Tag Archives: fortigate Enable IPS scanning

Enable IPS scanning

Enable IPS scanning

Enabling IPS scanning involves two separate parts of the FortiGate unit:

  • The security policy allows certain network traffic based on the sender, receiver, interface, traffic type, and time of day. Firewall policies can also be used to deny traffic, but those policies do not apply to IPS scanning.
  • The IPS sensor contains filters, signature entries, or both. These specify which signatures are included in the IPS sensor.

When IPS is enabled, an IPS sensor is selected in a security policy, and all network traffic matching the policy will be checked for the signatures in the IPS sensor.

 

General configuration steps

For best results in configuring IPS scanning, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Create an IPS sensor.

2. Add signatures and /or filters.

These can be:

  • Pattern based
  • Rate based
  • Customized

3. Select a security policy or create a new one.

4. In the security policy, turn on IPS, and choose the IPS sensor from the list.

All the network traffic controlled by this security policy will be processed according to the settings in the policy. These settings include the IPS sensor you specify in the policy.

 

Creating an IPS sensor

You need to create an IPS sensor before specific signatures or filters can be choosen. The signatures can be added to a new sensor before it is saved, but it is a good practice to keep in mind that the sensor and its included filters are separte things, and therefore their creation will be treated separately.

 

To create a new IPS sensor

1. Go to Security Profiles > Intrusion Protection.

2. Select the Create New icon in the top of the Edit IPS Sensor window.

3. Enter the name of the new IPS sensor.

4. Optionally, you may also enter a comment. The comment will appear in the IPS sensor list and serves to remind you of the details of the sensor.

5. Select OK.

A newly created sensor is empty and contains no filters or signatures. You need to add one or more filters or signatures before the sensor will be of any use.

 

Adding an IPS filter to a sensor

While individual signatures can be added to a sensor, a filter allows you to add multiple signatures to a sensor by specifying the characteristics of the signatures to be added.

 

To create a new Pattern Based Signature and Filter

1. Go to Security Profiles > Intrusion Protection.

2. Select the IPS sensor to which you want to add the filter using the drop-down list in the top row of the Edit IPS Sensor window or by going to the list window.

3. Under IPS Filters, select Add Filter.

4. Configure the filter that you require. Signatures matching all of the characteristics you specify in the filter will be included in the filter. Once finished, select Use Filters.

Severity refers to the level of threat posed by the attack. The options include Critical, High, Medium, Low, and Info.

Target refers to the type of device targeted by the attack. The options include Clients and Server.

OS refers to the Operating System affected by the attack. The options include BSD, Linux, MacOS, Other,

Solaris, and Windows.

5. Once you have selected the filters you wish to add, right-click the filters and choose an action for when a signature is triggered:

 

Action                      Description
Pass                          Select Pass to allow traffic to continue to its destination.

 

Note: to see what the default for a signature is, go to the IPS Signatures page and enable the column Action, then find the row with the signature name in it.

Block                         Select Block to drop traffic matching any the signatures included in the filter.
Reset                         Select Reset to reset the session whenever the signature is triggered. In the CLI this action is referred to as Reject.
Default                      Select Default to pass all traffic matching the signatures included in the filter, regard- less of their default setting.
Quarantine               The quarantine based on the attacker’s IP Address – Traffic from the Attacker’s IP address is refused until the expiration time from the trigger is reached. You may set the Quarantine Duration to any number of Days, Hours, or Minutes.
Packet Logging       Select to enable packet logging for the filter.

 

When you enable packet logging on a filter, the unit saves a copy of the packets that match any signatures included in the filter. The packets can be analyzed later.

 

For more information about packet filtering, see “Configuring packet logging options”.


6
. Select Apply.

The filter is created and added to the filter list.

 

Adding Rate Based Signatures

These are a subset of the signatures that are found in the database that are normally set to monitor. This group of signatures is for vulnerabilities that are normally only considered a serious threat when the targeted connections come in multiples, a little like DoS attacks.

Adding a rate based signature is straight forward. Select the enable button in the Rate Based Signature table that corresponds with the desired signature.

 

Customized signatures

Customized signatures must be created before they can be added to the sensor. To get more details on customized signatures check the IPS Signatures chapter.

 

Updating predefined IPS signatures

The FortiGuard Service periodically updates the pre-defined signatures and adds new signatures to counter emerging threats as they appear.

To ensure that your system is providing the most protection available, these updates can be scheduled as often as on an hourly basis. To configure this feature, go to System > FortiGuard. Under AntiViru& IPS Scanning, enable Schedule Updates. From here you can set the updates to occur on a consistent weekly, daily, or even hourly basis.

Because the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.

 

Viewing and searching predefined IPS signatures

Go to Security Profiles > Intrusion Protection. Select [View IPS Signatures] to view the list of existing IPS signatures. You may find signatures by paging manually through the list, apply filters, or by using the search field.

 

Searching manually

Signatures are displayed in a paged list, with 50 signatures per page. The bottom of the screen shows the current page and the total number of pages. You can enter a page number and press enter, to skip directly to that page. Previous Page and Next Page buttons move you through the list, one page at a time. The First Page and Last Page button take you to the beginning or end of the list.

 

Searching CVE-IDs

A CVEID column displaying CVE-IDs can be optionally added to the IPS Signatures list, however the column is only available if the IPS package contains CVE-IDs for signatures. CVE-IDs can be numerically filtered by selecting the CVE-ID column’s arrows.

 

Applying filters

You can enter criteria for one of more columns, and only the signatures matching all the conditions you specify will be listed.

 

To apply filters

1. Go to Security Profiles > Intrusion Protection. Select [View IPS Signatures] .

2. Select column by which to filter.

3. Select the funnel/filter icon and enter the value or values to filter by.

4. Use additional columns as needed to refine search.

The available options vary by column. For example, Enable allows you to choose between two options, while OS has multiple options, and you may select multiple items together. Filtering by name allows you to enter a text string and all signature names containing the string will be displayed.