FortiOS 6 – Intrusion prevention

Enabling IPS packet logging

Packet logging saves the network packets containing the traffic matching an IPS signature to the attack log. The FortiGate unit will save the logged packets to wherever the logs are configured to be stored, whether memory, internal hard drive, a FortiAnalyzer unit, or the FortiGuard Analysis and Management Service.

You can enable packet logging in the filters. Use caution in enabling packet logging in a filter. Filters configured with few restrictions can contain thousands of signatures, potentially resulting in a flood of saved packets. This would take up a great deal of space, require time to sort through, and consume considerable system resources to process. Packet logging is designed as a focused diagnostic tool and is best used with a narrow scope.


Although logging to multiple FortiAnalyzer units is supported, packet logs are not sent to the secondary and tertiary FortiAnalyzer units. Only the primary unit receives packet logs.

To enable packet logging for a filter

  1. Create a filter in an IPS sensor.
  2. After creating the filter, right-click the filter, and select Enable in the Packet Logging column of the filter table.
  3. Select the IPS sensor in the security policy that allows the network traffic the FortiGate unit will examine for the signature.

For information on viewing and saving logged packets, see Configuring packet logging options below.

IPS logging changes

IPS operations that are severely affected by disk logging, such as attack logging, SNMP trap generation, and quarantine, are moved out of the fast scanning path.

Scanning processes are dedicated to nothing but scanning, which results in more evenly distributed CPU usage. Slow (IPS) operations are taken care of in a dedicated process, which usually stays idle.

Setting packet-log-history to a value larger than 1 can affect the performance of the FortiGate unit because network traffic must be buffered. The performance penalty depends on the model, the setting, and the traffic load.
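The packet-logging procedure above and the packet-log-history setting, done from the CLI as an added example that is not taken from the original guide: the filter is kept deliberately narrow (high and critical client-side Windows signatures only) before packet capture is switched on, and the history depth is left at 1 so no traffic has to be buffered. The sensor name and comment are constructed; the attribute names log-packet and packet-log-history are taken from the FortiOS 6 CLI reference as I recall it, so confirm them on your firmware with ? at the prompt.

```fortios
# Constructed example: a narrowly scoped IPS filter with packet logging enabled.
config ips sensor
    edit "packetlog_ips"
        set comment "Diagnostic packet capture for Windows client attacks"
        config entries
            edit 1
                # Keep the filter narrow: a broad filter can match thousands
                # of signatures and flood the log store with saved packets.
                set location client
                set os windows
                set severity high critical
                set status enable
                set log enable
                # Save the matching packets to the attack log
                # (the GUI's Packet Logging column set to Enable).
                set log-packet enable
            next
        end
    next
end

# Packets buffered before the matching one. 1 is the default; larger values
# force traffic to be buffered and cost CPU and memory on every model.
config ips settings
    set packet-log-history 1
end

# The sensor only scans traffic once it is selected in a security policy.
config firewall policy
    edit 1
        set utm-status enable
        set ips-sensor "packetlog_ips"
    next
end
```

Disable log-packet again once the diagnosis is finished; the guide treats packet logging as a focused tool, not a permanent setting.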

Other IPS examples

Configuring basic Intrusion Prevention

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable IPS on a FortiGate unit located in a satellite office. The satellite office contains only Windows clients.

Creating an IPS sensor

Most IPS settings are configured in an IPS sensor. IPS sensors are selected in firewall policies. This way, you can create multiple IPS sensors, and tailor them to the traffic controlled by the security policy in which they are selected. In this example, you will create one IPS sensor.

To create an IPS sensor — GUI

  1. Go to Security Profiles > Intrusion Prevention.
  2. Select the Create New icon in the top of the Edit IPS Sensor window.
  3. In the Name field, enter basic_ips.
  4. In the Comments field, enter IPS for Windows clients.
  5. Select OK.
  6. Select the Create New drop-down to add a new component to the sensor, and for Sensor Type choose Filter.
  7. In Filter Options, choose the following:
  8. For Severity, select all of the options.
  9. For Target, select Client.
  10. For OS, select Windows.
  11. For Action, leave the default.
  12. Select OK to save the filter.
  13. Select OK to save the IPS sensor.

To create an IPS sensor — CLI

config ips sensor
    edit basic_ips
        set comment "IPS for Windows clients"
        config entries
            edit 1
                set location client
                set os windows
            next
        end
    next
end

Selecting the IPS sensor in a security policy

An IPS sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an IPS sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.

To select the IPS sensor in a security policy — GUI

  1. Go to Policy & Objects > IPv4 Policy.
  2. Select a policy.
  3. Select the Edit icon.
  4. Enable the IPS option under Security Profiles.
  5. Select the preferred IPS sensor from the dropdown menu.
  6. Select OK to save the security policy.

To select the IPS sensor in a security policy — CLI

config firewall policy
    edit 1
        set utm-status enable
        set ips-sensor basic_ips
    next
end

The IPS sensor in this example is basic_ips. All traffic handled by the security policy you modified will be scanned for attacks against Windows clients. A small office may have only one security policy configured. If you have multiple policies, consider enabling IPS scanning for all of them.

This entry was posted in Administration Guides, FortiOS 6.

About Mike

Michael Pruett, CISSP, has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge, resulting in the wrong hardware or configuration being deployed, is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. He owns PacketLlama.Com (Fortinet hardware sales) and Office Of The CISO, LLC (a cybersecurity consulting firm).
