FortiGate, v4.5.2 and earlier.
# config firewall DoS-policy
    edit 1
        set interface "fortinet-mkz"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "icmp_flood"
                set status enable
                set log enable
                set action block
                set threshold 10
            next
            edit "icmp_sweep"
                set status enable
                set log enable
                set threshold 50
            next
        end
    next
end
ping 10.0.66.125 <-- Normal Ping
PING 10.0.66.125 (10.0.66.125) 56(84) bytes of data.
64 bytes from 10.0.66.125: icmp_seq=1 ttl=57 time=3.98 ms
64 bytes from 10.0.66.125: icmp_seq=2 ttl=57 time=9.47 ms
64 bytes from 10.0.66.125: icmp_seq=3 ttl=57 time=5.61 ms
# diagnose sniffer packet any 'host 10.0.66.125' 4
interfaces=[any]
filters=[host 10.0.66.125]
1.430369 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
1.430468 wan1 out 192.168.157.102 -> 10.0.66.125: icmp: echo request
1.433480 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
1.433508 fortinet-mkz out 10.0.66.125 -> 192.168.100.2: icmp: echo reply
# diagnose ips anomaly list <-- At a normal ping rate the IPS does not detect an attack (the icmp_flood meter shows pps=1, below the threshold of 10)
list nids meter:
id=icmp_flood ip=10.0.2.1 dos_id=1 exp=925 pps=1 freq=1
total # of nids meters: 1.
ping -f 10.0.66.125 <-- Flood ping: the IPS detects the attack, flags it as anomalous and blocks it:
PING 10.0.66.125 (10.0.66.125) 56(84) bytes of data.
..........................................................................................................................................^C
--- 10.0.66.125 ping statistics ---
313 packets transmitted, 10 received, 96% packet loss, time 3818ms
rtt min/avg/max/mdev = 3.397/5.248/8.711/1.726 ms, ipg/ewma 12.239/5.291 ms
# diagnose ips anomaly list
list nids meter:
id=icmp_flood ip=10.0.2.1 dos_id=1 exp=967 pps=0 freq=1
id=icmp_flood ip=10.0.66.125 dos_id=1 exp=999 pps=26 freq=82 <-- IPS flags this traffic as anomalous and stops it
id=icmp_sweep ip=192.168.100.2 dos_id=1 exp=867 pps=1 freq=1
total # of nids meters: 3.
# diagnose sniffer packet any 'host 10.0.66.125' 4
interfaces=[any]
filters=[host 10.0.66.125]
16.690731 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.691085 wan1 out 192.168.157.102 -> 10.0.66.125: icmp: echo request
16.693971 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.694024 fortinet-mkz out 10.0.66.125 -> 192.168.100.2: icmp: echo reply
16.697226 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.697316 wan1 out 192.168.157.102 -> 10.0.66.125: icmp: echo request
16.701217 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.701254 fortinet-mkz out 10.0.66.125 -> 192.168.100.2: icmp: echo reply
16.704971 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.705044 wan1 out 192.168.157.102 -> 10.0.66.125: icmp: echo request
16.708836 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.708863 fortinet-mkz out 10.0.66.125 -> 192.168.100.2: icmp: echo reply
16.710846 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.710935 wan1 out 192.168.157.102 -> 10.0.66.125: icmp: echo request
16.712585 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.712616 fortinet-mkz out 10.0.66.125 -> 192.168.100.2: icmp: echo reply
16.713966 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.714039 wan1 out 192.168.157.102 -> 10.0.66.125: icmp: echo request
16.716082 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.716099 fortinet-mkz out 10.0.66.125 -> 192.168.100.2: icmp: echo reply
16.717341 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.717423 wan1 out 192.168.157.102 -> 10.0.66.125: icmp: echo request
16.719580 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.719600 fortinet-mkz out 10.0.66.125 -> 192.168.100.2: icmp: echo reply
16.720837 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.720912 wan1 out 192.168.157.102 -> 10.0.66.125: icmp: echo request
16.723827 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.723849 fortinet-mkz out 10.0.66.125 -> 192.168.100.2: icmp: echo reply
16.725961 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.726044 wan1 out 192.168.157.102 -> 10.0.66.125: icmp: echo request
16.728232 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.728252 fortinet-mkz out 10.0.66.125 -> 192.168.100.2: icmp: echo reply
16.734709 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.734793 wan1 out 192.168.157.102 -> 10.0.66.125: icmp: echo request
16.738069 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.738091 fortinet-mkz out 10.0.66.125 -> 192.168.100.2: icmp: echo reply
16.739328 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.739412 wan1 out 192.168.157.102 -> 10.0.66.125: icmp: echo request
16.741817 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.741839 fortinet-mkz out 10.0.66.125 -> 192.168.100.2: icmp: echo reply
16.743700 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request <-- The flood is still received on the ingress interface; from here on the FortiGate drops it, so no request is forwarded out wan1 and no reply comes back
16.766189 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.778306 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.795423 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.804292 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.815537 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.826152 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.838150 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.850268 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.862386 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.874254 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.886121 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.898122 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.909857 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.922225 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.935345 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.946212 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.958081 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.970199 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.981941 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
17.232540 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
17.232581 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
17.232676 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
17.232800 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
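The two captures above show the same thing from two angles: the sniffer shows 10 answered echo requests followed by requests that are received but never forwarded, and the anomaly list shows the icmp_flood meter for 10.0.66.125 at pps=26 against a configured threshold of 10. The following script, added here as an example and not part of the Fortinet article or FortiOS, parses both outputs offline: it replays sniffer lines against a simplified model of the icmp_flood threshold (a sliding one-second window of ingress echo requests per destination; that model is an assumption, not the FortiOS implementation), reports requests versus replies per destination, and flags anomaly-list meters whose pps exceeds the policy thresholds. The sample sniffer text is constructed from the capture above (shortened to one full exchange, then only the ingress requests and the returning replies); the anomaly-list sample is the page's own output.

```python
"""Added example (not FortiOS code): replay FortiGate 'diagnose sniffer packet'
output against a simplified icmp_flood model and parse 'diagnose ips anomaly list'.
The meter model (sliding 1-second window per destination) is an assumption."""
import re
from collections import defaultdict, deque

SNIFFER_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<iface>\S+) (?P<dir>in|out) "
    r"(?P<src>\S+) -> (?P<dst>\S+): icmp: echo (?P<kind>request|reply)$"
)
METER_RE = re.compile(r"^id=(?P<id>\S+) ip=(?P<ip>\S+) (?P<rest>.*)$")

# Thresholds from the DoS policy in the article.
THRESHOLDS = {"icmp_flood": 10, "icmp_sweep": 50}

# Constructed sample modelled on the article's capture: the first 10 ingress
# requests are answered, the last 5 are received but never forwarded or answered.
SAMPLE_SNIFFER = """\
interfaces=[any]
filters=[host 10.0.66.125]
16.690731 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.691085 wan1 out 192.168.157.102 -> 10.0.66.125: icmp: echo request
16.693971 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.694024 fortinet-mkz out 10.0.66.125 -> 192.168.100.2: icmp: echo reply
16.697226 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.701217 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.704971 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.708836 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.710846 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.712585 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.713966 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.716082 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.717341 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.719580 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.720837 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.723827 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.725961 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.728232 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.734709 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.738069 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.739328 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.741817 wan1 in 10.0.66.125 -> 192.168.157.102: icmp: echo reply
16.743700 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.766189 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.778306 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.795423 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
16.804292 fortinet-mkz in 192.168.100.2 -> 10.0.66.125: icmp: echo request
"""

# Anomaly-list output as shown in the article during the flood.
SAMPLE_ANOMALY_LIST = """\
list nids meter:
id=icmp_flood ip=10.0.2.1 dos_id=1 exp=967 pps=0 freq=1
id=icmp_flood ip=10.0.66.125 dos_id=1 exp=999 pps=26 freq=82
id=icmp_sweep ip=192.168.100.2 dos_id=1 exp=867 pps=1 freq=1
total # of nids meters: 3.
"""


def parse_sniffer(text):
    """Return one dict per ICMP echo line; header and non-matching lines are skipped."""
    pkts = []
    for line in text.splitlines():
        m = SNIFFER_RE.match(line.strip())
        if m:
            pkt = m.groupdict()
            pkt["ts"] = float(pkt["ts"])
            pkts.append(pkt)
    return pkts


def reply_ratio(pkts):
    """Per destination: ingress echo requests versus echo replies that came back."""
    stats = defaultdict(lambda: {"requests": 0, "replies": 0})
    for p in pkts:
        if p["dir"] != "in":
            continue
        if p["kind"] == "request":
            stats[p["dst"]]["requests"] += 1
        else:
            stats[p["src"]]["replies"] += 1
    return dict(stats)


def icmp_flood_model(pkts, threshold, window=1.0):
    """Simplified icmp_flood meter (assumption): count ingress echo requests per
    destination within a sliding window; once the count exceeds the threshold,
    further requests in that window are marked as blocked."""
    recent = defaultdict(deque)
    result = defaultdict(lambda: {"passed": 0, "blocked": 0})
    for p in pkts:
        if p["dir"] != "in" or p["kind"] != "request":
            continue
        q = recent[p["dst"]]
        q.append(p["ts"])
        while q and p["ts"] - q[0] >= window:
            q.popleft()
        verdict = "blocked" if len(q) > threshold else "passed"
        result[p["dst"]][verdict] += 1
    return dict(result)


def parse_anomaly_list(text):
    """Parse 'id=... ip=... k=v ...' meter lines into dicts with integer counters."""
    meters = []
    for line in text.splitlines():
        m = METER_RE.match(line.strip())
        if not m:
            continue
        meter = {"id": m.group("id"), "ip": m.group("ip")}
        for kv in m.group("rest").split():
            key, value = kv.split("=", 1)
            meter[key] = int(value)
        meters.append(meter)
    return meters


def meters_over_threshold(meters, thresholds):
    """Return (anomaly id, ip) for meters whose current pps exceeds the policy threshold."""
    return [(m["id"], m["ip"]) for m in meters
            if m["id"] in thresholds and m["pps"] > thresholds[m["id"]]]


if __name__ == "__main__":
    pkts = parse_sniffer(SAMPLE_SNIFFER)
    print(reply_ratio(pkts))
    print(icmp_flood_model(pkts, threshold=THRESHOLDS["icmp_flood"]))
    print(meters_over_threshold(parse_anomaly_list(SAMPLE_ANOMALY_LIST), THRESHOLDS))
```

On the constructed sample the model passes exactly 10 requests to 10.0.66.125 and marks the remaining 5 as blocked, which matches the 10 replies seen in the capture and in the `ping -f` statistics; the anomaly-list parser flags only the icmp_flood meter for 10.0.66.125 (pps=26 > 10), while the icmp_sweep meter at pps=1 stays below its threshold of 50. Raising the threshold to 50 in the model lets every request through, which is the quick way to sanity-check a threshold value against a saved capture before changing the policy.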
Copyright 2024 Fortinet, Inc. All Rights Reserved.