andrewbailey
Contributor II

Fortigate 60E 6.0.2 - NTP Pool (IPS and DDoS Protection)

Hello all,

I hope I'm posting in the right area of the forum and that someone may be able to offer some advice!

I've added an NTP server into the NTP Pool and the resulting NTP queries are being forwarded to my public static IP address, then forwarded to the NTP server via my Fortigate 60E running 6.0.2 (it's on the end of an 80/20 VDSL line, if that makes any difference).

I've got DoS protection on the WAN interface and have added an IPS filter with all current NTP signatures.

However, I'm still seeing:

  • Moderate levels of DoS attacks (effectively blocking occasional NTP Pool monitoring requests, reducing the NTP Pool score and hence the amount of time the server is available in the pool).
  • Many, many triggers of the "NTP.Zero.Transmit.Timestamp" IPS signature.
I was hoping to refine the DoS protection settings, but I don't seem to be able to get this to work. I have a main "WAN" DoS interface profile which protects against general attacks. It seems to be working well.

However, I thought I would add a more "refined" DoS profile specifically for incoming NTP. But the signature I have created does not seem to be triggered at all.

It should be possible to have more than one DoS profile on an interface, shouldn't it? The new NTP service-specific profile has been moved to the top of the list but never seems to get triggered.

The DoS attacks are blocking occasional monitoring sessions from the NTP pool, which reduces the NTP server score, effectively removing it from the NTP pool. Ideally I'd like to have a service-specific NTP profile which is triggered at far lower rates than my standard profile (since NTP shouldn't require more than a few packets per second from any IP address, I guess).

For the "NTP.Zero.Transmit.Timestamp" IPS signature I get hundreds of these flagged per day. I'm not sure if I should leave it enabled even given the volume of hits it triggers. It seems to be a low risk, but at the moment I've set it to block. Can I change the "criticality" of that particular signature so it doesn't cause so many alerts? Any other ideas?

Lastly, how stable is FortiOS in terms of packet handling times? I guess for an NTP server any variation in packet handling time could be a problem. Anyone have any idea on that particular topic?

Thanks again for your help and support.

Kind Regards,

    Andy.
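As an added illustration (not configuration from this thread or from Fortinet), the FortiOS 6.0 CLI below places a narrow, NTP-only DoS policy ahead of the general WAN one, and adds a per-signature override in the IPS sensor so the noisy signature is passed without logging while everything else is still blocked. The interface name, the address object, the sensor name, the threshold values and the signature rule ID are all assumptions; the real ID of NTP.Zero.Transmit.Timestamp has to be read from the signature list on the unit.

```fortios
# Added example, not from the thread. Interface, address object, thresholds
# and the IPS rule ID are assumptions; check each against your own unit.
config firewall DoS-policy
    # DoS policies match top-down, so the narrow NTP policy goes first.
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "ntp-public-ip"    # assumed address object: public IP the NTP server is published on
        set service "NTP"              # predefined service object, UDP/123
        config anomaly
            edit "udp_flood"
                set status enable
                set log enable
                set action block
                set threshold 200      # packets/s towards one destination (assumed value)
            next
            edit "udp_src_session"
                set status enable
                set log enable
                set action block
                set threshold 20       # concurrent UDP sessions from one source (assumed value)
            next
        end
    next
    # The existing broad WAN policy stays as edit 2 and is evaluated afterwards.
end
# Per-signature override in the IPS sensor used on the NTP firewall policy:
# the specific entry for the noisy signature comes before the broad filter.
config ips sensor
    edit "ips-ntp-server"              # assumed sensor name
        config entries
            edit 1
                set rule <rule-id>     # placeholder: rule ID of NTP.Zero.Transmit.Timestamp
                set status enable
                set action pass
                set log disable
            next
            edit 2
                set severity medium high critical
                set action block
                set log enable
            next
        end
    next
end
```

The anomaly thresholds are counts FortiOS compares against traffic matching that policy only, so tune them from the DoS logs for the NTP host rather than adopting the illustrative numbers above.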
1 Solution

Paul_S
Contributor

    Policies with no security profiles should produce consistent packet processing time.

    For policies with security profiles, processing time should also be consistent and quick, but will be dependent on the CPU usage.


You may need to post some screenshots to show us what you have set up now. You should be able to have more than one DoS policy. I have two on my FortiGate.

FG200D 5.6.5 (HA) - primary | FWF50B's 4.3.x, FG60D's 5.2.x, FG60E's 5.4.x | FAZ-VM 5.6.5 | Fortimail 5.3.11 | Network+, Security+

    andrewbailey

Paul,

Thanks for your help. That's basically in line with what I thought/expected too. The 60E isn't that heavily taxed; it seems to stroll along at about 60-70% CPU usage even with the external NTP connections hitting it.

I'm more concerned about the DoS policies at the moment. As you suggested, I expected to be able to have more than one, and to be able to order them and make them specific as you would do for a "regular" policy. I'll have a look in more detail, but so far the new one I have created doesn't seem to be hit. Everything (including the incoming NTP sessions) is hitting the original WAN DoS policy.

I'll investigate and post some screenshots (and maybe raise a ticket) if I can't make sense of it.

Thanks for your help,

Andy.