Manuals / Brands / Computer Equipment / Network Card / Fortinet / Computer Equipment / Network Card

Fortinet 50A Viewing the signature list, Viewing attack descriptions

1 272

Download 272 pages, 3.34 Mb

Network Intrusion Detection System (NIDS) Detecting attacks

FortiGate-50A Installation and Configuration Guide 217

Viewing the signature list

You can display the current list of NIDS signature groups and the members of a

signature group.

To view the signature list

1Go to NIDS > Detection > Signature List.

2View the names and action status of the signature groups in the list.

The NIDS detects attacks listed in all the signature groups that have check marks in

the Enable column.

3Select View Details .to display the members of a signature group.

The Signature Group Members list displays the attack ID, Rule Name, and Revision

number for each group member.

Viewing attack descriptions

Fortinet provides online information for all NIDS attacks. You can view the

FortiResponse Attack Analysis web page for an attack listed on the signature list.

To view attack descriptions

1Go to NIDS > Detection > Signature List.

2Select View Details .to display the members of a signature group.

3Select a signature and copy its attack ID.

4Open a web browser and enter the following URL:

http://www.fortinet.com/ids/ID<attack-ID>

Make sure that you include the attack ID.

For example, to view the Fortinet Attack Analysis web page for the ssh CRC32

overflow /bin/sh attack (ID 101646338), use the following URL:

http://www.fortinet.com/ids/ID101646338

Note: The user-defined signature group is the last item in the signature list. See “Adding user-

defined signatures” on page 218.

Note: Each attack log message includes a URL that links directly to the FortiResponse Attack

Analysis web page for that attack. This URL is available in the Attack Log messages and Alert

email messages. For information about log message content and formats, and about log

locations, see the FortiGate Logging and Message Reference Guide. For information about

logging attack messages, see “Logging attacks” on page 222.

Contents

Main Page Table of Contents 4 Virus and attack definitions updates and registration..................................... 73 6 Page 8 Network Intrusion Detection System (NIDS) ................................................... 215 10 Page Page Introduction NAT/Route mode and Transparent mode NAT/Route mode Transparent mode Document conventions Fortinet documentation Comments on Fortinet technical documentation Customer service and technical support Getting started 18 Package contents Mounting Dimensions Weight Power requirements Powering on Connecting to the web-based manager Connecting to the command line interface (CLI) Page 22 Factory default FortiGate configuration settings Factory default DHCP configuration Factory default NAT/Route mode network configuration Factory default Transparent mode network configuration Factory default firewall configuration Page Factory default content profiles Strict content profile 26 Scan content profile Web content profile Unfiltered content profile Planning the FortiGate configuration NAT/Route mode 28 Transparent mode Configuration options Setup wizard CLI FortiGate model maximum values matrix Next steps Page NAT/Route mode installation Installing the FortiGate unit using the default configuration 34 Changing the default configuration Preparing to configure NAT/Route mode Advanced NAT/Route mode settings Using the setup wizard Starting the setup wizard Reconnecting to the web-based manager 36 Using the command line interface Configuring the FortiGate unit to operate in NAT/Route mode Configuring NAT/Route mode IP addresses Connecting the FortiGate unit to your networks Internal External FortiGate-50A Internal Network 38 Configuring your networks Completing the configuration Setting the date and time Changing antivirus protection Registering your FortiGate unit Configuring virus and attack definition updates Page Transparent mode installation Preparing to configure Transparent mode 42 Using the setup wizard Changing to Transparent mode Starting the setup wizard Reconnecting to the web-based manager Using the command line interface Connecting the FortiGate unit to your networks Internal External FortiGate-50A Internal Network Completing the configuration Setting the date and time Enabling antivirus protection Registering your FortiGate Configuring virus and attack definition updates Transparent mode configuration examples Default routes and static routes Example default route to an external network DMZ FortiGate-50A Internal Network Internet Example static route to an external destination Transparent mode installation Transparent mode configuration examples Internal Network FortiGate-50A Installation and Configuration Guide 49 Figure 8: Static route to an external destination FortiGate-50A DMZ Page Example static route to an internal destination Page System status Changing the FortiGate host name Changing the FortiGate firmware Upgrading to a new firmware version Upgrading the firmware using the web-based manager Upgrading the firmware using the CLI 56 Reverting to a previous firmware version Reverting to a previous firmware version using the web-based manager Reverting to a previous firmware version using the CLI Page Installing firmware images from a system reboot using the CLI Page Restoring the previous configuration Testing a new firmware image before installing it Page Manual virus definition updates Manual attack definition updates Displaying the FortiGate serial number Displaying the FortiGate up time Backing up system settings Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT/Route mode Restarting the FortiGate unit Shutting down the FortiGate unit System status Viewing CPU and memory status 68 Viewing sessions and network status Viewing virus and intrusions status Session list Each line of the session list displays the following information. Page Virus and attack definitions updates and registration Updating antivirus and attack definitions 74 Connecting to the FortiResponse Distribution Network Manually initiating antivirus and attack definitions updates 76 Configuring update logging Scheduling updates Enabling scheduled updates Adding an override server 78 Enabling scheduled updates through a proxy server Enabling push updates Enabling push updates Push updates when FortiGate IP addresses change Enabling push updates through a NAT device 80 Example: push updates through a NAT device Internet FortiGate-50A Internal Network FortiGate-300 NAT Device Adding a port forwarding virtual IP to the FortiGate NAT device 82 Adding a firewall policy for the port forwarding virtual IP Configuring the FortiGate unit with an override push IP and port Registering FortiGate units 84 FortiCare Service Contracts Registering the FortiGate unit 86 Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units 88 Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number Changing your Fortinet support password Changing your contact information or security question 90 Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Page Network configuration Configuring interfaces 94 Viewing the interface list Changing the administrative status of an interface Configuring an interface with a manual IP address Configuring an interface for DHCP 96 Configuring an interface for PPPoE Adding a secondary IP address to an interface Adding a ping server to an interface Controlling administrative access to an interface 98 Changing the MTU size to improve network performance Configuring traffic logging for connections to an interface Configuring the management interface in Transparent mode 100 Adding DNS server IP addresses Configuring routing Adding a default route Adding destination-based routes to the routing table 102 Adding routes in Transparent mode Configuring the routing table Policy routing 104 Policy routing command syntax Configuring DHCP services Configuring a DHCP relay agent Configuring a DHCP server Adding a DHCP server to an interface Adding scopes to a DHCP server 106 Adding a reserve IP to a DHCP server Viewing a DHCP server dynamic IP list Configuring the modem interface 108 Connecting a modem to the FortiGate unit Configuring modem settings Connecting to a dialup account Disconnecting the modem 110 Viewing modem status Backup mode configuration Standalone mode configuration Adding firewall policies for modem connections Page RIP configuration RIP settings 6Select Apply to save the changes. Configuring RIP for FortiGate interfaces 4Select OK to save the RIP configuration for the selected interface. Adding RIP filters Adding a RIP filter list 118 Assigning a RIP filter list to the neighbors filter Assigning a RIP filter list to the incoming filter Page Page System configuration Setting system date and time Changing system options Modifying the Dead Gateway Detection settings Adding and editing administrator accounts 124 Adding new administrator accounts Editing administrator accounts Configuring SNMP 126 Configuring the FortiGate unit for SNMP monitoring Configuring FortiGate SNMP support Configuring SNMP access to an interface Configuring SNMP community settings 4Select Apply. 128 FortiGate MIBs FortiGate traps System traps General FortiGate traps 130 VPN traps NIDS traps Antivirus traps Logging traps System configuration and status Firewall configuration Users and authentication configuration Page Replacement messages Customizing replacement messages 134 Customizing alert emails NIDS event Virus alert Block alert Critical event Firewall configuration 138 Default firewall configuration Addresses Services Schedules Content profiles 140 Adding firewall policies Firewall policy options Source Destination Schedule Action Select how you want the firewall to respond when the policy matches a connection attempt. 142 NAT VPN Tunnel Traffic Shaping Authentication Anti-Virus & Web filter Configuring policy lists Policy matching in detail Changing the order of policies in a policy list 146 Enabling and disabling policies Disabling policies Addresses Adding addresses 148 Editing addresses Deleting addresses Organizing addresses into address groups Services Predefined services Page Page 152 Adding custom TCP and UDP services Adding custom ICMP services Adding custom IP services Grouping services Schedules Creating one-time schedules Creating recurring schedules 156 Adding schedules to policies Virtual IPs 158 Adding static NAT virtual IPs Adding port forwarding virtual IPs Page Adding policies with virtual IPs IP pools 162 Adding an IP pool IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT IP/MAC binding Configuring IP/MAC binding for packets going through the firewall 164 Configuring IP/MAC binding for packets going to the firewall Adding IP/MAC addresses Viewing the dynamic IP/MAC list Enabling IP/MAC binding Content profiles Default content profiles Adding content profiles 6Enable the email filter protection options that you want. 7Enable the fragmented email and oversized file and email options that you want. 8Select OK. Adding content profiles to policies Page Users and authentication 172 Setting authentication timeout Adding user names and configuring authentication Adding user names and configuring authentication Deleting user names from the internal database 174 Configuring RADIUS support Adding RADIUS servers Deleting RADIUS servers Configuring LDAP support Adding LDAP servers 176 Deleting LDAP servers Configuring user groups Adding user groups 178 Deleting user groups IPSec VPN 180 Key management Manual Keys Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates AutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPN Adding a manual key VPN tunnel AutoIKE IPSec VPNs General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPN Page Configuring advanced options 4Optionally, configure NAT Traversal. 6Select OK to save the phase 1 parameters. Page 188 Adding a phase 2 configuration for an AutoIKE VPN Page 190 Managing digital certificates Obtaining a signed local certificate Generating the certificate request Page 192 Downloading the certificate request Importing the signed local certificate Backing up and restoring the local certificate and private key Obtaining CA certificates Configuring encrypt policies 194 Adding a source address Adding a destination address Adding an encrypt policy IPSec VPN concentrators VPN concentrator (hub) general configuration steps 198 Adding a VPN concentrator VPN spoke general configuration steps Page Monitoring and Troubleshooting VPNs Viewing VPN tunnel status Viewing dialup VPN connection status 202 Testing a VPN PPTP and L2TP VPN Configuring PPTP Configuring the FortiGate unit as a PPTP gateway Page Page 206 Configuring a Windows 98 client for PPTP Configuring a Windows 2000 client for PPTP Configuring a Windows XP client for PPTP Page Configuring L2TP Configuring the FortiGate unit as an L2TP gateway Page Configuring a Windows 2000 client for L2TP Page Configuring a Windows XP client for L2TP Page Network Intrusion Detection System (NIDS) Detecting attacks 216 Selecting the interfaces to monitor Disabling monitoring interfaces Configuring checksum verification Viewing the signature list Viewing attack descriptions 218 Disabling NIDS attack signatures Adding user-defined signatures Downloading the user-defined signature list 220 Preventing attacks Enabling NIDS attack prevention Enabling NIDS attack prevention signatures Setting signature threshold values 222 Logging attacks Logging attack messages to the attack log Reducing the number of NIDS attack log and email messages Automatic message reduction Manual message reduction Page Antivirus protection Antivirus scanning File blocking Blocking files in firewall traffic Adding file patterns to block 228 Blocking oversized files and emails Configuring limits for oversized files and email Exempting fragmented email from blocking Page Page Web filtering 232 Content blocking Adding words and phrases to the Banned Word list Clearing the Banned Word list Backing up the Banned Word list Restoring the Banned Word list Page URL blocking Configuring FortiGate Web URL blocking Adding URLs to the Web URL block list 236 Clearing the Web URL block list Downloading the Web URL block list Uploading a URL block list Configuring FortiGate Web pattern blocking 238 Configuring Cerberian URL filtering Installing a Cerberian license key Adding a Cerberian user Configuring Cerberian web filter About the default group and policy Enabling Cerberian URL filtering 240 Script filtering Enabling script filtering Selecting script filter options Exempt URL list Adding URLs to the URL Exempt list 242 Downloading the URL Exempt List Uploading a URL Exempt List Page Page Email filter 246 Email banned word list Adding words and phrases to the email banned word list Downloading the email banned word list Uploading the email banned word list 248 Email block list Adding address patterns to the email block list Downloading the email block list Uploading an email block list Email exempt list 250 Adding address patterns to the email exempt list Adding a subject tag Logging and reporting Recording logs Recording logs on a remote computer 252 Recording logs on a NetIQ WebTrends server Log message levels Tab le 23 lists and describes FortiGate log message levels. Filtering log messages Configuring traffic logging Enabling traffic logging Enabling traffic logging for an interface Enabling traffic logging for a firewall policy Configuring traffic filter settings 256 Adding traffic filter entries Configuring alert email Adding alert email addresses 258 Testing alert email Enabling alert email Glossary Page Page Page Index A 264 B C D E F G 266 H I J L M N O 268 P Q R S 270 T U V W