Manuals / Fortinet / Computer Equipment / Network Card

Fortinet FortiGate-800 Disabling Nids attack signatures, Adding user-defined signatures, 272

Models: FortiGate-800

1 336

Download 336 pages 18.65 Kb

Page 272

Detecting attacks	Network Intrusion Detection System (NIDS)

Figure 67: Example signature group members list

Disabling NIDS attack signatures

By default, all NIDS attack signatures are enabled. You can use the NIDS signature list to disable detection of some attacks. Disabling unnecessary NIDS attack signatures can improve system performance and reduce the number of IDS log messages and alert emails that the NIDS generates. For example, the NIDS detects a large number of web server attacks. If you do not provide access to a web server behind your firewall, you might want to disable all web server attack signatures.

Note: To save your NIDS attack signature settings, Fortinet recommends that you back up your FortiGate configuration before you update the firmware and restore the saved configuration after the update.

To disable NIDS attack signatures

1Go to NIDS > Detection > Signature List.

2Scroll through the signature list to find the signature group that you want to disable.

Attack ID numbers and rule names in attack log messages and alert email match those in the signature group members list. You can scroll through a signature group members list to locate specific attack signatures by ID number and name.

3Clear the Enable check box.

4Select OK.

5Repeat steps 2 to 4 for each NIDS attack signature group that you want to disable.

Select Check All to enable all NIDS attack signature groups in the signature list.

Select Uncheck All to disable all NIDS attack signature groups in the signature list.

Adding user-defined signatures

You can create a user-defined signature list in a text file and upload it from the management computer to the FortiGate unit.

Note: You cannot upload individual signatures. You must include, in a single text file, all the user-defined signatures that you want to upload. The file can contain one or more signatures.

For information about how to write user-defined signatures, see the FortiGate NIDS

Guide.

272	Fortinet Inc.

Image 272

Fortinet FortiGate-800 manual Disabling Nids attack signatures, Adding user-defined signatures, 272

Contents

Installation and Configuration Guide January 15Trademarks Regulatory ComplianceTable of Contents NAT/Route mode installation High availability Virus and attack definitions updates and registration 117 Network configuration 137 System configuration 169 Users and authentication 223 IPSec VPN 231 Network Intrusion Detection System Nids 269 Email filter 303 Glossary 323 Index 327 Contents Introduction Flexibility demanded by large enterprisesWeb content filtering Antivirus protectionEmail filtering FirewallNAT/Route mode Transparent modeVLANs and virtual domains Network intrusion detectionVPN High availabilitySecure installation, configuration, and management Web-based managerCommand line interface Logging and reportingDocument conventions Fortinet documentationCustomer service and technical support Comments on Fortinet technical documentationCustomer service and technical support Getting started Package contents MountingPowering on Power requirementsEnvironmental specifications To power on the FortiGate-800 unitConnecting to the web-based manager To connect to the web-based managerConnecting to the command line interface CLI To connect to the CLIBits per second 9600 Data bits Parity Stop bits Flow controlFactory default FortiGate configuration settings Factory default NAT/Route mode network configurationAccount Internal interfaceFactory default Transparent mode network configuration Factory default firewall configuration Factory default content profiles Strict content profileScan content profile Options Scan content profileStrict content profile Options Web content profile Unfiltered content profileWeb content profile Options Unfiltered content profile OptionsPlanning the FortiGate configuration Example NAT/Route mode network configurationNAT/Route mode with multiple external network connections Example NAT/Route multiple internet connection configurationConfiguration options Setup wizardFortiGate model maximum values matrix Front keypad and LCDNext steps Signatures Antivirus file Block patterns Web filterNAT/Route mode installation Preparing to configure NAT/Route modeDhcp server Advanced NAT/Route mode settingsAdvanced FortiGate NAT/Route mode settings Using the setup wizard Starting the setup wizardReconnecting to the web-based manager DMZ and user-defined interfacesUsing the front control buttons and LCD Using the command line interfaceConfiguring the FortiGate unit to operate in NAT/Route mode Configuring NAT/Route mode IP addressesSet system interface external mode static ip 204.23.1.5 Connecting the FortiGate unit to your networks To connect the FortiGate unit running in NAT/Route modeFortiGate-800 External To connect to FortiGate-800 user-defined interfacesConfiguring your networks Example FortiGate-800 user-defined interface connectionsCompleting the configuration Configuring the DMZ interfaceConfiguring interfaces 1 to Setting the date and timeRegistering your FortiGate unit Configuration example Multiple connections to the InternetConfiguring virus and attack definition updates Configuring ping servers InternalUsing the CLI Primary and backup links to the InternetDestination-based routing examples Go to System Network Routing TableLoad sharing Load sharing and primary and secondary connectionsTo add the routes using the CLI Routing table should have routes arranged as shown in TableRouting a service to an external network Policy routing examplesAdding a redundant default policy Destination DMZAll Schedule Always ServiceFirewall policy example Adding more firewall policiesRestricting access to a single Internet connection Configuration example Multiple connections to the Internet Transparent mode installation Preparing to configure Transparent modeTransparent mode settings Administrator Password DNS SettingsChanging to Transparent mode using the web-based manager Go to System StatusChanging to Transparent mode using the CLI Operation mode TransparentEnabling antivirus protection Configuring the Transparent mode management IP addressConfigure the Transparent mode default gateway Connecting the FortiGate unit to your networks Transparent mode configuration examples FortiGate-800Default routes and static routes Example default route to an external networkGeneral configuration steps Default route to an external networkWeb-based manager example configuration steps CLI configuration stepsExample static route to an external destination Go to System Network ManagementDMZ Example static route to an internal destination FortiGate-800 Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 Transparent mode configuration examples High availability Configuring an HA cluster Configuring FortiGate units for HA operationTo configure a FortiGate unit for HA operation Go to System Config HAWeighted Round Robin NoneHub Least ConnectionConnecting the cluster Example Active-Active HA configurationHA network configuration To connect the clusterTo add a new unit to the cluster Managing an HA clusterAdding a new FortiGate unit to a functioning cluster Configuring cluster interface monitoring Viewing the status of cluster members Monitoring cluster membersTo set the update frequency Example cluster CPU, memory, and hard disk displayViewing cluster sessions Viewing and managing cluster log messagesManaging individual cluster units Monitoring cluster units for failoverViewing cluster communication sessions To set the host name of each cluster member Changing cluster unit host namesTo manage a cluster unit Synchronizing the cluster configuration Keyword DescriptionUpgrading firmware Advanced HA options Replacing a FortiGate unit after failoverSelecting a FortiGate unit as a permanent primary unit To select a permanent primary unitConfiguring weighted-round-robin weights To set the priority of each FortiGate unit in a clusterActive-Active cluster packet flow Active-active HA packet flowNAT/Route mode packet flow Transparent mode packet flow Active-Active cluster packet flow System status System statusFirmware upgrade procedures Procedure Description Changing the FortiGate host nameChanging the FortiGate firmware To change the FortiGate host name Go to System StatusUpgrading the firmware using the web-based manager Upgrading the firmware using the CLITo upgrade the firmware using the web-based manager To upgrade the firmware using the CLIReverting to a previous firmware version Execute pingReverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot Press any key to enter configuration menu 100101 Restoring the previous configurationTesting a new firmware image before installing it 102 To test a new firmware image103 Installing and using a backup firmware imageInstalling a backup firmware image To install a backup firmware image 104105 Switching to the backup firmware imageTo switch to the backup firmware image Manual virus definition updates Switching back to the default firmware imageTo switch back to the default firmware image To update the antivirus definitions manuallyManual attack definition updates To update the attack definitions manuallyDisplaying the FortiGate serial number 107Backing up system settings Restoring system settingsDisplaying the FortiGate up time Displaying log hard disk statusRestoring system settings to factory defaults Changing to Transparent modeTo change to Transparent mode Go to System Status 109Changing to NAT/Route mode To change to NAT/Route mode Go to System StatusRestarting the FortiGate unit Shutting down the FortiGate unitSystem status Viewing CPU and memory status111 To view CPU and memory status Go to System Status MonitorViewing sessions and network status CPU and memory status monitorViewing virus and intrusions status 113Session list To view the session list Go to System Status Session115 Protocol116 117 Virus and attack definitions updates and registrationUpdating antivirus and attack definitions Connecting to the FortiResponse Distribution Network Go to System UpdateVersion Expiry date Last update attempt Last update status To make sure the FortiGate unit can connect to the FDNManually initiating antivirus and attack definitions updates 119Scheduling updates Configuring update loggingEnabling scheduled updates 120121 To add an override server Go to System UpdateAdding an override server 122 Enabling push updatesEnabling scheduled updates through a proxy server Enabling push updates Push updates when FortiGate IP addresses changeTo enable push updates Go to System Update 123124 Enabling push updates through a NAT deviceExample push updates through a NAT device General procedure 125126 To configure the FortiGate NAT device Schedule Always Service ANY Action AcceptAdding a firewall policy for the port forwarding virtual IP 127Registering FortiGate units 128FortiCare Service Contracts 129Registering the FortiGate unit 130Updating registration information 131132 Recovering a lost Fortinet support passwordViewing the list of registered FortiGate units 133 Registering a new FortiGate unitAdding or changing a FortiCare Support Contract number 134 Changing your Fortinet support passwordChanging your contact information or security question Downloading virus and attack definitions updates 135Registering a FortiGate unit after an RMA 136137 Network configurationConfiguring zones Configuring interfaces Adding zonesDeleting zones 138Changing the administrative status of an interface Viewing the interface listAdding an interface to a zone 139140 Configuring an interface with a manual IP addressConfiguring an interface for Dhcp Configuring an interface for PPPoE 141142 Adding a secondary IP address to an interfaceAdding a ping server to an interface Controlling administrative access to an interface 143Configuring traffic logging for connections to an interface Configuring the management interface in Transparent modeChanging the MTU size to improve network performance 144Vlan overview 145VLANs in NAT/Route mode Rules for Vlan IDsRules for Vlan IP addresses 146Virtual domains in Transparent mode Adding Vlan subinterfaces147 To add Vlan subinterfaces Go to System Network Interface148 FortiGate unit with two virtual domainsConfiguring a virtual domain Virtual domain propertiesAdding a virtual domain 149150 Adding Vlan subinterfaces to a virtual domainAdding zones to virtual domains 151 To add a zone to a virtual domain Go to System Network ZoneAdding firewall policies for virtual domains Adding addresses for virtual domains152 Go to Firewall AddressConfiguring routing Adding DNS server IP addressesDeleting virtual domains 153Adding a default route To add a default route Go to System Network Routing TableAdding destination-based routes to the routing table 154Adding routes in Transparent mode 155156 Configuring the routing tablePolicy routing 157 Configuring Dhcp servicesPolicy routing command syntax Configuring a Dhcp relay agent Configuring a Dhcp serverAdding a Dhcp server to an interface Adding scopes to a Dhcp server159 To add a scope to a Dhcp server Go to System Network DhcpAdding a reserve IP to a Dhcp server Viewing a Dhcp server dynamic IP list160 Selected scope161 RIP configurationRIP settings 162 InvalidHolddown FlushConfiguring RIP for FortiGate interfaces 163Example RIP configuration for an internal interface 164Adding RIP filters Adding a RIP filter list165 To add a RIP filter list Go to System RIP Filter166 Assigning a RIP filter list to the neighbors filterAssigning a RIP filter list to the incoming filter Assigning a RIP filter list to the outgoing filter 167168 System configuration Setting system date and timeTo set the date and time Go to System Config Time 169To set the system idle timeout Go to System Config Options To set the Auth timeout Go to System Config OptionsChanging system options 170Modifying the Dead Gateway Detection settings 171Adding and editing administrator accounts Adding new administrator accountsTo add an administrator account Go to System Config Admin 172Configuring Snmp Editing administrator accountsTo edit an administrator account Go to System Config Admin 173Configuring the FortiGate unit for Snmp monitoring Configuring FortiGate Snmp supportConfiguring Snmp access to an interface Configuring Snmp community settingsSystem Location 175System Name FortiGate MIBs 176FortiGate traps General FortiGate trapsSystem traps 177VPN traps Nids trapsAntivirus traps Logging trapsSystem configuration and status Firewall configurationFortinet MIB fields 179180 181 Replacement messagesLogging and reporting configuration Customizing replacement messages 182Alert email message sections Customizing alert emails183 184 Alert email message sectionsFirewall configuration 185Default firewall configuration 186Interfaces Vlan subinterfacesZones 187Services Default addresses Interface Address DescriptionAddresses SchedulesContent profiles Adding firewall policies189 To add a firewall policy Go to Firewall Policy190 Firewall policy optionsSource Service DestinationSchedule ActionVPN Tunnel Traffic Shaping192 Dynamic IP Pool Fixed PortAuthentication Anti-Virus & Web filter193 Maximum Bandwidth Traffic Priority194 Log TrafficComments 195 Configuring policy listsPolicy matching in detail Changing the order of policies in a policy list Enabling and disabling policiesDisabling policies Enabling policiesAddresses Adding addresses197 To add an address Go to Firewall AddressTo edit an address Go to Firewall Address Editing addresses198 Deleting addresses Organizing addresses into address groups199 To delete an address Go to Firewall Address200 ServicesPredefined services 201 GRE202 LdapAdding custom TCP and UDP services 203Adding custom Icmp services Adding custom IP servicesGrouping services 204Schedules 205Creating one-time schedules 206Creating recurring schedules 207Virtual IPs Adding schedules to policies208 To add a schedule to a policy Go to Firewall PolicyAdding static NAT virtual IPs 209To add a static NAT virtual IP Go to Firewall Virtual IP Virtual IP External Interface examples Description InternalAdding port forwarding virtual IPs 210211 To add a policy with a virtual IP Go to Firewall Policy Adding policies with virtual IPs212 IP pools Adding an IP pool213 To add an IP pool Go to Firewall IP PoolIP/MAC binding IP Pools for firewall policies that use fixed portsIP pools and dynamic NAT 214215 Go to Firewall IP/MAC Binding Static IP/MACAdding IP/MAC addresses 216217 Viewing the dynamic IP/MAC listEnabling IP/MAC binding Content profiles 218Default content profiles Adding content profilesTo add a content profile Go to Firewall Content Profile 219220 Oversized File/Email Pass Fragmented Email221 Adding content profiles to policiesTo add a content profile to a policy Go to Firewall Policy 222 Users and authentication 223Setting authentication timeout Adding user names and configuring authenticationAdding user names and configuring authentication To set authentication timeout Go to System Config OptionsDeleting user names from the internal database 225Configuring Radius support Adding Radius serversDeleting Radius servers 226Configuring Ldap support Adding Ldap servers227 To add an Ldap server Go to User LdapTo delete an Ldap server Go to User Ldap Deleting Ldap servers228 Configuring user groups Adding user groups229 To add a user group Go to User User GroupTo delete a user group Go to User User Group Deleting user groups230 IPSec VPN 231Key management Manual KeysAutoIKE with pre-shared keys AutoIKE with certificatesGeneral configuration steps for a manual key VPN Manual key IPSec VPNsAdding a manual key VPN tunnel 233234 AES128AES192 AES256General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPNAutoIKE IPSec VPNs 235Remote Gateway Dialup User 236Remote Gateway Static IP Address 237 Configuring advanced optionsTo configure phase 1 advanced options 238 Adding a phase 1 configuration Standard options 239240 Adding a phase 2 configuration for an AutoIKE VPNTo add a phase 2 configuration Go to VPN Ipsec Phase Use wildcard selectors 241Use selectors from policy Managing digital certificates Obtaining a signed local certificateGenerating the certificate request 242Key Size 243Key Type 244 Downloading the certificate requestImporting the signed local certificate Configuring encrypt policies Obtaining CA certificatesImporting CA certificates 245To add a source address Go to Firewall Address Adding a source address246 Adding a destination address Adding an encrypt policy247 To add a destination address Go to Firewall Address248 IPSec VPN concentrators 249250 VPN concentrator hub general configuration stepsTo create a VPN concentrator configuration Adding a VPN concentrator 251252 VPN spoke general configuration stepsTo create a VPN spoke configuration Redundant IPSec VPNs 253254 Configuring redundant IPSec VPNsTo configure a redundant IPSec VPN Monitoring and Troubleshooting VPNs To view VPN tunnel status Go to VPN Ipsec PhaseViewing VPN tunnel status Viewing dialup VPN connection statusTesting a VPN 256257 Configuring PptpPptp and L2TP VPN Configuring the FortiGate unit as a Pptp gateway 258To add users and user groups To add a source address259 To add a source address groupTo add a destination address To add a firewall policyConfiguring a Windows 98 client for Pptp 260Configuring a Windows 2000 client for Pptp Configuring a Windows XP client for Pptp261 To connect to the Pptp VPNSelect Properties Security To configure the VPN connection262 263 Configuring L2TPConfiguring the FortiGate unit as an L2TP gateway 264 To add source addressesConfiguring a Windows 2000 client for L2TP 265To connect to the L2TP VPN To disable IPSec266 Configuring a Windows XP client for L2TP 267268 269 Network Intrusion Detection System NidsDetecting attacks Configuring checksum verification Selecting the interfaces to monitorDisabling monitoring interfaces 270271 Viewing the signature listViewing attack descriptions 272 Disabling Nids attack signaturesAdding user-defined signatures Downloading the user-defined signature list 273To enable Nids attack prevention Go to Nids Prevention Preventing attacksEnabling Nids attack prevention Enabling Nids attack prevention signaturesSetting signature threshold values 275Logging attacks Logging attack messages to the attack logReducing the number of Nids attack log and email messages Automatic message reductionManual message reduction 277278 279 General configuration stepsAntivirus protection To scan FortiGate firewall traffic for viruses Antivirus scanning280 File blocking 281Blocking files in firewall traffic Adding file patterns to block282 To block files in firewall trafficQuarantine Quarantining infected filesQuarantining blocked files 283Viewing the quarantine list Sorting the quarantine list284 To view the quarantine list Go to Anti-Virus QuarantineConfiguring quarantine options Filtering the quarantine listDeleting files from the quarantine list Downloading quarantined files286 Configuring limits for oversized files and emailBlocking oversized files and emails To view the virus list Go to Anti-Virus Config Virus List Exempting fragmented email from blockingViewing the virus list 287288 Web filtering 289Content blocking Go to Web Filter Content BlockAdding words and phrases to the Banned Word list 290Clearing the Banned Word list 291292 Backing up the Banned Word listRestoring the Banned Word list Configuring FortiGate Web URL blocking URL blockingAdding URLs to the Web URL block list 293Clearing the Web URL block list 294Downloading the Web URL block list Uploading a URL block list295 To upload a URL block list296 Configuring Cerberian URL filteringConfiguring FortiGate Web pattern blocking Installing a Cerberian license key Configuring Cerberian web filterAbout the default group and policy Adding a Cerberian user298 To configure Cerberian web filteringEnabling Cerberian URL filtering Script filtering Enabling script filteringSelecting script filter options 299Exempt URL list Adding URLs to the URL Exempt list300 Go to Web Filter URLExemptDownloading the URL Exempt List Uploading a URL Exempt List301 Go to Web Filter URL Exempt302 Email filter 303304 Email banned word listAdding words and phrases to the email banned word list 305 Downloading the email banned word listUploading the email banned word list Email block list Adding address patterns to the email block listDownloading the email block list 306Email exempt list Uploading an email block list307 To upload the email block listTo add a subject tag Go to Email Filter Config Adding a subject tagAdding address patterns to the email exempt list 308309 Logging and reportingRecording logs 310 Recording logs on a remote computerRecording logs on a NetIQ WebTrends server Recording logs on the FortiGate hard disk 311Overwrite Option312 Recording logs in system memoryLog message levels 313 To filter log entries Go to Log&Report Log SettingFiltering log messages Configuring traffic logging 314Enabling traffic logging Enabling traffic logging for an interfaceEnabling traffic logging for a Vlan subinterface Enabling traffic logging for a firewall policyConfiguring traffic filter settings Adding traffic filter entries316 Resolve IPDestination IP Address Destination Netmask Service Viewing logs saved to memoryViewing logs 317Viewing and managing logs saved to the hard disk Searching logs318 Keyword319 To view the active or saved logs Go to Log&Report LoggingDownloading a log file to the management computer Deleting all messages from an active logDeleting a saved log file 320Configuring alert email Testing alert emailAdding alert email addresses 321Enabling alert email 322Glossary 323324 325 326 Index 327328 Index329 Dialup Pptp330 Http331 Ldap332 333 Pptp dialup connection334 335 TCP336 Vlan