Page 3 - Contents
FortiGate IPS User Guide Version 3.0 MR7, document 01-30007-0080-20080916, page 3. Contents: Introduction, page 5; The FortiGate IPS, ...
Page 5 - Introduction; The FortiGate IPS
Introduction. This section introduces you to the FortiGate Intrusion Prevention System (IPS) and the following topics: • The FortiGate IPS • About this document • Fortinet documentation • Customer service ...
Page 6 - About this document; Document conventions; Typographic conventions; Fortinet documentation
About this document. Document conventions: The following document conventions are used in this guide: • In the examples, private IP addresses are used for both private and public IP addresses. • Notes an...
Page 8 - Fortinet Knowledge Center; Customer service and technical support
Fortinet Knowledge Center: Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articl...
Page 9 - IPS settings and controls
IPS overview and general configuration. This section contains the following topics: • The FortiGate IPS • Network performance • Monitoring the network and dealing with attacks • U...
Page 10 - When to use IPS; Network performance; Default signature and anomaly settings
To create an IPS sensor, go to Intrusion Protection > IPS Sensor. See “IPS sensors” on page 39 for details. To access the protection profile IPS sensor selection, go to F...
Page 11 - Controlling sessions; Setting the buffer size; Monitoring the network and dealing with attacks; Configuring logging and alert email
Controlling sessions: Use this command to ignore sessions after a set amount of traffic has passed. The default is 204800 bytes. config ips global s...
Page 12 - Attack log messages
5 Select and configure authentication if required and enter the email addresses that will receive the alert email. 6 Enter the time interval to wa...
Page 13 - Anomaly
Anomaly: The following log message is generated when an attack anomaly is detected: [...] The FortiGuard Center: The FortiGuard Center combines the knowled...
Page 14 - Using IPS sensors in a protection profile; Creating a protection profile that uses IPS sensors; Adding protection profiles to firewall policies
Using IPS sensors in a protection profile. IPS can be combined with other FortiGate features – antivirus, spam filtering, web filtering, and web category...
Page 15 - Adding protection profiles to user groups
Adding protection profiles to user groups. When creating a user group, select a protection profile that applies to that group. Then, when configuring a fi...
Page 17 - Predefined signatures; IPS predefined signatures; Viewing the predefined signature list
Predefined signatures. This section describes: • IPS predefined signatures • Viewing the predefined signature list. IPS predefined signatures: Predefined signatures are arranged in alphabet...
Page 21 - Custom signatures; IPS custom signatures
Custom signatures. Custom signatures provide the power and flexibility to customize the FortiGate Intrusion Protection system for diverse network environments. The FortiGate predefined signatures...
Page 22 - Custom signature configuration; Adding custom signatures using the web-based manager; Adding custom signatures using the CLI
Custom signature configuration. Add custom signatures using the web-based manager or the CLI. For more information about custom signature syntax, see “Creating custom signatures” on pag...
Page 23 - Creating custom signatures; Custom signature fields
Creating custom signatures. Custom signatures are added separately to each VDOM. In each VDOM, there can be a maximum of 255 custom signatures. A custom signature definition is limited to a ...
Page 24 - Custom signature syntax
Custom signature syntax. Table 2: Information keywords (columns: Keyword and value; Description). --attack_id <id_int>; This optional value is used to identify the signature. It cannot be the same...
Page 33 - Example custom signatures
Example custom signatures. Custom signature fields and syntax are fully described in this chapter, though using them to build a custom signature can be complex. It’s best to start with a sim...
Page 35 - Example 2: signature to block the SMTP ‘vrfy’ command
Example 2: signature to block the SMTP ‘vrfy’ command. The SMTP vrfy command can be used to verify the existence of a single email address, or it can be used to list all of the valid email a...
Page 37 - Protocol decoders; Upgrading the IPS protocol decoder list
Protocol decoders. This section describes: • Protocol decoders • Upgrading the IPS protocol decoder list • Viewing the protocol decoder list. Protocol decoders: The FortiGate IPS uses protocol decoders...
Page 38 - Viewing the protocol decoder list
Viewing the protocol decoder list. To view the decoder list, go to Intrusion Protection > Signature > Protocol Decoder. Figure 6: The protocol decoder list. Protocols: The proto...
Page 39 - IPS sensors; Viewing the IPS sensor list
IPS sensors. You can group signatures into IPS sensors for easy selection in protection profiles. You can define signatures for specific types of traffic in separate IPS sensors, and then select ...
Page 40 - Adding an IPS sensor; Configuring IPS sensors
Adding an IPS sensor. An IPS sensor must be created before it can be configured by adding filters and overrides. To create an IPS sensor, go to Intrusion Protection > IPS Sensor and select Create...
Page 42 - Configuring filters
IPS sensor overrides: [...] Configuring filters. To configure a filter, go to Intrusion Protection > IPS Sensor. Select the Edit icon of the IPS sensor containing the filter you want to edit. When the...
Page 43 - Configuring pre-defined and custom overrides
The signatures included in the filter are only those matching every attribute specified. When created, a new filter has every attribute set to “all”, which causes every signature to be included in th...
Page 45 - DoS sensors
DoS sensors. The FortiGate IPS uses a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. For example, one type of flooding is the denial of service...
Page 46 - Viewing the DoS sensor list; Configuring DoS sensors
Viewing the DoS sensor list. To view the anomaly list, go to Intrusion Protection > DoS Sensor. Figure 12: The DoS sensor list. Configuring DoS sensors: Because an improperly configured DoS se...
Page 48 - Understanding the anomalies
Protected addresses: Each entry in the protected address table includes a source and destination IP address as well as a destination port. The DoS sensor will be applied to traffic matching the...
Page 51 - SYN flood attacks; What is a SYN flood attack?
SYN flood attacks. This section describes: • What is a SYN flood attack? • How SYN floods work • The FortiGate IPS Response to SYN flood attacks • Configuring SYN flood protection • Suggest...
Page 52 - The FortiGate IPS Response to SYN flood attacks; What is SYN threshold?
After the handshaking process is complete, the connection is open and data exchange can begin between the originator and the receiver, in this case the web browser and ...
Page 54 - Configuring SYN flood protection; Suggested settings for different network conditions
Configuring SYN flood protection. To configure the SYN flood protection: 1 Go to Intrusion Protection > DoS Sensor. 2 Select Create New. 3 Configure the options for tcp_syn_flood. ...
Page 55 - ICMP sweep attacks; What is an ICMP sweep?
ICMP sweep attacks. This section describes: • What is an ICMP sweep? • How ICMP sweep attacks work • The FortiGate IPS response to ICMP sweep attacks • Configuring ICMP sweep protection • Sugge...
Page 56 - Predefined ICMP signatures
Predefined ICMP signatures. Table 11 describes all the ICMP-related predefined signatures and the default settings for each. Note: The predefined signature descriptio...
Page 57 - ICMP sweep anomalies
ICMP sweep anomalies. The FortiGate unit also detects ICMP sweeps that do not have a predefined signature to block them. The FortiGate IPS monitors traffic to ensure t...
Page 58 - Configuring ICMP sweep protection
Configuring ICMP sweep protection. To configure the ICMP sweep anomaly protection settings: 1 Go to Intrusion Protection > DoS Sensor. 2 Select Create New. 3 Configure the option...
Page 59 - Index
Index. A: alert email, configuring 11; anomalies, log messages 13; anomaly: destination session limit 48, flooding 48, scan 48, source session limit 48; attack log messages 12: anomalies 13, signature 12. C: comments, documentation 8; Create New...