Fortinet 100 Preventing attacks

Network Intrusion Detection System (NIDS) Enabling NIDS attack prevention

FortiGate-100 Installation and Configuration Guide 225

Figure 35:Example user-defined signature list

Downloading the user-defined signature list

You can back up the user-defined signature list by downloading it to a text file on the

management computer.

1Go to NIDS > Detection > User Defined Signature List.

2Select Download.

The FortiGate unit downloads the user-defined signature list to a text file on the

management computer. You can specify a location to which to download the text file

as well as a name for the text file.

Preventing attacks

NIDS attack prevention protects the FortiGate unit and the networks connected to it

from common TCP, ICMP, UDP, and IP attacks. You can enable the NIDS attack

prevention to prevent a set of default attacks with default threshold values. You can

also enable and set the threshold values for individual attack signatures.

•Enabling NIDS attack prevention

•Enabling NIDS attack prevention signatures

•Setting signature threshold values

•Configuring synflood signature values

Enabling NIDS attack prevention

1Go to NIDS > Prevention.

2Select Enable in the top left corner.

Note: After the FortiGate unit reboots, the NIDS attack prevention and synflood prevention are

always disabled.

Contents

Main Page Table of Contents 4 Page 6 Virus and attack definitions updates and registration..................................... 91 Page 8 Page 10 Network Intrusion Detection System (NIDS) ................................................... 221 Page Page Introduction Antivirus protection Web content filtering Email filtering Firewall NAT/Route mode 16 Transparent mode Network intrusion detection VPN Secure installation, configuration, and management Web-based manager 18 Command line interface Logging and reporting Whats new in Version 2.50 System administration Network configuration Routing Page Page About this document Document conventions 24 Fortinet documentation Comments on Fortinet technical documentation Customer service and technical support Page Getting started 28 Package contents Mounting Dimensions Weight Power requirements Powering on Connecting to the web-based manager Connecting to the command line interface (CLI) Factory default FortiGate configuration settings 32 Factory default NAT/Route mode network configuration Factory default Transparent mode network configuration Factory default firewall configuration The factory default firewall configuration is the same in NAT/Route and Transparent mode. 34 Factory default content profiles Strict content profile Scan content profile 36 Web content profile Unfiltered content profile Planning your FortiGate configuration NAT/Route mode 38 NAT/Route mode with multiple external network connections Transparent mode Configuration options Setup Wizard CLI FortiGate model maximum values matrix Next steps Page NAT/Route mode installation Preparing to configure NAT/Route mode 44 Advanced NAT/Route mode settings DMZ interface Using the setup wizard Starting the setup wizard Reconnecting to the web-based manager Using the command line interface Configuring the FortiGate unit to operate in NAT/Route mode Page Connecting the FortiGate unit to your networks 48 Configuring your networks Completing the configuration Configuring the DMZ interface Setting the date and time Enabling antivirus protection Configuration example: Multiple connections to the Internet Page Configuring Ping servers Destination based routing examples Primary and backup links to the Internet 52 Load sharing Load sharing and primary and secondary connections Page 54 Policy routing examples Routing traffic from internal subnets to different external networks Routing a service to an external network Firewall policy example Adding a redundant default policy Adding more firewall policies Page Transparent mode installation Preparing to configure Transparent mode 58 Using the setup wizard Changing to Transparent mode Starting the setup wizard Reconnecting to the web-based manager Using the command line interface Changing to Transparent mode Configuring the Transparent mode management IP address Configure the Transparent mode default gateway Connecting the FortiGate unit to your networks Completing the configuration Setting the date and time Enabling antivirus protection Registering your FortiGate Configuring virus and attack definition updates Transparent mode configuration examples Default routes and static routes Example default route to an external network Example static route to an external destination Page Page Example static route to an internal destination Page System status Changing the FortiGate host name Changing the FortiGate firmware Upgrade to a new firmware version Upgrading the firmware using the web-based manager Upgrading the firmware using the CLI 72 Revert to a previous firmware version Reverting to a previous firmware version using the web-based manager Reverting to a previous firmware version using the CLI Page Install a firmware image from a system reboot using the CLI Page Test a new firmware image before installing it Page Installing and using a backup firmware image Installing a backup firmware image Page Switching to the backup firmware image 82 Switching back to the default firmware image Manual virus definition updates Manual attack definition updates Displaying the FortiGate serial number Displaying the FortiGate up time Backing up system settings Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT/Route mode Restarting the FortiGate unit 86 Shutting down the FortiGate unit System status Viewing CPU and memory status Viewing sessions and network status 88 Viewing virus and intrusions status Session list Page Virus and attack definitions updates and registration Updating antivirus and attack definitions 92 Connecting to the FortiResponse Distribution Network Configuring scheduled updates 94 Configuring update logging Adding an override server Manually updating antivirus and attack definitions Configuring push updates 96 To enable push updates About push updates Push updates and external dynamic IP addresses Push updates through a NAT device Example: push updates through a NAT device Page Page 100 Scheduled updates through a proxy server Registering FortiGate units FortiCare Service Contracts 102 Registering the FortiGate unit Page 104 Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number 106 Changing your Fortinet support password Changing your contact information or security question Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Page Network configuration Configuring interfaces 110 Viewing the interface list Bringing up an interface Changing an interface static IP address Adding a secondary IP address to an interface Adding a ping server to an interface Controlling management access to an interface Page Configuring the external interface for PPPoE Changing the external interface MTU size to improve network performance 114 Configuring the management interface (Transparent mode) Adding DNS server IP addresses Configuring routing 116 Adding a default route Adding destination-based routes to the routing table Adding routes in Transparent mode 118 Configuring the routing table Policy routing Policy routing command syntax Providing DHCP services to your internal network 120 Viewing the dynamic IP list RIP configuration RIP settings 7Select Apply to save your changes. Configuring RIP for FortiGate interfaces Adding RIP neighbors 126 Adding RIP filters Adding a single RIP filter Adding a RIP filter list 128 Adding a neighbors filter Adding a routes filter System configuration Setting system date and time Changing web-based manager options Page 132 Adding and editing administrator accounts Adding new administrator accounts Editing administrator accounts 134 Configuring SNMP Configuring the FortiGate unit for SNMP monitoring Configuring FortiGate SNMP support FortiGate MIBs 136 FortiGate traps Customizing replacement messages Customizing replacement messages 138 Customizing alert emails Block alert Critical event Page Firewall configuration 142 Default firewall configuration Addresses Services Schedules Content profiles Adding firewall policies Page 146 VPN Tunnel Traffic Shaping Authentication Anti-Virus & Web filter Page Configuring policy lists Policy matching in detail Changing the order of policies in a policy list 150 Enabling and disabling policies Addresses Adding addresses 152 Editing addresses Deleting addresses Organizing addresses into address groups Services Predefined services Page Page 156 Providing access to custom services Grouping services Schedules 158 Creating one-time schedules Creating recurring schedules Adding a schedule to a policy 160 Virtual IPs Adding static NAT virtual IPs Adding port forwarding virtual IPs Page Adding policies with virtual IPs 164 IP pools Adding an IP pool IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT 166 IP/MAC binding Configuring IP/MAC binding for packets going through the firewall Configuring IP/MAC binding for packets going to the firewall Adding IP/MAC addresses 168 Viewing the dynamic IP/MAC list Enabling IP/MAC binding Content profiles 170 Default content profiles Adding a content profile Adding a content profile to a policy Page Users and authentication 174 Setting authentication timeout Adding user names and configuring authentication Adding user names and configuring authentication Deleting user names from the internal database 176 Configuring RADIUS support Adding RADIUS servers Deleting RADIUS servers Configuring LDAP support Adding LDAP servers 178 Deleting LDAP servers Configuring user groups Adding user groups 180 Deleting user groups IPSec VPN 182 Key management Manual Keys Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates AutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPN Adding a manual key VPN tunnel Page AutoIKE IPSec VPNs General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPN Page Page 4Optionally, configure NAT Traversal. 6Select OK to save the phase 1 parameters. Adding a phase 2 configuration for an AutoIKE VPN Page Managing digital certificates Obtaining a signed local certificate 192 Generating the certificate request Page 194 Retrieving the signed local certificate Importing the signed local certificate Obtaining a CA certificate Retrieving a CA certificate Importing a CA certificate Configuring encrypt policies Adding an encrypt policy Page IPSec VPN concentrators VPN concentrator (hub) general configuration steps Page Page 202 VPN spoke general configuration steps Redundant IPSec VPNs Configuring redundant IPSec VPN Page Monitoring and Troubleshooting VPNs Viewing VPN tunnel status Viewing dialup VPN connection status 206 Testing a VPN PPTP and L2TP VPN Configuring PPTP Page Adding a source address Adding an address group 210 Adding a destination address Adding a firewall policy Configuring a Windows 98 client for PPTP Installing PPTP support Configuring a Windows 2000 client for PPTP 212 Configuring a Windows XP client for PPTP Configuring the VPN connection Configuring L2TP Page Adding a source address Adding an address group 216 Adding a destination address Adding a firewall policy Configuring a Windows 2000 client for L2TP Configuring an L2TP dialup connection Disabling IPSec 218 Connecting to the L2TP VPN Configuring a Windows XP client for L2TP Configuring an L2TP VPN dialup connection Configuring the VPN connection Disabling IPSec Page Network Intrusion Detection System (NIDS) Detecting attacks Page Viewing the signature list Viewing attack descriptions 224 Enabling and disabling NIDS attack signatures Adding user-defined signatures Downloading the user-defined signature list Preventing attacks Enabling NIDS attack prevention 226 Enabling NIDS attack prevention signatures Setting signature threshold values Page 228 Configuring synflood signature values Logging attacks Logging attack messages to the attack log Reducing the number of NIDS attack log and email messages Automatic message reduction Manual message reduction Page Antivirus protection Antivirus scanning File blocking Blocking files in firewall traffic Adding file patterns to block 234 Blocking oversized files and emails Configuring limits for oversized files and email Exempting fragmented email from blocking Viewing the virus list Web filtering 236 Content blocking Adding words and phrases to the banned word list URL blocking Using the FortiGate web filter Adding URLs or URL patterns to the block list 238 Clearing the URL block list Downloading the URL block list Uploading a URL block list 240 Using the Cerberian web filter Installing a Cerberian license key on the FortiGate unit Adding a Cerberian user to the FortiGate unit Configuring Cerberian web filter Enabling Cerberian URL filtering 242 Script filtering Enabling the script filter Selecting script filter options Exempt URL list Adding URLs to the exempt URL list Page Email filter 246 Email banned word list Adding words and phrases to the banned word list Email block list Adding address patterns to the email block list Email exempt list 248 Adding address patterns to the email exempt list Adding a subject tag Logging and reporting Recording logs 250 Recording logs on a remote computer Recording logs on a NetIQ WebTrends server Recording logs in system memory Filtering log messages Page Configuring traffic logging Enabling traffic logging Enabling traffic logging for an interface Enabling traffic logging for a firewall policy 254 Configuring traffic filter settings Adding traffic filter entries Viewing logs saved to memory Viewing logs 256 Searching logs Configuring alert email Adding alert email addresses Testing alert email Enabling alert email Page Glossary Page Page Page Index A 264 B C D E F G H I 266 J K L M N O P 268 R S T 270 U V W