FortiDDoS and FortiDDoS CM 5.3.0

Release Notes

Summary of Contents for FortiDDoS 1000B

Page 1: ...FortiDDoS and FortiDDoS CM 5 3 0 Release Notes ...

Page 2: ...tp cookbook fortinet com how to work with fortinet support FORTIGATE COOKBOOK http cookbook fortinet com FORTINET TRAINING SERVICES http www fortinet com training FORTIGUARD CENTER http www fortiguard com END USER LICENSE AGREEMENT http www fortinet com doc legal EULA pdf FEEDBACK Email techdocs fortinet com Tuesday February 4 2020 FortiDDoS FortiDDoS CM 5 3 0 Release Notes Revision 1 ...

Page 3: ...on 2 Upgrading via CLI 16 Section 3 Upgrading via BIOS 18 Sample console log 20 Downgrading 23 Factory reset 25 Resolved issues 26 Common Vulnerabilities 27 Known issues 28 FortiDDoS CM 31 Introduction to FortiDDoS CM 32 Special Notes for CM 33 What s new in FortiDDoS CM 34 FortiDDoS CM hardware support 35 Installing FortiDDoS CM 36 Upgrading FortiDDoS CM 37 Downgrading FortiDDoS CM 39 Resolved is...

Page 4: ...Change Log Change Log Date Change Description 01 07 2020 Initial version of FortiDDoS 5 3 0 Release notes 4 FortiDDoS 5 3 0 Release Notes Fortinet Technologies Inc ...

Page 5: ... that are characterized by excessive use of network resources These attacks are known as Distributed Denial of Service DDoS attacks For additional documentation please visit http docs fortinet com fortiddos Introduction to FortiDDoS Central Manager FortiDDoS CM This document provides a list of new features and known issues for FortiDDoS CMVM 5 3 0 build 0204 FortiDDoS CM is designed to manage mult...

Page 6: ...rove DNS Response Flood mitigation with asymmetric traffic and or where encrypted DNS is present Thresholds can be added as follows DNS Response Code No Error Threshold applied to DNS R Code 0 good Responses DNS Response Code Error Threshold applied to all DNS R Codes from 1 15 error Responses Note these thresholds are not automatically learned and are not adaptive They require manual setting by o...

Page 7: ...pport fortinet com Customer Service Support image checksum tool After logging in to the web site in the menus at the top of the page click Download and then click Firmware Image Checksums Alternatively near the bottom of the page click the Firmware Image Checksums button The button appears only if one or more of your devices have a current support contract In the Image File Name field enter the fi...

Page 8: ...e on HA cluster Upgrading Section 1 Upgrading using GUI Section 2 Upgrading via CLI Section 3 Upgrading via BIOS Sample console log Downgrading Factory reset Resolved issues Common Vulnerabilities Known issues For topics specific to FortiDDoS Central Manager see FortiDDoS CM 8 FortiDDoS 5 3 0 Release Notes Fortinet Technologies Inc ...

Page 9: ...500E l FortiDDoS 2000E l FortiDDoS 200B l FortiDDoS 400B l FortiDDoS 600B l FortiDDoS 800B l FortiDDoS 900B l FortiDDoS 1000B l FortiDDoS 1000B DC l FortiDDoS 1200B l FortiDDoS 2000B l FortiDDoS 2000B USG NOTE FortiDDoS A series models are not supported FortiDDoS 5 3 0 Release Notes Fortinet Technologies Inc 9 ...

Page 10: ... both systems in Standalone mode is important for this procedure 7 On the Slave system follow the upgrade procedure as instructed in the Release Note upgrading section This assumes that the traffic is currently on the Master system 8 Once the Slave system is upgraded leave the Slave in Standalone Mode and move traffic to the Slave 9 On the Master system follow the upgrade procedure as instructed i...

Page 11: ...ocedure 2 4 1 5 to 4 2 2 GUI CLI BIOS 1 Upgrade to 4 2 3 2 Upgrade to 5 3 0 Follow Step 3 3 4 2 3 to 5 2 0 GUI CLI BIOS 1 Upgrade directly to 5 3 0 Refer to sections 1 2 or 3 for detailed upgrade procedure Supported upgrade paths For E series Use the following instructions to upgrade to FortiDDoS 5 3 0 Steps Current Release Upgrade method Upgrade path 1 5 0 0 to 5 2 0 GUI CLI BIOS 1 Upgrade direct...

Page 12: ... the CLI Console window to connect and see the command prompt l Enter f cat var log upgrade_info txt l Check that the X Y Z number you see looks like the current Release of the system from the Dashboard page This file is needed to properly upgrade your system Example FI200B3914000071 f cat var log upgrade_info txt 4 7 0FI200B3914000071 l Back up your configuration before beginning this procedure l...

Page 13: ...esholds set to look for false positives and tune if needed Check for the volume of Anomalies It should be a few per 5 minute reporting cycle If there are many remove DNS Anomalies and contact Fortinet Support l If you upgraded from any Release between 4 2 0 and 5 0 0 For every other SPP about one week after the upgrade run Traffic Statistics and set System Recommended Thresholds This will create Th...

Page 14: ... Click OK to upload the file install the firmware and restart the system Always use Partition 2 for upgrades even if Partition 2 is showing a newer Release than Partition 1 From 4 2 3 partition choices will not be shown WARNING The upgrade takes several as long as 15 minutes longer for larger systems and the system will reboot once or twice depending on the Release During this time there is no pro...

Page 15: ...onsole SSH or Console access the command line and follow these steps a Enter diagnose debug rrd_cmd_check The console will display the percentage checked messages which may scroll off the screen depending on your access method Allow this to complete The system will return one of the following messages on success failure l RRD commands check successful The upgrade was successful Proceed with other ...

Page 16: ...lowing command to transfer the firmware image to the FortiDDoS system execute restore image tftp filename_str tftp_ipv4 where l filename_str is the name of the firmware image file l tftp_ipv4 is the IP address of the TFTP server For example if the firmware image file name is FDD_200B v5 3 0 build0204 FORTINET out and the IP address of the TFTP server is 172 30 153 105 enter FI900B3915000043 execut...

Page 17: ... to factory for repair Ideally leave the system for 20 minutes If the system has NOT recovered in that time contact Fortinet Support To verify that the firmware was successfully installed login and run get system status confirming the version information is correct Version FortiDDoS 200B v5 3 0 build0204 190912 TP2ASIC Version 5300098 Date Apr 22 2019 IP Reputation DB Not enabled Domain Reputation...

Page 18: ... 4 Reboot the system and when prompted press any key to display the BIOS configuration menu 5 Select option G so that the system can get the new firmware image from the TFTP server and load it when it reboots The following example shows the CLI sequence FI 1KBXXXXXXXXX execute reboot This operation will reboot the system Do you want to continue y n y System is rebooting The system is going down NO...

Page 19: ...ing the integrity of the firmware image Total 204800kB unzipped Save as Default firmware Backup firmware Run image without saving D B R d Press d Programming the boot device now Reading boot image 2791231 bytes Initializing FortiDDoS System is started 16 Set the management port IP address and gateway IP address using the console 17 If you saved and edited the configuration file restore it using th...

Page 20: ...200B 5 3 0 FW build0204 180612 Done 2 The system is going down NOW Please stand by while rebooting the system FortiDDoS 200B 20 41 06 12 2018 Ver 04000001 Serial number FI200B3914000081 RAM activation CPU 00 000306a9 bfebfbff MP initialization CPU 01 000306a9 bfebfbff MP initialization CPU 02 000306a9 bfebfbff MP initialization CPU 03 000306a9 bfebfbff MP initialization CPU 04 000306a9 bfebfbff MP...

Page 21: ...tiASIC TP 0 Checking update image on FPGA FortiASIC TP 0 Checking update image on FPGA OK GBL_RUPD_RECONFIG_STAT 0x3 FortiASIC TP 0 UPDATE FPGA OK WAIT FOR REBOOT FortiASIC TP 0 update finished FortiDDoS 200B 20 41 06 12 2018 Ver 04000001 Serial number FI200B3914000081 RAM activation CPU 00 000306a9 bfebfbff MP initialization CPU 01 000306a9 bfebfbff MP initialization CPU 02 000306a9 bfebfbff MP i...

Page 22: ...p boot device capacity 15272MB Press any key to display configuration menu Reading boot image 3713003 bytes Initializing FortiDDoS System is started FI200B3914000081 login 22 FortiDDoS 5 3 0 Release Notes Fortinet Technologies Inc ...

Page 23: ... the Management 1 port This will need to be set via CLI We do not recommend downgrading to releases earlier than 4 2 3 Downgrading from 5 3 0 and earlier versions You can use the web UI CLI or BIOS to downgrade from 5 3 0 and earlier releases You can downgrade directly to the release you want to use To downgrade firmware 1 Take a backup of your configuration Downgrade will delete the current confi...

Page 24: ... 900B 3 The system will reboot and reprogram the FPGA This takes about 10 15 min based on what appliance you are using WARNING Reboot or power fail during this process may result in unusable product requiring RMA 4 Once the system is up assign the IP address and restore the saved configuration System will reboot and apply the configuration The system should be ready to use 24 FortiDDoS 5 3 0 Relea...

Page 25: ...e a system to factory defaults with no customer configuration or traffic data do the following from CLI l execute formatlogdisk removes all traffic data l execute factoryreset removes all configurations FortiDDoS 5 3 0 Release Notes Fortinet Technologies Inc 25 ...

Page 26: ... new code in TP2 and TP3 SPUs can randomly result in a graceful recovery condition on an SPU The condition is logged and shown on the Dashboard Traffic Processor Status panel The result is a system bypass of the card default or a spontaneous reboot of the system to clear the processor depending on the settings In Global Settings Settings Settings Reboot On Graceful Recovery When the SPU is in grac...

Page 27: ... Vulnerabilities For inquiries about a particular bug please contact Fortinet Customer Service Support Mantis Id Description 602295 FortiDDoS is no longer vulnerable to CVE-2004-1653 FortiDDoS 5 3 0 Release Notes Fortinet Technologies Inc 27 ...

Page 28: ...03 The default all route IPv6 address 0 does not result in IPv6 blocking when entered in a Global ACL 400781 During very heavy attacks the Executive Summary DDoS Attack Log graph page may become unresponsive So far this has only been observed in the lab 404557 The system allows duplicate IP addresses or IP subnet masks between Global and SPP Address Config Global ACLs will take precedence 404713 I...

Page 29: ...testing Port Statistics and SPP Statistics graphs may not match exactly due to data collection timing 4 4 0 and 4 5 0 release improves this and we do not think this will affect real world information 464136 If you delete any report while generating a large number of reports the GUI may lose contact with the system and get locked Reloading the page and re login may be necessary 467210 During system...

Page 30: ...440064 When Global ACL list exceeds 8192 entries the GUI may not react to additional feature settings for the ACL item 531378 Rarely under heavy traffic lab conditions Sources may not age properly from the Source tables resulting in Hash and or Memory drops 531208 On HA pairs managed by FDD Central Manager FDD CM the Slave system will reboot in certain cases after doing a system configuration rest...

Page 31: ...oS CM Special Notes for CM What s new in FortiDDoS CM FortiDDoS CM hardware support Installing FortiDDoS CM Upgrading FortiDDoS CM Downgrading FortiDDoS CM Resolved issues in FortiDDoS CM Common Vulnerabilities Known issues in FortiDDoS CM For topics specific to FortiDDoS see FortiDDoS FortiDDoS 5 3 0 Release Notes Fortinet Technologies Inc 31 ...

Page 32: ... by FortiDDoS CM must be the same model FDD 1200B and FDD 2000B are treated as the same model and use same 5 3 0 firmware Managing groups of different models can be accomplished with separate FortiDDoS CM configurations which can be saved and reloaded as required to switch between groups of appliances This release does not support the following l Centralized graphical views or reporting All graphs...

Page 33: ... Some appliances may then have unused SPPs l All SPP Policies subnets must be identical and assigned to the same SPPs Some subnets may not be used in some appliances but they will appear in the SPP Policy List in all appliances Before attempting to configure FortiDDoS CM with several FortiDDoS Appliances contact Fortinet Support or your local CSE for assistance FortiDDoS 5 3 0 Release Notes Fortine...

Page 34: ... FortiDDoS CM supports all new features from FortiDDoS with the exception of Log Report Diagnostics ACL Search which must be done via a direct login to each appliance FortiDDoS CM supports all new features from FortiDDoS For more details refer to FortiDDoS CM Online Help 34 FortiDDoS 5 3 0 Release Notes Fortinet Technologies Inc ...

Page 35: ...ng hardware models l FortiDDoS 200B l FortiDDoS 400B l FortiDDoS 800B l FortiDDoS 1000B l FortiDDoS 1000B DC l FortiDDoS 1200B l FortiDDoS 2000B l FortiDDoS 2000B USG l FortiDDoS 1500E l FortiDDoS 2000E NOTE FortiDDoS A series and 600B 900B models are not supported FortiDDoS 5 3 0 Release Notes Fortinet Technologies Inc 35 ...

Page 36: ...ortiDDoS CM Installing FortiDDoS CM Installing FortiDDoS CM Refer to FortiDDoS Central Manager VM Installation Guide here for deploying a new VM 36 FortiDDoS 5 3 0 Release Notes Fortinet Technologies Inc ...

Page 37: ...version 3 Use the upload file controls to select the firmware image file out file 4 Click Upload to start the firmware upgrade WARNING While upgrading to 5 3 0 the VM may reboot twice 5 Clear your browser cache to avoid potential issues that can be caused by caching During upgrade the VM console will show upgrade progress information 6 Login and from Dashboard confirm that the firmware version is ...

Page 38: ...rom the VM s management network 3 Make sure TFTP server is running 4 Enter the following command to transfer the firmware image to the FortiDDoS CM system execute restore image tftp filename_str tftp_ipv4 WARNING While upgrading to 5 3 0 the VM may reboot twice 5 During upgrade the VM console will show upgrade progress information 6 Once the system is up login and verify the firmware version using...

Page 39: ...no default IP assigned to the Port 1 This will need to be set via VM console after the downgrade is complete Downgrading using GUI To downgrade using GUI 1 Go to CM dashboard 2 In system information widget use the Update link next to Firmware version 3 Use the upload file controls to select the firmware image file out file 4 Click Upload to start the firmware downgrade 5 Clear your browser cache t...

Page 40: ...nt network 3 Make sure TFTP server is running 4 Enter the following command to transfer the firmware image to the FortiDDoS CM system execute restore image tftp filename_str tftp_ipv4 5 During downgrade the VM console will show progress information 6 Login on the console and assign the IP address default gateway and DNS 7 Verify the firmware version using get system status 40 FortiDDoS 5 3 0 Relea...

Page 41: ...in FortiDDoS CM Common Vulnerabilities For inquiries about a particular bug please contact Fortinet Customer Service Support Mantis Id Description 602295 FortiDDoS is no longer vulnerable to CVE-2004-1653 FortiDDoS 5 3 0 Release Notes Fortinet Technologies Inc 41 ...

Page 42: ...rvice Support Mantis Id Description 531208 On HA pairs managed by FDD Central Manager FDD CM the Slave system will reboot in certain cases after doing a system configuration restore from FDD CM to the Master 593464 Log Report Diagnostics ACL Search is not available via the FDD Central Management GUI You must login directly to each FortiDDoS to perform the search 42 FortiDDoS 5 3 0 Release Notes Fo...

Page 43: ...Known issues in FortiDDoS CM FortiDDoS CM FortiDDoS 5 3 0 Release Notes Fortinet Technologies Inc 43 ...

Page 44: ...tinet enters a binding written contract signed by Fortinet s General Counsel with a purchaser that expressly warrants that the identified product will perform according to certain expressly identified performance metrics and in such event only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet For absolute clarity any such warranty w...