Fortinet FortiDDoS VM08
DDoS Attack Mitigation Appliances

FortiDDoS VM08

Fortinet Products

FortiDDoS VM08 Virtual Appliance

DDoS Protection System - virtual appliance for all supported platforms. Supports up to 8 x vCPU cores, 8 x NIC Ports, 2 x MGMT Ports.

#FDD-VM08
List Price: ~~$110,000.00~~
Our Price: ~~$81,867.50~~
Call For Lowest Price!

Click here to jump to more pricing!

Overview:

Distributed Denial of Service (DDoS) attacks remain a top threat to IT security and have evolved in almost every way to do what they do best: shut down access to your vital online services.

Unlike intrusion and malware attacks, DDoS attackers have learned that they don’t need to attack only end-point servers to shut you down. They attack any IP address that routes to your network: unused IP addresses, Inter-router-link public IP addresses, or Firewall/Proxy/WiFi Gateway public IP addresses.

Cloud-based CDN and DNS-based cloud mitigation cannot protect you from these attacks. What is the impact to your business if your users cannot reach cloud services because your firewall or demarc router public IP is being DDoSed? Your CDN-based web servers may be up but your business is down!

Sophisticated multi-vector and multi-layer DDoS attacks use direct and reflected packets where the spoofed, randomized source IP addresses are impossible to ACL. These attacks are increasingly common as Mirai-style code has morphed into many variants and has been commercialized by providers of “stresser” sites. Anyone can call down large attacks for a few dollars.

To combat these attacks, you need a solution that dynamically protects a large attack surface.

A Different and Better Approach to DDoS Attack Mitigation

FortiDDoS massively parallel machine-learning architecture delivers the most advanced and lowest-latency DDoS attack mitigation on the market today, without the performance compromises normally associated with CPU-based systems. FortiDDoS inspects 100% of both inbound and outbound Layer 3, 4, and 7 packets, to the smallest packet sizes, resulting in the fastest and most accurate detection and mitigation in the industry.

In place of pre-defined or subscription-based signatures to identify attack patterns, FortiDDoS uses autonomous machine learning to build an adaptive baseline of normal activity from hundreds-of-thousands of parameters and then monitors traffic patterns against those baselines. Should an attack begin, FortiDDoS sees the deviation and immediately takes action to mitigate it, often from the first packet.

Highlights:

100% packet inspection for Layer 3, 4, and 7 DDoS attack identification and mitigation, simultaneously monitoring hundreds of thousands of parameters — a massivelyparallel computing architecture
100% Machine Learning DDoS detection
Completely invisible to attackers with no IP and no MAC addresses in the data path. FortiDDoS is not a routing or terminating Layer 3 device.
Continuous threat evaluation to minimize false positive detections
Advanced DNS and NTP DDoS mitigation on selected models
MSSP Portal for customer resale on selected models
Central Manager for selected models
Hybrid On-premise/Cloud mitigation available with Open Signaling

100% Machine Learning Detection	FortiDDoS doesn’t rely on signature files that need to be updated with the latest threats so you’re protected from both known and unknown “zero-day” attacks. No “threat-protection” subscriptions required. Saves OPEX.
Massively Parallel Architecture	Parallel architecture provides 100% packet inspection with bidirectional detection and mitigation of Layer 3, 4, and 7 DDoS attacks even at the smallest packets sizes. Get the performance you pay for.
Continuous Attack Evaluation	Minimizes the risk of “false positive” detection by reevaluating the attack to ensure that “good” traffic isn’t disrupted. Less management time needed.
Advanced DNS Protection	FortiDDoS provides 100% inspection of all DNS Query and Response traffic up to 12 million QPS, for protection from a broad range of DNS-based volumetric, application and anomaly attacks. DNS Reflection floods are stopped from the FIRST packet.
Advanced NTP Protection	FortiDDoS provides 100% inspection of all NTP Query and Response traffic up to 6 million QPS. NTP Reflection floods are stopped from the FIRST packet.
Continuous Learning	With continuous background learning and minimal configuration, FortiDDoS will automatically build normal traffic and resources behavior profiles saving you time and IT management resources.
Autonomous Mitigation	No operator intervention required for any type or size of attack.
Hybrid On-premise/Cloud Support	Open, documented API allows integration with third-party cloud DDoS mitigation providers for flexible deployment options and protection from large-scale DDoS attacks.
Fortinet Security Fabric Integration	Single-pane visibility of attack mitigation and network performance reduces management and improves response time (on selected models).
RESTful API	FortiDDoS can be integrated into almost any environment through its RESTful API.
Central Manager	FortiDDoS-CM (for B-/E-Series) is available for users with multiple geographically dispersed FortiDDoS units. One management screen for all devices with single sign-on.

Features:

Packet Inspection Technology

100% Packet Inspection
Full IPv4/IPv6 Support to single IP addresses
Machine learning for Predictive, Heuristic, Adaptive Analysis
Deep Packet Inspection
TCP State knowledge to instantly mitigate out-of-state attacks
DNS Query Monitoring to instantly mitigate DNS Reflected attacks
NTP Monitoring to instantly mitigate NTP reflection attacks (E/F)
Complete invisibility with no MAC nor IP addresses in the data path
Massively parallel processing for multiple simultaneous attack vectors

Behavioral Threshold Management

Machine-learning thresholds for millions of L3-L7 parameters
Automatic adaptive thresholds estimation for critical L3, L4 and L7 parameters

100% Anomaly Inspection

L3/L4/L7 HTTP Headers
DNS Header and Payload
TCP State and Transition Anomalies
NTP Header and Payload (E/F)

Layer 3 Attack Mitigation

Protocol Floods (all 256 monitored)
Fragment Floods (TCP/UDP/Other Protocols)
Source Floods (up to 24M monitored)
FortiGuard IP Reputation Subscription
Full L3-L7 IP-inside-GRE Inspection

Layer 4 Attack Mitigation

TCP Ports (all 65k)
UDP Ports (all 65k)
TCP / UDP Service Ports (>10,000)
ICMP Type/Codes (all 65k)
SYN, SYN/Destination with line-speed validation, SYN/Source
First-packet TCP State flood mitigation
Slow Connections
L4 Aggressive Connection Aging

HTTP Attack Mitigation

HTTP URL, Referer, Cookie, Host, User Agent
HTTP METHOD Floods (all 8 METHODS +Total Methods/Source)
Protocol Anomalies (F)
SSL Renegotiation
L7 Aggressive Aging
Cypher Anomalies (F)
GET/POST Client Validation (F)

Attack Mitigation

First-packet DNS (B/E/F) and NTP (E/F) Response Flood mitigation (DQRM/NRM)
DNS / NTP Header/payload/state anomalies
DNS Query / MX / ALL / ZT / fragment / per-Source Floods
DNS Response Code Flood mitigation
NTP Request / Response / Response-per-Destination Floods
DNS Query Source validation, Unexpected Query, Legitimate Query
DNS Query TTL validation
DNS Response cache under flood
DNS Domain Reputation Subscription
DNS Resource Record ACLs
NTP Amplified Reflected Mode 7(monlist) and Mode 6 (varlist) Response Flood First-packet mitigation

Access Control Lists

FortiDDoS is the ONLY product in the industry that supports large ACLs in hardware with no performance degradation. While most DDoS attacks use spoofed Source IPs, your existing Indicators of Compromise IP and Domain lists can be uploaded to FortiDDoS to offload other infrastructure

IP Reputation – Fortinet FortiGuard subscription
IP/subnet Blacklist/Whitelist
Bulk IPv4 Blacklist Customer Upload (>1million addresses)
Geolocation
Enhanced BCP38 Source Address Validation/Local Address Anti-Spoofing (>2000 subnets)
Protocol, UDP, TCP and other Protocol Fragments, DNS Fragment, L4 Port, ICMP Type/Code
HTTP Methods, URLs, Hosts, Referrers, User Agents
DNS Domain Reputation – Fortinet FortiGuard subscription (>250k Malicious Domains)
DNS Bulk Domain Blacklist Customer Upload (>500k Domains)
DNS Resource Record ACLs (256 RRs)
Packet Length, v4/v6, Protocol, TCP/UDP Port, ICMP Type-Code, TCP/UDP/Other fragment ACL
Flowspec ACL script generatio

Comprehensive Built-In Reporting

Filterable/Exportable Attack Log
Summary Graphs and Logs for:
Top Attacks / Top Attackers
Top ACL Drops
Top Attacked Subnets and IP Addresses
Top Attacked Protocols
Top Attacked TCP and UDP Ports
Top Attacked ICMP Types/Codes
Top Attacked URLs, HTTP Hosts, Referers, Cookies, User-Agents
Top Attacked DNS Servers
Top Attacked DNS Anomalies
Physical Port, SPP, SPP Policy (subnet) and SPP Policy Group statistics: Mbps/pps and Drops graphing
Custom, on-demand, on-schedule and/or on-Attack-Threshold reports in multiple formats
Millions of built-in reporting graphs for real-time and forensic analysis

Centralized Event Reporting

SNMP v2/v3 MIB and Traps
Email Alerts and Reports
Open RESTful API
Syslog support for FortiAnalyzer, FortiSIEM and third-party servers
FortiDDoS Central Manager centralized attack log and executive summary

Audit Trails

Login Audit Trail
Configuration Audit Trail

Management

Full TLS 1.3 Management GUI
Full CLI
Open RESTful API
RADIUS, LDAP, and TACACS+ Authentication including 2FA and Proxy
Multi-Tenant MSSP Portal
Central Manager for multiple FortiDDoS
Open Cloud Mitigation Signaling

FortiDDoS Features

Highlights:

Powerful Parallel Architecture = Flexible, Autonomous Defenses

FortiDDoS protects you from known and “zero-day” attacks without creating local or downloading subscription signatures for mitigation. Other vendors try to conserve CPU real-time by inspecting a relatively small number of parameters at a low sample rate, unless and until an explicit signature is created. FortiDDoS’ massively parallel architecture samples 100% of even the smallest packets, for over 230,000 parameters for each Protection Profile. This method allows FortiDDoS to operate completely autonomously, finding some attacks on the FIRST packet and all attacks within two seconds — broader and faster mitigation than any other vendor or method. There is no need to adjust settings, read pcaps, or add regex-style manual signatures or ACLs in the middle of attacks. While attacks are being mitigated, FortiDDoS continues to monitor all other parameters to instantly react to added or changed vectors.

The Resurgence of Botnets

Easily-compromised IoT devices have allowed Botnet attacks to rise again and massive IoT growth assures us they are here to stay. While individual devices have little power, large groups can generate record traffic. Attackers want to hide the real source IP addresses of botted devices so UDP, SYN, TCP Out-of-State (FIN/ACK/RST), DNS and Protocol direct and reflected floods using spoofed source IP addresses are back in vogue. Attackers can launch an unprecedented variety of simultaneous attack vectors. Small-packet floods stress routers, firewalls, and many DDoS appliances, preventing full inspection with unexpected results. FortiDDoS’ 100% inspected small-packet rate is class-leading.

DNS-Based Attacks

Botnet-driven DNS attacks are popular because they can target any type of infrastructure or they can co-opt your DNS servers to attack others with reflected DDoS attacks. FortiDDoS is the only DDoS mitigation platform that inspects 100% of all DNS traffic in both directions, to protect against all types of DDoS attacks directed at, or from DNS servers. It validates over 30 different parameters on every DNS packet at up to 12 M Queries/second. Its built-in cache can offload the local server during floods. FortiDDoS’s innovative DQRM feature stops inbound Reflected DNS attacks from the very first packet. FortiDDoS also supports FortiGuard’s Domain Reputation Service for ISPs to protect clients from known malicious domains.

Security Fabric

FortiDDoS complements Fortinet’s full suite of Security Fabric products, each of which uses purpose-built hardware with dedicated engineering and support resources to provide best-in-class focused protection. FortiDDoS B-/E- Series display system performance and mitigation activities in real-time on a FortiOS Security Fabric Dashboard, providing a single-pane-of-glass view of DDoS threats and mitigations along with other Security Fabric products and partners.

Hybrid On-premise/Cloud DDoS Mitigation

While FortiDDoS can mitigate any DDoS attack to the limit of the incoming bandwidth, large attacks can saturate incoming links, forcing ISP routers to drop good traffic. FortiDDoS’s open and documented Attack Signaling API allows our Security Fabric partners to provide you a choice of best-in-class hybrid CPE/cloud DDoS mitigation when attacks threaten to congest upstream resources. FortiDDoS inspects incoming GRE clean traffic from cloud DDoS providers to ensure continuity of logging and reporting, and complete threat mitigation. FortiDDoS on-premise appliances can also provide your ISP with Flowspec scripts to support diversion and multiparameter blocking of attack traffic.

Always-On Inline vs. Out-of-Path Mitigation

Many hosting providers, MSSPs and ISPs are moving away from out-of-path detection, diversion and scrubbing as too limited and too slow for important infrastructure. Netflow-based detection and mitigation monitor a limited number of parameters for a few different attack types. FortiDDoS mitigates more than 150 attack events, many with “depth” (all 65,000 TCP and UDP ports are monitored and mitigated, for example). 100% packet inspection and leading packet performance ensure mitigation from single-packet anomalies to link-filling small-packet, fragmented UDP floods.

Studies are showing that 75% of DDoS attacks last less than 15 minutes. Customers are also seeing multi-vector attacks, attacks that sequentially change vectors and pulsed attacks that start and stop frequently. FortiDDoS begins mitigating in less than 2 seconds and its massively-parallel detection and mitigation ensures multi-vector, sequential and pulsed attacks are seen and stopped.

All FortiDDoS models offer High Availability and select models offer Optical Bypass (to 100GE) to ensure network continuity in the event of system failures. When attacks threaten link bandwidth, Flowspec scripts can be generated to configure upstream router ACLs.

FortiDDoS also offers a wide range of static and dynamic ACLs to offload other infrastructure. For example, FortiDDoS supports BCP- 38 (select models) and FortiGuard Domain Reputation blocks IoT and end-user communications to botnet controllers and malicious domains. FortiDDoS ACLs operate at line-rate with no impact on performance even with millions of blocklisted IP addresses.

Selected FortiDDoS models offer multi-tenant real-time graphing and attack reporting for resale to customers.

Specifications:

	FortiDDOS VM04	FortiDDOS VM08	FortiDDOS VM16
Hardware Specifications
Hypervisor Support	VMware ESX/ESXi 6.x / 7.x with hardware-assisted virtualization (VT) enabled in the BIOS	VMware ESX/ESXi 6.x / 7.x with hardware-assisted virtualization (VT) enabled in the BIOS	VMware ESX/ESXi 6.x / 7.x with hardware-assisted virtualization (VT) enabled in the BIOS
Throughput^1,3	3 Gbps	6 Gbps	9 Gbps
Mitigation^2,3	2.3 Gbps/2.1 Mpps	2.3 Gbps/2.1 Mpps	2.3 Gbps/2.1 Mpps
Service Protection Profiles	4	8	16
vCPU Support	4	8	16
Memory Support	16 GB	16 GB	32 GB
Network Interface Support	8 (4 bridged link pairs)	8 (4 bridged link pairs)	8 (4 bridged link pairs)
Storage Support	Requires at least 200 GB	Requires at least 200 GB	Requires at least 200 GB

¹1.7KB HTTP Response

²Rate for 100% inspection of 64Byte packets

³Actual peformance will vary depending on underlying hardware. Performance results were observed using a bare-metal appliance with Intel(R) Xeon(R) W-3245 CPU @ 3.20GHz running VMware ESXI 7.0.0 and SR-IOV

Documentation:

Download the FortiDDOS VM08 (.PDF)

Pricing Notes:

Hardware plus FortiCare Premium and FortiADC Network Security Bundle
Hardware Unit, Advanced Hardware Replacement (NBD), Firmware and General Upgrades, FortiCare Premium Ticket Handling, Antivirus, IP Reputation and GeoIP and Intrusion Prevention Service
Hardware plus FortiCare Premium and FortiADC Application Security Bundle
Hardware Unit, Advanced Hardware Replacement (NBD), Firmware and General Upgrades, FortiCare Premium Ticket Handling, Antivirus, IP Reputation and GeoIP, Intrusion Prevention Service, WAF Security, Credential Stuffing Defense, Sandbox Cloud and Data Loss Prevention Service
Hardware plus FortiCare Premium and FortiADC AI Security Bundle
Hardware Unit, Advanced Hardware Replacement (NBD), Firmware and General Upgrades, FortiCare Premium Ticket Handling, Antivirus, IP Reputation and GeoIP, Intrusion Prevention Service, WAF Security, Credential Stuffing Defense, Sandbox Cloud, Data Loss Prevention, Threat Analytics and Advanced Bot Protection Service
Network Security - IP Reputation and Geo-IP, AV, IPS, and FortiCare Premium
Advanced Hardware Replacement (NBD), Firmware and General Upgrades, FortiCare Premium Ticket Handling, Antivirus, IP Reputation and GeoIP and Intrusion Prevention Service
Application Security - Network Security Bundle Plus WAF Security Service, FortiADC Cloud Sandbox, Credential Stuffing Defense, FortiGuard Data Loss Prevention Service, and FortiCare Premium
Advanced Hardware Replacement (NBD), Firmware and General Upgrades, FortiCare Premium Ticket Handling, Antivirus, IP Reputation and GeoIP, Intrusion Prevention Service, WAF Security, Credential Stuffing Defense, Sandbox Cloud and Data Loss Prevention Service
AI Security - Application Security Bundle Plus Threat Analytics, FortiGuard Advanced Bot Protection, and FortiCare Premium
Advanced Hardware Replacement (NBD), Firmware and General Upgrades, FortiCare Premium Ticket Handling, Antivirus, IP Reputation and GeoIP, Intrusion Prevention Service, WAF Security, Credential Stuffing Defense, Sandbox Cloud, Data Loss Prevention, Threat Analytics and Advanced Bot Protection Service
FortiCare Premium Support
FortiCare Premium Ticket Handling, Advanced Hardware Replacement (NBD), Firmware and General Upgrades
FortiDDoS FortiCare Premium Support
FortiCare Premium Ticket Handling, Advanced Hardware Replacement (NBD), Firmware and General Upgrades. This service level includes a FortiDDoS responsiveness SLA of 30 minutes for Priority 1 incidents.
Prices are for one year of Premium RMA support. Usual discounts can be applied.
Annual contracts only. No multi-year SKUs are available for these services.
Contact Fortinet Renewals team for upgrade quotations for existing FortiCare contracts.
Pricing and product availability subject to change without notice.

Fortinet Products

FortiDDoS VM08 Virtual Appliance

DDoS Protection System - virtual appliance for all supported platforms. Supports up to 8 x vCPU cores, 8 x NIC Ports, 2 x MGMT Ports.

#FDD-VM08
List Price: ~~$110,000.00~~
Our Price: ~~$81,867.50~~
Call For Lowest Price!

FortiDDoS VM08 FortiCare Premium Support

FortiDDoS-VM08 1 Year FortiCare Premium Support

#FC-10-FIM08-248-02-12
List Price: ~~$22,000.00~~
Our Price: ~~$18,892.50~~
Call For Lowest Price!

FortiDDoS-VM08 3 Year FortiCare Premium Support

#FC-10-FIM08-248-02-36
List Price: ~~$66,000.00~~
Our Price: ~~$56,677.50~~
Call For Lowest Price!

FortiDDoS-VM08 5 Year FortiCare Premium Support

#FC-10-FIM08-248-02-60
List Price: ~~$110,000.00~~
Our Price: ~~$94,462.50~~
Call For Lowest Price!

FortiDDoS VM08 Subscription Service

FortiDDoS-VM08 1 Year Domain Reputation Service

#FC-10-FIM08-191-02-12
List Price: ~~$22,000.00~~
Our Price: ~~$16,373.50~~
Call For Lowest Price!

FortiDDoS-VM08 IP Reputation Service

FortiDDoS-VM08 1 Year IP Reputation Service

#FC-10-FIM08-140-02-12
List Price: ~~$22,000.00~~
Our Price: ~~$16,373.50~~
Call For Lowest Price!

FortiDDoS-VM08 3 Year IP Reputation Service

#FC-10-FIM08-140-02-36
List Price: ~~$66,000.00~~
Our Price: ~~$57,142.80~~
Call For Lowest Price!

FortiDDoS-VM08 5 Year IP Reputation Service

#FC-10-FIM08-140-02-60
List Price: ~~$110,000.00~~
Our Price: ~~$95,238.00~~
Call For Lowest Price!

Fortinet FortiDDoS VM08 DDoS Attack Mitigation Appliances

Overview:

A Different and Better Approach to DDoS Attack Mitigation

Highlights:

Features:

Packet Inspection Technology

Behavioral Threshold Management

100% Anomaly Inspection

Layer 3 Attack Mitigation

Layer 4 Attack Mitigation

HTTP Attack Mitigation

Attack Mitigation

Access Control Lists

Comprehensive Built-In Reporting

Centralized Event Reporting

Audit Trails

Management

Highlights:

Powerful Parallel Architecture = Flexible, Autonomous Defenses

The Resurgence of Botnets

DNS-Based Attacks

Security Fabric

Hybrid On-premise/Cloud DDoS Mitigation

Always-On Inline vs. Out-of-Path Mitigation

Specifications:

Documentation:

Fortinet FortiDDoS VM08
DDoS Attack Mitigation Appliances