Fortinet 400 Logging attacks

256 Fortinet Inc.

Logging attacks Network Intrusion Detection System (NIDS)

Configuring synflood signature values

For synflood signatures, you can set the threshold, queue size, and keep alive values.

1Go to NIDS > Prevention.

2Select Modify for the synflood signature.

3Type the Threshold value.

4Type the Queue Size.

5Type the Timeout value.

6Select the Enable check box.

Alternatively, select the synflood Enable check box in the Prevention signature list.

7Select OK.

Logging attacks

Whenever the NIDS detects or prevents an attack, it generates an attack message.

You can configure the system to add the message to the attack log.

•Logging attack messages to the attack log

•Reducing the number of NIDS attack log and email messages

Logging attack messages to the attack log

Use the following procedure to log attack messages to the attack log.

1Go to Log&Report > Log Setting.

2Select Config Policy for the log locations you have set.

3Select Attack Log.

4Select Attack Detection and Attack Prevention.

5Select OK.

Value Description Minimum

value

Maximum

value

Default

value

Threshold Number of SYN requests sent to a

destination host or server per second. If the

SYN requests are being sent to all ports on

the destination, as opposed to just one port,

the threshold quadruples (4 x).

30 3000 200

Queue Size Maximum number of proxied connections

that the FortiGate unit handles. The

FortiGate unit discards additional proxy

requests.

10 10240 1024

Timeout Number of seconds for the SYN cookie to

keep a proxied connection alive. This value

limits the size of the proxy connection table.

36015

Note: For information about log message content and formats, and about log locations, see the

Logging Configuration and Reference Guide.

Contents

Main Page Table of Contents 4 Page 6 Virus and attack definitions updates and registration................................... 115 Page 8 Page 10 Network Intrusion Detection System (NIDS) ................................................... 249 12 Page Page Introduction Antivirus protection Web content filtering Email filtering Firewall NAT/Route mode 18 Transparent mode VLAN Network intrusion detection VPN High availability 20 Secure installation, configuration, and management Web-based manager Command line interface Logging and reporting Whats new in Version 2.50 HA Replacement messages Firewall Users and authentication VPN 24 NIDS Antivirus Web Filter Email filter About this document Document conventions Fortinet documentation Comments on Fortinet technical documentation Customer service and technical support Getting started 30 Package contents Mounting Dimensions Weight Power requirements Powering on Connecting to the web-based manager Connecting to the command line interface (CLI) Factory default FortiGate configuration settings 34 Factory default NAT/Route mode network configuration Factory default Transparent mode network configuration Factory default firewall configuration The factory default firewall configuration is the same in NAT/Route and Transparent mode. 36 Factory default content profiles Strict content profile Scan content profile 38 Web content profile Unfiltered content profile Planning your FortiGate configuration NAT/Route mode 40 NAT/Route mode with multiple external network connections Transparent mode Configuration options Setup Wizard 42 CLI FortiGate model maximum values matrix Next steps Page NAT/Route mode installation Preparing to configure NAT/Route mode 46 Using the setup wizard Starting the setup wizard Reconnecting to the web-based manager Using the front control buttons and LCD Using the command line interface Configuring the FortiGate unit to operate in NAT/Route mode Configuring NAT/Route mode IP addresses Page Connecting the FortiGate unit to your networks 50 Configuring your network Completing the configuration Configuring interface 3 Configuring interface 4/HA Setting the date and time Enabling antivirus protection Registering your FortiGate unit 52 Configuration example: Multiple connections to the Internet Configuring Ping servers 54 Destination based routing examples Primary and backup links to the Internet Load sharing Load sharing and primary and secondary connections Page Policy routing examples Routing traffic from internal subnets to different external networks Routing a service to an external network 58 Firewall policy example Adding a redundant default policy Page Page Transparent mode installation Preparing to configure Transparent mode 62 Using the setup wizard Changing to Transparent mode Starting the setup wizard Reconnecting to the web-based manager Using the front control buttons and LCD Using the command line interface Changing to Transparent mode 64 Configuring the Transparent mode management IP address Completing the configuration Setting the date and time Enabling antivirus protection Registering your FortiGate Configuring virus and attack definition updates Connecting the FortiGate unit to your networks Transparent mode configuration examples Default routes and static routes Example default route to an external network Page Example static route to an external destination Page Page 72 Example static route to an internal destination General configuration steps Page Page High availability Active-passive HA Active-active HA HA in NAT/Route mode Installing and configuring the FortiGate units Configuring the HA interfaces 78 Configuring the HA cluster Page 80 Connecting the HA cluster to your network Page 82 Starting the HA cluster HA in Transparent mode Installing and configuring the FortiGate units Configuring the HA interface and HA IP address Configuring the HA cluster Page Connecting the HA cluster to your network 86 Starting the HA cluster Managing the HA cluster Viewing the status of cluster members Monitoring cluster members 88 Monitoring cluster sessions Viewing and managing cluster log messages Managing individual cluster units Synchronizing the cluster configuration 90 Returning to standalone configuration Replacing a FortiGate unit after fail-over Advanced HA options Selecting a FortiGate unit to a permanent primary unit 92 Configuring weighted-round-robin weights System status Changing the FortiGate host name Changing the FortiGate firmware Upgrade to a new firmware version Upgrading the firmware using the web-based manager Upgrading the firmware using the CLI 96 Revert to a previous firmware version Reverting to a previous firmware version using the web-based manager Reverting to a previous firmware version using the CLI Page Install a firmware image from a system reboot using the CLI Page Test a new firmware image before installing it Page Installing and using a backup firmware image Installing a backup firmware image Page Switching to the backup firmware image 106 Switching back to the default firmware image Manual virus definition updates Manual attack definition updates Displaying the FortiGate serial number Displaying the FortiGate up time Displaying log hard disk status Backing up system settings Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT/Route mode Restarting the FortiGate unit 110 Shutting down the FortiGate unit System status Viewing CPU and memory status Viewing sessions and network status 112 Viewing virus and intrusions status Session list Page Virus and attack definitions updates and registration Updating antivirus and attack definitions 116 Connecting to the FortiResponse Distribution Network Configuring scheduled updates 118 Configuring update logging Adding an override server Manually updating antivirus and attack definitions Configuring push updates 120 To enable push updates About push updates Push updates through a NAT device Example: push updates through a NAT device Page Page Page 124 Scheduled updates through a proxy server Registering FortiGate units FortiCare Service Contracts 126 Registering the FortiGate unit Page 128 Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number 130 Changing your Fortinet support password Changing your contact information or security question Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Page Network configuration Configuring zones Adding zones 134 Adding interfaces to a zone Adding VLAN subinterfaces to a zone Renaming zones Deleting zones Configuring interfaces Viewing the interface list Bringing up an interface 136 Changing an interface static IP address Adding a secondary IP address to an interface Adding a ping server to an interface Controlling management access to an interface Configuring traffic logging for connections to an interface Changing the MTU size to improve network performance 138 Configuring port4/ha Configuring port4/ha for HA mode Configuring port4/ha as a firewall interface Configuring the management interface (Transparent mode) Configuring VLANs VLAN network configuration Page Adding VLAN subinterfaces Rules for VLAN IDs Rules for VLAN IP addresses Adding a VLAN subinterface Page Configuring routing Adding a default route Adding destination-based routes to the routing table Page Adding routes in Transparent mode Configuring the routing table 146 Policy routing Policy routing command syntax Providing DHCP services to your internal network Page RIP configuration RIP settings 7Select Apply to save your changes. Configuring RIP for FortiGate interfaces Adding RIP neighbors 154 Adding RIP filters Adding a single RIP filter Adding a RIP filter list 156 Adding a neighbors filter Adding a routes filter System configuration Setting system date and time Changing web-based manager options Page 160 Adding and editing administrator accounts Adding new administrator accounts Editing administrator accounts 162 Configuring SNMP Configuring the FortiGate unit for SNMP monitoring Configuring FortiGate SNMP support FortiGate MIBs 164 FortiGate traps Customizing replacement messages Customizing replacement messages 166 Customizing alert emails Block alert Critical event Page Firewall configuration 170 Default firewall configuration Interfaces VLAN subinterfaces Zones Addresses 172 Services Schedules Adding firewall policies Page 174 Schedule Service Action NAT Traffic Shaping Authentication Page Log Traffic Comments Configuring policy lists Policy matching in detail 178 Changing the order of policies in a policy list Enabling and disabling policies Disabling a policy Enabling a policy Addresses Adding addresses 180 Editing addresses Deleting addresses Organizing addresses into address groups 182 Services Predefined services Page 184 Providing access to custom services Grouping services 186 Schedules Creating one-time schedules Creating recurring schedules 188 Adding a schedule to a policy Virtual IPs Adding static NAT virtual IPs 190 Adding port forwarding virtual IPs Adding policies with virtual IPs 192 IP pools Adding an IP pool IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT IP/MAC binding 194 Configuring IP/MAC binding for packets going through the firewall Configuring IP/MAC binding for packets going to the firewall Adding IP/MAC addresses 196 Viewing the dynamic IP/MAC list Enabling IP/MAC binding Content profiles Default content profiles Adding a content profile 3Type a Profile Name. 4Enable antivirus protection options. 5Enable Web filtering options. 8Select OK. 6Enable Email filter protection options. 7Enable fragmented email and oversized file and email options. Adding a content profile to a policy Page Users and authentication 202 Setting authentication timeout Adding user names and configuring authentication Adding user names and configuring authentication Deleting user names from the internal database 204 Configuring RADIUS support Adding RADIUS servers Deleting RADIUS servers Configuring LDAP support Adding LDAP servers 206 Deleting LDAP servers Configuring user groups Adding user groups 208 Deleting user groups IPSec VPN 210 Key management Manual Keys Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates AutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPN Adding a manual key VPN tunnel Page AutoIKE IPSec VPNs General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPN Page Page 4Optionally, configure NAT Traversal. 6Select OK to save the phase 1 parameters. Adding a phase 2 configuration for an AutoIKE VPN Page Managing digital certificates Obtaining a signed local certificate 220 Generating the certificate request Page 222 Retrieving the signed local certificate Importing the signed local certificate Obtaining a CA certificate Retrieving a CA certificate Importing a CA certificate Configuring encrypt policies Adding an encrypt policy Page IPSec VPN concentrators VPN concentrator (hub) general configuration steps Page Page 230 VPN spoke general configuration steps Redundant IPSec VPNs Configuring redundant IPSec VPN Page Monitoring and Troubleshooting VPNs Viewing VPN tunnel status Viewing dialup VPN connection status 234 Testing a VPN PPTP and L2TP VPN Configuring PPTP Page Adding a source address Adding an address group 238 Adding a destination address Adding a firewall policy Configuring a Windows 98 client for PPTP Installing PPTP support Configuring a Windows 2000 client for PPTP 240 Configuring a Windows XP client for PPTP Configuring the VPN connection Configuring L2TP Page Adding a source address Adding an address group 244 Adding a destination address Adding a firewall policy Configuring a Windows 2000 client for L2TP Configuring an L2TP dialup connection Disabling IPSec 246 Connecting to the L2TP VPN Configuring a Windows XP client for L2TP Configuring an L2TP VPN dialup connection Configuring the VPN connection Disabling IPSec Page Network Intrusion Detection System (NIDS) Detecting attacks Page Viewing the signature list Viewing attack descriptions 252 Enabling and disabling NIDS attack signatures Adding user-defined signatures Downloading the user-defined signature list Preventing attacks Enabling NIDS attack prevention 254 Enabling NIDS attack prevention signatures Setting signature threshold values Page 256 Configuring synflood signature values Logging attacks Logging attack messages to the attack log Reducing the number of NIDS attack log and email messages Automatic message reduction Manual message reduction Page Antivirus protection Antivirus scanning File blocking 262 Blocking files in firewall traffic Adding file patterns to block Quarantine Quarantining infected files Quarantining blocked files 264 Viewing the quarantine list 1Go to Anti-Virus > Quarantine. The quarantine list provides the following information. Sorting the quarantine list Filtering the quarantine list Deleting files from quarantine Downloading quarantined files Configuring quarantine options 266 Blocking oversized files and emails Configuring limits for oversized files and email Exempting fragmented email from blocking Viewing the virus list Web filtering 268 Content blocking Adding words and phrases to the banned word list URL blocking Using the FortiGate web filter Adding URLs or URL patterns to the block list 270 Clearing the URL block list Downloading the URL block list Uploading a URL block list 272 Using the Cerberian web filter General configuration steps Installing a Cerberian license key on the FortiGate unit Adding a Cerberian user to the FortiGate unit Configuring Cerberian web filter Enabling Cerberian URL filtering 274 Script filtering Enabling the script filter Selecting script filter options Exempt URL list Adding URLs to the exempt URL list Page Email filter 278 Email banned word list Adding words and phrases to the banned word list Email block list Adding address patterns to the email block list Email exempt list 280 Adding address patterns to the email exempt list Adding a subject tag Logging and reporting Recording logs 282 Recording logs on a remote computer Recording logs on a NetIQ WebTrends server Recording logs on the FortiGate hard disk 284 Recording logs in system memory Filtering log messages Page 286 Configuring traffic logging Enabling traffic logging Enabling traffic logging for an interface Enabling traffic logging for a VLAN subinterface Enabling traffic logging for a firewall policy Configuring traffic filter settings 288 Adding traffic filter entries Viewing logs saved to memory Viewing logs Searching logs 290 Viewing and managing logs saved to the hard disk Viewing logs Searching logs Downloading a log file to the management computer Deleting all messages in an active log 292 Deleting a saved log file Configuring alert email Adding alert email addresses Testing alert email Enabling alert email Page Glossary Page Page Page Index Numerics A 300 B C D E F G H 302 I J K L M N O P 304 Q R S 306 T U V W Z