manualshive.com logo in svg

Fortinet FortiDDoS, Installation Manual

The Fortinet FortiDDoS Installation Manual is a comprehensive, user-friendly guide designed to assist you in easily set up and configure your FortiDDoS appliance. This manual is available as a free download from our website, ensuring you have all the necessary information to optimize your network security effortlessly.

Share
Download
background image

Installation & Initial Configuration 

Configuring the operating mode

FortiDDoS v3.2 Installation Guide
28-320-183686-20130401

15

http://docs.fortinet.com/

 • 

Feedback

Figure 11: 

Ports

2 Asymmetric Pair - External

: Connect LAN 2 and WAN 2 to external ports that 

copy the traffic for the other link. The task of copying is entrusted to an external 
source. Traffic from 2 uplinks is combined in both the FortiDDoS device using 
copies available on the auxiliary ports. 

3 Default Mode

: Connect LAN 2 to internal network and WAN 2 to the second 

Internet link. This mode is useful in case you want to connect 1 FortiDDoS device in 
an asymmetric network or a network having two Internet links. Traffic from 2 links is 
combined internally in the device. However, at the egress port, the traffic 
corresponds to the corresponding link. E.g. WAN 1 receives traffic from LAN 1 and 
vice versa. Similarly LAN 2 receives traffic from WAN 2 and versa.

Configuring

prevention or

detection mode

for a set of VIDs

in a specific

direction

To set the Prevention/Detection Mode of a set of VIDs, click

 

Configure > Global > 

Operating Mode

. Please refer to 

Figure 11

 above.

In 

Prevention/Detection Mode section

click the VIDs you want in Prevention Mode and 

leave the VIDs unchecked if you want them in Detection Mode. You can choose the 
modes in Inbound or Outbound or both directions.

Click 

Save

.

Configuring

bypass mode

Bypass is relevant in case of appliance management path failure. It is assumed that the 
data path failures are handled separately - in some cases using an external bypass 
switch. 

In case of Management Path failure, the user can choose one of the following:

1

Extrinsic Bypass

2

Intrinsic Bypass

3

No Bypass

Choose Extrinsic Bypass in case you want the external bypass switch to be enabled - 
implies no prevention.

Choose Intrinsic Bypass in case you want the intrinsic bypass to be triggered - in case 
you do not have external bypass switches and also implies no prevention.

Summary of Contents for FortiDDoS

Page 1: ...FortiDDoS v3 2 Installation Guide ...

Page 2: ...ether express or implied except to the extent Fortinet enters a binding written contract signed by Fortinet s General Counsel with a purchaser that expressly warrants that the identified product will perform according to the performance metrics herein For absolute clarity any such warranty will be limited to performance in the same ideal conditions as in Fortinet s internal lab tests Fortinet disc...

Page 3: ... 10 Connecting the management ports 10 Setting up network properties 10 Configuring interface settings 11 Checking system status 12 Configuring the operating mode 14 Serial mode 14 Configuring additional modes 14 Configuring prevention or detection mode for a set of VIDs in a specific direction 15 Configuring bypass mode 15 Configuring emergency bypass mode 16 Configuring link down synchronization...

Page 4: ...eat 23 Using copper 10 100 1000 bypass switch with heartbeat 23 Using traffic diversion in service provider environment 24 Traffic diversion 24 Traffic diversion using a single divert from and inject to router and a switch 26 Using load balancing to support higher bandwidth in service provider environment 29 Load balancing 29 Using FortiGuard IP Reputation Service 36 Configuring FortiGuard IP Repu...

Page 5: ... service provider environment Using FortiGuard IP Reputation Service Introduction This document explains the tasks required to initially install a FortiDDoS device in a network We assume that you have already read the FortiDDoS Fundamentals Guide and are familiar with the fundamental concepts related to FortiDDoS devices This document explains package contents system overview selecting a mode of o...

Page 6: ...N 4 and WAN 4 The FDD 300A has additional ports that are marked LAN 5 WAN 5 LAN 6 and WAN 6 USB keyboard port Use of the keyboard port is optional and is to be used during diagnostics on the console Serial Interface through USB port A serial console can be connected using a USB to serial adapter The console can be used for Command Line Interface CLI access for advanced usage Monitor port Use of mo...

Page 7: ...ted systems Figure 2 A simple network prior to installation of a FortiDDoS device In a simple network shown in Figure 2 a system is connected to an Ethernet local area network In the simplest configuration you can install a FortiDDoS unit as an inline device as shown in Figure 3 Figure 3 Network with a FortiDDoS device protecting a single system The appliance is stateful and bidirectional so a con...

Page 8: ...tups can protect multiple systems In a basic web hosting deployment a FortiDDoS device can protect systems in multiple customer cages as shown in Figure 5 You can either use a single VID system or a multiple VID system Please refer to the FortiDDoS Fundamentals Guide for concepts related to VID and the FortiDDoS Web Based Manager Guide for the actual configuration of VIDs Figure 5 Basic web hostin...

Page 9: ...eedback Managed hosting deployment with high availability Figure 6 shows another setup protecting multiple systems in a data center environment In this case two FortiDDoS devices independently protect the routers and the subsequent networks from DoS and DDoS attacks Figure 6 Managed hosting deployment with high availability ...

Page 10: ...t and the other end to the appliance itself Connecting the management ports To manage the FortiDDoS device via a web browser 1 Connect the 10 100 ethernet port to a workgroup switch router or use a crossover Ethernet cable to a computer with an HTML web browser The IP address of the management port is preset to 192 168 1 1 2 You must first access the FortiDDoS device using this IP address but you ...

Page 11: ...ice are connected have to be described clearly to the device so that it can communicate with the networks without any errors You must know the network settings before installing FortiDDoS device The existing switches routers firewalls have their ports set to certain speed duplexity and flow control mode With those settings in mind you must set the values in the Configure Global Card 1 Interface Se...

Page 12: ...e pages will also tell you if the sendmail service is operational This service can be used in conjunction with the Event Monitor to notify you or other email recipients of system events This can be configured under the Configure Current VID Event Notification menu For the FortiDDoS device to send a mail message it must be able to contact a Domain Name Server DNS to resolve the domain name of the e...

Page 13: ...em status FortiDDoS v3 2 Installation Guide 28 320 183686 20130401 13 http docs fortinet com Feedback Figure 8 Status page for FortiDDoS devices with copper connections Part 1 Figure 9 Status page for FortiDDoS devices with copper connections Part 2 ...

Page 14: ...ge bypass switches for failover protection For other bypass switches available in the market please contact your Sales Engineer to check if it is qualified to work with FortiDDoS appliances Refer to Configuration Options on page 22 Direction Based VID Based Prevention Mode Prevention Mode for a set of chosen VIDs in a specific direction is the full function operating mode of the FortiDDoS device P...

Page 15: ...rly LAN 2 receives traffic from WAN 2 and versa Configuring prevention or detection mode for a set of VIDs in a specific direction To set the Prevention Detection Mode of a set of VIDs click Configure Global Operating Mode Please refer to Figure 11 above In Prevention Detection Mode section click the VIDs you want in Prevention Mode and leave the VIDs unchecked if you want them in Detection Mode Y...

Page 16: ...n a segment when one of the links goes down The device monitors the link state for a pair of ports which are protecting a segment These correspond to LAN 1 connected to LAN or WAN 1 connected to the Internet Similarly for Dual WAN Link mode these ports correspond to LAN 2 and WAN 2 If the link goes down on either port the partner port is disabled Link Down Synchronization once enabled propagates t...

Page 17: ...ose that you do not need Figure 12 Network with FortiDDoS protecting multiple VIDs Configuring VIDs To configure a VID 1 From the main menu click Configure Global VIDs 2 Simply enter the following information Subnet ID This ID is used to for subnet based reporting Administrator can generate attack event report for individual subnets You can enter up to 512 subnets Please refer to the datasheet of ...

Page 18: ...iled description of VID configuration please refer to the Web based Manager Administration Guide Performing a sanity test The following steps can serve as a simple demonstration of how FortiDDoS devices block traffic To run the demo the network configuration should be in serial prevention mode as shown in Figure 13 The protected server should respond to ICMP Echo ping packets and a connected syste...

Page 19: ... ping packet to the specified address every 0 1 seconds until 100 packets are sent This is the equivalent of 10 packets per second for 10 seconds Following is a screen capture from an actual ping flood test Notice that the first few pings are allowed to pass and receive a response As soon as the rate per second rises above the threshold somewhere in the first 11 packets the FortiDDoS device blocks...

Page 20: ...shows the properties of all events that have occurred for a selected period of time Event Monitor provides a comprehensive way to display network attacks so that users can investigate them intuitively Users can choose a particular date range or number of events to be displayed In addition FortiDDoS devices provide categorized event entries as well as VID and database choices so that users can see ...

Page 21: ...face provides several granular event reports to summarize the past attack events You can see the reports for each VID independently The detailed description of these reports is available in the FortiDDoS Web based Manager Guide Corresponding to the ping test activity will appear in the following reports Top Attacked Services and Top Attacked ICMP Type and Code Top Attacked Protocols Top Attacks ...

Page 22: ...still be maintained As shown in Figure 15 when the bypass switch is in disabled mode the in line traffic continues to flow through the FortiDDoS device This is the default mode Figure 15 Bypass Switch in Disabled Mode As shown in Figure 16 when the bypass switch is in bypass enabled mode all in line traffic is routed through the bypass switch In this mode the switch allows the FortiDDoS device to ...

Page 23: ...d restores the traffic through the FortiDDoS device as soon as the link is restored Configuring the optical bypass switch Refer to the FortiBridge QuickStart Guide and FortiGate Hardware Guide to set the following parameters Input timeout period Input retry count Connecting the optical bypass switch to the network 1 Connect the INT 1 port to the Server side 2 Connect the EXT 1 port to the Internet...

Page 24: ...al mode To ensure passage of the heartbeat packets FortiDDoS allows you to configure the MAC addresses of the bypass switch These MAC addresses are used by the bypass switch for the heartbeat packets FortiBridge appliance allows you to view the MAC addresses in the status page Every FortiDDoS link pair can be connected via a FortiBridge link pair E g LAN1 WAN1 can be bridged via a FortiBridge link...

Page 25: ...ivert from Router Router 1 is used to divert the traffic to the attacked destination This traffic passes through the FortiDDoS device The traffic is then forwarded to the Inject to Router Router 2 These two interfaces are in the same network 192 168 1 x and therefore an ARP request from Router 1 for 192 168 1 2 passes through the FortiDDoS device and reaches Router 2 and Router 2 can respond back ...

Page 26: ...rom the attacked destination This traffic passes through the FortiDDoS device through a switch The traffic is then forwarded to the Inject to interface on the same Router through the same switch A static route is added on the Router for addresses for the attacked customer network Having the longest matching prefix the rule matches first and therefore all traffic to attacked customer network is div...

Page 27: ...itEthernet1 0 5 interface GigabitEthernet1 0 6 interface GigabitEthernet1 0 7 interface GigabitEthernet1 0 8 interface GigabitEthernet1 0 9 interface GigabitEthernet1 0 10 switchport access vlan 2 interface GigabitEthernet1 0 11 ip address 10 100 0 250 255 255 255 0 no ip directed broadcast ip policy route map FDD X00A PBR interface GigabitEthernet1 0 12 interface Vlan2 ip address 10 1 0 251 255 2...

Page 28: ...ort trunk encapsulation dot1q interface GigabitEthernet1 0 3 switchport access vlan 3 interface GigabitEthernet1 0 4 switchport access vlan 3 switchport trunk encapsulation dot1q interface GigabitEthernet1 0 5 interface GigabitEthernet1 0 6 interface GigabitEthernet1 0 7 interface GigabitEthernet1 0 8 interface GigabitEthernet1 0 9 interface GigabitEthernet1 0 10 switchport access vlan 2 interface...

Page 29: ...t higher bandwidth in service provider environment Load balancing Many data center architectures require protecting network infrastructure and server farms With these requirements becoming more prevalent traffic requirements on some networks may exceed the capabilities of the FortiDDoS appliance Furthermore the FortiDDoS devices in such network topologies could potentially become a network bottlen...

Page 30: ...ss interfaces of the peer device behind the FortiDDoS device For this to work each FortiDDoS device must reside in a different VLAN and subnet and the physical ports connected to the FortiDDoS device must be on different VLANs as well In addition for each VLAN both load balancers must be in the same subnet Each load balancer interface and the FortiDDoS device connected to it reside in a separate V...

Page 31: ...rrect FortiDDoS device On the path to the intranet Load Balancing Switch 1 LBS1 balances traffic across VLANs 101 102 and 103 through the firewalls to Load Balancing Switch 2 On the path to the Internet Load Balancing Switch 2 LBS2 balances traffic across VLANs 201 202 and 203 through the FortiDDoS device to Load Balancing Switch 1 Each Load Balancing Switch uses the alias IP addresses configured ...

Page 32: ... 82 show run Current Configuration System Description FortiSwitch 248B DPS 48x1G 4x10G System Software Version 5 2 0 2 4 serviceport ip 192 168 22 98 255 255 255 0 0 0 0 0 vlan database vlan name 10 egress vlan name 11 ingress exit port channel egress 1 interface 0 1 channel group 1 1 exit interface 0 3 channel group 1 1 exit interface 0 5 channel group 1 1 exit interface 0 7 channel group 1 1 exi...

Page 33: ...face 0 4 channel group 1 2 exit interface 0 6 channel group 1 2 exit interface 0 8 channel group 1 2 exit interface 0 10 channel group 1 2 exit interface 0 12 channel group 1 2 exit interface 0 14 channel group 1 2 exit interface 0 16 channel group 1 2 exit mac addr table aging time 60000 interface 0 1 no cdp run switchport allowed vlan add 10 exit interface 0 2 no cdp run exit interface 0 3 no cd...

Page 34: ... no cdp run exit interface 0 9 no cdp run exit interface 0 10 no cdp run exit interface 0 11 no cdp run exit interface 0 12 no cdp run exit interface 0 13 no cdp run exit interface 0 14 no cdp run exit interface 0 15 no cdp run exit interface 0 16 no cdp run exit interface 0 17 no cdp run switchport allowed vlan add 10 switchport native vlan 10 exit interface 0 18 no cdp run switchport allowed vla...

Page 35: ...e 1 1 staticcapability switchport allowed vlan add 10 switchport native vlan 10 lacp collector max delay 0 exit interface 1 2 staticcapability switchport allowed vlan add 11 switchport native vlan 11 lacp collector max delay 0 exit interface 1 3 staticcapability switchport allowed vlan add 10 switchport tagging 10 lacp collector max delay 0 exit interface 1 4 staticcapability switchport allowed vl...

Page 36: ...ng non existent attacks takes up valuable resources If a malicious machine attacks a target in one location the rest of the global network needs to find out fast in order to pre empt the next wave FortiGuard IP Reputation Service provides the updates FortiGuard IP Reputation Service Protects against malicious sources associated with web attacks phishing activity web scanning scraping etc Blocks la...

Page 37: ......

Reviews:

No comments

Related manuals for FortiDDoS

Da-Lite Model B Instruction Book preview
Model B
Brand: Da-Lite Pages: 2
Connex Protec 28 Manual preview
Protec 28
Brand: Connex Pages: 3
WAPRO WASTOP FLOOR DRAIN Installation Instructions Manual preview
WASTOP FLOOR DRAIN
Brand: WAPRO Pages: 10
Philips 55P9271 Specifications preview
55P9271
Brand: Philips Pages: 2
Philips 51PP9363H Specifications preview
51PP9363H
Brand: Philips Pages: 2
Philips 51PP9200D Specifications preview
51PP9200D
Brand: Philips Pages: 2
Philips 51 IN DIGITAL WIDESCREEN HDTV MONITOR 51PW9363 Specifications preview
51 IN DIGITAL WIDESCREEN HDTV MONITOR 51PW9363
Brand: Philips Pages: 2
Philips 51 IN DIGITAL WIDESCREEN HDTV MONITOR 51PW9303 Specifications preview
51 IN DIGITAL WIDESCREEN HDTV MONITOR 51PW9303
Brand: Philips Pages: 2
Philips 50PP9202 Specifications preview
50PP9202
Brand: Philips Pages: 2
Philips 50PP8545/69 Specifications preview
50PP8545/69
Brand: Philips Pages: 2
Philips 50P8342 Specifications preview
50P8342
Brand: Philips Pages: 2
Philips 50P 8341 Specifications preview
50P 8341
Brand: Philips Pages: 2
Philips 51PP9303H Quick Use And Setup Manual preview
51PP9303H
Brand: Philips Pages: 8
Philips 51-HDTV MONITOR PROJECTION TV 51PP9363H-17B Function Manual preview
51-HDTV MONITOR PROJECTION TV 51PP9363H-17B
Brand: Philips Pages: 8
Philips 50-DLP-PROJECTION HDTV PIXEL PLUS 50PL9126D - Stands/Wall mount Assembly Instructions Manual preview
50-DLP-PROJECTION HDTV PIXEL PLUS 50PL9126D - Stands/Wall mount
Brand: Philips Pages: 8
Philips 50-DLP-PROJECTION HDTV PIXEL PLUS 50PL9126D - Stands/Wall mount User Manual preview
50-DLP-PROJECTION HDTV PIXEL PLUS 50PL9126D - Stands/Wall mount
Brand: Philips Pages: 42
Philips 50YP43 (Spanish) Manual preview
50YP43
Brand: Philips Pages: 53
Philips 55P9271 Instructions For Use Manual preview
55P9271
Brand: Philips Pages: 60

Brands by name

Popular brands

Load more brands