Fortinet Understanding FortiGate IPS and How to Configure Exempt IPs

Page 44

Configuring IPS sensors

IPS sensors

Note: Before an override can affect network traffic, you must add it to a filter, and you must select the filter in a protection profile applied to a policy. An override does not have the ability to affect network traffic until these steps are taken.

To edit a pre-defined or custom override, go to Intrusion Protection >

IPS Sensor and select the Edit icon of the IPS sensor containing the override you want to edit. When the sensor window opens, select the Edit icon of the override you want to change.

Figure 11: Configure IPS override

Signature	Select the browse icon to view the list of available signatures. From this
	list, select a signature the override will apply to and then select OK.
Enable	Select to enable the signature override.
Action	Select one of Pass, Block or Reset. When the override is enabled, the
	action determines what the FortiGate will do with traffic containing the
	specified signature.
Logging	Select to enable creation of a log entry if the signature is discovered in
	network traffic.
Packet Log	Select to save packets that trigger the override to the FortiGate hard
	drive for later examination. This option is only valid on FortiGate units
	with an internal hard drive.
Exempt IP:	Enter IP addresses to exclude from the override. The override will then
	apply to all IP addresses except those defined as exempt. The exempt
	IP addresses are defined in pairs, with a source and destination, and
	traffic moving from the source to the destination is exempt from the
	override.
	Source	The exempt source IP address. Enter 0.0.0.0/0 to
		include all source IP addresses.

Destination: The exempt destination IP address. Enter 0.0.0.0/0 to include all destination IP addresses.

FortiGate IPS User Guide Version 3.0 MR7

44	01-30007-0080-20080916

Image 44

Contents E R G U I D E Trademarks Contents Protocol decoders IPS sensorsDoS sensors SYN flood attacksIntroduction FortiGate IPSAbout this document Fortinet documentationDocument conventions Typographic conventionsFortiGate Pptp VPN User Guide Comments on Fortinet technical documentation Customer service and technical supportFortinet Knowledge Center This section contains the following topics IPS overview and general configurationIPS settings and controls When to use IPS Default signature and anomaly settingsDefault fail open setting Config ips global Set fail-open enable disable endSetting the buffer size Configuring logging and alert emailMonitoring the network and dealing with attacks Controlling sessionsAttack log messages Signature Anomaly FortiGuard CenterUsing IPS sensors in a protection profile Creating a protection profile that uses IPS sensorsAdding protection profiles to firewall policies Select Create NewAdding protection profiles to user groups Using IPS sensors in a protection profile Viewing the predefined signature list Predefined signaturesIPS predefined signatures Settings EnableColumn Clear All FiltersCreate a sensor and add IPS filters to it Viewing the predefined signature list Viewing the custom signature list Custom signaturesIPS custom signatures Custom signature configuration Adding custom signatures using the web-based managerAdding custom signatures using the CLI Command syntax patternShows the valid characters for custom signature fields Creating custom signaturesCustom signature fields Custom signature syntax AttackidName BufferOverflow SrcportContent keywords Keyword and value Description Deprecated, see pattern and context keywords Pattern GET Context uriPattern yahoo.com Context hostPcre Regex/mdelimRegexdelimismxAEGRU Uri !uristrProtocol tcp IP header keywords Keyword and Value DescriptionTCP header keywords Keyword and Value Description Tcpflags AP Tcpflags S,12Other keywords Keyword and Value Description UDP header keywords Keyword and Value DescriptionIcmp keywords Keyword and Value Usage Sbid --name Block.example.com Example 1 signature to block access to example.comExample custom signatures Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD --pattern vrfy Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD Creating custom signatures Upgrading the IPS protocol decoder list Protocol decodersProtocol decoders Viewing the protocol decoder list Protocol decoder list Protocols Protocol decoder names PortAlldefault AlldefaultpassIPS sensors Viewing the IPS sensor listConfiguring IPS sensors Adding an IPS sensorProtectclient ProtectemailserverIPS sensor attributes IPS sensor filtersConfiguring filters ResetIPS sensor overrides Delete and Edit Delete or edit the filter IconsConfiguring pre-defined and custom overrides ApplicationExempt IP SourceDoS sensors Configuring DoS sensors Viewing the DoS sensor listSequence in which the sensors examine network traffic Appears, and select OKAnomaly configuration DoS sensor attributesName Enter or change the DoS sensor name Comments Will appear in the DoS sensor listUnderstanding the anomalies Anomaly Description Tcpdstsession UdpfloodUdpscan UdpsrcsessionUnderstanding the anomalies How SYN floods work What is a SYN flood attack?SYN flood attacks What is SYN threshold? What is SYN proxy?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floodsIPS operation before synflood threshold is reached Configure the options for tcpsynflood Select OK Configuring SYN flood protectionSuggested settings for different network conditions What is an Icmp sweep? Icmp sweep attacksHow Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacksPredefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection Index FortiGate Version 3.0 MR7 IPS User GuideTechnical support