FortiDDoS admin Guide

FD 4.2.1, 4.1.2 CVE Updates

DDOS ATTACK MITIGATION

FortiDDoS™ 4.2.1 Release Notes

FortiDDoS™ 4.2.1 Release Notes for B Series Models June 16, 2016 Revision 3 Copyright© 2016 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features, or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.

Technical Documentation Knowledge Base Forums Customer Service & Support Training FortiGuard Threat Research & Response License Agreement Document Feedback

http://docs.fortinet.com http://kb.fortinet.com https://support.fortinet.com/forums https://support.fortinet.com http://training.fortinet.com http://www.fortiguard.com http://www.fortinet.com/doc/legal/EULA.pdf Email: [email protected]

Table of contents Introduction ........................................................................................................ 4 What’s new ........................................................................................................ 5 Hardware support .............................................................................................. 6 Image checksums .............................................................................................. 7 Upgrading .......................................................................................................... 8 Supported upgrade paths.......................................................................................... 8 Section 1: Upgrading from 4.1.5 and later with the web UI ........................................ 8 Section 2: Upgrading from 4.1.5 and later with the CLI ........................................... 10 Section 3: Upgrading from 4.1.x to 4.1.5 ................................................................. 14 Section 4: Upgrading from 4.0.x to 4.1.5 ................................................................. 16

Downgrading .................................................................................................... 20 Supported downgrade paths ................................................................................... 20 Downgrading from 4.1.9 and later ........................................................................... 20

Resolved issues ............................................................................................... 22 Known issues ................................................................................................... 23

Fortinet

3

FortiDDoS™ 4.2.1 Release Notes

Introduction This document provides a list of new/changed features, upgrade instructions and caveats, resolved issues, and known issues for FortiDDoS 4.2.1, build 0304. The TP2ASIC version is: 4201006a Date: Mar 31, 2016. FortiDDoS is a network behavior anomaly (NBA) prevention system that detects and blocks network attacks that are characterized by excessive use of network resources. These attacks are known as distributed denial of service (DDoS) attacks. For additional documentation, please visit: http://docs.fortinet.com/fortiddos

Fortinet

4

FortiDDoS™ 4.2.1 Release Notes

What’s new Bug fixes only.

Fortinet

5

FortiDDoS™ 4.2.1 Release Notes

Hardware support This release supports the following hardware models:  FortiDDoS 200B  FortiDDoS 400B  FortiDDoS 600B  FortiDDoS 800B  FortiDDoS 900B  FortiDDoS 1000B  FortiDDoS 1000B-DC  FortiDDoS 1200B  FortiDDoS 2000B  FortiDDoS 2000B-USG FortiDDoS A series models are not supported.

Fortinet

6

FortiDDoS™ 4.2.1 Release Notes

Image checksums To verify the integrity of the firmware file, use a checksum tool to compute the firmware file’s MD5 checksum. Compare it with the checksum indicated by Fortinet. If the checksums match, the file is intact. MD5 checksums for software releases are available from Fortinet Customer Service & Support: https://support.fortinet.com Figure 1: Customer Service & Support image checksum tool

After logging in to the web site, in the menus at the top of the page, click Download, and then click Firmware Image Checksums. Alternatively, near the bottom of the page, click the Firmware Image Checksums button. (The button appears only if one or more of your devices have a current support contract.) In the Image File Name field, enter the firmware image file name including its extension, then click Get Checksum Code.

Fortinet

7

FortiDDoS™ 4.2.1 Release Notes

Upgrading Use the following instructions to upgrade to 4.2.1. Note 1: In all cases, after upgrading, clear you browser cache so that new and changed functionality displays correctly. Note 2: FortiDDoS 4.2.x adds additional parameter monitoring and Thresholds for DNS Features. In order to activate these Thresholds, FortiDDoS needs to operate for several hours to several days. Then you need to run Traffic Statistics Reports and System Recommendations to create Thresholds. It is recommended that DNS servers be placed in a separate SPP to facilitate this.

Supported upgrade paths From 4.1.5 or later

Upgrade directly using the web UI or CLI. Follow the procedure in Section 1 or Section 2 below.

From 4.1.4 or earlier

1. Upgrade to 4.1.5. You must use BIOS option G to copy the 4.1.5 image from a TFTP server. Follow the procedure in Section 3 below. 2. Then, upgrade to 4.2.1 using the web UI or CLI. Follow the procedure in Section 1 or Section 2 below.

From 4.0.x

1. Upgrade to 4.1.5. You must use two BIOS options: Option F to format the boot device and then option G to copy the 4.1.5 image from a TFTP server. Follow the procedure in Section 4 below. 2. Then upgrade to 4.2.1 using the web UI or CLI. Follow the procedure in Section 1 or Section 2 below.

Section 1: Upgrading from 4.1.5 and later with the web UI You can use the web UI to upgrade from 4.1.5 and later. The following figure shows the user interface for managing firmware. For this upgrade, you must use Partition 2.

Before you begin: Fortinet

8

FortiDDoS™ 4.2.1 Release Notes

 Direct upgrade is supported only from 4.1.5 and later. If you have not already done so, upgrade to 4.1.5 using the procedures provided.  Download the firmware file from the Fortinet Technical Support website: https://support.fortinet.com/  Back up your configuration before beginning this procedure. If you later revert to an earlier firmware version, the active configuration is deleted, and you will want to restore the configuration that worked well with the earlier version.  Make a note of configurations that are disabled in your active configuration. Configurations that are not enabled are not preserved in the upgrade to 4.2.1. For example, if a custom HTTP service port, log remote port, or event log port have been configured and then disabled in an earlier version, the port information is not preserved in the upgrade to 4.2.1.  Make a note of threshold configurations that have been manually set (thresholds that are not named "sys_reco...."). Do this for all SPPs. Improvements have been made to the system recommended thresholds. After you upgrade, you will regenerate system recommended thresholds, and you must re-enter your manual threshold settings.  You must have super user permission (user admin) to upgrade firmware. To install firmware: 1. Go to System > Maintenance > Backup & Restore. 2. Under Firmware Upgrade/Downgrade, in the row for Partition 2, click Upload and Reboot to display the upload file controls. 3. Use the upload file controls to select the firmware image file. 4. Click OK to upload the file, install the firmware, and restart the system. The reboot takes a few minutes but there is no progress indicator. 5. Clear your browser cache to avoid potential issues that can be caused by caching.

Note: Release 4.1.8 included improvements to system recommended thresholds. If you already upgraded to 4.1.8, you do not need to reset your baseline thresholds. If your upgrade path is from a release prior to 4.1.8, take the following additional steps after the upgrade to 4.2.1 has completed and the system has restarted: 1. For each SPP, immediately go to Protection Profiles > Traffic Statistics > Generate and generate statistics for the longest known period with no major attack traffic (8-hours, 1-day, 1week (recommended), 1-month). 2. Go to Protection Profiles > Thresholds > System Recommendation and set the thresholds based on the generated statistics. 3. Go to Protection Profiles > Thresholds > Thresholds and re-enter the manual threshold settings you want to continue using from your previous configuration.

Fortinet

9

FortiDDoS™ 4.2.1 Release Notes

Section 2: Upgrading from 4.1.5 and later with the CLI You can use the CLI to upgrade from 4.1.5 and later. Before you begin:  Direct upgrade is supported only from 4.1.5 and later. If you have not already done so, upgrade to 4.1.5 using the procedures provided.  You must be able to use TFTP to transfer the firmware file to the FortiDDoS system. If you do not have a TFTP server, download and install one, like tftpd (Windows, Mac OS X, or Linux), on a server located on the same subnet as the FortiDDoS system.  Download the firmware file from the Fortinet Technical Support website: https://support.fortinet.com/  Copy the file to a location you can access from the FortiDDoS appliance using TFTP.  Back up your configuration before beginning this procedure. If you later revert to an earlier firmware version, the active configuration is deleted, and you will want to restore the configuration that worked well with the earlier version.  Make a note of configurations that are disabled in your active configuration. Configurations that are not enabled are not preserved in the upgrade to 4.2.1. For example, if a custom HTTP service port, log remote port, or event log port have been configured and then disabled in an earlier version, the port information is not preserved in the upgrade to 4.2.1.  Make a note of threshold configurations that have been manually set (thresholds that are not named "sys_reco...."). Do this for all SPPs. Improvements have been made to the system recommended thresholds. After you upgrade, you will regenerate system recommended thresholds, and you must re-enter your manual threshold settings.  You must have super user permission (user admin) to upgrade firmware. To install firmware: 1. Connect your management computer to the FortiDDoS console port using an RJ-45-to-DB-9 serial cable or a null-modem cable. Use the following terminal settings: Speed (Baud Rate): 9600 Data Bits: 8 Stop Bits: 1 Parity: None 2. Initiate a connection to the CLI and log in as the user admin. 3. Use an Ethernet cable to connect FortiDDoS mgmt1 to the TFTP server directly, or connect it to the same subnet as the TFTP server. 4. If necessary, start the TFTP server. 5. Enter the following command to transfer the firmware image to the FortiDDoS system: execute restore image tftp where is the name of the firmware image file and is the IP address of the TFTP server. For example, if the firmware image file name is image.out and the IP address of the TFTP server is 192.168.1.168, enter: execute restore image tftp image.out 192.168.1.168 The following message appears: This operation will replace the current firmware version! Do you want to continue? (y/n) 6. Type y. The system gets the image from the TFTP server, installs the firmware, and restarts. The reboot takes a few minutes but there is no progress indicator. Fortinet

10

FortiDDoS™ 4.2.1 Release Notes

Connect to tftp server 192.168.1.168 ... Please wait... ##################################################################### #### Get image from tftp server OK. Verifying the integrity of the firmware image. FI900BXXXXXXXXX # The system begins to upgrade ... Firmware upgrade in progress ... New image: FI900B-4.02.01-FW- build0304,160427 Done. 2 The system is going down NOW !! Please stand by while rebooting the system. FortiDDoS-900B (15:31-08.24.2015) Ver:05000001 Serial number:FI900BXXXXXXXXX RAM activation CPU(00:000206d7 bfebfbff): MP initialization CPU(01:000206d7 bfebfbff): MP initialization CPU(02:000206d7 bfebfbff): MP initialization CPU(03:000206d7 bfebfbff): MP initialization CPU(04:000206d7 bfebfbff): MP initialization CPU(05:000206d7 bfebfbff): MP initialization CPU(06:000206d7 bfebfbff): MP initialization CPU(07:000206d7 bfebfbff): MP initialization CPU(08:000206d7 bfebfbff): MP initialization CPU(09:000206d7 bfebfbff): MP initialization CPU(0a:000206d7 bfebfbff): MP initialization CPU(0b:000206d7 bfebfbff): MP initialization Total RAM: 32768MB Enabling cache...Done. Scanning PCI bus...Done. Allocating PCI resources...Done. Enabling PCI resources...Done. Zeroing IRQ settings...Done. Verifying PIRQ tables...Done. Boot up, boot device capacity: 15272MB. Press any key to display configuration menu... ...... Reading boot image 2791175 bytes. Initializing FortiDDoS...▒

System is started. FortiASIC-TP.0: update started. Reconfigure process takes a few minutes FortiASIC-TP.1: 0% Complete FortiASIC-TP.0: 0% Complete FortiASIC-TP.2: 10% Complete Fortinet

11

FortiDDoS™ 4.2.1 Release Notes

FortiASIC-TP.1: 10% Complete FortiASIC-TP.0: 10% Complete FortiASIC-TP.2: 20% Complete FortiASIC-TP.1: 20% Complete FortiASIC-TP.0: 20% Complete FortiASIC-TP.2: 30% Complete FortiASIC-TP.1: 30% Complete FortiASIC-TP.0: 30% Complete FortiASIC-TP.2: 40% Complete FortiASIC-TP.1: 40% Complete FortiASIC-TP.0: 40% Complete FortiASIC-TP.2: 50% Complete FortiASIC-TP.1: 50% Complete FortiASIC-TP.0: 50% Complete FortiASIC-TP.2: 60% Complete FortiASIC-TP.1: 60% Complete FortiASIC-TP.0: 60% Complete FortiASIC-TP.2: 70% Complete FortiASIC-TP.1: 70% Complete FortiASIC-TP.0: 70% Complete FortiASIC-TP.2: 80% Complete FortiASIC-TP.1: 80% Complete FortiASIC-TP.0: 80% Complete FortiASIC-TP.2: 90% Complete FortiASIC-TP.1: 90% Complete FortiASIC-TP.0: 90% Complete FortiASIC-TP.2: download complete. FortiASIC-TP.2: update success (253.225136 s). FortiASIC-TP.2: chip reconfigure, try again FortiASIC-TP.1: download complete. FortiASIC-TP.1: update success (254.154819 s). FortiASIC-TP.1: chip reconfigure, try again FortiASIC-TP.2: chip reconfigure... success. FortiASIC-TP.1: chip reconfigure... success. FortiASIC-TP.0: download complete. FortiASIC-TP.0: update success (257.634973 s). FortiASIC-TP.0: chip reconfigure, try again FortiASIC-TP.0: chip reconfigure... success. FortiASIC-TP.0: update finished FortiASIC-TP.1: update finished FortiASIC-TP.2: update finished rebooting FortiDDoS-900B (15:31-08.24.2015) Ver:05000001 Serial number:FI900BXXXXXXXXX RAM activation CPU(00:000206d7 bfebfbff): MP initialization CPU(01:000206d7 bfebfbff): MP initialization CPU(02:000206d7 bfebfbff): MP initialization CPU(03:000206d7 bfebfbff): MP initialization CPU(04:000206d7 bfebfbff): MP initialization CPU(05:000206d7 bfebfbff): MP initialization CPU(06:000206d7 bfebfbff): MP initialization CPU(07:000206d7 bfebfbff): MP initialization CPU(08:000206d7 bfebfbff): MP initialization CPU(09:000206d7 bfebfbff): MP initialization CPU(0a:000206d7 bfebfbff): MP initialization CPU(0b:000206d7 bfebfbff): MP initialization Total RAM: 32768MB Fortinet

12

FortiDDoS™ 4.2.1 Release Notes

Enabling cache...Done. Scanning PCI bus...Done. Allocating PCI resources...Done. Enabling PCI resources...Done. Zeroing IRQ settings...Done. Verifying PIRQ tables...Done. Boot up, boot device capacity: 15272MB. Press any key to display configuration menu... ...... Reading boot image 2791175 bytes. Initializing FortiDDoS...▒

System is started.

To verify that the firmware was successfully installed, login and use the get system status command: FI900BXXXXXXXXX login: admin Password: Welcome! FI900BXXXXXXXXX # get sy st Version: FortiDDoS-900B v4.2.1,build0304,160427 TP2ASIC Version: 410a0065 Date: Dec 30, 2015 IP Reputation DB: Not enabled Serial-Number: FI900B3915000043 BIOS version: 05000002 Log disk: Capacity 62 GB, Used 204 MB ( 0.32%), Free 62 GB RRD disk: Capacity 369 GB, Used 163 GB (44.20%), Free 206 GB Hostname: 137-900B HA configured mode: active-passive HA effective mode: Master Distribution: International License Type: Uptime: 0 days 2 hours 28 minutes Last reboot: Wed Apr 13 10:52:01 PDT 2016 System time: Wed Apr 13 13:20:57 PDT 2016 Note: Release 4.1.8 included improvements to system recommended thresholds. If you already upgraded to 4.1.8, you do not need to reset your baseline thresholds. If your upgrade path is from a release prior to 4.1.8, take the following additional steps after the upgrade to 4.2.1 has completed and the system has restarted: 1. For each SPP, immediately go to Protection Profiles > Traffic Statistics > Generate and generate statistics for the longest known period with no major attack traffic (8-hours, 1-day, 1week (recommended), 1-month). 2. Go to Protection Profiles > Thresholds > System Recommendation and set the thresholds based on the generated statistics. 3. Go to Protection Profiles > Thresholds > Thresholds and re-enter the manual threshold settings you want to continue using from your previous configuration. Fortinet

13

FortiDDoS™ 4.2.1 Release Notes

Section 3: Upgrading from 4.1.x to 4.1.5 You must be on version 4.1.5 or later to upgrade to 4.2.1. Use the following steps to upgrade from earlier versions of 4.1.x to 4.1.5. Steps for upgrading from 4.0.x version are provided below. Upgrade from FortiDDoS 3.x is not supported. Important: This upgrade removes the existing configuration files from the system. If you want to avoid re-configuring the system, follow the instructions in step 1 carefully. These instructions save and modify the configuration file so that you can restore it later. This upgrade process preserves your traffic history. 1. Optional. If you want to maintain your configuration across the firmware upgrade: a. Use System > Maintenance > Backup & Restore to save your current configuration and then save the backup file as a .txt file. For example: FDD-FI400BXXXXXXXXX-2015-05-15.txt b. Open the configuration file in a text editor and make the configuration changes that are required for this upgrade: i. In the first line of the configuration, change FI-4.01.00 to FI4.01.05, where is the model number of the appliance that you are upgrading. For example, change the following first line: # config-version=FI-2KB-4.01.00-FW-build0141-140404 content:6-0-0 to # config-version=FI-2KB-4.01.05-FW-build0151-141230 content:6-0-0 2. Upgrade the firmware: a. Download the new firmware image. Contact the Advanced Technology SEs or Customer Support to get this firmware. It is not on the FortiCare download site. b. Copy the file to a location you can access from the FortiDDOS appliance using TFTP. c. Connect to the FortiDDOS appliance console. d. Reboot the system and, when prompted, press any key to display the BIOS configuration menu. e. Select option G so that the system can get the new firmware image from the TFTP server and load it when it reboots. The following example shows the CLI sequence: FI800BXXXXXXXXX # exe reboot This operation will reboot the system ! Do you want to continue? (y/n) y System is rebooting... The system is going down NOW !! Please stand by while rebooting the system. FortiDDoS-800B (19:35-09.19.2013) Ver:04000005 Serial number:FI800BXXXXXXXXXX RAM activation CPU(00:000306a9 bfebfbff): MP initialization CPU(01:000306a9 bfebfbff): MP initialization CPU(02:000306a9 bfebfbff): MP initialization Fortinet

14

FortiDDoS™ 4.2.1 Release Notes

CPU(03:000306a9 bfebfbff): MP initialization CPU(04:000306a9 bfebfbff): MP initialization CPU(05:000306a9 bfebfbff): MP initialization CPU(06:000306a9 bfebfbff): MP initialization CPU(07:000306a9 bfebfbff): MP initialization Total RAM: 8192MB Enabling cache...Done. Scanning PCI bus...Done. Allocating PCI resources...Done. Enabling PCI resources...Done. Zeroing IRQ settings...Done. Verifying PIRQ tables...Done. Boot up, boot device capacity: 15272MB. Press any key to display configuration menu... ... [G]: Get firmware image from TFTP server. [F]: Format boot device. [B]: Boot with backup firmware and set as default. [I]: Configuration and information. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options. Enter Selection [G]: Please connect TFTP server to Ethernet port "MGMT". Enter TFTP server address [192.168.1.168]: 192.168.1.168 Enter local address [192.168.1.188]: 192.168.1.188 Enter firmware image file name [image.out]: FDD_800B-v400-build0151FORTINET.out MAC:085B0E9F061C ##################################################################### #### Total 76694566 bytes data downloaded. Verifying the integrity of the firmware image.

Total 204800kB unzipped. Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?d Programming the boot device now. ..................................................................... ..................................................................... ........................................................... Reading boot image 2791231 bytes. Initializing FortiDDoS...▒

System is started. 3. Set the management port IP address and gateway IP address using the console. Fortinet

15

FortiDDoS™ 4.2.1 Release Notes

4. If you saved and edited the configuration file, restore it using the CLI or web UI. 5. If you did not save a configuration file, you must reconfigure the user accounts and system options.

Section 4: Upgrading from 4.0.x to 4.1.5 You must be on version 4.1.5 or later to upgrade to 4.2.1. Use the following steps to upgrade from 4.0.x to 4.1.5. Upgrade from FortiDDoS 3.x is not supported. Important: This upgrade removes the existing configuration files from the system. If you want to avoid re-configuring the system, follow the instructions in step 1 carefully. These instructions save and modify the configuration file so that you can restore it later. This upgrade process preserves your traffic history. 1. Optional. If you want to maintain your configuration across the firmware upgrade: a. Document and then delete any ICMP Type/Code service items and any SPP ACLs that use them. The syntax for this type of service has changed. You must re-enter these services after you upgrade. b. Use System > Maintenance > Backup & Restore to save your current configuration and then save the backup file as a .txt file. For example: FDD-FI400BXXXXXXXXX-2015-05-15.txt c. Open the configuration file in a text editor and make the configuration changes that are required for this upgrade: i. In the first line of the configuration, change FI-4.00.01 or FI4.00.00 to FI-4.01.05, where is the model number of the appliance that you are upgrading. For example, change the following first line: #config-version=FI400B-4.00.01-FW-build0141-140527 content:6-0-0 to #config-version=FI400B-4.01.05-FW-build0151-141230 content:6-0-0 ii. If you have configured IPv6 dual stack features, locate the section in the .txt file that is similar to the following lines: config ddos global setting set ip-v6-dual-stack enable set ip-v6-prefix 96 end Replace the IPv6 prefix settings with the new IPv6 prefix settings. For example, the following lines add settings for an IPv6 network: config ddos global setting set ip-v6-prefix-length 64 set ipv6-prefix 4001:0:0:1:: end iii. If you have configured IPv6 service protection profile (SPP) policies, locate the section in the .txt file that is similar to the following lines: Fortinet

16

FortiDDoS™ 4.2.1 Release Notes

config ddos global spp-policy edit subnet1 set subnet-id 1 set ipv6 4001:0:0:1::/65 set spp SPP-0 next end Replace the IPv6 policies with the new IPv6 policies. For example, the following lines add an SPP policy for SPP-0: config ddos global spp-policy edit subnet1 set subnet-id 1 set ip-version IPv6 set ipv6 4001:0:0:1::/65 set spp SPP-0 next end Note: When you restore a backup from 4.1.x, IPv4 SPP policies are preserved. 2. Upgrade the firmware: a. Download the new firmware image. Contact the Advanced Technology SEs or Customer Support to get this firmware. It is not on the FortiCare download site. b. Copy the file to a location you can access from the FortiDDOS appliance using TFTP. c. Connect to the FortiDDOS appliance console. d. Reboot the system and, when prompted, press any key to display the BIOS configuration menu. e. Select option F to format the boot device. f. When formatting is complete, select option G so that the system can get the new firmware image from the TFTP server and load it when it reboots. The following example shows the CLI sequence: FI800BXXXXXXXXX # exe reboot This operation will reboot the system ! Do you want to continue? (y/n) y System is rebooting... The system is going down NOW !! Please stand by while rebooting the system. FortiDDoS-800B (19:35-09.19.2013) Ver:04000005 Serial number:FI800BXXXXXXXXXX RAM activation CPU(00:000306a9 bfebfbff): MP initialization CPU(01:000306a9 bfebfbff): MP initialization CPU(02:000306a9 bfebfbff): MP initialization CPU(03:000306a9 bfebfbff): MP initialization CPU(04:000306a9 bfebfbff): MP initialization CPU(05:000306a9 bfebfbff): MP initialization CPU(06:000306a9 bfebfbff): MP initialization CPU(07:000306a9 bfebfbff): MP initialization Total RAM: 8192MB Enabling cache...Done. Scanning PCI bus...Done. Allocating PCI resources...Done. Fortinet

17

FortiDDoS™ 4.2.1 Release Notes

Enabling PCI resources...Done. Zeroing IRQ settings...Done. Verifying PIRQ tables...Done. Boot up, boot device capacity: 15272MB. Press any key to display configuration menu... ... [G]: Get firmware image from TFTP server. [F]: Format boot device. [B]: Boot with backup firmware and set as default. [I]: Configuration and information. [Q]: Quit menu and continue to boot with default firmware. [H]: Display this list of options. Enter Selection [F]: It will erase data in boot device. Continue? [yes/no]: yes Formatting . . . . . . .Done. ... ... [G]: [F]: [B]: [I]: [Q]: [H]:

Get firmware image from TFTP server. Format boot device. Boot with backup firmware and set as default. Configuration and information. Quit menu and continue to boot with default firmware. Display this list of options.

Enter Selection [G]: Please connect TFTP server to Ethernet port "MGMT". Enter TFTP server address [192.168.1.168]: 192.168.1.168 Enter local address [192.168.1.188]: 192.168.1.188 Enter firmware image file name [image.out]: FDD_800B-v400-build0151FORTINET.out MAC:085B0E9F061C ##################################################################### #### Total 76694566 bytes data downloaded. Verifying the integrity of the firmware image.

Total 204800kB unzipped. Save as Default firmware/Backup firmware/Run image without saving:[D/B/R]?d Programming the boot device now. ..................................................................... ..................................................................... ........................................................... Reading boot image 2791231 bytes. Initializing FortiDDoS...▒ Fortinet

18

FortiDDoS™ 4.2.1 Release Notes

System is started. 3. Set the management port IP address and gateway IP address using the console. 4. If you saved and edited the configuration file, restore it using the CLI or web UI. 5. Re-enter any ICMP Type/Code services and SPP ACLs that you deleted in the earlier step. Important: In FortiDDoS 4.2.x, the system recommended thresholds are determined differently from previous firmware versions. After you upgrade to 4.2.x, Fortinet recommends that you regenerate traffic statistics and then review and reset the thresholds using Protection Profiles > Thresholds > System Recommendation.

Fortinet

19

FortiDDoS™ 4.2.1 Release Notes

Downgrading Use the following instructions to downgrade, if necessary, from 4.2.1 or other Releases.

Supported downgrade paths

200B 400B 600B 800B 900B 1000B 1200B

4.2.1 304 Y Y Y Y Y Y Y

4.2.0 302 Y Y Y Y Y Y Y

2000B

Y

Y

4.1.12 4.1.11 4.1.10 4.1.9 176 174 171 166 Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y

Y

Y

Y

4.1.8 163 Y Y Y Y Y Y N

4.1.7 ->

Not Recommended

Model

Y

Downgrading from 4.1.9 and later You can use the web UI, CLI or BIOS to downgrade from 4.1.9 and later Releases. You can downgrade directly to the Release you want to use. To downgrade firmware: 1. Take a backup of your configuration. Downgrade will delete the current configuration and will set everything to factory defaults. Use GUI or For CLI: 137-900B # execute backup config tftp 137.conf 172.30.153.105 Connect to tftp server 172.30.153.105 ... Please wait... # Send config file to tftp server OK. 2. Load new build via GUI/ CLI or BIOS For CLI: 137-900B # execute restore image tftp FDD_900B-v400-build0163-FORTINET.out 172.30.153.105 This operation will replace the current firmware version! Do you want to continue? (y/n)y Connect to tftp server 172.30.153.105 ... Please wait... Fortinet

20

FortiDDoS™ 4.2.1 Release Notes

######################################################################## Get image from tftp server OK. Verifying the integrity of the firmware image.This operation will downgrade the current firmware version! You will lose your existing configuration Do you want to continue? (y/n)y 137-900B # 3. The system will reboot and reprogram the FPGA. This takes about 10-15 min based on what appliance you are using. WARNING: Reboot or power fail during this process will result in unusable product, requiring RMA. 4. Once the system is up, assign the IP address and restore the saved configuration. System will reboot and apply the config. The system should be ready to use.

Fortinet

21

FortiDDoS™ 4.2.1 Release Notes

Resolved issues The following list of issues does not include every bug corrected with this release. For inquires about a particular bug, please contact Fortinet Customer Service & Support. Table 2: Resolved issues Bug ID

Description

292504 299008 354664 356164

Improve event log message when hostname changed. Configuration changes should include a "Success" or "Failed" indication in the event log. glibc updated to fix getaddrinfo() stack-based buffer overflow vulnerability On attempting to add 2nd remote log server to same SPP, error message should be displayed. Rarely, changing Local Address Anti-Spoofing addresses may not work. Upgrade OpenSSL version to 1.0.1s (CVE-2016-0800, CVE-2016-0703, CVE-2016-0704, CVE2016-0701 and others prior to 1 March 2016) Adding IPv6 ACL entries could result in command timeout and failure to add the entries.

356532 356714 307938 363327 363332 363476 365207 365329 365662 369106 369279 369537 370216 366653 366888 366454 367019 366887

Fortinet

After a Protocol flood, the corresponding Protocol graph might not show normal packet rates. UDP drops seen in Attack Log/Monitor graphs/Executive Summary are not seen in Attack Graphs > Top Attacked UDP Ports GUI menu items sometimes only show partial orange highlighting Device shows "not registered" after RMA entitlements transfer on FortiCare. SYN drop counters may double-count under some conditions DNS Query Graph failed to show TCP Queries Network Interface page error dialog box had extra wording FDD-1200B does not show any data ports on the Dashboard portlet HTTP Partial requests may still be blocked when Global Settings > Slow Connection feature is disabled. SPP Settings > Source Tracking > Source and Layer 7 Multipliers are modified in GUI to show the correct multiplied relationship between the two thresholds

22

FortiDDoS™ 4.2.1 Release Notes

Known issues The following list of issues for this release is not complete. For inquires about a particular bug, please contact Fortinet Customer Service & Support. Table 3: Known issues Bug ID

Description

246209

Upgrade from 4.0.x to 4.1.5 cannot be performed with the web UI. Upgrade from 4.1.5 can be performed with the Web UI. The link status reported in the web UI is the detected link state. This is working as designed. The link status shown in the show system interface and get system interface configuration commands is the configured status. This is also working as designed. To display the detected link state with the CLI, use the following command: FI-2K# diagnose hardware get deviceinfo data-port

260686

port1 port2 port3

275873 277768 365454 366044 355068 356749 356404 356036 310258 370857

down down down

10G FD 10G FD 10G FD

SW SW SW

No No No

Forward Forward Forward

TX RX TX RX TX RX

None None None

F F F

XGMII 16356 XGMII 16356 XGMII 16356

Layer 7 SIP thresholds and graphs are not working correctly and have been removed. Triple-tagged VLAN packets will bypass in Detection or Prevention mode. Tripletagged VLAN packets are unlikely to be seen in deployments outside the firewall. While system inspects VLAN and QinQ traffic, any system generated packets (RSTs, SYNACKs, etc.) are sent without tagging. Under rare conditions, the fragment graph may stop displaying after an attack. With a very large data, save as pdf sometimes doesn't work Under highly variable traffic load the Port Statistics graph may understate the pps rates. Deleting large numbers of ACLs from GUI may not work. When adding or removing an HTTP service port, the GUI and CLI (correct) rate may not match. Under some conditions, system will not send RSTs to server under L7 DNS TCP floods. For DNS mitigation, when Outbound is in Prevention Mode, Outbound Source Thresholds are low and Inbound Sources are sending both UDP and TCP Queries, Queries can be blocked when below Inbound Source Thresholds. Set Outbound Thresholds high or set Outbound to Detection Mode.

s

Fortinet

23

FortiDDoS™ 4.2.1 Release Notes

Fortinet

24

FortiDDoS™ 4.2.1 Release Notes