works the same way as for the Source Address. Multiple selections are allowed.

Under the NAT Heading

  6. Set the IP Pool Configuration parameter by selecting either Use Outgoing Interface Address or Use Dynamic IP Pool.
    • If Use Dynamic IP Pool is chosen, a field will appear just beneath the option that is used to select which IP Pool object will be used. Set the IP Pool by clicking on the “+” in the field. This will slide out a window from the right where you can select from the available objects.
  7. Set the Protocol parameter. There are 5 options for the Protocol:
    • ANY – any protocol traffic
    • TCP – TCP traffic only. Protocol number set to 6
    • UDP – UDP traffic only. Protocol number set to 17
    • SCTP – SCTP traffic only. Protocol number set to 132
    • Specify – the user can specify the traffic filter protocol by setting the protocol number in the field.
  8. If the IP Pool is of the type Overload, Explicit Port Mapping can be enabled. To enable or disable it, use the check box. Once enabled, the following additional parameters will appear:
    • Original Source Port – in the left number field, set the starting number of the source port range.
    • Translated Port – in the left number field, set the starting number of the translated port range. For a single port, leave the right number field alone. If the right number field is set to a number higher than the left, the right number field for the Original Source Port will change to make sure the two ranges have a matching number of ports.
  9. Select the OK button to save the entry.

To configure Central SNAT in the CLI

  1. Using the CLI interface of your choice, run the following command to get to the correct context:

config firewall central-snat-map

  • To edit an existing entry, run the command show or show full-configuration to get a listing of all of the entries in the map. Take note of the policy ID for the entry to be edited.
  • To create a new entry, the next step will use the policy ID 0, which will check for an unused ID number and create an entry with that number.
  2. Edit or create an entry with the correct policy ID:

edit <policy ID number>

  3. Run the following commands to set the parameters of the entry:

set status [enable|disable]
set orig-addr <valid address object preconfigured on the FortiGate>
set srcintf <name of interface on the FortiGate>
set dst-addr <valid address object preconfigured on the FortiGate>
set dstintf <name of interface on the FortiGate>
set nat-ippool <IP pool object, when Use Dynamic IP Pool is wanted instead of the outgoing interface address>
set protocol <integer for protocol number>
set orig-port <integer for original port number>
set nat-port <integer for translated port number>

  4. Save the entry by running the command next (which stays in the table) or end (which leaves it).
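The following Python model is an added example, not part of the original page or of FortiOS, of how the fields set above decide the source NAT for a session. Entries are walked top down and the first match wins (an assumption of the model; the page does not describe evaluation order). The address objects lan_net and dmz_srv, the pool name pool_overload, the interface names and the table contents are constructed for the example. Explicit port mapping is modelled as the same offset inside two ranges of equal size, the condition the GUI enforces by resizing the Original Source Port range; here a mismatched pair is rejected outright. A session that matches no entry comes back as None, meaning no source NAT.

```python
"""Model of how a FortiOS Central SNAT table picks the source NAT for a session,
including explicit port mapping on an overload IP pool. Added example, not FortiOS code."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Protocol numbers as the GUI lists them; ANY is the unset (0) case.
PROTO_ANY, PROTO_TCP, PROTO_UDP, PROTO_SCTP = 0, 6, 17, 132

# Address objects constructed for this example; "all" matches any address.
ADDRESS_OBJECTS = {"all": None, "lan_net": "10.0.0.0/24", "dmz_srv": "10.0.5.10/32"}


@dataclass(frozen=True)
class CentralSnatEntry:
    policy_id: int
    srcintf: Tuple[str, ...]
    dstintf: Tuple[str, ...]
    orig_addr: str
    dst_addr: str
    protocol: int = PROTO_ANY
    nat_ippool: str = ""                          # "" = use the outgoing interface address
    orig_port: Optional[Tuple[int, int]] = None   # explicit port mapping: original range
    nat_port: Optional[Tuple[int, int]] = None    # explicit port mapping: translated range
    status: str = "enable"

    def __post_init__(self):
        # The GUI keeps the two ranges the same size by resizing the original one;
        # this model treats a mismatch as a hard error instead.
        if (self.orig_port is None) != (self.nat_port is None):
            raise ValueError("orig-port and nat-port must be set together")
        if self.orig_port is not None:
            o, n = self.orig_port, self.nat_port
            if o[1] - o[0] != n[1] - n[0]:
                raise ValueError("explicit port mapping needs two ranges of equal size")


def _address_matches(obj_name: str, ip: str) -> bool:
    cidr = ADDRESS_OBJECTS[obj_name]
    return cidr is None or ip_address(ip) in ip_network(cidr)


def entry_matches(e: CentralSnatEntry, srcintf, dstintf, src_ip, dst_ip, proto, sport) -> bool:
    """True when the session matches every field of the entry."""
    return (
        e.status == "enable"
        and srcintf in e.srcintf and dstintf in e.dstintf
        and _address_matches(e.orig_addr, src_ip)
        and _address_matches(e.dst_addr, dst_ip)
        and e.protocol in (PROTO_ANY, proto)
        and (e.orig_port is None or e.orig_port[0] <= sport <= e.orig_port[1])
    )


def source_nat_for(entries: List[CentralSnatEntry], srcintf, dstintf, src_ip, dst_ip, proto, sport):
    """Walk the table top down (assumed order) and return (policy_id, pool, translated_port)
    from the first matching entry, or None when nothing matches, i.e. no source NAT."""
    for e in entries:
        if entry_matches(e, srcintf, dstintf, src_ip, dst_ip, proto, sport):
            if e.orig_port is None:
                return e.policy_id, e.nat_ippool, None       # port is chosen by the pool itself
            return e.policy_id, e.nat_ippool, e.nat_port[0] + (sport - e.orig_port[0])
    return None


# Constructed table: entry 1 pins TCP source ports 10000-10099 from the LAN to
# 20000-20099 on an overload pool; entry 2 is the catch-all for the same path.
SNAT_TABLE = [
    CentralSnatEntry(1, ("lan",), ("wan1",), "lan_net", "all", PROTO_TCP,
                     "pool_overload", (10000, 10099), (20000, 20099)),
    CentralSnatEntry(2, ("lan",), ("wan1",), "lan_net", "all"),
]

if __name__ == "__main__":
    print(source_nat_for(SNAT_TABLE, "lan", "wan1", "10.0.0.5", "203.0.113.9", PROTO_TCP, 10042))
    print(source_nat_for(SNAT_TABLE, "dmz", "wan1", "10.0.5.10", "203.0.113.9", PROTO_TCP, 10042))
```

The second call illustrates the caveat above: the DMZ host matches no entry, so under Central NAT it would leave wan1 without source NAT until an entry for that path is added.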

NAT46 Policy

To configure a NAT46 policy in the GUI

  1. Go to Policy & Objects > NAT46 Policy

The right side window will display a table of the existing NAT46 Policies.

  • To edit an existing policy, double click on the policy you wish to edit.
  • To create a new policy, select the Create New icon in the top left side of the right window.
  2. Set the Incoming Interface parameter by selecting the field with the “+” next to the field label. Selecting the field will slide out a window from the right where you can select from the available interfaces. You can select one or more specific interfaces or you can select the any option; choosing any removes any other interfaces. For more information on interfaces, check the Concepts section called Interfaces and Zones.
  3. Set the Outgoing Interface parameter by selecting the field with the “+” next to the field label. (The same rules apply as in the step above.)
  4. Set the Source parameter by selecting the field with the “+” next to the field label. The source in this case is either the source address, source user or source device of the initiating traffic. When the field is selected a window will slide out from the right. Tabs indicating Address, User or Device options are there to help categorize the options, along with the option to search. In order to be able to select one of these options it needs to be configured as a firewall object beforehand. The “+” icon next to the Search field is a shortcut for creating a new firewall object based on the tab that is currently selected. For the Address and Device tabs, single or multiple options can be selected unless the all option is chosen, in which case it will be the only option.
  5. Set the Destination Address parameter by selecting the field with the “+” next to the field label. This field is similar to the Source field, but address objects are the only available options to select. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  6. Set the Schedule parameter by using the drop down menu to select a preconfigured schedule. The “+” icon next to the Search field is a shortcut for creating a new schedule object. For more information on schedules, check the Firewall Objects section called Firewall schedules.
  7. Set the Service parameter by selecting the field with the “+” next to the field label. (The same selection mechanics apply as with the other similar fields in this window.) Single or multiple options can be selected unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  8. Set the Action. Select one of the following options:
    • ACCEPT – lets the traffic through to the next phase of analysis
    • DENY – drops the session

There are fewer Action options than in the IPv4 policy, but since the choice of Action determines which settings appear below this parameter in the window, the remaining steps are specific to the Action chosen.

Settings if the ACCEPT action is selected

Firewall / Network Options

  9. Skip the NAT setting. This type of policy is intended only for traffic that is being NATed from IPv4 to IPv6; without NAT the traffic could not reach its destination, so disabling NAT would be pointless.
  10. Set the Fixed Port parameter by toggling the slider button (gray means it is disabled).
  11. Set the IP Pool Configuration by selecting one of the options:
    • Use Outgoing Interface Address
    • Use Dynamic IP Pool

If the Use Dynamic IP Pool option is selected, an additional field will appear with the “+” icon. Selecting this field will slide out a window from the right where a preexisting IP Pool can be chosen. One or more IP Pools can be chosen, and the “+” icon next to the Search field is a shortcut for creating a new IP Pool.

  12. Set the Log Allowed Traffic parameter by toggling the slider button (gray means it is disabled).

If the Log Allowed Traffic setting is enabled, choose whether to log just Security Events or All Sessions, and determine whether or not to keep a record of the packets by toggling the Capture Packets setting on or off.

  13. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  14. Toggle whether or not to Enable this policy. The default is enabled.
  15. Select the OK button to save the policy.

Settings if the DENY action is selected

  9. Enable the Log Violation Traffic setting by toggling the slider button.
  10. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  11. Toggle whether or not to Enable this policy. The default is enabled.
  12. Select the OK button to save the policy.

NAT64 Policy

To configure a NAT64 policy in the GUI

  1. Go to Policy & Objects > NAT64 Policy

The right side window will display a table of the existing NAT64 Policies.

  • To edit an existing policy, double click on the policy you wish to edit.
  • To create a new policy, select the Create New icon in the top left side of the right window.
  2. Set the Incoming Interface parameter by selecting the field with the “+” next to the field label. Selecting the field will slide out a window from the right where you can select from the available interfaces. You can select one or more specific interfaces or you can select the any option; choosing any removes any other interfaces. For more information on interfaces, check the Concepts section called Interfaces and Zones.
  3. Set the Outgoing Interface parameter by selecting the field with the “+” next to the field label. (The same rules apply as in the step above.)
  4. Set the Source Address parameter by selecting the field with the “+” next to the field label. The source in this case is an IPv6 address object matching the initiating traffic. When the field is selected a window will slide out from the right. In order to be able to select an address it needs to be configured as a firewall object beforehand. The “+” icon next to the Search field is a shortcut for creating a new address object. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option.
  5. Set the Destination Address parameter by selecting the field with the “+” next to the field label. This field works like the Source Address field. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  6. Set the Schedule parameter by using the drop down menu to select a preconfigured schedule. The “+” icon next to the Search field is a shortcut for creating a new schedule object. For more information on schedules, check the Firewall Objects section called Firewall schedules.
  7. Set the Service parameter by selecting the field with the “+” next to the field label. (The same selection mechanics apply as with the other similar fields in this window.) Single or multiple options can be selected unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  8. Set the Action. Select one of the following options:
    • ACCEPT – lets the traffic through to the next phase of analysis
    • DENY – drops the session

There are fewer Action options than in the IPv4 policy, but since the choice of Action determines which settings appear below this parameter in the window, the remaining steps are specific to the Action chosen.

Settings if the ACCEPT action is selected

Firewall / Network Options

  9. Skip the NAT setting. This type of policy is intended only for traffic that is being NATed from IPv6 to IPv4; without NAT the traffic could not reach its destination, so disabling NAT would be pointless.
  10. Set the IP Pool Configuration by selecting one of the options:
    • Use Outgoing Interface Address
    • Use Dynamic IP Pool

If the Use Dynamic IP Pool option is selected, an additional field will appear with the “+” icon. Selecting this field will slide out a window from the right where a preexisting IP Pool can be chosen. One or more IP Pools can be chosen, and the “+” icon next to the Search field is a shortcut for creating a new IP Pool.

  11. Set the Log Allowed Traffic parameter by toggling the slider button (gray means it is disabled).

If the Log Allowed Traffic setting is enabled, choose whether to log just Security Events or All Sessions, and determine whether or not to keep a record of the packets by toggling the Capture Packets setting on or off.

  12. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  13. Toggle whether or not to Enable this policy. The default is enabled.
  14. Select the OK button to save the policy.

Settings if the DENY action is selected

  9. Enable the Log Violation Traffic setting by toggling the slider button.
  10. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  11. Toggle whether or not to Enable this policy. The default is enabled.
  12. Select the OK button to save the policy.

 

IPv6 Policy

To configure an IPv6 policy in the GUI

  1. Go to Policy & Objects > IPv6 Policy

The right side window will display a table of the existing IPv6 Policies.

  • To edit an existing policy, double click on the policy you wish to edit.
  • To create a new policy, select the Create New icon in the top left side of the right window.
  2. Make sure the policy has a name in the Name field.
  3. Set the Incoming Interface parameter by selecting the field with the “+” next to the field label. Selecting the field will slide out a window from the right where you can select from the available interfaces. You can select one or more specific interfaces or you can select the any option; choosing any removes any other interfaces. For more information on interfaces, check the Concepts section called Interfaces and Zones.
  4. Set the Outgoing Interface parameter by selecting the field with the “+” next to the field label. (The same rules apply as in the step above.)
  5. Set the Source parameter by selecting the field with the “+” next to the field label. The source in this case is either the source address, source user or source device of the initiating traffic. When the field is selected a window will slide out from the right. Tabs indicating Address, User or Device options are there to help categorize the options, along with the option to search. In order to be able to select one of these options it needs to be configured as a firewall object beforehand. The “+” icon next to the Search field is a shortcut for creating a new firewall object based on the tab that is currently selected. For the Address and Device tabs, single or multiple options can be selected unless the all option is chosen, in which case it will be the only option.
  6. Set the Destination Address parameter by selecting the field with the “+” next to the field label. This field is similar to the Source field, but address objects are the only available options to select. Single or multiple options can be selected unless the all option is chosen, in which case it will be the only option. For more information on addresses, check the Firewall Objects section called Addresses.
  7. Set the Schedule parameter by using the drop down menu to select a preconfigured schedule. The “+” icon next to the Search field is a shortcut for creating a new schedule object. For more information on schedules, check the Firewall Objects section called Firewall schedules.
  8. Set the Service parameter by selecting the field with the “+” next to the field label. (The same selection mechanics apply as with the other similar fields in this window.) Single or multiple options can be selected unless the ALL option is chosen, in which case it will be the only option. For more information on services, check the Firewall Objects section called Services and TCP ports.
  9. Set the Action. Select one of the following options:
    • ACCEPT – lets the traffic through to the next phase of analysis
    • DENY – drops the session

There are fewer Action options than in the IPv4 policy, but since the choice of Action determines which settings appear below this parameter in the window, the remaining steps are specific to the Action chosen.

Settings if the ACCEPT action is selected

Firewall / Network Options

  10. Set the NAT parameter by toggling the slider button (gray means it is disabled).
  11. Set the IP Pool Configuration by selecting one of the options:
    • Use Outgoing Interface Address
    • Use Dynamic IP Pool

If the Use Dynamic IP Pool option is selected:

  • An additional field will appear with the “+” icon. Selecting this field will slide out a window from the right where a preexisting IP Pool can be chosen. One or more IP Pools can be chosen, and the “+” icon next to the Search field is a shortcut for creating a new IP Pool.
  • An additional option to Preserve the Source Port will appear as a toggle. If the slider button is grayed out it is disabled.

Security Profiles

  12. Enabling the Use Security Profile Group option allows the selection of a profile group instead of selecting the individual profiles for the policy.
  13. Disable or enable the various Security Profiles. Once a profile type has been toggled into the enabled mode a drop down menu will appear for choosing a specific profile. Only one profile can be chosen for each profile type. The “+” icon next to the Search field in the drop down menu is a shortcut for creating a new profile. The list of Security Profiles available to set includes:
    • AntiVirus
    • Web Filter
    • Application Control
    • IPS
    • Anti-Spam
    • DLP Sensor
    • VoIP
    • ICAP

Logging Options

  14. Set the Log Allowed Traffic parameter by toggling the slider button (gray means it is disabled).

If the Log Allowed Traffic setting is enabled, choose whether to log just Security Events or All Sessions, and determine whether or not to keep a record of the packets by toggling the Capture Packets setting on or off.

  15. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  16. Toggle whether or not to Enable this policy. The default is enabled.
  17. Select the OK button to save the policy.

Settings if the DENY action is selected

  10. Enable the Log Violation Traffic setting by toggling the slider button.
  11. Add a comment to give a detailed description of the policy in the Comments field (up to 1023 characters).
  12. Toggle whether or not to Enable this policy. The default is enabled.
  13. Select the OK button to save the policy.