Logging attacks, Automatic message reduction, 222 | Fortinet 50A

Logging attacks	Network Intrusion Detection System (NIDS)

To set Prevention signature threshold values

1Go to NIDS > Prevention.

2Select Modify beside the signature for which you want to set the Threshold value.

Signatures that do not have threshold values do not have Modify icons.

3Type the Threshold value.

4Select the Enable check box.

5Select OK.

Logging attacks

Whenever the NIDS detects or prevents an attack, it generates an attack message.

You can configure the system to add the message to the attack log.

•Logging attack messages to the attack log

•Reducing the number of NIDS attack log and email messages

Logging attack messages to the attack log

To log attack messages to the attack log

1Go to Log&Report > Log Setting.

2Select Config Policy for the log locations you have set.

3Select Attack Log.

4Select Attack Detection and Attack Prevention.

5Select OK.

Note: For information about log message content and formats, and about log locations, see the

FortiGate Logging and Message Reference Guide.

Reducing the number of NIDS attack log and email messages

Intrusion attempts might generate an excessive number of attack messages. Based on the frequency that messages are generated, the FortiGate unit automatically deletes duplicates. If you still receive an excessive number of unnecessary messages, you can manually disable message generation for unneeded signature groups.

Automatic message reduction

The attack log and alert email messages that the NIDS produces include the ID number and name of the attack that generated the message. The attack ID number and name in the message are identical to the ID number and rule name that appear on the NIDS Signature Group Members list.

222	Fortinet Inc.

Image 222

Fortinet 50A user manual Logging attacks, Logging attack messages to the attack log, Automatic message reduction, 222

Contents

Installation and Configuration Guide February Trademarks Regulatory Compliance Table of Contents Transparent mode installation Virus and attack definitions updates and registration Network configuration Firewall configuration 137 Users and authentication 171 Pptp and L2TP VPN 203 Antivirus protection 225 Glossary 259 Index 263 Contents Transparent mode NAT/Route mode and Transparent modeNAT/Route mode Introduction Document conventions Fortinet documentation Comments on Fortinet technical documentation Customer service and technical support Getting started Package contents Mounting Environmental specifications Powering onConnecting to the web-based manager To power on the FortiGate-50A unit Connecting to the command line interface CLI To connect to the web-based manager To connect to the CLI Bits per second Data bits ParityStop bits Flow control Factory default FortiGate configuration settings Factory default Dhcp configuration Factory default NAT/Route mode network configuration Factory default Transparent mode network configurationFactory default firewall configuration Authentication Factory default firewall configuration RecurringService Content Factory default content profiles Strict content profileStrict content profile Options Scan content profile Options Scan content profileWeb content profile Web content profile Options Planning the FortiGate configuration Unfiltered content profileUnfiltered content profile Options Configuration options Setup wizard CLI FortiGate model maximum values matrix Next steps Signatures Antivirus file Block patterns Web filter Next steps Getting started NAT/Route mode installation Preparing to configure NAT/Route mode Changing the default configurationInternal servers Starting the setup wizard Using the setup wizardAdvanced NAT/Route mode settings Reconnecting to the web-based manager Configuring NAT/Route mode IP addresses Using the command line interfaceConfiguring the FortiGate unit to operate in NAT/Route mode Example Connecting the FortiGate unit to your networks FortiGate-50A ExternalInternal Setting the date and time Configuring your networksCompleting the configuration Changing antivirus protection Configuring virus and attack definition updates Registering your FortiGate unit Completing the configuration Transparent mode settings Administrator Password Transparent mode installationPreparing to configure Transparent mode DNS Settings Changing to Transparent mode Go to System Status Configuring the Transparent mode management IP address Configure the Transparent mode default gateway Connecting the FortiGate unit to your networks Enabling antivirus protection Registering your FortiGateGo to Firewall Policy Int-Ext Transparent mode configuration examples Default routes and static routes General configuration steps Default route to an external network Go to System Network Management Web-based manager example configuration stepsCLI configuration steps Go to System Network Routing DMZ Set system route number 1 dst 24.102.233.5 255.255.255.0 gw1 Example static route to an internal destination Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 System status System status Changing the FortiGate firmware Firmware upgrade procedures Procedure DescriptionChanging the FortiGate host name To change the FortiGate host name Go to System Status To upgrade the firmware using the web-based manager Upgrading the firmware using the web-based managerUpgrading the firmware using the CLI To upgrade the firmware using the CLI Reverting to a previous firmware version Execute ping Reverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot Press any key to enter configuration menu Restoring the previous configuration Testing a new firmware image before installing itTo test a new firmware image Save as Default firmware/Run image without savingD/R To update the antivirus definitions manually Manual virus definition updatesManual attack definition updates To update the attack definitions manually Displaying the FortiGate serial number Backing up system settingsRestoring system settings Displaying the FortiGate up time Restoring system settings to factory defaults Changing to Transparent modeTo change to Transparent mode Go to System Status Restarting the FortiGate unit Changing to NAT/Route modeTo change to NAT/Route mode Go to System Status Shutting down the FortiGate unit System status Viewing CPU and memory statusTo view CPU and memory status Go to System Status Monitor Viewing sessions and network status CPU and memory status monitor Viewing virus and intrusions status Sessions and network status monitor Session list To view the session list Go to System Status Session Protocol Example session list Session list Virus and attack definitions updates and registration Updating antivirus and attack definitions Version Expiry date Last update attempt Last update status Connecting to the FortiResponse Distribution NetworkGo to System Update To make sure the FortiGate unit can connect to the FDN Manually initiating antivirus and attack definitions updates Enabling scheduled updates Scheduling updatesConfiguring update logging To configure update logging Go to Log&Report Log Setting To add an override server Go to System Update Adding an override server Enabling push updates Enabling scheduled updates through a proxy server Enabling push updates through a NAT device Enabling push updatesPush updates when FortiGate IP addresses change To enable push updates Go to System Update Example push updates through a NAT device Example network topology Push updates through a NAT device General procedure To configure the FortiGate NAT device Schedule Always Service ANY Action AcceptAdding a firewall policy for the port forwarding virtual IP Example push update configuration Registering FortiGate units FortiCare Service Contracts Registering the FortiGate unit Recovering a lost Fortinet support password Updating registration information Viewing the list of registered FortiGate units Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number Changing your Fortinet support password Changing your contact information or security question Downloading virus and attack definitions updates Downloading virus and attack definition updates Registering a FortiGate unit after an RMA Registering a FortiGate unit after an RMA Network configuration Configuring interfaces To stop an interface that is administratively up Changing the administrative status of an interfaceConfiguring an interface with a manual IP address Viewing the interface list Initializing Configuring an interface for DhcpConnecting Connected Configuring an interface for PPPoE Adding a secondary IP address to an interface Controlling administrative access to an interface Adding a ping server to an interface Configuring traffic logging for connections to an interface Changing the MTU size to improve network performance Configuring the management interface in Transparent mode Adding DNS server IP addresses Configuring routingAdding a default route 100 Adding destination-based routes to the routing table 101 Adding routes in Transparent mode Configuring the routing table102 Policy routing 103 Configuring a Dhcp relay agent Configuring Dhcp servicesPolicy routing command syntax 104 Adding scopes to a Dhcp server Configuring a Dhcp serverAdding a Dhcp server to an interface 105 Scope Name Adding a reserve IP to a Dhcp server106 IP Pool Configuring the modem interface Viewing a Dhcp server dynamic IP list107 To configure modem settings Go to System Network Modem Connecting a modem to the FortiGate unitConfiguring modem settings 108 109 Connecting to a dialup accountDisconnecting the modem To connect to a dialup account Go to System Network Modem To configure backup mode Go to System Network Modem Backup mode configurationStandalone mode configuration Viewing modem status To operate in standalone mode Go to System Network Modem Adding firewall policies for modem connections111 112 RIP configuration RIP settings113 Invalid HolddownFlush Configuring RIP for FortiGate interfaces 115 116 117 Adding RIP filtersAdding a RIP filter list To add a RIP filter list Go to System RIP Filter Assigning a RIP filter list to the neighbors filter Assigning a RIP filter list to the incoming filter Assigning a RIP filter list to the outgoing filter 119 120 To set the date and time Go to System Config Time System configurationSetting system date and time 121 Changing system options To set the system idle timeout Go to System Config OptionsTo set the Auth timeout Go to System Config Options 122 Adding and editing administrator accounts Modifying the Dead Gateway Detection settings123 To add an administrator account Go to System Config Admin Adding new administrator accountsEditing administrator accounts 124 Configuring Snmp To edit an administrator account Go to System Config Admin125 Configuring Snmp access to an interface Configuring the FortiGate unit for Snmp monitoringConfiguring FortiGate Snmp support Configuring Snmp community settings 127 System NameSystem Location FortiGate MIBs 128 System traps FortiGate trapsGeneral FortiGate traps 129 130 Users and authentication configuration System configuration and statusFirewall configuration 131 132 Replacement messages Customizing replacement messages133 Customizing alert emails 134 135 Nids event 136 Critical event Firewall configuration 137 Default firewall configuration Addresses138 Schedules ServicesContent profiles 139 Adding firewall policies 140 Action 141 142 VPN TunnelTraffic Shaping Dynamic IP Pool Fixed Port 143 AuthenticationAnti-Virus & Web filter Maximum Bandwidth Traffic Priority Comments Configuring policy listsLog Traffic 144 Policy matching in detail Changing the order of policies in a policy list145 Disabling policies AddressesEnabling and disabling policies Enabling policies Adding addresses 147To add an address Go to Firewall Address Organizing addresses into address groups Editing addressesDeleting addresses 148 Services Predefined services149 150 GRE 151 Ldap Adding custom TCP and UDP services 152 Grouping services Adding custom Icmp servicesAdding custom IP services 153 Schedules 154 Creating one-time schedules Creating recurring schedules155 Adding schedules to policies 156 Virtual IPs 157To add a schedule to a policy Go to Firewall Policy To add a static NAT virtual IP Go to Firewall Virtual IP Adding static NAT virtual IPs158 Virtual IP External Interface examples Description Internal Adding port forwarding virtual IPs 159 160 Adding a port forwarding virtual IP 161 IP poolsAdding policies with virtual IPs To add a policy with a virtual IP Go to Firewall Policy IP pools and dynamic NAT Adding an IP poolIP Pools for firewall policies that use fixed ports 162 IP/MAC binding 163Go to Firewall IP/MAC Binding Static IP/MAC Configuring IP/MAC binding for packets going to the firewall 164 Enabling IP/MAC binding Adding IP/MAC addressesViewing the dynamic IP/MAC list 165 Content profiles 166 To add a content profile Go to Firewall Content Profile Default content profilesAdding content profiles 167 168 Oversized File/Email Pass Fragmented Email Adding content profiles to policies To add a content profile to a policy Go to Firewall Policy169 170 Users and authentication 171 Adding user names and configuring authentication Setting authentication timeoutAdding user names and configuring authentication To set authentication timeout Go to System Config Options Deleting user names from the internal database 173 Deleting Radius servers Configuring Radius supportAdding Radius servers 174 175 Configuring Ldap supportAdding Ldap servers To add an Ldap server Go to User Ldap Deleting Ldap servers 176To delete an Ldap server Go to User Ldap 177 Configuring user groupsAdding user groups To add a user group Go to User User Group Deleting user groups 178To delete a user group Go to User User Group IPSec VPN 179 AutoIKE with pre-shared keys Key managementManual Keys AutoIKE with certificates Adding a manual key VPN tunnel General configuration steps for a manual key VPNManual key IPSec VPNs 181 AES128 AutoIKE IPSec VPNs182 AES192 To create an AutoIKE VPN configuration General configuration steps for an AutoIKE VPNAdding a phase 1 configuration for an AutoIKE VPN To add a phase 1 configuration Go to VPN Ipsec Phase 184 Remote Gateway Static IP AddressRemote Gateway Dialup User Configuring advanced options To configure phase 1 advanced options185 186 Adding a phase 1 configuration Standard options 187 Adding a phase 2 configuration for an AutoIKE VPN To add a phase 2 configuration Go to VPN Ipsec Phase188 189 Use selectors from policyUse wildcard selectors Generating the certificate request Managing digital certificatesObtaining a signed local certificate 190 191 Key TypeKey Size Obtaining CA certificates Downloading the certificate requestImporting the signed local certificate 192 Configuring encrypt policies Importing CA certificates193 194 Adding a source addressAdding a destination address To add a source address Go to Firewall Address Adding an encrypt policy 195To add an encrypt policy Go to Firewall Policy IPSec VPN concentrators 196 VPN concentrator hub general configuration steps To create a VPN concentrator configuration197 Adding a VPN concentrator 198Source InternalAll Destination VPN spoke address Action VPN spoke general configuration steps To create a VPN spoke configuration199 200 VPN TunnelPolicies Viewing VPN tunnel status Monitoring and Troubleshooting VPNsTo view VPN tunnel status Go to VPN Ipsec Phase Viewing dialup VPN connection status Testing a VPN 202 Pptp and L2TP VPN Configuring PptpConfiguring the FortiGate unit as a Pptp gateway 203 204 To add a source address To add a destination address 205To add a source address group To add a firewall policy Configuring a Windows 98 client for Pptp 206To connect to the Pptp VPN Configuring a Windows 2000 client for Pptp Configuring a Windows XP client for Pptp207 To configure the VPN connection 208Select Properties Security Configuring L2TP Configuring the FortiGate unit as an L2TP gateway209 210 To add source addresses Configuring a Windows 2000 client for L2TP 211 To disable IPSec 212To connect to the L2TP VPN Configuring a Windows XP client for L2TP 213 214 Network Intrusion Detection System Nids Detecting attacks215 Disabling monitoring interfaces Configuring checksum verificationSelecting the interfaces to monitor 216 Viewing the signature list Viewing attack descriptions217 Disabling Nids attack signatures Adding user-defined signatures218 Downloading the user-defined signature list 219 Enabling Nids attack prevention To enable Nids attack prevention Go to Nids PreventionPreventing attacks Enabling Nids attack prevention signatures Setting signature threshold values 221 Reducing the number of Nids attack log and email messages Logging attacksLogging attack messages to the attack log Automatic message reduction Manual message reduction 223 224 General configuration steps Antivirus protection225 Antivirus scanning 226To scan FortiGate firewall traffic for viruses Adding file patterns to block File blockingBlocking files in firewall traffic 227 Exempting fragmented email from blocking Configuring limits for oversized files and emailBlocking oversized files and emails 228 To view the virus list Go to Anti-Virus Config Virus List Viewing the virus list229 230 Web filtering 231 Adding words and phrases to the Banned Word list Content blockingGo to Web Filter Content Block 232 Restoring the Banned Word list Clearing the Banned Word listBacking up the Banned Word list 233 234 Example Banned Word List text file Adding URLs to the Web URL block list Configuring FortiGate Web URL blockingURL blocking 235 Uploading a URL block list Clearing the Web URL block listDownloading the Web URL block list 236 Configuring FortiGate Web pattern blocking 237To upload a URL block list Adding a Cerberian user Configuring Cerberian URL filteringInstalling a Cerberian license key 238 To configure Cerberian web filtering Configuring Cerberian web filterAbout the default group and policy Enabling Cerberian URL filtering Selecting script filter options Script filteringEnabling script filtering 240 241 Exempt URL listAdding URLs to the URL Exempt list Go to Web Filter URL Exempt Downloading the URL Exempt List Uploading a URL Exempt List242 243 244 Email filter 245 Email banned word list Adding words and phrases to the email banned word list246 Downloading the email banned word list Uploading the email banned word list247 Downloading the email block list Email block listAdding address patterns to the email block list 248 249 Email exempt listUploading an email block list To upload the email block list Adding address patterns to the email exempt list To add a subject tag Go to Email Filter ConfigAdding a subject tag 250 Recording logs on a remote computer Logging and reportingRecording logs 251 Recording logs on a NetIQ WebTrends server 252 Log message levels To filter log entries Go to Log&Report Log SettingFiltering log messages 253 Configuring traffic logging 254 Enabling traffic logging for an interface Configuring traffic filter settingsEnabling traffic logging Enabling traffic logging for a firewall policy Destination IP Address Destination Netmask Service Adding traffic filter entries256 257 Configuring alert emailAdding alert email addresses To add a DNS server Go to System Network DNS Testing alert email Enabling alert email258 Glossary 259 260 261 262 Index 263 264 Index 265 DNS 266 Http 267 NAT 268 269 RMA 270 TCP 271 VPN 272