Viewing the signature list, 251 | Fortinet 400 instruction

Network Intrusion Detection System (NIDS)	Detecting attacks

Viewing the signature list

To display the current list of NIDS signature groups and to view the members of a signature group:

1Go to NIDS > Detection > Signature List.

2View the names and action status of the signature groups in the list.

The NIDS detects attacks listed in all the signature groups that are checked in the Modify or Details column.

Note: The user-defined signature group is the last item in the signature list. See “Adding user- defined signatures” on page 252.

3Select View Details .to display the members of a signature group.

The Signature Group Members list displays the attack ID, Rule Name, and Revision number for each group member.

Viewing attack descriptions

Fortinet provides online information for all NIDS attacks. To view the FortiResponse

Attack Analysis web page for an attack listed on the signature list:

1Go to NIDS > Detection > Signature List.

2Select View Details .to display the members of a signature group. Select a signature and copy its attack ID.

3Open a web browser and enter this URL:

http://www.fortinet.com/ids/ID<attack-ID>

Remember to include the attack ID.

For example, to view the Fortinet Attack Analysis web page for the ssh CRC32 overflow /bin/sh attack (ID 101646338), use the following URL:

http://www.fortinet.com/ids/ID101646338

Note: Each attack log message includes a URL that links directly to the FortiResponse Attack Analysis web page for that attack. This URL is available from the Attack Log messages and Alert email messages. For information about log message content and formats, and about log locations, see the Logging Configuration and Reference Guide. To log attack messages, see “Logging attacks” on page 256.

Figure 34: Example signature group members list

FortiGate-400 Installation and Configuration Guide

251

Image 251

Fortinet 400 manual Viewing the signature list, Viewing attack descriptions, 251, Go to Nids Detection Signature List

Contents

August Installation and Configuration Guide Regulatory Compliance Trademarks Table of Contents NAT/Route mode installation High availability System status Network configuration 133 System configuration 157 Users and authentication 201 IPSec VPN 209 Network Intrusion Detection System Nids 249 Email filter 277 Glossary 295 Index 299 Contents Antivirus protection Introduction Email filtering Web content filtering Firewall NAT/Route mode Network intrusion detection Transparent mode High availability VPN Web-based manager Secure installation, configuration, and management Logging and reporting Command line interface What’s new in Version Firewall Replacement messagesUsers and authentication Email filter AntivirusWeb Filter About this document Document conventions Comments on Fortinet technical documentation Fortinet documentation Customer service and technical support Getting started Mounting Package contents FortiGate-400 LED indicators Powering onPower requirements Environmental specifications Connecting to the web-based manager Connecting to the web-based manager Stop bits Flow control Connecting to the command line interface CLIFactory default FortiGate configuration settings Bits per second 9600 Data bits Parity Interface Factory default NAT/Route mode network configurationAccount Factory default firewall configuration Factory default Transparent mode network configuration Factory default content profiles Scan content profile Options Strict content profileScan content profile Strict content profile Options Unfiltered content profile Options Web content profileUnfiltered content profile Web content profile Options Planning your FortiGate configuration Example NAT/Route mode network configuration NAT/Route mode with multiple external network connections Setup Wizard Configuration options Front keypad and LCD FortiGate model maximum values matrix Next steps Next steps Getting started NAT/Route mode settings Administrator Password Interface NAT/Route mode installationPreparing to configure NAT/Route mode Reconnecting to the web-based manager Using the setup wizardStarting the setup wizard Configuring NAT/Route mode IP addresses Using the front control buttons and LCDUsing the command line interface Configuring the FortiGate unit to operate in NAT/Route mode Set system interface port2 mode static ip IPaddress netmask Connecting the FortiGate unit to your networks Go to System Network Interface Configuring your networkCompleting the configuration Configuring interface Registering your FortiGate unit Configuring interface 4/HASetting the date and time Enabling antivirus protection Configuring virus and attack definition updates Configuration example Multiple connections to the Internet Example multiple Internet connection configuration Configuring Ping servers Go to System Network Routing Table Primary and backup links to the InternetUsing the CLI Destination based routing examples Load sharing and primary and secondary connections Load sharing Routing table should have routes arranged as shown in Table Adding the routes using the CLI Policy routing examples Routing a service to an external network Go to Firewall Policy port1-port3 Adding a redundant default policyFirewall policy example Adding more firewall policies Restricting access to a single Internet connection Configuration example Multiple connections to the Internet DNS Settings Transparent mode installationPreparing to configure Transparent mode Transparent mode settings Administrator Password Go to System Status Changing to Transparent mode Set system opmode transparent Configure the Transparent mode default gateway Configuring the Transparent mode management IP address Registering your FortiGate FortiGate-400 Transparent mode connections Transparent mode configuration examples Default routes and static routes Default route to an external network General configuration steps Go to System Network Routing Web-based manager example configuration stepsCLI configuration steps Go to System Network Management Static route to an external destination Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 Transparent mode configuration examples Active-passive HA High availability Active-active HA Configuring the HA interfaces HA in NAT/Route modeInstalling and configuring the FortiGate units Go to System Config HA Configuring the HA cluster Least Connection Weighted Round Robin Example Active-Active HA configuration Connecting the HA cluster to your network HA network configuration Starting the HA cluster HA in Transparent modeConfiguring the HA interface and HA IP address HA in Transparent mode None Sample active-passive HA configuration Go to System Status Cluster Members Managing the HA clusterViewing the status of cluster members Go to System Status Monitor Monitoring cluster members Go to Log&Report Logging Monitoring cluster sessionsViewing and managing cluster log messages Go to System Status Session Managing individual cluster units Synchronizing the cluster configuration Replacing a FortiGate unit after fail-over Returning to standalone configuration Selecting a FortiGate unit to a permanent primary unit Advanced HA options Set system ha weight 1 3 Configuring weighted-round-robin weights System status System status Changing the FortiGate firmware Firmware upgrade procedures Procedure DescriptionChanging the FortiGate host name Upgrading the firmware using the CLI Upgrade to a new firmware versionUpgrading the firmware using the web-based manager Revert to a previous firmware version Execute restore image namestr tftpip Reverting to a previous firmware version using the CLI Execute ping To install firmware from a system reboot Install a firmware image from a system reboot using the CLI 100 Execute reboot 101 Test a new firmware image before installing itRestoring your previous configuration 102 103 Installing and using a backup firmware imageInstalling a backup firmware image 104 105 Switching to the backup firmware image 106 Manual virus definition updatesSwitching back to the default firmware image Displaying log hard disk status Manual attack definition updatesDisplaying the FortiGate serial number Displaying the FortiGate up time 108 Backing up system settingsRestoring system settings Restoring system settings to factory defaults 109 Changing to Transparent modeChanging to NAT/Route mode Restarting the FortiGate unit Viewing CPU and memory status Shutting down the FortiGate unitSystem status 111 Viewing sessions and network status Sessions and network status monitor Viewing virus and intrusions status Viewing the session list Go to System Status Session Session list113 114 115 Virus and attack definitions updates and registrationUpdating antivirus and attack definitions Version Expiry date Last update attempt Last update status Connecting to the FortiResponse Distribution Network 117 Configuring scheduled updatesGo to System Update Successful Update FDN error Configuring update loggingGo to Log&Report Log Setting 119 Configuring push updatesAdding an override server Manually updating antivirus and attack definitions Example push updates through a NAT device To enable push updatesAbout push updates Push updates through a NAT device 121 General procedure Go to Firewall Virtual IP 122 Adding a firewall policy for the port forwarding virtual IP Schedule Always Service ANY Action Accept123 124 Scheduled updates through a proxy server 125 FortiCare Service ContractsRegistering FortiGate units 126 Registering the FortiGate unit Registering a FortiGate unit product information 127 128 Recovering a lost Fortinet support passwordUpdating registration information Viewing the list of registered FortiGate units 129 Registering a new FortiGate unitAdding or changing a FortiCare Support Contract number 130 Changing your Fortinet support passwordDownloading virus and attack definitions updates Changing your contact information or security question 131 Registering a FortiGate unit after an RMA 132 133 Network configurationConfiguring zones Adding zones 134 Adding interfaces to a zoneAdding Vlan subinterfaces to a zone Renaming zones Bringing up an interface Configuring interfacesDeleting zones Viewing the interface list 136 Changing an interface static IP addressAdding a secondary IP address to an interface Adding a ping server to an interface 137 Controlling management access to an interfaceConfiguring traffic logging for connections to an interface Changing the MTU size to improve network performance Configuring the management interface Transparent mode Configuring port4/haConfiguring port4/ha for HA mode Configuring port4/ha as a firewall interface 139 Configuring VLANsVlan network configuration 140 Typical Vlan network configuration Adding a Vlan subinterface Adding Vlan subinterfacesRules for Vlan IDs Rules for Vlan IP addresses Adding a Vlan subinterface 142 143 Configuring routingAdding a default route Adding destination-based routes to the routing table 144 145 Adding routes in Transparent modeConfiguring the routing table 146 Policy routing command syntaxPolicy routing 147 Providing Dhcp services to your internal networkSet system dhcpserver command syntax Keywords Description 148 149 RIP configuration 150 RIP settingsGo to System RIP Settings 151 Configuring RIP settings Mode Configuring RIP for FortiGate interfacesPassword 152 Adding RIP neighbors Go to System RIP Neighbor Adding RIP neighbors153 Go to System RIP Filter Adding RIP filtersAdding a single RIP filter 154 Mask Add the netmask of the route Action Adding a RIP filter list155 Add the IP address of the route 156 Adding a neighbors filterAdding a routes filter 157 System configurationSetting system date and time To set the date and time Go to System Config Time 158 To set the system idle timeoutChanging web-based manager options To select a language for the web-based manager To set the Auth timeoutTo modify the Dead Gateway Detection settings 159 160 Adding and editing administrator accountsAdding new administrator accounts Go to System Config Admin 161 Editing administrator accountsTo edit an administrator account Go to System Config Admin Go to System Config Snmp v1/v2c Configuring SnmpConfiguring the FortiGate unit for Snmp monitoring Configuring FortiGate Snmp support FortiGate MIBs MIB file name Description EtherLike.mib FortiGate MIBs163 Trap Community Trap Receiver IP Addresses FortiGate traps Trap message Description Customizing replacement messagesFortiGate traps 164 165 Customizing replacement messagesGo to System Config Replacement Messages Alert email message sections Customizing alert emails166 Alert email message sections 167 168 169 Firewall configuration 170 Default firewall configurationInterfaces Vlan subinterfaces 171 Default addresses Interface Address DescriptionZones Addresses Schedules ServicesContent profiles Adding firewall policies 173 Firewall policy optionsSource Destination VPN Tunnel ServiceSchedule Action 175 AuthenticationTraffic Shaping 176 Anti-Virus & Web filter Policy matching in detail Configuring policy listsLog Traffic Comments Enabling a policy Changing the order of policies in a policy listEnabling and disabling policies Disabling a policy Go to Firewall Address AddressesAdding addresses 179 180 Editing addressesDeleting addresses Go to Firewall Address Group Organizing addresses into address groups181 182 ServicesPredefined services Https 183 184 Providing access to custom servicesGo to Firewall Service Custom 185 Grouping servicesGo to Firewall Service Group Go to Firewall Schedule One-time SchedulesCreating one-time schedules 186 Go to Firewall Schedule Recurring Creating recurring schedules187 188 Virtual IPsAdding a schedule to a policy 189 Adding static NAT virtual IPs 190 Adding port forwarding virtual IPs 191 Adding policies with virtual IPs Go to Firewall IP Pool IP poolsAdding an IP pool 192 193 IP/MAC bindingIP Pools for firewall policies that use fixed ports IP pools and dynamic NAT Go to Firewall IP/MAC Binding Static IP/MAC Go to Firewall IP/MAC Binding Setting194 195 Adding IP/MAC addresses Go to Firewall IP/MAC Binding Dynamic IP/MAC Viewing the dynamic IP/MAC listEnabling IP/MAC binding 196 Go to Firewall Content Profile Content profilesDefault content profiles Adding a content profile Oversized File/Email Block Pass Fragmented Email 198File Block Quarantine 199 Adding a content profile to a policy 200 201 Users and authentication 202 Setting authentication timeoutAdding user names and configuring authentication Adding user names and configuring authentication 203 Deleting user names from the internal database 204 Configuring Radius supportAdding Radius servers Deleting Radius servers Go to User Ldap Configuring Ldap supportAdding Ldap servers 205 206 Deleting Ldap servers Go to User User Group Configuring user groupsAdding user groups 207 208 Deleting user groups 209 IPSec VPN AutoIKE with certificates Key managementManual Keys AutoIKE with pre-shared keys 211 General configuration steps for a manual key VPNManual key IPSec VPNs Adding a manual key VPN tunnel 212 AutoIKE IPSec VPNs General configuration steps for an AutoIKE VPNAdding a phase 1 configuration for an AutoIKE VPN Go to VPN Ipsec Phase Remote Gateway Dialup User 214Remote Gateway Static IP Address 215 Configuring advanced options 216 217 Adding a phase 2 configuration for an AutoIKE VPN 218 219 Managing digital certificatesObtaining a signed local certificate Go to VPN Local Certificates Generating the certificate request220 221 Downloading the certificate requestRequesting the signed local certificate 222 Retrieving the signed local certificateImporting the signed local certificate 223 Obtaining a CA certificateRetrieving a CA certificate Importing a CA certificate 224 Configuring encrypt policies 225 Adding a source addressAdding a destination address Adding an encrypt policy Adding an encrypt policy 226 227 VPN concentrator hub general configuration stepsIPSec VPN concentrators Source InternalAll Destination VPN spoke address Action 228 Go to VPN IPSec Concentrator Adding a VPN concentrator229 Policies VPN spoke general configuration steps230 VPN Tunnel 231 Configuring redundant IPSec VPNRedundant IPSec VPNs 232 See Adding a phase 1 configuration for an AutoIKE VPN on 233 Monitoring and Troubleshooting VPNsViewing VPN tunnel status Viewing dialup VPN connection status Go to VPN IPSec Dialup Testing a VPN234 235 Configuring PptpPptp and L2TP VPN 236 Configuring the FortiGate unit as a Pptp gatewayAdding users and user groups Enabling Pptp and specifying an address range 237 Adding an address group Adding a firewall policy Configuring a Windows 98 client for PptpInstalling Pptp support Go to Start Settings Control Panel Network 239 Configuring a Pptp dialup connectionConnecting to the Pptp VPN Configuring a Windows 2000 client for Pptp Go to Start Control Panel Configuring a Windows XP client for PptpConfiguring the VPN connection 240 241 Configuring L2TP Go to VPN L2TP L2TP Range Configuring the FortiGate unit as a L2TP gatewayEnabling L2TP and specifying an address range 242 243 Sample L2TP address range configuration 244 245 Configuring a Windows 2000 client for L2TPConfiguring an L2TP dialup connection Disabling IPSec Go to Start Settings Connecting to the L2TP VPNConfiguring a Windows XP client for L2TP Configuring an L2TP VPN dialup connection 247 248 249 Network Intrusion Detection System NidsDetecting attacks 250 Configuring checksum verificationSelecting the interfaces to monitor Disabling the Nids Go to Nids Detection Signature List Viewing the signature listViewing attack descriptions 251 Go to Nids Detection User Defined Signature List Enabling and disabling Nids attack signaturesAdding user-defined signatures 252 253 Preventing attacksDownloading the user-defined signature list Enabling Nids attack prevention 254 Setting signature threshold valuesEnabling Nids attack prevention signatures 255 Logging attack messages to the attack log Configuring synflood signature valuesValue Description Minimum Maximum Default Logging attacks 257 Reducing the number of Nids attack log and email messagesAutomatic message reduction Manual message reduction 258 259 General configuration stepsAntivirus protection To scan FortiGate firewall traffic for viruses Antivirus scanning260 261 File blocking Go to Anti-Virus File Block Blocking files in firewall trafficAdding file patterns to block 262 Quarantining blocked files Go to Anti-Virus Quarantine Quarantine ConfigQuarantine Quarantining infected files Go to Anti-Virus Quarantine Viewing the quarantine listSorting the quarantine list 264 Downloading quarantined files Configuring quarantine optionsFiltering the quarantine list Deleting files from quarantine Viewing the virus list Configuring limits for oversized files and emailBlocking oversized files and emails Exempting fragmented email from blocking 267 Web filtering 268 Content blockingGo to Web Filter Content Block Adding words and phrases to the banned word list 269 Using the FortiGate web filterURL blocking Adding URLs or URL patterns to the block list 270 Clearing the URL block list 271 Downloading the URL block listUploading a URL block list 272 Using the Cerberian web filterInstalling a Cerberian license key on the FortiGate unit Adding a Cerberian user to the FortiGate unit Enabling Cerberian URL filtering Configuring Cerberian web filterAbout the default group and policy To configure the Cerberian web filtering 274 Script filteringEnabling the script filter Selecting script filter options Go to Web Filter Exempt URL Exempt URL listAdding URLs to the exempt URL list 275 Example exempt URL list 276 277 Email filter 278 Go to Email Filter Content BlockEmail banned word list 279 Email block listEmail exempt list Adding address patterns to the email block list 280 To add a subject tag Go to Email Filter ConfigAdding a subject tag Adding address patterns to the email exempt list 281 Logging and reportingRecording logs 282 Recording logs on a remote computerRecording logs on a NetIQ WebTrends server Option Recording logs on the FortiGate hard disk283 Overwrite 284 Filtering log messagesRecording logs in system memory 285 Example log filter configuration Enabling traffic logging for a Vlan subinterface Configuring traffic loggingEnabling traffic logging Enabling traffic logging for an interface 287 Configuring traffic filter settingsGo to Log&Report Log Setting Traffic Filter Enabling traffic logging for a firewall policy 288 Destination IP Address Destination Netmask ServiceAdding traffic filter entries 289 Viewing logs saved to memoryViewing logs Searching logs 290 Viewing and managing logs saved to the hard disk 291 Downloading a log file to the management computerDeleting all messages in an active log 292 Configuring alert emailDeleting a saved log file Adding alert email addresses Go to Log&Report Alert Mail Categories Testing alert emailEnabling alert email 293 294 295 Glossary 296 297 298 299 IndexNumerics Index 300 FDS 301 Ldap 302 MIB 303 304 RMA 305 TCP 306 VPN 307 308