Tag Archives: FortiOS 6

FortiOS 6 – Intrusion prevention

Intrusion prevention

The FortiOS Intrusion Prevention System (IPS) combines signature detection and prevention with low latency and excellent reliability. With intrusion protection, you can create multiple IPS sensors, each containing a complete configuration based on signatures. Then, you can apply any IPS sensor to any security policy.

This section describes how to configure the FortiOS Intrusion Prevention settings.

This Handbook chapter includes Inside FortiOS: Intrusion Prevention System, which gives readers an overview of the features and benefits of key FortiOS 5.6 components. For readers who need greater detail, we provide the following:

IPS concepts

Enabling IPS scanning

IPS processing in an HA cluster

Configure IPS options

Enabling IPS packet logging

Other IPS examples

IPS concepts

The FortiOS Intrusion Prevention System (IPS) protects your network from outside attacks. Your FortiGate unit has two techniques to deal with these attacks: anomaly- and signature-based defense.

Anomaly-based defense

Anomaly-based defense is used when network traffic itself is used as a weapon. A host can be flooded with far more traffic than it can handle, making the host inaccessible. The most common example is the denial of service (DoS) attack, in which an attacker directs a large number of computers to attempt normal access of the target system. If enough access attempts are made, the target is overwhelmed and unable to service genuine users. The attacker does not gain access to the target system, but it is not accessible to anyone else.

The FortiGate DoS feature will block traffic above a certain threshold from the attacker and allow connections from other legitimate users. The DoS policy configuration can be found in the Firewall chapter of the Handbook.

Access control lists in DoS Policies

This feature allows you to define a list of IPs/subnets/ranges in a DoS policy and block those IPs from sending any traffic, by way of an ACL (access control list). The ACL looks similar to a firewall policy, but only checks source IP, destination IP, destination port, and protocol. To configure this in the GUI, go to Policy & Objects > IPv4 Access Control List and create a new policy. Enter the incoming interface, the source address, the destination address, the services impacted, and, optionally, a comment.

CLI Syntax

config firewall acl
    edit 1
        set interface "port1"
        set srcaddr "google-drive"
        set dstaddr "all"
        set service "ALL"
    next
end

Signature-based defense

Signature-based defense is used against known attacks or vulnerability exploits. These often involve an attacker attempting to gain access to your network. The attacker must communicate with the host in an attempt to gain access and this communication will include particular commands or sequences of commands and variables. The IPS signatures include these command sequences, allowing the FortiGate unit to detect and stop the attack.

Signatures

IPS signatures are the basis of signature-based intrusion prevention. Every attack can be reduced to a particular string of commands or a sequence of commands and variables. Signatures include this information so your FortiGate unit knows what to look for in network traffic.

Signatures also include characteristics about the attack they describe. These characteristics include the network protocol in which the attack will appear, the vulnerable operating system, and the vulnerable application.

To view the complete list of signatures, go to Security Profiles > Intrusion Prevention, and select View IPS Signatures. This will include the predefined signatures and any custom signatures that you may have created.

With the release of FortiOS 5.6, the IPS signatures list page shows which IPS package is currently deployed.

Users can also change their IPS package by hovering over the information icon next to the IPS package name. Text will appear that links directly to the FortiGate’s System > FortiGuard page from the IPS Signatures list page.

Protocol decoders

Before examining network traffic for attacks, the IPS engine uses protocol decoders to identify each protocol appearing in the traffic. Attacks are protocol-specific, so your FortiGate unit conserves resources by looking for attacks only in the protocols used to transmit them. For example, the FortiGate unit will only examine HTTP traffic for the presence of a signature describing an HTTP attack.

IPS engine

Once the protocol decoders separate the network traffic by protocol, the IPS engine examines the network traffic for the attack signatures.

IPS sensors

The IPS engine does not examine network traffic for all signatures. You must first create an IPS sensor and specify which signatures are included. Add signatures to sensors individually using signature entries, or in groups using IPS filters.

To view the IPS sensors, go to Security Profiles > Intrusion Prevention.

You can group signatures into IPS sensors for easy selection when applying to firewall policies. You can define signatures for specific types of traffic in separate IPS sensors, and then select those sensors in profiles designed to handle that type of traffic. For example, you can specify all of the web-server related signatures in an IPS sensor, and that sensor can then be applied to a firewall policy that controls all of the traffic to and from a web server protected by the unit.

The FortiGuard Service periodically updates the pre-defined signatures, with signatures added to counter new threats. Since the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.

Each IPS sensor consists of two parts: filters and overrides. Overrides are always checked before filters.

Each filter consists of a number of signature attributes. All of the signatures with those attributes, and only those signatures, are checked against traffic when the filter is run. If multiple filters are defined in an IPS sensor, they are checked against the traffic one at a time, from top to bottom. If a match is found, the unit takes the appropriate action and stops further checking.

A signature override can modify the behavior of a signature specified in a filter. A signature override can also add a signature not specified in the sensor’s filters. Custom signatures are included in an IPS sensor using overrides.

The signatures in the overrides are first compared to network traffic. If the IPS sensor does not find any matches, it then compares the signatures in each filter to network traffic, one filter at a time, from top to bottom. If no signature matches are found, the IPS sensor allows the network traffic.

The signatures included in the filter are only those matching every attribute specified. When created, a new filter has every attribute set to all, which causes every signature to be included in the filter. If the severity is changed to high, and the target is changed to server, the filter includes only signatures checking for high priority attacks targeted at servers.

IPS filters

IPS sensors contain one or more IPS filters. A filter is a collection of signature attributes that you specify. The signatures that have all of the attributes specified in a filter are included in the IPS filter.

For example, if your FortiGate unit protects a Linux server running the Apache web server software, you could create a new filter to protect it. By setting OS to Linux, and Application to Apache, the filter will include only the signatures that apply to both Linux and Apache. If you wanted to scan for all the Linux signatures and all the Apache signatures, you would create two filters, one for each.
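As an added illustration, not from the Handbook, the following Python models the matching order described above: overrides are checked first, then filters top to bottom with first match winning, and a filter includes a signature only when every specified attribute matches (unspecified attributes behave as "all"). Signature ids and attribute values are constructed for the example and are not real FortiGuard data.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional
# Constructed model of the sensor/filter/override rules; ids and values are made up.
@dataclass
class Signature:
    sig_id: int
    attrs: Dict[str, str]  # e.g. {"os": "Linux", "application": "Apache", ...}
@dataclass
class Filter:
    action: str
    wanted: Dict[str, str] = field(default_factory=dict)  # unspecified attribute == "all"

    def includes(self, sig: Signature) -> bool:
        # A signature is included only when every specified attribute matches.
        return all(v == "all" or sig.attrs.get(k) == v for k, v in self.wanted.items())
@dataclass
class Sensor:
    overrides: Dict[int, str]  # signature id -> action; always checked before filters
    filters: List[Filter]      # checked top to bottom; first match stops further checking

    def evaluate(self, matched: List[Signature]) -> Optional[str]:
        """Action for traffic that triggered `matched`, or None when the sensor allows it."""
        for sig in matched:
            if sig.sig_id in self.overrides:
                return self.overrides[sig.sig_id]
        for flt in self.filters:
            if any(flt.includes(sig) for sig in matched):
                return flt.action
        return None

def sig(i, os, app, sev, target):
    return Signature(i, {"os": os, "application": app, "severity": sev, "target": target})

SIGS = {  # constructed signature catalogue
    1: sig(1, "Linux", "Apache", "high", "server"),
    2: sig(2, "Linux", "OpenSSH", "medium", "server"),
    3: sig(3, "Windows", "IIS", "high", "server"),
    4: sig(4, "Linux", "Apache", "low", "client"),
}

def demo_sensor() -> Sensor:
    # The override for signature 2 wins over the "all Linux" filter because overrides go first.
    return Sensor(overrides={2: "pass"},
                  filters=[Filter("block", {"severity": "high", "target": "server"}),
                           Filter("monitor", {"os": "Linux"})])

def filter_ids(flt: Filter) -> List[int]:
    """Ids of catalogue signatures a filter includes, e.g. OS=Linux AND Application=Apache."""
    return sorted(s.sig_id for s in SIGS.values() if flt.includes(s))
```

A single filter with OS=Linux and Application=Apache includes only signatures 1 and 4, while two separate filters (Linux, Apache) together cover 1, 2 and 4, which is the distinction the Linux/Apache example above draws.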

To view the filters in an IPS sensor, go to Security Profiles > Intrusion Prevention, select the IPS sensor containing the filters you want to view, and select Edit.

Custom/predefined signature entries

Signature entries allow you to add an individual custom or predefined IPS signature. If you need only one signature, adding a signature entry to an IPS sensor is the easiest way. Signature entries are also the only way to include custom signatures in an IPS sensor.

Another use for signature entries is to change the settings of individual signatures that are already included in a filter within the same IPS sensor. Add a signature entry with the required settings above the filter, and the signature entry will take priority.

Policies

To use an IPS sensor, you must select it in a security policy or an interface policy. An IPS sensor that is not selected in a policy will have no effect on network traffic.

Enabling IPS scanning

IPS is most often configured as part of a security policy. Unless stated otherwise, discussion of IPS sensor use in this document refers to firewall policies.

Session timers for IPS sessions

A session time-to-live (TTL) timer for IPS sessions is available to reduce synchronization problems between the FortiOS Kernel and IPS, and to reduce IPS memory usage. The timeout values can be customized.

What I learned at Accelerate 18

I was incredibly blessed to get the opportunity to go to Las Vegas this year for the Fortinet Accelerate 18 conference. For those that don’t know, this conference is the Fortinet conference where they unveil all the goodies, provide excellent hands-on training, and give the clients, partners, and distributors the unique opportunity to mingle, get to know each other, and, more importantly, put faces to names for people that could have been working together for years and never got the face-to-face time they normally would have.

As always, this event was a blast. Obviously, any event that takes place in Sin City is going to be a fun adventure for any red-blooded male that has a few bucks and some time to kill, but let’s face it, that could probably be said about any major city these days.

This little post is going to be a summary of the things I consider to be the most important that I learned at the conference this year. This is purely subjective and geared more towards my interests, so you may have differences of opinion.

FortiOS 6

Just as FortiOS 5.6 was starting to get stable enough to use, Fortinet has unleashed FortiOS 6, which is going to bring a plethora of new features and capabilities. A lot of you will get a kick out of the revamped SD-WAN capabilities that make the functionality far superior to existing iterations. Not to mention the incredible visibility enhancements that are going to make your ability to decipher what is truly taking place on your network much easier.

FortiGate 6000 Series

The 7000 series (I’m running a 7060E) is an incredible piece of machinery. The 6000 series is going to provide excellent performance but in an appliance form. So, while you may be looking at doing some data center consolidation or space reduction, this is definitely going to be the edge “top of rack” style FortiGate that you are going to look at. The chassis are large, and with real estate being a premium, this appliance is really going to be a great replacement for those that aren’t looking to grow into the device (most chassis clients’ approach).

Wie Ling Neo Is Super Intelligent

Ok, so I didn’t learn this at Accelerate18. I got to learn this directly by having some discussions with her while troubleshooting some 7060E issues. Wie Ling is the product manager for the 5k chassis, 6k appliance, and 7k chassis. Words cannot describe how sharp this woman is. If you ever get the opportunity to sit down with her and discuss FortiGate architecture, why they do what they do, and how they work in general, you will be in for a treat.

The Fabric Is Growing

The direction the company is taking with the security fabric is incredible. When the fabric first came out I was skeptical. I thought to myself, “ahh, another fabric/API/thing that is never going to be used.” Well, I was wrong. Fortinet has taken this initiative and run with it, and the things that are coming out of the developers’ labs are just getting better and better. Automated responses, incident response readiness, it’s all going to be great.