Fortinet 400 - page 255

Network Intrusion Detection System (NIDS) Preventing attacks

FortiGate-400 Installation and Configuration Guide 255

For example, setting the icmpflood signature threshold to 500 will allow 500 echo

requests from a source address, to which the system sends echo replies. If the

number of requests is 501 or higher, the FortiGate unit will block the attacker to

eliminate disruption of system operations.

If you enter a threshold value of 0 or a number out of the allowable range, the

FortiGate unit uses the default value.

To set Prevention signature threshold values:

1Go to NIDS > Prevention.

2Select Modify beside the signature for which you want to set the Threshold value.

Signatures that do not have threshold values do not have Modify icons.

3Type the Threshold value.

4Select the Enable check box.

5Select OK.

Table 7: NIDS Prevention signatures with threshold values

Signature

abbreviation

Threshold value units Default

threshold

value

Minimum

threshold

value

Maximum

threshold

value

synflood Maximum number of SYN segments

received per second

200 30 3000

portscan Maximum number of SYN segments

received per second

128 10 256

srcsession Total number of TCP sessions initiated

from the same source

2048 128 10240

ftpovfl Maximum buffer size for an FTP

command (bytes)

256 128 1024

smtpovfl Maximum buffer size for an SMTP

command (bytes)

512 128 1024

pop3ovfl Maximum buffer size for a POP3

command (bytes)

512 128 1024

udpflood Maximum number of UDP packets

received from the same source or sent

to the same destination per second

2048 512 102400

udpsrcsession Total number of UDP sessions initiated

from the same source

1024 512 102400

icmpflood Maximum number of UDP packets

received from the same source or sent

to the same destination per second

256 128 102400

icmpsrcsession Total number of ICMP sessions

initiated from the same source

128 64 2048

icmpsweep Maximum number of ICMP packets

received from the same source per

second

32 16 2048

icmplarge Maximum ICMP packet size (bytes) 32000 1024 64000

Contents

Main Page Table of Contents 4 Page 6 Virus and attack definitions updates and registration................................... 115 Page 8 Page 10 Network Intrusion Detection System (NIDS) ................................................... 249 12 Page Page Introduction Antivirus protection Web content filtering Email filtering Firewall NAT/Route mode 18 Transparent mode VLAN Network intrusion detection VPN High availability 20 Secure installation, configuration, and management Web-based manager Command line interface Logging and reporting Whats new in Version 2.50 HA Replacement messages Firewall Users and authentication VPN 24 NIDS Antivirus Web Filter Email filter About this document Document conventions Fortinet documentation Comments on Fortinet technical documentation Customer service and technical support Getting started 30 Package contents Mounting Dimensions Weight Power requirements Powering on Connecting to the web-based manager Connecting to the command line interface (CLI) Factory default FortiGate configuration settings 34 Factory default NAT/Route mode network configuration Factory default Transparent mode network configuration Factory default firewall configuration The factory default firewall configuration is the same in NAT/Route and Transparent mode. 36 Factory default content profiles Strict content profile Scan content profile 38 Web content profile Unfiltered content profile Planning your FortiGate configuration NAT/Route mode 40 NAT/Route mode with multiple external network connections Transparent mode Configuration options Setup Wizard 42 CLI FortiGate model maximum values matrix Next steps Page NAT/Route mode installation Preparing to configure NAT/Route mode 46 Using the setup wizard Starting the setup wizard Reconnecting to the web-based manager Using the front control buttons and LCD Using the command line interface Configuring the FortiGate unit to operate in NAT/Route mode Configuring NAT/Route mode IP addresses Page Connecting the FortiGate unit to your networks 50 Configuring your network Completing the configuration Configuring interface 3 Configuring interface 4/HA Setting the date and time Enabling antivirus protection Registering your FortiGate unit 52 Configuration example: Multiple connections to the Internet Configuring Ping servers 54 Destination based routing examples Primary and backup links to the Internet Load sharing Load sharing and primary and secondary connections Page Policy routing examples Routing traffic from internal subnets to different external networks Routing a service to an external network 58 Firewall policy example Adding a redundant default policy Page Page Transparent mode installation Preparing to configure Transparent mode 62 Using the setup wizard Changing to Transparent mode Starting the setup wizard Reconnecting to the web-based manager Using the front control buttons and LCD Using the command line interface Changing to Transparent mode 64 Configuring the Transparent mode management IP address Completing the configuration Setting the date and time Enabling antivirus protection Registering your FortiGate Configuring virus and attack definition updates Connecting the FortiGate unit to your networks Transparent mode configuration examples Default routes and static routes Example default route to an external network Page Example static route to an external destination Page Page 72 Example static route to an internal destination General configuration steps Page Page High availability Active-passive HA Active-active HA HA in NAT/Route mode Installing and configuring the FortiGate units Configuring the HA interfaces 78 Configuring the HA cluster Page 80 Connecting the HA cluster to your network Page 82 Starting the HA cluster HA in Transparent mode Installing and configuring the FortiGate units Configuring the HA interface and HA IP address Configuring the HA cluster Page Connecting the HA cluster to your network 86 Starting the HA cluster Managing the HA cluster Viewing the status of cluster members Monitoring cluster members 88 Monitoring cluster sessions Viewing and managing cluster log messages Managing individual cluster units Synchronizing the cluster configuration 90 Returning to standalone configuration Replacing a FortiGate unit after fail-over Advanced HA options Selecting a FortiGate unit to a permanent primary unit 92 Configuring weighted-round-robin weights System status Changing the FortiGate host name Changing the FortiGate firmware Upgrade to a new firmware version Upgrading the firmware using the web-based manager Upgrading the firmware using the CLI 96 Revert to a previous firmware version Reverting to a previous firmware version using the web-based manager Reverting to a previous firmware version using the CLI Page Install a firmware image from a system reboot using the CLI Page Test a new firmware image before installing it Page Installing and using a backup firmware image Installing a backup firmware image Page Switching to the backup firmware image 106 Switching back to the default firmware image Manual virus definition updates Manual attack definition updates Displaying the FortiGate serial number Displaying the FortiGate up time Displaying log hard disk status Backing up system settings Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT/Route mode Restarting the FortiGate unit 110 Shutting down the FortiGate unit System status Viewing CPU and memory status Viewing sessions and network status 112 Viewing virus and intrusions status Session list Page Virus and attack definitions updates and registration Updating antivirus and attack definitions 116 Connecting to the FortiResponse Distribution Network Configuring scheduled updates 118 Configuring update logging Adding an override server Manually updating antivirus and attack definitions Configuring push updates 120 To enable push updates About push updates Push updates through a NAT device Example: push updates through a NAT device Page Page Page 124 Scheduled updates through a proxy server Registering FortiGate units FortiCare Service Contracts 126 Registering the FortiGate unit Page 128 Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number 130 Changing your Fortinet support password Changing your contact information or security question Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Page Network configuration Configuring zones Adding zones 134 Adding interfaces to a zone Adding VLAN subinterfaces to a zone Renaming zones Deleting zones Configuring interfaces Viewing the interface list Bringing up an interface 136 Changing an interface static IP address Adding a secondary IP address to an interface Adding a ping server to an interface Controlling management access to an interface Configuring traffic logging for connections to an interface Changing the MTU size to improve network performance 138 Configuring port4/ha Configuring port4/ha for HA mode Configuring port4/ha as a firewall interface Configuring the management interface (Transparent mode) Configuring VLANs VLAN network configuration Page Adding VLAN subinterfaces Rules for VLAN IDs Rules for VLAN IP addresses Adding a VLAN subinterface Page Configuring routing Adding a default route Adding destination-based routes to the routing table Page Adding routes in Transparent mode Configuring the routing table 146 Policy routing Policy routing command syntax Providing DHCP services to your internal network Page RIP configuration RIP settings 7Select Apply to save your changes. Configuring RIP for FortiGate interfaces Adding RIP neighbors 154 Adding RIP filters Adding a single RIP filter Adding a RIP filter list 156 Adding a neighbors filter Adding a routes filter System configuration Setting system date and time Changing web-based manager options Page 160 Adding and editing administrator accounts Adding new administrator accounts Editing administrator accounts 162 Configuring SNMP Configuring the FortiGate unit for SNMP monitoring Configuring FortiGate SNMP support FortiGate MIBs 164 FortiGate traps Customizing replacement messages Customizing replacement messages 166 Customizing alert emails Block alert Critical event Page Firewall configuration 170 Default firewall configuration Interfaces VLAN subinterfaces Zones Addresses 172 Services Schedules Adding firewall policies Page 174 Schedule Service Action NAT Traffic Shaping Authentication Page Log Traffic Comments Configuring policy lists Policy matching in detail 178 Changing the order of policies in a policy list Enabling and disabling policies Disabling a policy Enabling a policy Addresses Adding addresses 180 Editing addresses Deleting addresses Organizing addresses into address groups 182 Services Predefined services Page 184 Providing access to custom services Grouping services 186 Schedules Creating one-time schedules Creating recurring schedules 188 Adding a schedule to a policy Virtual IPs Adding static NAT virtual IPs 190 Adding port forwarding virtual IPs Adding policies with virtual IPs 192 IP pools Adding an IP pool IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT IP/MAC binding 194 Configuring IP/MAC binding for packets going through the firewall Configuring IP/MAC binding for packets going to the firewall Adding IP/MAC addresses 196 Viewing the dynamic IP/MAC list Enabling IP/MAC binding Content profiles Default content profiles Adding a content profile 3Type a Profile Name. 4Enable antivirus protection options. 5Enable Web filtering options. 8Select OK. 6Enable Email filter protection options. 7Enable fragmented email and oversized file and email options. Adding a content profile to a policy Page Users and authentication 202 Setting authentication timeout Adding user names and configuring authentication Adding user names and configuring authentication Deleting user names from the internal database 204 Configuring RADIUS support Adding RADIUS servers Deleting RADIUS servers Configuring LDAP support Adding LDAP servers 206 Deleting LDAP servers Configuring user groups Adding user groups 208 Deleting user groups IPSec VPN 210 Key management Manual Keys Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates AutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPN Adding a manual key VPN tunnel Page AutoIKE IPSec VPNs General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPN Page Page 4Optionally, configure NAT Traversal. 6Select OK to save the phase 1 parameters. Adding a phase 2 configuration for an AutoIKE VPN Page Managing digital certificates Obtaining a signed local certificate 220 Generating the certificate request Page 222 Retrieving the signed local certificate Importing the signed local certificate Obtaining a CA certificate Retrieving a CA certificate Importing a CA certificate Configuring encrypt policies Adding an encrypt policy Page IPSec VPN concentrators VPN concentrator (hub) general configuration steps Page Page 230 VPN spoke general configuration steps Redundant IPSec VPNs Configuring redundant IPSec VPN Page Monitoring and Troubleshooting VPNs Viewing VPN tunnel status Viewing dialup VPN connection status 234 Testing a VPN PPTP and L2TP VPN Configuring PPTP Page Adding a source address Adding an address group 238 Adding a destination address Adding a firewall policy Configuring a Windows 98 client for PPTP Installing PPTP support Configuring a Windows 2000 client for PPTP 240 Configuring a Windows XP client for PPTP Configuring the VPN connection Configuring L2TP Page Adding a source address Adding an address group 244 Adding a destination address Adding a firewall policy Configuring a Windows 2000 client for L2TP Configuring an L2TP dialup connection Disabling IPSec 246 Connecting to the L2TP VPN Configuring a Windows XP client for L2TP Configuring an L2TP VPN dialup connection Configuring the VPN connection Disabling IPSec Page Network Intrusion Detection System (NIDS) Detecting attacks Page Viewing the signature list Viewing attack descriptions 252 Enabling and disabling NIDS attack signatures Adding user-defined signatures Downloading the user-defined signature list Preventing attacks Enabling NIDS attack prevention 254 Enabling NIDS attack prevention signatures Setting signature threshold values Page 256 Configuring synflood signature values Logging attacks Logging attack messages to the attack log Reducing the number of NIDS attack log and email messages Automatic message reduction Manual message reduction Page Antivirus protection Antivirus scanning File blocking 262 Blocking files in firewall traffic Adding file patterns to block Quarantine Quarantining infected files Quarantining blocked files 264 Viewing the quarantine list 1Go to Anti-Virus > Quarantine. The quarantine list provides the following information. Sorting the quarantine list Filtering the quarantine list Deleting files from quarantine Downloading quarantined files Configuring quarantine options 266 Blocking oversized files and emails Configuring limits for oversized files and email Exempting fragmented email from blocking Viewing the virus list Web filtering 268 Content blocking Adding words and phrases to the banned word list URL blocking Using the FortiGate web filter Adding URLs or URL patterns to the block list 270 Clearing the URL block list Downloading the URL block list Uploading a URL block list 272 Using the Cerberian web filter General configuration steps Installing a Cerberian license key on the FortiGate unit Adding a Cerberian user to the FortiGate unit Configuring Cerberian web filter Enabling Cerberian URL filtering 274 Script filtering Enabling the script filter Selecting script filter options Exempt URL list Adding URLs to the exempt URL list Page Email filter 278 Email banned word list Adding words and phrases to the banned word list Email block list Adding address patterns to the email block list Email exempt list 280 Adding address patterns to the email exempt list Adding a subject tag Logging and reporting Recording logs 282 Recording logs on a remote computer Recording logs on a NetIQ WebTrends server Recording logs on the FortiGate hard disk 284 Recording logs in system memory Filtering log messages Page 286 Configuring traffic logging Enabling traffic logging Enabling traffic logging for an interface Enabling traffic logging for a VLAN subinterface Enabling traffic logging for a firewall policy Configuring traffic filter settings 288 Adding traffic filter entries Viewing logs saved to memory Viewing logs Searching logs 290 Viewing and managing logs saved to the hard disk Viewing logs Searching logs Downloading a log file to the management computer Deleting all messages in an active log 292 Deleting a saved log file Configuring alert email Adding alert email addresses Testing alert email Enabling alert email Page Glossary Page Page Page Index Numerics A 300 B C D E F G H 302 I J K L M N O P 304 Q R S 306 T U V W Z