Fortinet Fortiddos User manual

FortiDDoS v3.2

Installation Guide

April 1, 2013

28-320-183686-20130401

are registered trademarks of Fortinet, Inc., and other Fortinet names herein may also be

trademarks of Fortinet. All other product or company names may be trademarks of their

respective owners. Performance metrics contained herein were attained in internal lab

tests under ideal conditions, and performance may vary. Network variables, different

network environments and other conditions may affect performance results. Nothing

herein represents any binding commitment by Fortinet, and Fortinet disclaims all

warranties, whether express or implied, except to the extent Fortinet enters a binding

written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly

warrants that the identified product will perform according to the performance metrics

herein. For absolute clarity, any such warranty will be limited to performance in the same

ideal conditions as in Fortinet’s internal lab tests. Fortinet disclaims in full any guarantees.

Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication

without notice, and the most current version of the publication shall be applicable.

Technical Documentation docs.fortinet.com

Knowledge Base kb.fortinet.com

Customer Service & Support support.fortinet.com

Training Services training.fortinet.com

FortiGuard www.fortiguard.com

Document Feedback [email protected]

FortiDDoS v3.2 Installation Guide

28-320-183686-20130401 3

http://docs.fortinet.com/ • Feedback

Table of Contents

Introduction .............................................................................................. 5

Scope of this document ................................................................................... 5

Introduction....................................................................................................... 5

Package contents ............................................................................................. 5

Simple deployment overview............................................................................ 6

Physical interfaces.................................................................................................. 6

Simple deployment................................................................................................. 7

Basic web hosting deployment .............................................................................. 8

Managed hosting deployment with high availability............................................... 9

Installation & Initial Configuration........................................................ 10

Installing the physical system ......................................................................... 10

Connecting the power cord.................................................................................. 10

Connecting the management ports...................................................................... 10

Setting up network properties ........................................................................ 10

Configuring interface settings......................................................................... 11

Checking system status ................................................................................. 12

Configuring the operating mode..................................................................... 14

Serial mode........................................................................................................... 14

Configuring additional modes .............................................................................. 14

Configuring prevention or detection mode for a set of VIDs in a specific direction .. 15

Configuring bypass mode .................................................................................... 15

Configuring emergency bypass mode.................................................................. 16

Configuring link down synchronization or link state propagation ........................ 16

Assigning Virtual Identifiers (VIDs) to protect systems ................................... 16

Configuring VIDs................................................................................................... 17

Performing a sanity test.................................................................................. 18

Steps for performing a ping test........................................................................... 18

Monitoring events ........................................................................................... 20

Showing traffic................................................................................................ 20

Showing event reports.......................................................................................... 21

Table of Contents

FortiDDoS v3.2 Installation Guide

28-320-183686-20130401 4

http://docs.fortinet.com/ • Feedback

Configuration Options ........................................................................... 22

Using bypass switches for fail-over................................................................ 22

Using an optical bypass switch with heartbeat .................................................... 23

Using copper 10/100/1000 bypass switch with heartbeat................................... 23

Using traffic diversion in service provider environment.................................. 24

Traffic diversion .................................................................................................... 24

Traffic diversion using a single divert-from and inject-to router and a switch ..... 26

Using load balancing to support higher bandwidth in service provider

environment .................................................................................................... 29

Load balancing ..................................................................................................... 29

Using FortiGuard IP Reputation Service......................................................... 36

Configuring FortiGuard IP Reputation Service ..................................................... 36

FortiDDoS v3.2 Installation Guide

28-320-183686-20130401 5

http://docs.fortinet.com/ • Feedback

Introduction

Scope of this document

This document gives the details in installing and configuring FortiDDoS devices.

This document covers:

•Package contents

•Simple deployment overview

•Installing the physical system

•Setting up network properties

•Configuring interface settings

•Checking system status

•Configuring the operating mode

•Assigning Virtual Identifiers (VIDs) to protect systems

•Performing a sanity test

•Monitoring events

•Showing traffic

•Using bypass switches for fail-over

•Using traffic diversion in service provider environment

•Using load balancing to support higher bandwidth in service provider environment

•Using FortiGuard IP Reputation Service

Introduction

This document explains the tasks required to initially install a FortiDDoS device in a

network. We assume that you have already read the FortiDDoS Fundamentals Guide,

and are familiar with the fundamental concepts related to FortiDDoS devices. This

document explains package contents, system overview, selecting a mode of

operation, the physical installation, how to change the IP address for the management

port, and how to assign Virtual Identifiers to protect specific systems. It also shows you

how to perform a ping test, and an overview of how to monitor events and traffic.

Package contents

Before you begin, please be sure the following items are in the package. If the package

is not complete, contact your supplier.

•FortiDDoS device

•Power cord

•Documentation CD

•Brackets to mount the chasis on a rack

Introduction Simple deployment overview

FortiDDoS v3.2 Installation Guide

28-320-183686-20130401 6

http://docs.fortinet.com/ • Feedback

Simple deployment overview

The simple configuration and location of interfaces on the FortiDDoS devices are

described below.

Physical

interfaces

Refer to Figure 1 on page 7 for physical interfaces on FortiDDoS devices.

Traffic Processing (TP) Boards

FDD-100A contains one Traffic Processing Board.

FDD-200A contains two Traffic Processing Boards.

FDD-300A contains three Traffic Processing Boards.

Data ports on each TP Board

There are two pairs of Ethernet ports located on the back panel of the FortiDDoS

device. There are copper and SFP ports. At a given time, you can use either copper or

fiber for a link.

For the FDD-100A, ports are marked LAN 1, WAN 1, LAN 2 and WAN 2.

The FDD-200A has additional ports that are marked LAN 3, WAN 3, LAN 4 and WAN 4.

The FDD-300A has additional ports that are marked LAN 5, WAN 5, LAN 6 and WAN 6.

USB keyboard port

Use of the keyboard port is optional and is to be used during diagnostics on the

console.

Serial Interface through USB port

A serial console can be connected using a USB to serial adapter. The console can be

used for Command Line Interface (CLI) access for advanced usage.

Monitor port

Use of monitor port is optional and is to be used during diagnostics on the console.

This is a DVI port. If you have VGA monitor connector, you will need a DVI to VGA

adapter for connecting your monitor.

Ethernet port for management interface

The management of FortiDDoS devices is normally done over IP over Ethernet. The

Gigabit Ethernet Port can be connected to a private or public network. The device

Web-based Manager can then be accessed over SSL using the connection. For

diagnostics, the CLI can be accessed over secure shell (ssh) over the same network.

Note: Please retain the carton, including the original packing materials in case there is a need to

return the product.

Introduction Simple deployment overview

FortiDDoS v3.2 Installation Guide

28-320-183686-20130401 7

http://docs.fortinet.com/ • Feedback

Figure 1: Back panel of a FortiDDoS 100A device with copper and fiber interfaces and the management Interfaces

Simple

deployment

The FortiDDoS device is designed to protect a system or a network of systems from

rate-based attacks and anomaly attacks. If multiple systems or workgroups are

protected by a FortiDDoS device, a switch will be required between the FortiDDoS

appliance and the protected systems.

Figure 2: A simple network prior to installation of a FortiDDoS device

In a simple network shown in Figure 2, a system is connected to an Ethernet local area

network.

In the simplest configuration, you can install a FortiDDoS unit as an inline device, as

shown in Figure 3.

Figure 3: Network with a FortiDDoS device protecting a single system

The appliance is stateful and bidirectional, so a concept of ‘direction’ must be

introduced to differentiate between inbound and outbound traffic.

As shown in Figure 4 below, in a typical installation, the Ethernet segment connected

to the protected systems is connected to LAN 1. The Ethernet segment connected to

the rest of the network (typically the Internet) is connected to WAN 1.

Introduction Simple deployment overview

FortiDDoS v3.2 Installation Guide

28-320-183686-20130401 8

http://docs.fortinet.com/ • Feedback

Figure 4: Recommended directionality of FortiDDoS devices

Basic web

hosting

deployment

More complex setups can protect multiple systems. In a basic web hosting

deployment a FortiDDoS device can protect systems in multiple customer cages as

shown in Figure 5. You can either use a single VID system or a multiple VID system.

Please refer to the FortiDDoS Fundamentals Guide for concepts related to VID and the

FortiDDoS Web-Based Manager Guide for the actual configuration of VIDs.

Figure 5: Basic web hosting deployment of FortiDDoS devices

Introduction Simple deployment overview

FortiDDoS v3.2 Installation Guide

28-320-183686-20130401 9

http://docs.fortinet.com/ • Feedback

Managed hosting

deployment with

high availability

Figure 6 shows another setup protecting multiple systems in a data center

environment.

In this case two FortiDDoS devices independently protect the routers and the

subsequent networks from DoS and DDoS attacks.

Figure 6: Managed hosting deployment with high availability

FortiDDoS v3.2 Installation Guide

28-320-183686-20130401 10

http://docs.fortinet.com/ • Feedback

Installation & Initial Configuration

There are nine main steps to install and configure FortiDDoS devices. They are:

1Installing the physical system

2Setting up network properties

3Configuring interface settings

4Checking system status

5Configuring the operating mode

6Assigning Virtual Identifiers (VIDs) to protect systems.

7Performing a sanity test

8Monitoring events

9Showing traffic

Installing the physical system

Follow these steps to install the system:

Connecting the

power cord

1Take the FortiDDoS device out of the box and make sure the power switch is off.

2Connect one end of the power cord to an appropriate 110/220 outlet and the other

end to the appliance itself.

Connecting the

management

ports

To manage the FortiDDoS device via a web browser:

1Connect the 10/100 ethernet port to a workgroup switch/router or use a crossover

Ethernet cable to a computer with an HTML web browser. The IP address of the

management port is preset to 192.168.1.1.

2You must first access the FortiDDoS device using this IP address, but you may

change it by clicking Manage > Global > Device Configuration > IP Address after

you connect.

Setting up network properties

To set the network properties:

1From a workstation or PC, access the graphical user interface on the FortiDDoS

device over the management Ethernet by using the default address

https://192.168.1.1 as the URL.

Caution: The appliance must be switched off for at least 30 seconds before restarting.

Note: You must use https when entering the address. The system will not respond to access

requests using http (without the ‘s’).

Table of contents

Popular Protection Device manuals by other brands

Merlin Gerin

Merlin Gerin Sepam series 20 Quick start quide

OUTSTEEL

OUTSTEEL VENITIAN installation instructions

Kemo Electronic

Kemo Electronic M148-24 instructions

Endress+Hauser

Endress+Hauser HAW569 quick start guide

SK ClickClick user manual

Ultrasonic

Ultrasonic SonicPRO installation manual

nxt

nxt BIA-nXt-DPC 1-22 Installation and operation manual

TFortis

TFortis SG-Switch operating manual

BERNINI DESIGN

BERNINI DESIGN Be172 instruction manual

Rayleigh Instruments

Rayleigh Instruments RI-ENERGYSET-3P-ESS-50-100 manual

E.K.T.

E.K.T. ke-DP01 quick start guide

Sola HD

Sola HD STV100K Series instruction manual

socomec

socomec COUNTIS AMd operating instructions

Siemens

Siemens SIPROTEC 7SD80 manual

cias

cias MICRO-RAY installation manual

Sungrow

Sungrow PVS-16MH user manual

Reer

Reer 32010 instruction manual

STI

STI STI-7560AC Mounting instructions

Fortinet FortiDDoS User manual

Popular Protection Device manuals by other brands