FortiDDoS v3.2
Installation Guide

Summary of Contents for Fortinet FortiDDoS

  • Page 1 FortiDDoS v3.2 Installation Guide...
  • Page 2 , FortiGate, and FortiGuard are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance metrics contained herein were attained in internal lab tests under ideal conditions, and performance may vary.
  • Page 3: Table Of Contents

    Assigning Virtual Identifiers (VIDs) to protect systems (16); Configuring VIDs (17); Performing a sanity test (18); Steps for performing a ping test (18); Monitoring events (20); Showing traffic (20); Showing event reports (21). FortiDDoS v3.2 Installation Guide 28-320-183686-20130401 http://docs.fortinet.com/ • Feedback...
  • Page 4 Traffic diversion using a single divert-from and inject-to router and a switch (26); Using load balancing to support higher bandwidth in service provider environment (29); Load balancing (29); Using FortiGuard IP Reputation Service (36); Configuring FortiGuard IP Reputation Service (36).
  • Page 5: Introduction

    • Using FortiGuard IP Reputation Service. Introduction: This document explains the tasks required to initially install a FortiDDoS device in a network. We assume that you have already read the FortiDDoS Fundamentals Guide, and are familiar with the fundamental concepts related to FortiDDoS devices. This...
  • Page 6: Simple Deployment Overview

    FDD-300A contains three Traffic Processing Boards. Data ports on each TP Board: There are two pairs of Ethernet ports located on the back panel of the FortiDDoS device. There are copper and SFP ports. At a given time, you can use either copper or fiber for a link.
  • Page 7: Simple Deployment

    Figure 1: Back panel of a FortiDDoS 100A device with copper and fiber interfaces and the management interfaces. Simple deployment: The FortiDDoS device is designed to protect a system or a network of systems from rate-based attacks and anomaly attacks. If multiple systems or workgroups are...
  • Page 8: Basic Web Hosting Deployment

    Figure 4: Recommended directionality of FortiDDoS devices. Basic web hosting: More complex setups can protect multiple systems. In a basic web hosting deployment, a FortiDDoS device can protect systems in multiple customer cages as shown in Figure 5.
  • Page 9: Managed Hosting Deployment With High Availability

    In this case two FortiDDoS devices independently protect the routers and the subsequent networks from DoS and DDoS attacks. Figure 6: Managed hosting deployment with high availability.
  • Page 10: Installation & Initial Configuration

    Follow these steps to install the system. Connecting the power cord: 1 Take the FortiDDoS device out of the box and make sure the power switch is off. 2 Connect one end of the power cord to an appropriate 110/220 outlet and the other end to the appliance itself.
  • Page 11: Configuring Interface Settings

    E-mail summaries of events. E-mail cannot be sent until valid addresses are configured for these fields. 4 The host name is used to logically name the FortiDDoS system for easy reference. The following table contains the default IP addresses and name assignments of your FortiDDoS device.
  • Page 12: Checking System Status

    This can be configured under the Configure > Current VID > Event Notification menu. For the FortiDDoS device to send a mail message, it must be able to contact a Domain Name Server (DNS) to resolve the domain name of the email addresses. The status page will indicate whether the system is able to reach a DNS server.
  • Page 13 Figure 8: Status page for FortiDDoS devices with copper connections - Part 1. Figure 9: Status page for FortiDDoS devices with copper connections - Part 2.
  • Page 14: Configuring The Operating Mode

    Data passes through the FortiDDoS device as it travels to and from the protected system(s) and the rest of the network. After a sufficient learning period of 2-14 days, the FortiDDoS device should be placed inline (in Prevention mode).
  • Page 15: Configuring Prevention Or Detection Mode For A Set Of Vids In A Specific Direction

    3 Default Mode: Connect LAN 2 to internal network and WAN 2 to the second Internet link. This mode is useful in case you want to connect 1 FortiDDoS device in an asymmetric network or a network having two Internet links. Traffic from 2 links is combined internally in the device.
  • Page 16: Configuring Emergency Bypass Mode

    In the Bypass Mode section, select one of the above bypass modes. Click Save. Configuring emergency bypass mode: At certain times, to eliminate the possibility of malfunction of the FortiDDoS device, you may want to bypass the device logic while keeping the device inline. To achieve this, you can keep the appliance in Emergency Bypass Mode.
  • Page 17: Configuring Vids

    Figure 12: Network with FortiDDoS protecting multiple VIDs Note: It is recommended that you use a single network switch between the FortiDDoS device and protected systems. The goal is to avoid inserting any potential source of attack traffic that does not pass through the device.
  • Page 18: Performing A Sanity Test

    Web-based Manager Administration Guide. Performing a sanity test: The following steps can serve as a simple demonstration of how FortiDDoS devices block traffic. To run the demo, the network configuration should be in serial prevention mode as shown in Figure 13.
  • Page 19 As soon as the rate per second rises above the threshold (somewhere in the first 11 packets), the FortiDDoS device blocks all ICMP packets for the 10 second threshold. After the blocking period, ICMP packets are again allowed until the threshold is reached.
  • Page 20: Monitoring Events

    Refer to the DDoS Fundamentals Guide for further details. Showing traffic: The FortiDDoS user interface provides several granular traffic graphs. You can see the traffic through each VID independently. The detailed description of these graphs is available in the FortiDDoS Web-based Manager Guide.
  • Page 21: Showing Event Reports

    Showing event reports: The FortiDDoS device user interface provides several granular event reports to summarize the past attack events. You can see the reports for each VID independently. The detailed description of these reports is available in the...
  • Page 22: Configuration Options

    Bypass switches are useful for failover purposes. They can be used for the occasional maintenance required for FortiDDoS devices. Passive bypass switches are useful in case of power failure. If both the FortiDDoS device and the failover switch share the same power, external connectivity can still be maintained.
  • Page 23: Using An Optical Bypass Switch With Heartbeat

    If the optical bypass switch does not receive the heartbeat back, it automatically switches network traffic to bypass the unresponsive FortiDDoS device - even if the device is still receiving power. The optical bypass continues to send the heartbeat and restores the traffic through the FortiDDoS device as soon as the link is restored.
  • Page 24: Using Traffic Diversion In Service Provider Environment

    1 Connect the INT 1 port to the Server side. 2 Connect the EXT 1 port to the Internet side. 3 Connect the INT 2 port to the Server Port of the FortiDDoS device. 4 Connect the EXT 2 port to the Internet Port of the FortiDDoS device.
  • Page 25 The FortiDDoS device is a layer-2 bridge and therefore does not have either a MAC address or an IP address in the data path (the path of the packets). To allow such diversions, you must therefore connect the device to interfaces on the routers or switches that have a routable IP address.
  • Page 26: Traffic Diversion Using A Single Divert-From And Inject-To Router And A Switch

    Based Routing (PBR) available in most routers. This allows routing based on source address of the packets and interface to be routed via an address. Figure 19: Traffic diversion using a single divert-from and inject-to router and a FortiDDoS unit.
  • Page 27
    192.168.100.51 255.255.255.0
    ip classless
    ip route 207.117.1.0 255.255.255.0 10.1.0.250
    ip access-list extended zone-A
     permit ip any 207.117.0.0 0.0.0.255
    route-map FDD-X00A-PBR permit 100
     match ip address zone-A
     set ip next-hop 10.200.0.254
  • Page 28
    2
    interface GigabitEthernet1/0/11
     switchport access vlan 5
    interface GigabitEthernet1/0/12
     switchport access vlan 4
    interface Vlan1
     no ip address
    interface Vlan3
     ip address 192.168.100.50 255.255.255.0
    interface Vlan4
     ip address 10.100.0.250 255.255.255.0
    interface Vlan5
  • Page 29: Using Load Balancing To Support Higher Bandwidth In Service Provider Environment

    Balancer configuration. Load Balancing utilizes all the appliances concurrently, providing overall improved performance, scalability and availability. The FortiDDoS device is a layer-2 bridge and therefore does not have either a MAC address or an IP address in the data path (the path of the packets). For transparent bridges, the Load Balancer receives a packet, makes a load balancing decision, and forwards the packet to a FortiDDoS device.
  • Page 30 IP address source and destination pairs flows through the same FortiDDoS unit. • Performs health checks on all paths through the FortiDDoS devices. If any path is not operational, the load balancer diverts traffic away from that path, maintaining connectivity across the FortiDDoS devices.
  • Page 31 21, traffic flows through the FortiDDoS devices and the devices filter the traffic in both directions. FortiDDoS devices do not have IP addresses on VLANs. Instead, you configure alias IP addresses on each switch interface to which the FortiDDoS device connects. The Load Balancing Switches use the alias IP addresses to direct traffic to the correct FortiDDoS device.
  • Page 32 Figure 21: Using VLANs and FortiDDoS devices in sandwich topology. Switch Configuration for load balancing:
    (clientSide-84.82) #show run
    !Current Configuration:
    !System Description "FortiSwitch-248B-DPS 48x1G & 4x10G"
    !System Software Version "5.2.0.2.4"...
  • Page 33
    10
    exit
    interface 0/2
    no cdp run
    exit
    interface 0/3
    no cdp run
    exit
    interface 0/4
    no cdp run
    exit
    interface 0/5
    no cdp run
    exit
    interface 0/6
    no cdp run
    exit
  • Page 34
    0/17
    no cdp run
    switchport allowed vlan add 10
    switchport native vlan 10
    exit
    interface 0/18
    no cdp run
    switchport allowed vlan add 11
    switchport native vlan 11
    exit
  • Page 35
    1/4
    staticcapability
    switchport allowed vlan add 11
    switchport tagging 11
    lacp collector max-delay 0
    exit
    router rip
    exit
    router ospf
    exit
    exit
    (clientSide-84.82) #
    (clientSide-84.82) #show load-balance
    Hash Mode: src-dst-ip-ipport
  • Page 36: Using Fortiguard Ip Reputation Service

    • Automatically downloads • Includes analysis tools to better understand origin of attack using Geo IP location. Configuring FortiGuard IP Reputation Service: After purchasing the service and registering your FortiDDoS serial number with FortiGuard, refer to the FortiDDoS Web-based Manager Reference Guide to configure access control lists using IP reputation and schedule IP reputation list updates.
