Technical Note : Pre-IPS Anomaly in hardware (NP2, NP4), also called fp_anomaly

cgustave · ‎06-04-2012

Purpose

Presents pre-ips anomaly feature available on NP2 and NP4 accelerators.

NP2 and NP4 are 2 types of network accelerators. They may be either on the FortiGate board or within an interface module.

Example for NP2:

on board: FortiGate310B, FortiGate 620B...
on interface module: ASM-FB4, ADM-FB8

Example for NP4:

on board: FortiGate1240B, FortiGate3140B, FortiGate3950B...
on interface module: ADM-XD4, RTM-XD2, FMC-XD2...

Scope

FortiGate with Network Processor (build-in or with module)

Diagram

Expectations, Requirements

Benefits

Efficient hardware accelerated protection against the following well known attacks:

icmp land (icmpland)
ip land (ipland)
ip with loose source record route option (iplsrr)
ip with record route (iprr)
ip with security option (ipsecurity)
ip with strict source source record option (ipssrr)
ip with stream option (ipstream)
ip with timestamp option (iptimestamp)
ip with unknown option (ipunknown_option)
ip with unknown protocol (ipunknown_prot)
tcp land (tcpland)
udp land (udplan)
tcp WinNuke attack (winnuke)

Expectations

fp_anomly are only defined on the physical interface, vlan interfaces all inherit from the physical port ( so protection on vlan sub-interfaces is possible)

attack can either be 'blocked and logged' (configuration keyword 'drop_') or justed 'logged' (configuration keyword 'pass_')

Limitations for NP4

on 4.3 code release: Available only on ADM-XD4, RTM-XD2 and FortiGate 1240B. Missing on 3950B, 3140B, 3040B, 600C, 1000C, 5001B, FMC-XD2. Bug #169706. Fixed in 5.0 code release

if fp_anomaly is configured on one port of an NP4, it would affect all other ports of the same NP4. Bug #171649. Hardware limitation, will not be fixed.

Configuration

fp_anomaly can only be configured through CLI.

config system interface
edit "port5"
set vdom "root"
set ip 10.96.0.191 255.255.252.0
set allowaccess ping https ssh http telnet
set type physical
set fp-anomaly drop_winnuke drop_tcpland drop_udpland drop_icmpland drop_ipland drop_iprr drop_ipssrr drop_iplsrr drop_ipstream drop_ipsecurity drop_iptimestamp drop_ipunknown_option
next

edit "port5_vlan93"
set vdom "root"
set ip 10.93.0.191 255.255.252.0
set allowaccess ping https ssh snmp http telnet
set interface "port5"
set vlanid 93
next
end
Refer also to the FortiGate CLI Guide.

Verification

Example of attack log detected by fp_anomaly:

Raw log output sample:

2012-06-04 16:57:46 log_id=0420018432 type=ips subtype=anomaly pri=alert severity=critical carrier_ep="N/A" profilegroup="N/A" profiletype="N/A" profile="N/A" src=172.31.227.254 dst=172.31.227.254 src_int="N/A" dst_int="N/A" policyid=N/A identidx=N/A serial=0 status=dropped proto=6 service=smtp vd="root" count=303 attack_name=TCP.Land src_port=2832 dst_port=25 attack_id=100663404 sensor="N/A" ref=http://www.fortinet.com/ids/VID100663404 user="N/A" group="N/A" msg="anomaly: TCP.Land, repeats 303 times"

Notes:

attack log is triggered when an attack is seen

a log update is triggered every 30 seconds if the attacks remains

possible to count the packet rate of the attack from the "repeat" field (in this example 303/30 = 10.1 packets/sec)

the log does not mention the port where the attack was detected

ips sensor show "N/A" because it is not defined in IPS profile