Black hole routing to the rescue - Fortigate OS 4 surprise


Many times there is more than one solution to a problem, and the most obvious one is not the best. I was reminded of this when a Fortigate 60 unit came into my care that was periodically blocking traffic: you get the not-saying-much system alert "..has reached connection limit" and then no traffic passes from LAN to WAN. This is clearly a resource starvation issue, but with users involved you may never know for sure what causes it. The only way to pinpoint the misbehaving component is by elimination: disabling features one by one until the problem disappears. For this particular Fortigate it was the URL filtering used to block access to Facebook.com. Unfortunately, once that was disabled, users in the LAN would starve the bandwidth by accessing (or rather never leaving) this website. An internal fair use policy issue? Yes, of course, but in this case the only way to enforce the policy was by force. So if not URL filtering (the obvious solution), then black hole routing would be the better one, I thought. But in FortiOS 3 I did not find such an option, and as an upgrade to FortiOS 4 was not an option, I blackholed the Facebook.com IP range (thanks to Facebook for the convenience of a contiguous IP range) in the WAN-facing Cisco router.
In FortiOS 4 and newer you can configure black hole routing with no hassle:

FG100 # config router static
FG100 (static) # edit 5
FG100 (5) # set blackhole ?
disable    disable setting
enable     enable setting
FG100 (5) # set blackhole enable
FG100 (5) # set dst 69.63.176.0/20
FG100 (5) # end

Verify:

FG100 # show router static  
config router static  
    edit 5
        set blackhole enable
        set dst 69.63.176.0 255.255.240.0
    next
end

From a station in the LAN:
# ping 69.63.184.142

PING 69.63.184.142 (69.63.184.142) 56(84) bytes of data.  
From 10.99.99.254 icmp_seq=1 Destination Net Unreachable  
From 10.99.99.254 icmp_seq=2 Destination Net Unreachable  

Facebook IP range:
whois 69.63.176.140

[Querying whois.arin.net]
[whois.arin.net]
OrgName:    Facebook, Inc.
OrgID:      THEFA-3
Address:    156 University Ave, 3rd floor
City:       Palo Alto
StateProv:  CA
PostalCode: 94301
Country:    US
NetRange:   69.63.176.0 - 69.63.191.255
CIDR:       69.63.176.0/20  
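The whois NetRange above is what the static route's `set dst` line is derived from, and the ping shows which host addresses end up inside it. The following is an added example (not code from the post or from Fortinet) that ties the two together: it parses a NetRange line in the ARIN format shown, summarizes it into CIDR blocks, renders the equivalent FortiOS `config router static` entries with dotted netmasks (as the `show router static` output displays them), and checks whether a given host falls inside the blackholed space. The whois text embedded in the script is a constructed sample in the same format as the output above; the sequence number 5 matches the route used in the post. It goes slightly beyond the post in that a NetRange which is not CIDR-aligned produces several routes instead of one.

```python
import ipaddress

# Constructed sample in the same format as the ARIN whois output above
SAMPLE_WHOIS = """OrgName:    Example Org (constructed sample)
NetRange:   69.63.176.0 - 69.63.191.255
CIDR:       69.63.176.0/20
"""


def netrange_to_networks(whois_text):
    """Parse the 'NetRange: first - last' line and return the CIDR blocks covering it.

    A range that is not aligned to a single prefix summarizes into several blocks,
    each of which needs its own static route.
    """
    for line in whois_text.splitlines():
        if line.startswith("NetRange:"):
            first, last = [p.strip() for p in line.split(":", 1)[1].split("-")]
            return list(ipaddress.summarize_address_range(
                ipaddress.ip_address(first), ipaddress.ip_address(last)))
    raise ValueError("no NetRange line found in whois output")


def fortios_blackhole_config(networks, start_seq=5):
    """Render FortiOS 'config router static' lines, one blackhole route per block.

    The destination is written as 'network mask' with a dotted netmask, which is
    the form FortiOS shows in 'show router static'.
    """
    lines = ["config router static"]
    for seq, net in enumerate(networks, start=start_seq):
        lines += [
            f"    edit {seq}",
            "        set blackhole enable",
            f"        set dst {net.network_address} {net.netmask}",
            "    next",
        ]
    lines.append("end")
    return "\n".join(lines)


def is_blackholed(ip, networks):
    """Return True if the host IP falls inside any of the blackholed blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


if __name__ == "__main__":
    nets = netrange_to_networks(SAMPLE_WHOIS)
    print(fortios_blackhole_config(nets))
    for host in ("69.63.184.142", "8.8.8.8"):
        print(host, "blackholed" if is_blackholed(host, nets) else "routed normally")
```

Re-run the check against a fresh whois lookup from time to time: the route only covers the range as it was when configured, and a host that has moved outside it is routed normally again.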

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.