Enabling IPS scanning

Enabling IPS scanning involves two separate features of FortiOS 5.6:

• The security policy allows certain network traffic based on the sender, receiver, interface, traffic type, and time of day. Firewall policies can also be used to deny traffic, but those policies do not apply to IPS scanning.
• The IPS sensor contains filters, signature entries, or both. These specify which signatures are included in the IPS sensor.

When IPS is enabled and an IPS sensor is selected in a security policy, and all network traffic matching the policy will be checked for the signatures in the IPS sensor.

General configuration steps

For best results in configuring IPS scanning, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Create an IPS sensor.
2. Add signatures and /or filters. These can be: l Pattern based l Rate based l Customized
3. Select a security policy or create a new one.
4. In the security policy, turn on IPS, and choose the IPS sensor from the list.

All the network traffic controlled by this security policy will be processed according to the settings in the policy. These settings include the IPS sensor you specify in the policy.

Creating an IPS sensor

You need to create an IPS sensor before specific signatures or filters can be chosen. The signatures can be added to a new sensor before it is saved. However, it is good practice to keep in mind that the sensor and its included filters are separate things, and that they are created separately.

To create a new IPS sensor

1. Go to Security Profiles > Intrusion Prevention.
2. Select the Create New icon in the top of the Edit IPS Sensor window.
3. Enter the name of the new IPS sensor.

Enabling IPS scanning

4. Optionally, enter a comment. The comment will appear in the IPS sensor list.
5. Select OK.

A newly created sensor is empty and contains no filters or signatures. You need to add one or more filters or signatures before the sensor will be of any use.

Adding an IPS filter to a sensor

While individual signatures can be added to a sensor, a filter allows you to add multiple signatures to a sensor by specifying the characteristics of the signatures to be added.

To create a new pattern based signature and filter

1. Go to Security Profiles > Intrusion Prevention.
2. Select the IPS sensor to which you want to add the filter using the drop-down list in the top row of the Edit IPS Sensor window or by going to the list window.
3. Under IPS Filters, select Add Filter.
4. Configure the filter that you require. Signatures matching all of the characteristics you specify in the filter will be included in the filter. Once finished, select Use Filters.

Application refers to the application affected by the attack and filter options include over 25 applications.

OS refers to the Operating System affected by the attack. The options include BSD, Linux, MacOS, Other, Solaris, and Windows.

Protocol refers to the protocol that is the vector for the attack; filter options include over 35 protocols, including

“other.”

Severity refers to the level of threat posed by the attack. The options include Critical, High, Medium, Low, and Info.

Target refers to the type of device targeted by the attack. The options include client and server.

5. Once you have selected the filters you wish to add, right-click the filters and choose an action for when a signature is triggered:

Action	Description
Pass	Select Pass to allow traffic to continue to its destination. Note: to see what the default for a signature is, go to the IPS Signatures page and enable the column Action, then find the row with the signature name in it.
Monitor	Select Monitor to allow traffic to continue to its destination and log the activity. The log will appear under Log & Report but will only be visible in the GUI in the event of an intrusion.
Block	Select Block to drop traffic matching any the signatures included in the filter.
Reset	Select Reset to reset the session whenever the signature is triggered. In the CLI this action is referred to as Reject.

Enabling IPS scanning

Action	Description
Default	Select Default to use the default action of the signature.
Quarantine	The quarantine based on the attacker’s IP Address – Traffic from the Attacker’s IP address is refused until the expiration time from the trigger is reached. You may set the Quarantine Duration to any number of Days, Hours, or Minutes.
Packet Logging	Select to enable packet logging for the filter. When you enable packet logging on a filter, the unit saves a copy of the packets that match any signatures included in the filter. The packets can be analyzed later. For more information about packet filtering, see “Configuring packet logging options”.

6. Select Apply.

The filter is created and added to the filter list.

Adding rate based signatures

These are a subset of the signatures that are found in the database that are normally set to monitor. This group of signatures is for vulnerabilities that are normally only considered a serious threat when the targeted connections come in multiples, a little like DoS attacks.

Adding a rate based signature is straight forward. Select the enable button in the Rate Based Signature table that corresponds with the desired signature.

Customized signatures

Customized signatures must be created before they can be added to the sensor. To get more details on customized signatures check the Custom Application & IPS Signatures chapter.