Fortinet Understanding Fortigate IPS Default Action and IPS Signatures List

Page 17


Predefined signatures	IPS predefined signatures

Predefined signatures

This section describes:

•IPS predefined signatures

•Viewing the predefined signature list

IPS predefined signatures

Predefined signatures are arranged in alphabetical order. By default, some signatures are disabled to prevent interference with common traffic, but logging is enabled for all signatures.

Use the IPS sensor to customize the predefined signatures and apply appropriate sensors to different protection profiles. For details, see “IPS sensors” on page 39.

Note: By allowing your IPS signature settings to run on default, you may be slowing down the overall performance of the FortiGate unit. By fine tuning the predefined signature and logging setting, you can ensure maximum performance as well as maximum protection.

See “Fine tuning IPS predefined signatures for enhanced system performance” on page 18.

Viewing the predefined signature list

The predefined signature list displays the characteristics of each signature. Use these characteristics to define which signatures are included in your IPS sensors. The signature list also displays the default action, the default logging status, and whether the signature is enabled by default.

Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings are configured separately in each VDOM. All sensors and custom signatures will appear only in the VDOM in which they were created.

To view the predefined signature list, go to Intrusion Protection > Signature >

Predefined. You can also use filters to display the signatures you want to view.

Figure 3: Predefined signature list

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916	17

Image 17

Contents E R G U I D E Trademarks Contents IPS sensors Protocol decodersDoS sensors SYN flood attacksFortiGate IPS IntroductionFortinet documentation About this documentDocument conventions Typographic conventionsFortiGate Pptp VPN User Guide Comments on Fortinet technical documentation Customer service and technical supportFortinet Knowledge Center This section contains the following topics IPS overview and general configurationIPS settings and controls Default signature and anomaly settings When to use IPSDefault fail open setting Config ips global Set fail-open enable disable endConfiguring logging and alert email Setting the buffer sizeMonitoring the network and dealing with attacks Controlling sessionsAttack log messages Signature FortiGuard Center AnomalyCreating a protection profile that uses IPS sensors Using IPS sensors in a protection profileAdding protection profiles to firewall policies Select Create NewAdding protection profiles to user groups Using IPS sensors in a protection profile Viewing the predefined signature list Predefined signaturesIPS predefined signatures Enable SettingsColumn Clear All FiltersCreate a sensor and add IPS filters to it Viewing the predefined signature list Viewing the custom signature list Custom signaturesIPS custom signatures Adding custom signatures using the web-based manager Custom signature configurationAdding custom signatures using the CLI Command syntax patternShows the valid characters for custom signature fields Creating custom signaturesCustom signature fields Attackid Custom signature syntaxName BufferOverflow SrcportContent keywords Keyword and value Description Deprecated, see pattern and context keywords Context uri Pattern GETPattern yahoo.com Context hostRegex/mdelim PcreRegexdelimismxAEGRU Uri !uristrIP header keywords Keyword and Value Description Protocol tcpTCP header keywords Keyword and Value Description Tcpflags S,12 Tcpflags APOther keywords Keyword and Value Description UDP header keywords Keyword and Value DescriptionIcmp keywords Keyword and Value Usage Sbid --name Block.example.com Example 1 signature to block access to example.comExample custom signatures Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD --pattern vrfy Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD Creating custom signatures Upgrading the IPS protocol decoder list Protocol decodersProtocol decoders Protocol decoder list Protocols Protocol decoder names Port Viewing the protocol decoder listAlldefaultpass AlldefaultIPS sensors Viewing the IPS sensor listAdding an IPS sensor Configuring IPS sensorsProtectclient ProtectemailserverIPS sensor filters IPS sensor attributesReset Configuring filtersIPS sensor overrides Delete and Edit Delete or edit the filter IconsApplication Configuring pre-defined and custom overridesSource Exempt IPDoS sensors Viewing the DoS sensor list Configuring DoS sensorsSequence in which the sensors examine network traffic Appears, and select OKDoS sensor attributes Anomaly configurationName Enter or change the DoS sensor name Comments Will appear in the DoS sensor listUnderstanding the anomalies Udpflood Anomaly Description TcpdstsessionUdpscan UdpsrcsessionUnderstanding the anomalies How SYN floods work What is a SYN flood attack?SYN flood attacks What is SYN proxy? What is SYN threshold?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floodsIPS operation before synflood threshold is reached Configure the options for tcpsynflood Select OK Configuring SYN flood protectionSuggested settings for different network conditions Icmp sweep attacks What is an Icmp sweep?How Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacksPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection FortiGate Version 3.0 MR7 IPS User Guide IndexTechnical support