Fortinet UTM Features

Enable IPS packet logging

Packet logging saves the network packets containing the traffic matching an IPS signature to the attack log. The FortiGate unit will save the logged packets to wherever the logs are configured to be stored, whether memory, internal hard drive, a FortiAnalyzer unit, or the FortiGuard Analysis and Management Service.

You can enable packet logging in the filters. Use caution in enabling packet logging in a filter. Filters configured with few restrictions can contain thousands of signatures, potentially resulting in a flood of saved packets. This would take up a great deal of space, require time to sort through, and consume considerable system resources to process. Packet logging is designed as a focused diagnostic tool and is best used with a narrow scope.

To enable packet logging for a filter

  1. Create a filter in an IPS sensor. For more information, see “Creating an IPS filter” on page 58.
  2. Before saving the filter, select Enable All for Packet Logging.
  3. Select the IPS sensor in the security policy that allows the network traffic the FortiGate unit will examine for the signature.

For information on viewing and saving logged packets, see “Monitoring Security Profiles  activity” on page 169.

IPS examples

Configuring basic IPS protection

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable IPS protection on a FortiGate unit located in a satellite office. The satellite office contains only Windows clients.

Creating an IPS sensor

Most IPS settings are configured in an IPS sensor. IPS sensors are selected in firewall policies. This way, you can create multiple IPS sensors, and tailor them to the traffic controlled by the security policy in which they are selected. In this example, you will create one IPS sensor.

To create an IPS sensor— web-based manager

  1. Go to Security Profiles > Intrusion Protection > IPS Sensors.
  2. Select the Create New icon in the top of the Edit IPS Sensor window.
  3. In the Name field, enter basic_ips.
  4. In the Comments field, enter IPS protection for Windows clients.
  5. Select OK.
  6. Select the Create New drop-down to add a new component to the sensor and for the Sensor Type choose Filter
  7. In the Filter Options choose the following:
    1. For Severity: select all of the options
    2. For Target: select Client
    3. For OS: select Windows
  8. For the Action leave as the default.
  9. Select OK to save the filter.

10.Select OK to save the IPS sensor.

To create an IPS sensor — CLI config ips sensor edit basic_ips set comment “IPS protection for Windows clients” config entries edit 1 set location client set os windows

end end

Selecting the IPS sensor in a security policy

An IPS sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an IPS sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.

To select the IPS sensor in a security policy — web-based manager

  1. Go to Policy > Policy > Policy.
  2. Select a policy.
  3. Select the Edit
  4. Enable the IPS
  5. Select the basic_ips profile from the list.
  6. Select OK to save the security policy.

To select the IPS sensor in a security policy — CLI config firewall policy edit 1 set utm-status enable set ips-sensor basic_ips

end

All traffic handled by the security policy you modified will be scanned for attacks against Windows clients. A small office may have only one security policy configured. If you have multiple policies, consider enabling IPS scanning for all of them.

Using IPS to protect your web server

Many companies have web servers and they must be protected from attack. Since web servers must be accessible, protection is not as simple as blocking access. IPS is one tool your FortiGate unit has to allow you to protect your network.

In this example, we will configure IPS to protect a web server. As shown in Figur e 10 on  page 69, a FortiGate unit protects a web server and an internal network. The internal network will have its own policies and configuration but we will concentrate on the web server in this example.

The FortiGate unit is configured with:

  • a virtual IP to give the web server a unique address accessible from the Internet.
  • a security policy to allow access to the web server from the Internet using the virtual IP.

To protect the web server using intrusion protection, you need to create an IPS sensor, populate it with filters, then enable IPS scanning in the security policy.

To create an IPS sensor

  1. Go to Security Profiles > Intrusion Protection > IPS Sensors and select Create New.
  2. Enter web_server as the name of the new IPS sensor.
  3. Select OK.

The new IPS sensor is created but it has no filters, and therefore no signatures are included.

The web server operating system is Linux, so you need to create a filter for all Linux server signatures.

To create the Linux server filter

  1. Go to Security Profiles > Intrusion Protection > IPS Sensors and select the web_server IPS sensor and select the Edit
  2. Select Add Filter.
  3. Enter Linux Server as the name of the new filter.
  4. For Target, select Specify and choose server.
  5. In the Filter Options choose the following:
    1. For Severity: select all of the options
    2. For Target: select server
    3. For OS: select Linux
  6. Select OK.

 

The filter is saved and the IPS sensor page reappears. In the filter list, find the Linux Server filter and look at the value in the Count column. This shows how many signatures match the current filter settings. You can select the View Rules icon to see a listing of the included signatures.

To edit the security policy

  1. Go to Policy > Policy > Policy, select security policy that allows access to the web server, and select the Edit
  2. Enable IPS option and choose the web_server IPS sensor from the list.
  3. Select OK.

Since IPS is enabled and the web_server IPS sensor is specified in the security policy controlling the web server traffic, the IPS sensor examines the web server traffic for matches to the signatures it contains.

Create and test a packet logging IPS sensor

In this example, you create a new IPS sensor and include a filter that detects the EICAR test file and saves a packet log when it is found. This is an ideal first experience with packet logging because the EICAR test file can cause no harm, and it is freely available for testing purposes.

Create an IPS senor

  1. Go to Security Profiles > Intrusion Protection > IPS Sensors.
  2. Select Create New.
  3. Name the new IPS sensor EICAR_test.
  4. Select OK.

Create an entry

  1. Select the Create New drop down menu and for Sensor Type choose Specify Signatures.
  2. Rather than search through the signature list, use the name filter by selecting the search icon over the header of the Signature
  3. Enter EICAR in the Search field.
  4. Highlight the Virus.Test.File signature by clicking on it.
  5. Select Block All as the Action.
  6. Select Enable, Packet Logging.
  7. Select OK to save the IPS sensor.

You are returned to the IPS sensor list. The EICAR test sensor appears in the list.

Add the IPS sensor to the security policy allowing Internet access

  1. Go to Policy > Policy > Policy.
  2. Select the security policy that allows you to access the Internet.
  3. Select the Edit
  4. Enable Log Allowed Traffic.
  5. Enable the IPS
  6. Choose EICAR test from the available IPS sensors.
  7. Select OK.

With the IPS sensor configured and selected in the security policy, the FortiGate unit blocks any attempt to download the EICAR test file.

Test the IPS sensor

  1. Using your web browser, go to http://www.eicar.org/anti_virus_test_file.htm.
  2. Scroll to the bottom of the page and select com from the row labeled as using the standard HTTP protocol.
  3. The browser attempts to download the requested file and,
  • If the file is successfully downloaded, the custom signature configuration failed at some point. Check the custom signature, the IPS sensor, and the firewall profile.
  • If the download is blocked with a high security alert message explaining that you’re not permitted to download the file, the EICAR test file was blocked by the FortiGate unit antivirus scanner before the IPS sensor could examine it. Disable antivirus scanning and try to download the EICAR test file again.
  • If no file is downloaded and the browser eventually times out, the custom signature successfully detected the EICAR test file and blocked the download.

Viewing the packet log

  1. Go to Log&Report > Log & Archive Access > Security Log.
  2. Locate the log entry that recorded the blocking of the EICAR test file block. The Message field data will be tools: EICAR.AV.Test.File.Download.
  3. Select the View Packet Log icon in the Packet Log
  4. The packet log viewer is displayed.
This entry was posted in Fortinet, Fortinet GURU and tagged , , , , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

4 thoughts on “Fortinet UTM Features

  1. Cyrus Ramirez

    Would X.509 v3 certificates affect network connectivity should you attempt to use URLs instead of IP addresses for the commonName?

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.