Detections
Analytics
FNFG-FW-000110 - The FortiGate firewall must employ filters that prevent or limit the effects of all types of commonly known denial-of-service (DoS) attacks, including flooding, packet sweeps, and unauthorized port scanning.
Information
Not configuring a key boundary security protection device such as the firewall against commonly known attacks is an immediate threat to the protected enclave because they are easily implemented by those with little skill. Directions for the attack are obtainable on the internet and in hacker groups. Without filtering enabled for these attacks, the firewall will allow these attacks beyond the protected boundary.Configure the perimeter and internal boundary firewall to guard against the three general methods of well-known DoS attacks: flooding attacks, protocol sweeping attacks, and unauthorized port scanning.
Flood attacks occur when the host receives too much traffic to buffer and slows down or crashes. Popular flood attacks include ICMP flood and SYN flood. A TCP flood attack of SYN packets initiating connection requests can overwhelm the device until it can no longer process legitimate connection requests, resulting in DoS. An ICMP flood can overload the device with so many echo requests (ping requests) that it expends all its resources responding and can no longer process valid network traffic, also resulting in DoS. An attacker might use session table floods and SYN-ACK-ACK proxy floods to fill up the session table of a host.
In an IP address sweep attack, an attacker sends ICMP echo requests (pings) to multiple destination addresses. If a target host replies, the reply reveals the target's IP address to the attacker. In a TCP sweep attack, an attacker sends TCP SYN packets to the target device as part of the TCP handshake. If the device responds to those packets, the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack. In a UDP sweep attack, an attacker sends UDP packets to the target device. If the device responds to those packets, the attacker gets an indication that a port in the target device is open, which makes the port vulnerable to attack.
In a port scanning attack, an unauthorized application is used to scan the host devices for available services and open ports for subsequent use in an attack. This type of scanning can be used as a DoS attack when the probing packets are sent excessively.
NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.
Solution
Log in to the FortiGate GUI with Super-Admin privilege.1. Click Policy and Objects.
2. Click IPv4 DoS Policy or IPv6 DoS Policy.
3. Click +Create New.
4. Configure DoS policies that include Incoming Interface, Source Address, Destination Address, and Services.
5. Configure Action and Threshold for L3 and L4 anomalies per site policies.
6. Click OK.
See Also
https://dl.dod.cyber.mil/wp-content/uploads/stigs/zip/U_FN_FortiGate_Firewall_Y22M10_STIG.zip
Item Details
Audit Name: DISA Fortigate Firewall STIG v1r3
Category: SYSTEM AND COMMUNICATIONS PROTECTION
References: 800-53|SC-5, CAT|I, CCI|CCI-002385, Rule-ID|SV-234151r852961_rule, STIG-ID|FNFG-FW-000110, Vuln-ID|V-234151
Plugin: FortiGate
Control ID: e7a61d3ee920c3b9e88c5af8d5fc6bac0c0a14aac3dc41c9c6a4ee19fb4578b3