One-Arm IDS

One-Arm IDS

Interface-based policy only defines what and how IPS functions are applied to the packets transmitted by the interface. It works no matter if the port is used in a forwarding path or used as an One-Arm device.

To enable One-Arm IDS, the user should first enable sniff-mode on the interface, config system interface

edit port2 set ips-sniffer-mode enable

next

end

Once sniff-mode is turned on, both incoming and outgoing packets will be dropped after IPS inspections. The port can be connected to a hub or a switch’s SPAN port. Any packet picked up by the interface will still follow the interface policy so different IPS and DoS anomaly checks can be applied.

DoS protection

DoS protection

Denial of Service (DoS) policies are primarily used to apply DoS anomaly checks to network traffic based on the FortiGate interface it is entering as well as the source and destination addresses. DoS checks are a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. A common example of anomalous traffic is the denial of service attack. A denial of service occurs when an attacking system starts an abnormally large number of sessions with a target system. The large number of sessions slows down or disables the target system, so that legitimate users can no longer use it.

DoS policies are similar to firewall policies except that instead of defining the way traffic is allowed to flow, they keep track of certain traffic patterns and attributes and will stop traffic displaying those attributes. Further, DoS policies affect only incoming traffic on a single interface. You can further limit a DoS policy by source address, destination address, and service.

DoS configurations have been changed a couple of times in the past. In FortiOS 4.0, DoS protection is moved to the interface policy, so when it is enabled, it is the first thing checked when a packet enters FortiGate. Because of this early detection, DoS policies are a very efficient defense that uses few resources. Denial of service attacks, for example, are detected and its packets dropped before requiring security policy look-ups, antivirus scans, and other protective but resource-intensive operations.

A DoS policy examines network traffic arriving at an interface for anomalous patterns usually indicating an attack. This does not mean that all anomalies experience by the firewall are the result of an intentional attack.

Because an improperly configured DoS anomaly check can interfere with network traffic, no DoS checks are preconfigured on a factory default FortiGate unit. You must create your own before they will take effect. Thresholds for newly created sensors are preset with recommended values that you can adjust to meet the needs of your network.

To create a Denial of Service policy determine if it needs to be an IPv4 or IPv6 policy, then go to:

Policy & Objects > IPv4 DoS Policy for IPv4.

Policy & Objects > IPv6 DoS Policy for IPv6.

The Enable SSH Deep Scan feature is enabled by default when creating a new

SSL/SSH Inspection profile. There are situations were this feature can cause issues so be sure that you would like it enabled before applying it.

 

Settings used in configuring DoS

Incoming interface

The interface to which this security policy applies. It will be the that the traffic is coming into the firewall on.

Source address

This will be the address that the traffic is coming from and must be a address listed in the Address section of the Firewall Objects. This can include the predefined “all” address which covers any address coming in on any interface. Multiple addresses or address groups can be chosen

Destination address

This will be the address that the traffic is addressed to. In this case it must be an address that is associated with the firewall itself. For instance it could be one of the interface address of the firewall, a secondary IP address or the interface address assigned to a Virtual IP address. Just like with the Source Address this address must be already configured before being used in the DoS policy. Multiple addresses, virtual IPs or virtual IP groups can be chosen.

Service

While the Service field allows for the use of the ALL service some administrators prefer to optimize the resources of the firewall and only check on the services that will be answered on an interface. Multiple services or service groups can be chosen.

Anomalies

The anomalies can not be configured by the user. They are predefined sensors set up for specific patterns of anomalous traffic

The anomalies that have been predefined for use in the DoS Policies are:

Anomaly Name Description Recommended Threshold
tcp_syn_flood If the SYN packet rate of new TCP connections, including retransmission, to one destination IP address exceeds the configured threshold value, the action is executed. 2000 packets per second.
tcp_port_scan If the SYN packet rate of new TCP connections, including retransmission, from one source IP address exceeds the configured threshold value, the action is executed. 1000 packets per second.
tcp_src_session If the number of concurrent TCP connections from one source IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.

 

Anomaly Name Description Recommended Threshold
tcp_dst_session If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.
udp_flood If the UDP traffic to one destination IP address exceeds the configured threshold value, the action is executed. 2000 packets per second.
udp_scan If the number of UDP sessions originating from one source IP address exceeds the configured threshold value, the action is executed. 2000 packets per second.
udp_src_session If the number of concurrent UDP connections from one source IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.
udp_dst_session If the number of concurrent UDP connections to one destination IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.
icmp_flood If the number of ICMP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. 250 packets per second.
icmp_sweep If the number of ICMP packets originating from one source IP address exceeds the configured threshold value, the action is executed. 100 packets per second.
icmp_src_ session If the number of concurrent ICMP connections from one source IP address exceeds the configured threshold value, the action is executed. 300 concurrent sessions
icmp_dst_ session If the number of concurrent ICMP connections to one destination IP address exceeds the configured threshold value, the action is executed. 3000 concurrent sessions
ip_src_session If the number of concurrent IP connections from one source IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.
ip_dst_session If the number of concurrent IP connections to one destination IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions.
sctp_flood If the number of SCTP packets sent to one destination IP address exceeds the configured threshold value, the action is executed. 2000 packets per second
Anomaly Name Description Recommended Threshold
sctp_scan If the number of SCTP sessions originating from one source IP address exceeds the configured threshold value, the action is executed. 1000 packets per second
sctp_src_session If the number of concurrent SCTP connections from one source IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions
sctp_dst_session If the number of concurrent SCTP connections to one destination IP address exceeds the configured threshold value, the action is executed. 5000 concurrent sessions

Status

The status field is enabled to enable the sensor for the associated anomaly. In terms of actions performed there is no difference between disabling a sensor and having the action as “Pass” but by disabling sensors that are not being used for blocking or logging you can save some resources of the firewall that can be better used elsewhere.

Logging

Regardless of whether the traffic is blocked or passed through the anomalous traffic will be logged.

Pass

Allows the anomalous traffic to pass through unimpeded.

Block

For Thresholds based on the number of concurrent sessions blocking the anomaly will not allow more than the number of concurrent sessions set as the threshold.

For rate based thresholds where the threshold is measured in packets per second, the Action setting “Block” prevents the overwhelming of the firewall by anomalous traffic in one of 2 ways. Setting which of those 2 ways will be issued is determined in the CLI.

l continuous – blocks packets once an anomaly is detected. This overrides individual anomaly settings. l periodical – allows matching anomalous traffic up to the rate set by the threshold.

If the period for a particular anomaly is 60 seconds, such as those where the threshold is measured in concurrent sessions, after the 60 second timer has expired, the number of allowed packets that match the anomaly criteria is reset to zero. This means that if you allow 10 sessions through before blocking, after the 60 seconds is up, another 10 will be allowed. The attrition of sessions from expiration should keep the allowed sessions from reaching the maximum.

To set the type of block action for the rate based anomaly sensors:

config ips global set anomaly-mode continuous set anomaly-mode periodical end

Threshold

The threshold can be either in terms of concurrent session or in packets per second depending on which sensor is being referred to.

Quarantine

The quarantine feature is found in the CLI. This setting is used to block any further traffic from a source address that is now considered to be a malicious actor or a source of traffic dangerous to the network. Not only is no more traffic accepted for the duration of the quarantine through the DoS policy but the source IP address of the traffic is added to the banned source ip list. This list is kept in the kernel and used by

l Antivirus l Data Leak Prevention (DLP) l Denial of Service (DoS) l Intrusion Prevention System (IPS)

Any policies that use any of these features will block traffic from the attacker’s IP address.

Syntax

config firewall {DoS-policy|DoS-policy6} edit <policyid> set quarantine {none|attacker} set quarantine-exipiry {string} set quarantine-log {enable|disable}

end

Option Description
quarantine Quarantine method.

l  none – Quarantine is disabled.

l  attacker – Block all traffic sent from the attacker’s IP address. The quarantined IP address is also added to the banned ip list. The destination address is not affected.

quarantine-expiry Duration of quarantine

The format is ###d##h##m, ranging from 1 minute to 364 days, 23 hours, and 59 minutes starting from now. The default is 0d0h5m. Requires quarantine set to attacker.

quarantine-log Enables or disables the logging of quarantine events.

Interface policies

Interface policies

Interface policies are implemented before the “security” policies and are only flow based. They are configured in the CLI.

This feature allows you to attach a set of IPS policies with the interface instead of the forwarding path, so packets can be delivered to IPS before entering firewall. This feature is used for following IPS deployments:

  • One-Arm: by defining interface policies with IPS and DoS anomaly checks and enabling sniff-mode on the interface, the interface can be used for one-arm IDS;
  • IPv6 IPS: IPS inspection can be enabled through interface IPv6 policy. Only IPS signature scan is supported in

FortiOS 4.0. IPv6 DoS protection is not supported; l Scan traffics that destined to FortiGate; l Scan and log traffics that are silently dropped or flooded by Firewall or Multicast traffic.

IPS sensors can be assigned to an interface policy. Both incoming and outgoing packets are inspected by IPS sensor (signature).

Here is an example of an interface policy,

# show full-configuration

config firewall interface-policy edit 1 set status enable

set comments ‘test interface policy #1’ set logtraffic utm set interface “port9” set srcaddr “all” set dstaddr “all”

set service “ALL” set application-list-status disable set ips-sensor-status disable set dsri disable set av-profile-status enable set av-profile “default” set webfilter-profile-status disable set spamfilter-profile-status disable set dlp-sensor-status disable set scan-botnet-connections disable next

end

DSRI

DSRI

The Disable Server Response Inspection (DSRI) options is available for configuration in the CLI. This is used to assist performance when only URL filtering is being used. This allows the system to ignore the HTTP server responses. The setting is configured to be disabled by default.

Interface policies

CLI syntax for changing the status of the DSRI setting

In IPv4 or IPv6 firewall policies

config firewall policy|policy6 edit 0 set dsri enable|disable end

In IPv4 or IPv6 interface policies

config firewall interface-policy|interface-policy6 edit 0 set dsri enable|disable end

When using the sniffer

config firewall sniffer edit 0 set dsri enable|disable end

VPN policies

VPN policies

At one point, if you wanted to have secure digital communications between 2 points a private network would be created. This network would only allow the people that were intended to get the communications on it. This is very straightforward if the 2 points are in the same room or even in the same building. It can all be done physically. If you are supposed to be on the secure network

VPNs are an answer to one of today’s biggest concerns, how to make digital communications secure between to points that must communicate over the Internet which anybody can have access to.

There are two types of VPNs supported by FortiOS, SSL and IPsec. They are differentiated by the security protocol suites that are used to secure the traffic. These are both described in more detail in the VPN section, but the IPsec VPN can be configured as an Action with a firewall policy.

IPsec policies

IPsec policies allow IPsec VPN traffic access to the internal network from a remote location. These policies include authentication information that authenticates users and user group or groups. These policies specify the following:

  • the FortiGate firewall interface that provides the physical connection to the remote VPN gateway, usually an interface connected to the Internet
  • the FortiGate firewall interface that connects to the private network l IP addresses associated with data that has to be encrypted and decrypted l optional: a schedule that restricts when the VPN can operate, and services (or types of data) that can be sent.

For a route-based (interface mode) VPN, you do not configure an IPsec security policy. Instead, you configure two regular ACCEPT security policies, one for each direction of communication, with the IPsec virtual interface as the source or destination interface, as appropriate.

Protocol number

Protocol number

IP is responsible for more than the address that it is most commonly associated with and there are a number of associated protocols that make up the Network Layer. While there are not 256 of them, the field that identifies them is a numeric value between 0 and 256.

In the Internet Protocol version 4 (IPv4) [RFC791] there is a field called “Protocol” to identify the next level protocol. This is an 8 bit field. In Internet Protocol version 6 (IPv6) [RFC2460], this field is called the “Next Header” field.

Protocol numbers

# Protocol Protocol’s Full Name
0 HOPOPT IPv6 Hop-by-Hop Option
1 ICMP Internet Control Message Protocol
2 IGMP Internet Group Management
3 GGP Gateway-to-Gateway
4 IPv4 IPv4 encapsulation Protocol
5 ST Stream
6 TCP Transmission Control Protocol
7 CBT CBT
8 EGP Exterior Gateway Protocol
9 IGP Any private interior gateway (used by Cisco for their IGRP)
10 BBN-RCC-MON BBN RCC Monitoring
11 NVP-II Network Voice Protocol
12 PUP PUP

 

# Protocol Protocol’s Full Name
13 ARGUS ARGUS
14 EMCON EMCON
15 XNET Cross Net Debugger
16 CHAOS Chaos
17 UDP User Datagram Protocol
18 MUX Multiplexing
19 DCN-MEAS DCN Measurement Subsystems
20 HMP Host Monitoring
21 PRM Packet Radio Measurement
22 XNS-IDP XEROX NS IDP
23 TRUNK-1 Trunk-1
24 TRUNK-2 Trunk-2
25 LEAF-1 Leaf-1
26 LEAF-2 Leaf-2
27 RDP Reliable Data Protocol
28 IRTP Internet Reliable Transaction
29 ISO-TP4 ISO Transport Protocol Class 4
30 NETBLT Bulk Data Transfer Protocol
31 MFE-NSP MFE Network Services Protocol
32 MERIT-INP MERIT Internodal Protocol
33 DCCP Datagram Congestion Control Protocol
34 3PC Third Party Connect Protocol
35 IDPR Inter-Domain Policy Routing Protocol
36 XTP XTP

 

# Protocol Protocol’s Full Name
37 DDP Datagram Delivery Protocol
38 IDPR-CMTP IDPR Control Message Transport Proto
39 TP++ TP++ Transport Protocol
40 IL IL Transport Protocol
41 IPv6 IPv6 encapsulation
42 IPv6 SDRPSource Demand Routing Protocol
43 IPv6-Route Routing Header for IPv6
44 IPv6-Frag Fragment Header for IPv6
45 IDRP Inter-Domain Routing Protocol
46 RSVP Reservation Protocol
47 GRE General Routing Encapsulation
48 DSR Dynamic Source Routing Protocol
49 BNA BNA
50 ESP Encap Security Payload
51 AH Authentication Header
52 I-NLSP Integrated Net Layer Security TUBA
53 SWIPE IP with Encryption
54 NARP NBMA Address Resolution Protocol
55 MOBILE IP Mobility
56 TLSP Transport Layer Security Protocol using Kryptonet key management
57 SKIP SKIP
58 IPv6-ICMP ICMP for IPv6
59 IPv6-NoNxt No Next Header for IPv6
60 IPv6-Opts Destination Options for IPv6

 

# Protocol Protocol’s Full Name
61   any host internal protocol
62 CFTP CFTP
63   any local network
64 SAT-EXPAK SATNET and Backroom EXPAK
65 KRYPTOLAN Kryptolan
66 RVD MIT Remote Virtual Disk Protocol
67 IPPC Internet Pluribus Packet Core
68   any distributed file system
69 SAT-MON SATNET Monitoring
70 VISA VISA Protocol
71 IPCV Internet Packet Core Utility
72 CPNX Computer Protocol Network Executive
73 CPHB Computer Protocol Heart Beat
74 WSN Wang Span Network
75 PVP Packet Video Protocol
76 BR-SAT-MON Backroom SATNET Monitoring
77 SUN-ND SUN ND PROTOCOL-Temporary
78 WB-MON WIDEBAND Monitoring
79 WB-EXPAK WIDEBAND EXPAK
80 ISO-IP ISO Internet Protocol
81 VMTP VMTP
82 SECURE-VMTP SECURE-VMTP
83 VINES VINES
84 TTP TTP

 

# Protocol Protocol’s Full Name
84 IPTM Protocol Internet Protocol Traffic
85 NSFNET-IGP NSFNET-IGP
86 DGP Dissimilar Gateway Protocol
87 TCF TCF
88 EIGRP EIGRP
89 OSPFIGP OSPFIGP
90 Sprite-RPC Sprite RPC Protocol
91 LARP Locus Address Resolution Protocol
92 MTP Multicast Transport Protocol
93 AX.25 AX.25 Frames
94 IPIP IP-within-IP Encapsulation Protocol
95 MICP Mobile Internetworking Control Pro.
96 SCC-SP Semaphore Communications Sec. Pro.
97 ETHERIP Ethernet-within-IP Encapsulation
98 ENCAP Encapsulation Header
99   any private encryption scheme
100 GMTP GMTP
101 IFMP Ipsilon Flow Management Protocol
102 PNNI PNNI over IP
103 PIM Protocol Independent Multicast
104 ARIS ARIS
105 SCPS SCPS
106 QNX QNX
107 A/N Active Networks

 

# Protocol Protocol’s Full Name
108 IPComp IP Payload Compression Protocol
109 SNP Sitara Networks Protocol
110 Compaq-Peer Compaq Peer Protocol
111 IPX-in-IP IPX in IP
112 VRRP Virtual Router Redundancy Protocol
113 PGM PGM Reliable Transport Protocol
114   any 0-hop protocol
115 L2TP Layer Two Tunneling Protocol
116 DDX D-II Data Exchange (DDX)
117 IATP Interactive Agent Transfer Protocol
118 STP Schedule Transfer Protocol
119 SRP SpectraLink Radio Protocol
120 UTI UTI
121 SMP Simple Message Protocol
122 SM SM
123 PTP Performance Transparency Protocol
124 ISIS over IPv4  
125 FIRE  
126 CRTP Combat Radio Transport Protocol
127 CRUDP Combat Radio User Datagram
128 SSCOPMCE  
129 IPLT  
130 SPS Secure Packet Shield
131 PIPE Private IP Encapsulation within IP
# Protocol Protocol’s Full Name
132 SCTP Stream Control Transmission Protocol
133 FC Fibre Channel
134 RSVP-E2EIGNORE  
135 Mobility Header  
136 UDPLite  
137 MPLS-in-IP  
138 manet  
139 HIP  
140 Shim6  
141 WESP  
142 ROHC  
143 − 252 Unassigned Unassigned
253   Use for experimentation and testing
254   Use for experimentation and testing
255 Reserved  

Further information can be found by researching RFC 5237.

Protocol number

IP is responsible for more than the address that it is most commonly associated with and there are a number of associated protocols that make up the Network Layer. While there are not 256 of them, the field that identifies them is a numeric value between 0 and 256.

In the Internet Protocol version 4 (IPv4) [RFC791] there is a field called “Protocol” to identify the next level protocol. This is an 8 bit field. In Internet Protocol version 6 (IPv6) [RFC2460], this field is called the “Next Header” field.

Protocol numbers

# Protocol Protocol’s Full Name
0 HOPOPT IPv6 Hop-by-Hop Option

 

# Protocol Protocol’s Full Name
1 ICMP Internet Control Message Protocol
2 IGMP Internet Group Management
3 GGP Gateway-to-Gateway
4 IPv4 IPv4 encapsulation Protocol
5 ST Stream
6 TCP Transmission Control Protocol
7 CBT CBT
8 EGP Exterior Gateway Protocol
9 IGP Any private interior gateway (used by Cisco for their IGRP)
10 BBN-RCC-MON BBN RCC Monitoring
11 NVP-II Network Voice Protocol
12 PUP PUP
13 ARGUS ARGUS
14 EMCON EMCON
15 XNET Cross Net Debugger
16 CHAOS Chaos
17 UDP User Datagram Protocol
18 MUX Multiplexing
19 DCN-MEAS DCN Measurement Subsystems
20 HMP Host Monitoring
21 PRM Packet Radio Measurement
22 XNS-IDP XEROX NS IDP
23 TRUNK-1 Trunk-1
24 TRUNK-2 Trunk-2

 

# Protocol Protocol’s Full Name
25 LEAF-1 Leaf-1
26 LEAF-2 Leaf-2
27 RDP Reliable Data Protocol
28 IRTP Internet Reliable Transaction
29 ISO-TP4 ISO Transport Protocol Class 4
30 NETBLT Bulk Data Transfer Protocol
31 MFE-NSP MFE Network Services Protocol
32 MERIT-INP MERIT Internodal Protocol
33 DCCP Datagram Congestion Control Protocol
34 3PC Third Party Connect Protocol
35 IDPR Inter-Domain Policy Routing Protocol
36 XTP XTP
37 DDP Datagram Delivery Protocol
38 IDPR-CMTP IDPR Control Message Transport Proto
39 TP++ TP++ Transport Protocol
40 IL IL Transport Protocol
41 IPv6 IPv6 encapsulation
42 IPv6 SDRPSource Demand Routing Protocol
43 IPv6-Route Routing Header for IPv6
44 IPv6-Frag Fragment Header for IPv6
45 IDRP Inter-Domain Routing Protocol
46 RSVP Reservation Protocol
47 GRE General Routing Encapsulation
48 DSR Dynamic Source Routing Protocol

 

# Protocol Protocol’s Full Name
49 BNA BNA
50 ESP Encap Security Payload
51 AH Authentication Header
52 I-NLSP Integrated Net Layer Security TUBA
53 SWIPE IP with Encryption
54 NARP NBMA Address Resolution Protocol
55 MOBILE IP Mobility
56 TLSP Transport Layer Security Protocol using Kryptonet key management
57 SKIP SKIP
58 IPv6-ICMP ICMP for IPv6
59 IPv6-NoNxt No Next Header for IPv6
60 IPv6-Opts Destination Options for IPv6
61   any host internal protocol
62 CFTP CFTP
63   any local network
64 SAT-EXPAK SATNET and Backroom EXPAK
65 KRYPTOLAN Kryptolan
66 RVD MIT Remote Virtual Disk Protocol
67 IPPC Internet Pluribus Packet Core
68   any distributed file system
69 SAT-MON SATNET Monitoring
70 VISA VISA Protocol
71 IPCV Internet Packet Core Utility
72 CPNX Computer Protocol Network Executive

 

# Protocol Protocol’s Full Name
73 CPHB Computer Protocol Heart Beat
74 WSN Wang Span Network
75 PVP Packet Video Protocol
76 BR-SAT-MON Backroom SATNET Monitoring
77 SUN-ND SUN ND PROTOCOL-Temporary
78 WB-MON WIDEBAND Monitoring
79 WB-EXPAK WIDEBAND EXPAK
80 ISO-IP ISO Internet Protocol
81 VMTP VMTP
82 SECURE-VMTP SECURE-VMTP
83 VINES VINES
84 TTP TTP
84 IPTM Protocol Internet Protocol Traffic
85 NSFNET-IGP NSFNET-IGP
86 DGP Dissimilar Gateway Protocol
87 TCF TCF
88 EIGRP EIGRP
89 OSPFIGP OSPFIGP
90 Sprite-RPC Sprite RPC Protocol
91 LARP Locus Address Resolution Protocol
92 MTP Multicast Transport Protocol
93 AX.25 AX.25 Frames
94 IPIP IP-within-IP Encapsulation Protocol
95 MICP Mobile Internetworking Control Pro.

 

# Protocol Protocol’s Full Name
96 SCC-SP Semaphore Communications Sec. Pro.
97 ETHERIP Ethernet-within-IP Encapsulation
98 ENCAP Encapsulation Header
99   any private encryption scheme
100 GMTP GMTP
101 IFMP Ipsilon Flow Management Protocol
102 PNNI PNNI over IP
103 PIM Protocol Independent Multicast
104 ARIS ARIS
105 SCPS SCPS
106 QNX QNX
107 A/N Active Networks
108 IPComp IP Payload Compression Protocol
109 SNP Sitara Networks Protocol
110 Compaq-Peer Compaq Peer Protocol
111 IPX-in-IP IPX in IP
112 VRRP Virtual Router Redundancy Protocol
113 PGM PGM Reliable Transport Protocol
114   any 0-hop protocol
115 L2TP Layer Two Tunneling Protocol
116 DDX D-II Data Exchange (DDX)
117 IATP Interactive Agent Transfer Protocol
118 STP Schedule Transfer Protocol
119 SRP SpectraLink Radio Protocol

 

# Protocol Protocol’s Full Name
120 UTI UTI
121 SMP Simple Message Protocol
122 SM SM
123 PTP Performance Transparency Protocol
124 ISIS over IPv4  
125 FIRE  
126 CRTP Combat Radio Transport Protocol
127 CRUDP Combat Radio User Datagram
128 SSCOPMCE  
129 IPLT  
130 SPS Secure Packet Shield
131 PIPE Private IP Encapsulation within IP
132 SCTP Stream Control Transmission Protocol
133 FC Fibre Channel
134 RSVP-E2EIGNORE  
135 Mobility Header  
136 UDPLite  
137 MPLS-in-IP  
138 manet  
139 HIP  
140 Shim6  
141 WESP  
142 ROHC  
143 − 252 Unassigned Unassigned

 

VPN policies

# Protocol Protocol’s Full Name
253   Use for experimentation and testing
254   Use for experimentation and testing
255 Reserved  

Further information can be found by researching RFC 5237.

Protocol types

Protocol types

One of the fundamental aspects of a service is the type of protocol that use used to define it. When a service is defined one of the following categories of protocol needs to be determined: l TCP/UDP/SCTP l ICMP l ICMPv6 l IP

Depending on which of these protocol categories is choose another set of specifications will can also be defined.

Protocol Type Related specifications
TCP/UDP/SCTP This is the most commonly used service protocol category. Once this category has been selected the other available options to choose are an address, either IP or

FQDN, and the protocol and port number. The protocol will be TCP, UDP or SCTP.

ICMP or ICMP6 When ICMP or ICMP6 is chosen the available options are the ICMP Type and its code.
IP When IP is the chosen protocol type the addition option is the Protocol Number.

TCP/UDP/SCTP

TCP

Transmission Control Protocol (TCP) is one of the core or fundamental protocols of the Internet. It is part of the Transport Layer of the OSI Model. It is designed to provide reliable delivery of data from a program on one device on the network or Internet to another program on another device on the network or Internet. TCP achieves its reliability because it is a connection based protocol. TCP is stream-oriented. It transports streams of data reliably and in order.

TCP establishes a prior connection link between the hosts before sending data. This is often referred to as the handshake. Once the link is established the protocol uses checks to verify that the data transmitted. If an error check fails the data is retransmitted. This makes sure that the data is getting to the destination error free and in the correct order so that it can be put back together into a form that is identical to the way they were sent.

TCP is configured more for reliability than for speed and because of this TCP will likely be slower than a connectionless protocol such as UDP. This is why TCP is generally not used for real time applications such as voice communication or online gaming. Some of the applications that use TCP are:

l World Wide Web (HTTP and HTTPS) l Email (SMTP, POP3, IMAP4) l Remote administration (RDP) l File transfer (FTP)

UDP

User Datagram Protocol (UDP) like TCP is one of the core protocols of the Internet and part of the Transport Layer of the OSI Model. UDP is designed more for speed than reliability and is generally used for different applications than TCP. UDP sends messages, referred to as datagrams across the network or Internet to other hosts without establishing a prior communication link. In other words, there is no handshake.

UDP is an unreliable service as the datagrams can arrive out of order, duplicated or go missing without any mechanism to verify them. UDP works on the assumption that any error checking is done by the application or is not necessary for the function of the application. This way it avoids the overhead that is required to verify the integrity of the data.

This lack of overhead improves the speed of the data transfer and is why UDP is often used by applications that are time sensitive in nature. UDP’s stateless nature is also great for applications that answer a large number of small queries from a large number of clients.

Common uses for UDP are:

l Domain Name Resolution (DNS) l Time (NTP) l Streaming media (RTSP, RTP and RTCP) l Telephone of the Internet (VoIP) l File Transfer (TFTP) l Logging (SNMP) l Online games (GTP and OGP)

SCTP

Stream Control Transmission Protocol (SCTP) is part of the Transport Layer of the OSI Model just like TCP and UDP and provides some of the features of both of those protocols. It is message or datagram orientated like UDP but it also ensures reliable sequential transport of data with congestion control like TCP.

SCTP provides the following services:

  • Acknowledged error-free non-duplicated transfer of user data l Data fragmentation to conform to discovered path MTU size l Sequenced delivery of user messages within multiple streams, with an option for order-of-arrival delivery of individual user messages
  • Optional bundling of multiple user messages into a single SCTP packet l Network-level fault tolerance through supporting of multi-homing at either or both ends of an association l Congestion avoidance behavior and resistance to flooding and masquerade attacks

SCTP uses multi-streaming to transport its messages which means that there can be several independent streams of messages traveling in parallel between the points of the transmission. The data is sent out in larger chunks of data than is used by TCP just like UDP but the messages include a sequence number within each message in the same way that TCP does so that the data can be reassembled at the other end of the transmission in the correct sequence without the data having to arrive in the correct sequence.

SCTP is effective as the transport protocol for applications that require monitoring and session-loss detection. For such applications, the SCTP path and session failure detection mechanisms actively monitor the connectivity of the session. SCTP differs from TCP in having multi-homing capabilities at either or both ends and several streams within a connection, typically referred to as an association. A TCP stream represents a sequence of bytes; an SCTP stream represents a sequence of messages.

Some common applications of SCTP include supporting transmission of the following protocols over IP networks:

  • SCTP is important in 3G and 4G/LTE networks (for example, HomeNodeB = FemtoCells) l SS7 over IP (for example, for 3G mobile networks) l SCTP is also defined and used for SIP over SCTP and H.248 over SCTP l Transport of Public Switched Telephone Network (PSTN) signaling messages over IP networks.

SCTP is a much newer protocol. It was defined by the IETF Signaling Transport (SIGTRAN) working group in 2000. It was introduced by RFC 3286 and more fully define by RFC 4960.

The FortiGate firewall can apply security policies to SCTP sessions in the same way as TCP and UDP sessions. You can create security policies that accept or deny SCTP traffic by setting the service to “ALL”. FortiOS does not include pre-defined SCTP services. To configure security policies for traffic with specific SCTP source or destination ports you must create custom firewall services for SCTP.

FortiGate units route SCTP traffic in the same way as TCP and UDP traffic. You can configure policy routes specifically for routing SCTP traffic by setting the protocol number to 132. SCTP policy routes can route SCTP traffic according to the destination port of the traffic if you add a port range to the policy route.

You can configure a FortiGate unit to perform stateful inspection of different types of SCTP traffic by creating custom SCTP services and defining the port numbers or port ranges used by those services. FortiGate units support SCTP over IPv4. The FortiGate unit performs the following checks on SCTP packets:

  • Source and Destination Port and Verification Tag. l Chunk Type, Chunk Flags and Chunk Length l Verify that association exists l Sequence of Chunk Types (INIT, INIT ACK, etc) l Timer checking l Four way handshake checking l Heartbeat mechanism l Protection against INIT/ACK flood DoS attacks, and long-INIT flooding
  • Protection against association hijacking

FortiOS also supports SCTP sessions over IPsec VPN tunnels, as well as full traffic and event logging for SCTP sessions.

Protocol port values

The source and destination ports for TCP/UDP/SCTP services are important to get correct. If they are reversed the service will not work. The destination port(s) are the on ones that refer to the ports that the computer will be listening on. These are the port numbers that most people are familiar with when they associate a port number to a protocol. In most cases the source port will be one that is randomly assigned by the computer that is not being already used by another service.

Most people associate HTTP with port 80. This means that a web-server will be listening on port 80 for any http requests being sent to the computer. The computer that is sending the request can use any port that is not already assigned to another service or communication session. There are 65,535 ports that it can randomly assign, but because the ports from 1 to 1024 are normally used for listening for incoming communications it is usually not in that range. It is unless there is a specific instance when you know that a communication will be coming from a predefined source port it is best practice to set the source port range from 1 to 65,535.

ICMP

The Internet Control Message Protocol (ICMP) is a protocol layered onto the Internet Protocol Suite to provide error reporting flow control and first-hop gateway redirection. It is normally used by the operating systems of networked computers to send connectivity status query, response and error messages. It is assigned protocol number 1. There is a separate version of the protocol for both IPv4 and for IPv6. It is not designed to be absolutely reliable like TCP.

ICMP is not typically used for transporting data or for end-user network applications with the exception of some diagnostic utilities such as ping and traceroute.

ICMP messages are sent in several situations, for example:

l when a datagram cannot reach its destination, l time exceeded messages l redirect messages l when the gateway does not have the buffering capacity to forward a datagram l when the gateway can direct the host to send traffic on a shorter route.

Some of the specific ICMP message types are: l ICMP_ECHO l ICMP_TIMESTAMP l ICMP_INFO_REQUEST l ICMP_ADDRESS

For ICMP error messages, only those reporting an error for an existing session can pass through the firewall. The security policy will allow traffic to be routed, forwarded or denied. If allowed, the ICMP packets will start a new session. Only ICMP error messages of a corresponding security policy is available will be sent back to the source. Otherwise, the packet is dropped. That is, only ICMP packets for a corresponding security policy can traverse the FortiGate unit.

ICMP types and codes

ICMP has a number of messages that are identified by the “Type” field. Some of these types have assigned “Code” fields as well. The table below shows the different types of ICMP Types with their associated codes if there are any.

ICMP types and codes

Type Number Type Name Optional Code(s)
0 Echo Reply  
1 Unassigned
2 Unassigned
3 Destination Unreachable 0            Net Unreachable

1            Host Unreachable

2            Protocol Unreachable

3            Port Unreachable

4            Fragmentation Needed and Don’t Fragment was Set

5            Source Route Failed

6            Destination Network Unknown

7            Destination Host Unknown

8            Source Host Isolated

9            Communication with Destination Network is Administratively Prohibited

10         Communication with Destination Host is Administratively Prohibited

11         Destination Network Unreachable for Type of Service

12         Destination Host Unreachable for Type of Service

13         Communication Administratively Prohibited

14         Host Precedence Violation

15         Precedence cutoff in effect

4 Source Quench  

 

Type Number Type Name Optional Code(s)
5 Redirect 0 Redirect Datagram for the Network (or subnet)

1 Redirect Datagram for the Host

2 Redirect Datagram for the Type of Service and Network

3 Redirect Datagram for the Type of Service and Host

6 Alternate Host Address  
7 Unassigned  
8 Echo  
9 Router

Advertisement

 
10 Router Selection  
11 Time Exceeded 0 Time to Live exceeded in Transit

1 Fragment Reassembly Time Exceeded

12 Parameter Problem 0 Pointer indicates the error

1 Missing a Required Option

2 Bad Length

13 Timestamp  
14 Timestand Reply  
15 Information Request  
16 Information Reply  
17 Address Mask Request  
18 Address Mask Reply  
19 Reserved (for Security)  
Type Number Type Name Optional Code(s)
20 – 29 Reserved (for

Robustness

Experiment)

 
30 Traceroute  
31 Datagram

Conversion Error

 
32 Mobile Host Redirect  
33 IPv6 Where-AreYou  
34 IPv6 I-Am-Here  
35 Mobile Registration  
36 Mobile Registration Reply  
37 Domain Name

Request

 
38 Domain Name

Reply

 
39 SKIP  
40 Photuris  
41 – 255 Reserved  
log-invalid-packet

The log-invalid-packet CLI setting is one that is intended to log invalid ICMP packets. The exact definition being:

If the FortiGate unit receives an ICMP error packet that contains an embedded IP(A,B)|TCP (C,D) header, then if FortiOS can locate the A:C -> B:D session it checks to make sure that the sequence number in the TCP header is within the range recorded in the session. If the sequence number is not in range then the ICMP packet is dropped.

When this field is enabled, the FortiGate also log messages that are not ICMP error packets.

Types of logs covered by log-invalid-packet

  • Invalid ICMP l If ICMP error message verification (see “check-reset-range”) is enabled
  • Invalid DNS packets l DNS packets that contain requests for non-existing domains
  • iprope check failed l reverse path check fail l denied and broadcast traffic l no session matched

Some other examples of messages that are not errors that will be logged, based on RFC792: Type 3 messages correspond to “Destination Unreachable Message” l Type 3, Code 1 = host unreachable l Type 3, Code 3 = port unreachable

Type 11 messages correspond to “Time Exceeded Message” l Type 11, Code 0 = time to live exceeded in transit

ICMPv6

Internet Control Message Protocol version 6 (ICMPv6) is the new implementation of the Internet Control Message Protocol (ICMP) that is part of Internet Protocol version 6 (IPv6). The ICMPv6 protocol is defined in RFC 4443.

ICMPv6 is a multipurpose protocol. It performs such things as:

  • error reporting in packet processing l diagnostic functions l Neighbor Discovery process l IPv6 multicast membership reporting

It also designed as a framework to use extensions for use with future implementations and changes.

Examples of extensions that have already been written for ICMPv6:

  • Neighbor Discovery Protocol (NDP) – a node discovery protocol in IPv6 which replaces and enhances functions of ARP.
  • Secure Neighbor Discovery Protocol (SEND) – an extension of NDP with extra security. l Multicast Router Discovery (MRD) – allows discovery of multicast routers.

ICMPv6 messages use IPv6 packets for transportation and can include IPv6 extension headers. ICMPv6 includes some of the functionality that in IPv4 was distributed among protocols such as ICMPv4, ARP (Address Resolution Protocol), and IGMP (Internet Group Membership Protocol version 3).

ICMPv6 has simplified the communication process by eliminating obsolete messages.

ICMPv6 messages are subdivided into two classes: error messages and information messages.

Error Messages are divided into four categories:

  1. Destination Unreachable
  2. Time Exceeded
  3. Packet Too Big
  4. Parameter Problems

Information messages are divided into three groups:

  1. Diagnostic messages
  2. Neighbor Discovery messages
  3. Messages for the management of multicast groups.
ICMPv6 types and codes

ICMPv6 has a number of messages that are identified by the “Type” field. Some of these types have assigned “Code” fields as well. The table below shows the different types of ICMP Types with their associated codes if there are any.

Type codes 0 − 127 are error messages and type codes 128 − 255 are for information messages.

ICMPv6 types and codes

Type Number Type Name Code
0 Reserved 0 – no route to destination

1 – communication with destination administratively prohibited

2 – beyond scope of source address

3 – address unreachable

4 – port unreachable

5 – source address failed ingress/egress policy

6 – reject route to destination

7 – Error in Source Routing Header

1 Destination Unreachable  
2 Packet Too Big  
3 Time Exceeded 0 – hop limit exceeded in transit

1 – fragment reassembly time exceeded

4 Parameter Problem 0 – erroneous header field encountered

1 – unrecognized Next Header type encountered

2 – unrecognized IPv6 option encountered

 

Type Number Type Name Code
100 Private

Experimentation

 
101 Private

Experimentation

 
102 – 126 Unassigned  
127 Reserved for expansion if ICMPv6 error messages  
128 Echo Request  
129 Echo Replay  
130 Multicast Listener Query  
131 Multicast Listener Report  
132 Multicast Listener

Done

 
133 Router Solicitation  
134 Router

Advertisement

 
135 Neighbor Solicitation  
136 Neighbor

Advertisement

 
137 Redirect Message  
138 Router

Renumbering

0 – Router Renumbering Command

1 – Router Renumbering Result

255 – Sequence Number Reset

 

Type Number Type Name Code
139 ICMP Node

Information Query

0             – The Data field contains an IPv6 address which is the Subject of this Query.

1             – The Data field contains a name which is the Subject of this Query, or is empty, as in the case of a NOOP.

2             – The Data field contains an IPv4 address which is the Subject of this Query.

140 ICMP Node

Information

Response

0             – A successful reply. The Reply Data field may or may not be empty.

1             – The Responder refuses to supply the answer. The Reply Data field will be empty.

2             – The Qtype of the Query is unknown to the Responder. The Reply Data field will be empty.

141 Inverse Neighbor

Discovery

Solicitation

Message

 
142 Inverse Neighbor

Discovery

Advertisement

Message

 
143 Version 2 Multicast Listener Report  
144 Home Agent

Address Discovery

Request Message

 
145 Home Agent

Address Discovery

Reply Message

 
146 Mobile Prefix

Solicitation

 
147 Mobile Prefix Advertisement  
148 Certification Path

Solicitation

Message

 

 

Type Number Type Name Code
149 Certification Path

Advertisement

Message

 
150 ICMP messages

utilized by experimental mobility protocols such as Seamoby

 
151 Multicast Router Advertisement  
152 Multicast Router

Solicitation

 
153 Multicast Router Termination  
154 FMIPv6 Messages  
155 RPL Control Message  
156 ILNPv6 Locator Update Message  
157 Duplicate Address Request  
158 Duplicate Address Confirmation  
159 − 199 Unassigned  
200 Private experimentation  
201 Private experimentation  
255 Reserved for expansion of ICMPv6

informational messages

 

IP

Internet Protocol (IP) is the primary part of the Network Layer of the OSI Model that is responsible for routing traffic across network boundaries. It is the protocol that is responsible for addressing. IPv4 is probable the version that most people are familiar with and it has been around since 1974. IPv6 is its current successor and due to a shortage of available IPv4 addresses compared to the explosive increase in the number of devices that use IP addresses, IPv6 is rapidly increasing in use.

When IP is chosen as the protocol type the available option to further specify the protocol is the protocol number.

This is used to narrow down which protocol within the Internet Protocol Suite and provide a more granular control.