Fortinet 50A Logging attacks

222 Fortinet Inc.

Logging attacks Network Intrusion Detection System (NIDS)

To set Prevention signature threshold values

1Go to NIDS > Prevention.

2Select Modify beside the signature for which you want to set the Threshold value.

Signatures that do not have threshold values do not have Modify icons.

3Type the Threshold value.

4Select the Enable check box.

5Select OK.

Logging attacks

Whenever the NIDS detects or prevents an attack, it generates an attack message.

You can configure the system to add the message to the attack log.

•Logging attack messages to the attack log

•Reducing the number of NIDS attack log and email messages

Logging attack messages to the attack log

To log attack messages to the attack log

1Go to Log&Report > Log Setting.

2Select Config Policy for the log locations you have set.

3Select Attack Log.

4Select Attack Detection and Attack Prevention.

5Select OK.

Reducing the number of NIDS attack log and email messages

Intrusion attempts might generate an excessive number of attack messages. Based

on the frequency that messages are generated, the FortiGate unit automatically

deletes duplicates. If you still receive an excessive number of unnecessary

messages, you can manually disable message generation for unneeded signature

groups.

Automatic message reduction

The attack log and alert email messages that the NIDS produces include the ID

number and name of the attack that generated the message. The attack ID number

and name in the message are identical to the ID number and rule name that appear

on the NIDS Signature Group Members list.

Note: For information about log message content and formats, and about log locations, see the

FortiGate Logging and Message Reference Guide.

Contents

Main Page Table of Contents 4 Virus and attack definitions updates and registration..................................... 73 6 Page 8 Network Intrusion Detection System (NIDS) ................................................... 215 10 Page Page Introduction NAT/Route mode and Transparent mode NAT/Route mode Transparent mode Document conventions Fortinet documentation Comments on Fortinet technical documentation Customer service and technical support Getting started 18 Package contents Mounting Dimensions Weight Power requirements Powering on Connecting to the web-based manager Connecting to the command line interface (CLI) Page 22 Factory default FortiGate configuration settings Factory default DHCP configuration Factory default NAT/Route mode network configuration Factory default Transparent mode network configuration Factory default firewall configuration Page Factory default content profiles Strict content profile 26 Scan content profile Web content profile Unfiltered content profile Planning the FortiGate configuration NAT/Route mode 28 Transparent mode Configuration options Setup wizard CLI FortiGate model maximum values matrix Next steps Page NAT/Route mode installation Installing the FortiGate unit using the default configuration 34 Changing the default configuration Preparing to configure NAT/Route mode Advanced NAT/Route mode settings Using the setup wizard Starting the setup wizard Reconnecting to the web-based manager 36 Using the command line interface Configuring the FortiGate unit to operate in NAT/Route mode Configuring NAT/Route mode IP addresses Connecting the FortiGate unit to your networks Internal External FortiGate-50A Internal Network 38 Configuring your networks Completing the configuration Setting the date and time Changing antivirus protection Registering your FortiGate unit Configuring virus and attack definition updates Page Transparent mode installation Preparing to configure Transparent mode 42 Using the setup wizard Changing to Transparent mode Starting the setup wizard Reconnecting to the web-based manager Using the command line interface Connecting the FortiGate unit to your networks Internal External FortiGate-50A Internal Network Completing the configuration Setting the date and time Enabling antivirus protection Registering your FortiGate Configuring virus and attack definition updates Transparent mode configuration examples Default routes and static routes Example default route to an external network DMZ FortiGate-50A Internal Network Internet Example static route to an external destination Transparent mode installation Transparent mode configuration examples Internal Network FortiGate-50A Installation and Configuration Guide 49 Figure 8: Static route to an external destination FortiGate-50A DMZ Page Example static route to an internal destination Page System status Changing the FortiGate host name Changing the FortiGate firmware Upgrading to a new firmware version Upgrading the firmware using the web-based manager Upgrading the firmware using the CLI 56 Reverting to a previous firmware version Reverting to a previous firmware version using the web-based manager Reverting to a previous firmware version using the CLI Page Installing firmware images from a system reboot using the CLI Page Restoring the previous configuration Testing a new firmware image before installing it Page Manual virus definition updates Manual attack definition updates Displaying the FortiGate serial number Displaying the FortiGate up time Backing up system settings Restoring system settings Restoring system settings to factory defaults Changing to Transparent mode Changing to NAT/Route mode Restarting the FortiGate unit Shutting down the FortiGate unit System status Viewing CPU and memory status 68 Viewing sessions and network status Viewing virus and intrusions status Session list Each line of the session list displays the following information. Page Virus and attack definitions updates and registration Updating antivirus and attack definitions 74 Connecting to the FortiResponse Distribution Network Manually initiating antivirus and attack definitions updates 76 Configuring update logging Scheduling updates Enabling scheduled updates Adding an override server 78 Enabling scheduled updates through a proxy server Enabling push updates Enabling push updates Push updates when FortiGate IP addresses change Enabling push updates through a NAT device 80 Example: push updates through a NAT device Internet FortiGate-50A Internal Network FortiGate-300 NAT Device Adding a port forwarding virtual IP to the FortiGate NAT device 82 Adding a firewall policy for the port forwarding virtual IP Configuring the FortiGate unit with an override push IP and port Registering FortiGate units 84 FortiCare Service Contracts Registering the FortiGate unit 86 Updating registration information Recovering a lost Fortinet support password Viewing the list of registered FortiGate units 88 Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number Changing your Fortinet support password Changing your contact information or security question 90 Downloading virus and attack definitions updates Registering a FortiGate unit after an RMA Page Network configuration Configuring interfaces 94 Viewing the interface list Changing the administrative status of an interface Configuring an interface with a manual IP address Configuring an interface for DHCP 96 Configuring an interface for PPPoE Adding a secondary IP address to an interface Adding a ping server to an interface Controlling administrative access to an interface 98 Changing the MTU size to improve network performance Configuring traffic logging for connections to an interface Configuring the management interface in Transparent mode 100 Adding DNS server IP addresses Configuring routing Adding a default route Adding destination-based routes to the routing table 102 Adding routes in Transparent mode Configuring the routing table Policy routing 104 Policy routing command syntax Configuring DHCP services Configuring a DHCP relay agent Configuring a DHCP server Adding a DHCP server to an interface Adding scopes to a DHCP server 106 Adding a reserve IP to a DHCP server Viewing a DHCP server dynamic IP list Configuring the modem interface 108 Connecting a modem to the FortiGate unit Configuring modem settings Connecting to a dialup account Disconnecting the modem 110 Viewing modem status Backup mode configuration Standalone mode configuration Adding firewall policies for modem connections Page RIP configuration RIP settings 6Select Apply to save the changes. Configuring RIP for FortiGate interfaces 4Select OK to save the RIP configuration for the selected interface. Adding RIP filters Adding a RIP filter list 118 Assigning a RIP filter list to the neighbors filter Assigning a RIP filter list to the incoming filter Page Page System configuration Setting system date and time Changing system options Modifying the Dead Gateway Detection settings Adding and editing administrator accounts 124 Adding new administrator accounts Editing administrator accounts Configuring SNMP 126 Configuring the FortiGate unit for SNMP monitoring Configuring FortiGate SNMP support Configuring SNMP access to an interface Configuring SNMP community settings 4Select Apply. 128 FortiGate MIBs FortiGate traps System traps General FortiGate traps 130 VPN traps NIDS traps Antivirus traps Logging traps System configuration and status Firewall configuration Users and authentication configuration Page Replacement messages Customizing replacement messages 134 Customizing alert emails NIDS event Virus alert Block alert Critical event Firewall configuration 138 Default firewall configuration Addresses Services Schedules Content profiles 140 Adding firewall policies Firewall policy options Source Destination Schedule Action Select how you want the firewall to respond when the policy matches a connection attempt. 142 NAT VPN Tunnel Traffic Shaping Authentication Anti-Virus & Web filter Configuring policy lists Policy matching in detail Changing the order of policies in a policy list 146 Enabling and disabling policies Disabling policies Addresses Adding addresses 148 Editing addresses Deleting addresses Organizing addresses into address groups Services Predefined services Page Page 152 Adding custom TCP and UDP services Adding custom ICMP services Adding custom IP services Grouping services Schedules Creating one-time schedules Creating recurring schedules 156 Adding schedules to policies Virtual IPs 158 Adding static NAT virtual IPs Adding port forwarding virtual IPs Page Adding policies with virtual IPs IP pools 162 Adding an IP pool IP Pools for firewall policies that use fixed ports IP pools and dynamic NAT IP/MAC binding Configuring IP/MAC binding for packets going through the firewall 164 Configuring IP/MAC binding for packets going to the firewall Adding IP/MAC addresses Viewing the dynamic IP/MAC list Enabling IP/MAC binding Content profiles Default content profiles Adding content profiles 6Enable the email filter protection options that you want. 7Enable the fragmented email and oversized file and email options that you want. 8Select OK. Adding content profiles to policies Page Users and authentication 172 Setting authentication timeout Adding user names and configuring authentication Adding user names and configuring authentication Deleting user names from the internal database 174 Configuring RADIUS support Adding RADIUS servers Deleting RADIUS servers Configuring LDAP support Adding LDAP servers 176 Deleting LDAP servers Configuring user groups Adding user groups 178 Deleting user groups IPSec VPN 180 Key management Manual Keys Automatic Internet Key Exchange (AutoIKE) with pre-shared keys or certificates AutoIKE with pre-shared keys AutoIKE with certificates Manual key IPSec VPNs General configuration steps for a manual key VPN Adding a manual key VPN tunnel AutoIKE IPSec VPNs General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPN Page Configuring advanced options 4Optionally, configure NAT Traversal. 6Select OK to save the phase 1 parameters. Page 188 Adding a phase 2 configuration for an AutoIKE VPN Page 190 Managing digital certificates Obtaining a signed local certificate Generating the certificate request Page 192 Downloading the certificate request Importing the signed local certificate Backing up and restoring the local certificate and private key Obtaining CA certificates Configuring encrypt policies 194 Adding a source address Adding a destination address Adding an encrypt policy IPSec VPN concentrators VPN concentrator (hub) general configuration steps 198 Adding a VPN concentrator VPN spoke general configuration steps Page Monitoring and Troubleshooting VPNs Viewing VPN tunnel status Viewing dialup VPN connection status 202 Testing a VPN PPTP and L2TP VPN Configuring PPTP Configuring the FortiGate unit as a PPTP gateway Page Page 206 Configuring a Windows 98 client for PPTP Configuring a Windows 2000 client for PPTP Configuring a Windows XP client for PPTP Page Configuring L2TP Configuring the FortiGate unit as an L2TP gateway Page Configuring a Windows 2000 client for L2TP Page Configuring a Windows XP client for L2TP Page Network Intrusion Detection System (NIDS) Detecting attacks 216 Selecting the interfaces to monitor Disabling monitoring interfaces Configuring checksum verification Viewing the signature list Viewing attack descriptions 218 Disabling NIDS attack signatures Adding user-defined signatures Downloading the user-defined signature list 220 Preventing attacks Enabling NIDS attack prevention Enabling NIDS attack prevention signatures Setting signature threshold values 222 Logging attacks Logging attack messages to the attack log Reducing the number of NIDS attack log and email messages Automatic message reduction Manual message reduction Page Antivirus protection Antivirus scanning File blocking Blocking files in firewall traffic Adding file patterns to block 228 Blocking oversized files and emails Configuring limits for oversized files and email Exempting fragmented email from blocking Page Page Web filtering 232 Content blocking Adding words and phrases to the Banned Word list Clearing the Banned Word list Backing up the Banned Word list Restoring the Banned Word list Page URL blocking Configuring FortiGate Web URL blocking Adding URLs to the Web URL block list 236 Clearing the Web URL block list Downloading the Web URL block list Uploading a URL block list Configuring FortiGate Web pattern blocking 238 Configuring Cerberian URL filtering Installing a Cerberian license key Adding a Cerberian user Configuring Cerberian web filter About the default group and policy Enabling Cerberian URL filtering 240 Script filtering Enabling script filtering Selecting script filter options Exempt URL list Adding URLs to the URL Exempt list 242 Downloading the URL Exempt List Uploading a URL Exempt List Page Page Email filter 246 Email banned word list Adding words and phrases to the email banned word list Downloading the email banned word list Uploading the email banned word list 248 Email block list Adding address patterns to the email block list Downloading the email block list Uploading an email block list Email exempt list 250 Adding address patterns to the email exempt list Adding a subject tag Logging and reporting Recording logs Recording logs on a remote computer 252 Recording logs on a NetIQ WebTrends server Log message levels Tab le 23 lists and describes FortiGate log message levels. Filtering log messages Configuring traffic logging Enabling traffic logging Enabling traffic logging for an interface Enabling traffic logging for a firewall policy Configuring traffic filter settings 256 Adding traffic filter entries Configuring alert email Adding alert email addresses 258 Testing alert email Enabling alert email Glossary Page Page Page Index A 264 B C D E F G 266 H I J L M N O 268 P Q R S 270 T U V W