Preventing attacks, 274 | Fortinet FortiGate-800 guide

Preventing attacks	Network Intrusion Detection System (NIDS)

Preventing attacks

NIDS attack prevention protects the FortiGate unit and the networks connected to it from common TCP, ICMP, UDP, and IP attacks. You can enable NIDS attack prevention to prevent a set of default attacks with default threshold values. You can also enable or disable and set the threshold values for individual attack prevention signatures.

Note: After the FortiGate unit reboots, NIDS attack prevention and synflood prevention are always disabled.

•Enabling NIDS attack prevention

•Enabling NIDS attack prevention signatures

•Setting signature threshold values

Enabling NIDS attack prevention

To enable NIDS attack prevention

1Go to NIDS > Prevention.

2Select the Enable Prevention check box, in the top left corner.

Enabling NIDS attack prevention signatures

The NIDS Prevention module contains signatures that are designed to protect your network against attacks. Some signatures are enabled by default, others must be enabled. For a complete list of NIDS Prevention signatures and descriptions, see the FortiGate NIDS Guide.

To enable attack prevention signatures

1Go to NIDS > Prevention.

2Select the Enable check box beside each signature that you want to enable.

3Select Check All to enable all signatures in the NIDS attack prevention signature list.

4Select Uncheck All to disable all signatures in the NIDS attack prevention signature list.

5	Select Reset to Default Values	to enable only the default NIDS attack prevention
	signatures and return to the default threshold values.

274	Fortinet Inc.

Image 274

Fortinet FortiGate-800 manual Preventing attacks, Enabling Nids attack prevention signatures, 274

Contents

Installation and Configuration Guide January 15 Trademarks Regulatory Compliance Table of Contents NAT/Route mode installation High availability Virus and attack definitions updates and registration 117 Network configuration 137 System configuration 169 Users and authentication 223 IPSec VPN 231 Network Intrusion Detection System Nids 269 Email filter 303 Glossary 323 Index 327 Contents Introduction Flexibility demanded by large enterprises Web content filtering Antivirus protection Email filtering Firewall VLANs and virtual domains NAT/Route modeTransparent mode Network intrusion detection VPN High availability Secure installation, configuration, and management Web-based manager Command line interface Logging and reporting Document conventions Fortinet documentation Customer service and technical support Comments on Fortinet technical documentation Customer service and technical support Getting started Package contents Mounting Environmental specifications Powering onPower requirements To power on the FortiGate-800 unit Connecting to the web-based manager To connect to the web-based manager Bits per second 9600 Data bits Parity Connecting to the command line interface CLITo connect to the CLI Stop bits Flow control Account Factory default FortiGate configuration settingsFactory default NAT/Route mode network configuration Internal interface Factory default Transparent mode network configuration Factory default firewall configuration Factory default content profiles Strict content profile Strict content profile Options Scan content profileScan content profile Options Web content profile Options Web content profileUnfiltered content profile Unfiltered content profile Options Planning the FortiGate configuration Example NAT/Route mode network configuration NAT/Route mode with multiple external network connections Example NAT/Route multiple internet connection configuration Configuration options Setup wizard FortiGate model maximum values matrix Front keypad and LCD Next steps Signatures Antivirus file Block patterns Web filter NAT/Route mode installation Preparing to configure NAT/Route mode Advanced FortiGate NAT/Route mode settings Advanced NAT/Route mode settingsDhcp server Reconnecting to the web-based manager Using the setup wizardStarting the setup wizard DMZ and user-defined interfaces Configuring the FortiGate unit to operate in NAT/Route mode Using the front control buttons and LCDUsing the command line interface Configuring NAT/Route mode IP addresses Set system interface external mode static ip 204.23.1.5 Connecting the FortiGate unit to your networks To connect the FortiGate unit running in NAT/Route mode FortiGate-800 External To connect to FortiGate-800 user-defined interfaces Configuring your networks Example FortiGate-800 user-defined interface connections Configuring interfaces 1 to Completing the configurationConfiguring the DMZ interface Setting the date and time Configuring virus and attack definition updates Configuration example Multiple connections to the InternetRegistering your FortiGate unit Configuring ping servers Internal Destination-based routing examples Using the CLIPrimary and backup links to the Internet Go to System Network Routing Table Load sharing Load sharing and primary and secondary connections To add the routes using the CLI Routing table should have routes arranged as shown in Table Routing a service to an external network Policy routing examples Firewall policy example Adding a redundant default policyDestination DMZAll Schedule Always Service Adding more firewall policies Restricting access to a single Internet connection Configuration example Multiple connections to the Internet Transparent mode settings Administrator Password Transparent mode installationPreparing to configure Transparent mode DNS Settings Changing to Transparent mode using the web-based manager Go to System Status Changing to Transparent mode using the CLI Operation mode Transparent Configure the Transparent mode default gateway Configuring the Transparent mode management IP addressEnabling antivirus protection Connecting the FortiGate unit to your networks Transparent mode configuration examples FortiGate-800 Default routes and static routes Example default route to an external network General configuration steps Default route to an external network Example static route to an external destination Web-based manager example configuration stepsCLI configuration steps Go to System Network Management DMZ Example static route to an internal destination FortiGate-800 Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 Transparent mode configuration examples High availability To configure a FortiGate unit for HA operation Configuring an HA clusterConfiguring FortiGate units for HA operation Go to System Config HA Hub Weighted Round RobinNone Least Connection Connecting the cluster Example Active-Active HA configuration HA network configuration To connect the cluster Adding a new FortiGate unit to a functioning cluster Managing an HA clusterTo add a new unit to the cluster Configuring cluster interface monitoring Viewing the status of cluster members Monitoring cluster members To set the update frequency Example cluster CPU, memory, and hard disk display Viewing cluster sessions Viewing and managing cluster log messages Viewing cluster communication sessions Monitoring cluster units for failoverManaging individual cluster units To manage a cluster unit Changing cluster unit host namesTo set the host name of each cluster member Synchronizing the cluster configuration Keyword Description Upgrading firmware Selecting a FortiGate unit as a permanent primary unit Advanced HA optionsReplacing a FortiGate unit after failover To select a permanent primary unit Configuring weighted-round-robin weights To set the priority of each FortiGate unit in a cluster Active-Active cluster packet flow Active-active HA packet flow NAT/Route mode packet flow Transparent mode packet flow Active-Active cluster packet flow System status System status Changing the FortiGate firmware Firmware upgrade procedures Procedure DescriptionChanging the FortiGate host name To change the FortiGate host name Go to System Status To upgrade the firmware using the web-based manager Upgrading the firmware using the web-based managerUpgrading the firmware using the CLI To upgrade the firmware using the CLI Reverting to a previous firmware version Execute ping Reverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot Press any key to enter configuration menu 100 Testing a new firmware image before installing it Restoring the previous configuration101 102 To test a new firmware image Installing a backup firmware image Installing and using a backup firmware image103 To install a backup firmware image 104 To switch to the backup firmware image Switching to the backup firmware image105 To switch back to the default firmware image Manual virus definition updatesSwitching back to the default firmware image To update the antivirus definitions manually Displaying the FortiGate serial number Manual attack definition updatesTo update the attack definitions manually 107 Displaying the FortiGate up time Backing up system settingsRestoring system settings Displaying log hard disk status To change to Transparent mode Go to System Status Restoring system settings to factory defaultsChanging to Transparent mode 109 Restarting the FortiGate unit Changing to NAT/Route modeTo change to NAT/Route mode Go to System Status Shutting down the FortiGate unit 111 System statusViewing CPU and memory status To view CPU and memory status Go to System Status Monitor Viewing sessions and network status CPU and memory status monitor Viewing virus and intrusions status 113 Session list To view the session list Go to System Status Session 115 Protocol 116 Updating antivirus and attack definitions Virus and attack definitions updates and registration117 Version Expiry date Last update attempt Last update status Connecting to the FortiResponse Distribution NetworkGo to System Update To make sure the FortiGate unit can connect to the FDN Manually initiating antivirus and attack definitions updates 119 Enabling scheduled updates Scheduling updatesConfiguring update logging 120 Adding an override server To add an override server Go to System Update121 Enabling scheduled updates through a proxy server Enabling push updates122 To enable push updates Go to System Update Enabling push updatesPush updates when FortiGate IP addresses change 123 Example push updates through a NAT device Enabling push updates through a NAT device124 General procedure 125 126 Adding a firewall policy for the port forwarding virtual IP To configure the FortiGate NAT deviceSchedule Always Service ANY Action Accept 127 Registering FortiGate units 128 FortiCare Service Contracts 129 Registering the FortiGate unit 130 Updating registration information 131 Viewing the list of registered FortiGate units Recovering a lost Fortinet support password132 Adding or changing a FortiCare Support Contract number Registering a new FortiGate unit133 Changing your contact information or security question Changing your Fortinet support password134 Downloading virus and attack definitions updates 135 Registering a FortiGate unit after an RMA 136 Configuring zones Network configuration137 Deleting zones Configuring interfacesAdding zones 138 Adding an interface to a zone Changing the administrative status of an interfaceViewing the interface list 139 Configuring an interface for Dhcp Configuring an interface with a manual IP address140 Configuring an interface for PPPoE 141 Adding a ping server to an interface Adding a secondary IP address to an interface142 Controlling administrative access to an interface 143 Changing the MTU size to improve network performance Configuring traffic logging for connections to an interfaceConfiguring the management interface in Transparent mode 144 Vlan overview 145 Rules for Vlan IP addresses VLANs in NAT/Route modeRules for Vlan IDs 146 147 Virtual domains in Transparent modeAdding Vlan subinterfaces To add Vlan subinterfaces Go to System Network Interface 148 FortiGate unit with two virtual domains Adding a virtual domain Configuring a virtual domainVirtual domain properties 149 Adding zones to virtual domains Adding Vlan subinterfaces to a virtual domain150 151 To add a zone to a virtual domain Go to System Network Zone 152 Adding firewall policies for virtual domainsAdding addresses for virtual domains Go to Firewall Address Deleting virtual domains Configuring routingAdding DNS server IP addresses 153 Adding destination-based routes to the routing table Adding a default routeTo add a default route Go to System Network Routing Table 154 Adding routes in Transparent mode 155 Policy routing Configuring the routing table156 Policy routing command syntax Configuring Dhcp services157 Adding a Dhcp server to an interface Configuring a Dhcp relay agentConfiguring a Dhcp server Adding scopes to a Dhcp server 159 To add a scope to a Dhcp server Go to System Network Dhcp 160 Adding a reserve IP to a Dhcp serverViewing a Dhcp server dynamic IP list Selected scope RIP settings RIP configuration161 Holddown 162Invalid Flush Configuring RIP for FortiGate interfaces 163 Example RIP configuration for an internal interface 164 165 Adding RIP filtersAdding a RIP filter list To add a RIP filter list Go to System RIP Filter Assigning a RIP filter list to the incoming filter Assigning a RIP filter list to the neighbors filter166 Assigning a RIP filter list to the outgoing filter 167 168 To set the date and time Go to System Config Time System configurationSetting system date and time 169 Changing system options To set the system idle timeout Go to System Config OptionsTo set the Auth timeout Go to System Config Options 170 Modifying the Dead Gateway Detection settings 171 To add an administrator account Go to System Config Admin Adding and editing administrator accountsAdding new administrator accounts 172 To edit an administrator account Go to System Config Admin Configuring SnmpEditing administrator accounts 173 Configuring Snmp access to an interface Configuring the FortiGate unit for Snmp monitoringConfiguring FortiGate Snmp support Configuring Snmp community settings System Name 175System Location FortiGate MIBs 176 System traps FortiGate trapsGeneral FortiGate traps 177 Antivirus traps VPN trapsNids traps Logging traps Fortinet MIB fields System configuration and statusFirewall configuration 179 180 Logging and reporting configuration Replacement messages181 Customizing replacement messages 182 183 Customizing alert emailsAlert email message sections 184 Alert email message sections Firewall configuration 185 Default firewall configuration 186 Zones InterfacesVlan subinterfaces 187 Addresses ServicesDefault addresses Interface Address Description Schedules 189 Content profilesAdding firewall policies To add a firewall policy Go to Firewall Policy Source Firewall policy options190 Schedule ServiceDestination Action 192 VPN TunnelTraffic Shaping Dynamic IP Pool Fixed Port 193 AuthenticationAnti-Virus & Web filter Maximum Bandwidth Traffic Priority Comments Log Traffic194 Policy matching in detail Configuring policy lists195 Disabling policies Changing the order of policies in a policy listEnabling and disabling policies Enabling policies 197 AddressesAdding addresses To add an address Go to Firewall Address 198 Editing addressesTo edit an address Go to Firewall Address 199 Deleting addressesOrganizing addresses into address groups To delete an address Go to Firewall Address Predefined services Services200 201 GRE 202 Ldap Adding custom TCP and UDP services 203 Grouping services Adding custom Icmp servicesAdding custom IP services 204 Schedules 205 Creating one-time schedules 206 Creating recurring schedules 207 208 Virtual IPsAdding schedules to policies To add a schedule to a policy Go to Firewall Policy To add a static NAT virtual IP Go to Firewall Virtual IP Adding static NAT virtual IPs209 Virtual IP External Interface examples Description Internal Adding port forwarding virtual IPs 210 211 212 Adding policies with virtual IPsTo add a policy with a virtual IP Go to Firewall Policy 213 IP poolsAdding an IP pool To add an IP pool Go to Firewall IP Pool IP pools and dynamic NAT IP/MAC bindingIP Pools for firewall policies that use fixed ports 214 215 Go to Firewall IP/MAC Binding Static IP/MAC Adding IP/MAC addresses 216 Enabling IP/MAC binding Viewing the dynamic IP/MAC list217 Content profiles 218 To add a content profile Go to Firewall Content Profile Default content profilesAdding content profiles 219 220 Oversized File/Email Pass Fragmented Email To add a content profile to a policy Go to Firewall Policy Adding content profiles to policies221 222 Users and authentication 223 Adding user names and configuring authentication Setting authentication timeoutAdding user names and configuring authentication To set authentication timeout Go to System Config Options Deleting user names from the internal database 225 Deleting Radius servers Configuring Radius supportAdding Radius servers 226 227 Configuring Ldap supportAdding Ldap servers To add an Ldap server Go to User Ldap 228 Deleting Ldap serversTo delete an Ldap server Go to User Ldap 229 Configuring user groupsAdding user groups To add a user group Go to User User Group 230 Deleting user groupsTo delete a user group Go to User User Group IPSec VPN 231 AutoIKE with pre-shared keys Key managementManual Keys AutoIKE with certificates Adding a manual key VPN tunnel General configuration steps for a manual key VPNManual key IPSec VPNs 233 AES192 234AES128 AES256 AutoIKE IPSec VPNs General configuration steps for an AutoIKE VPNAdding a phase 1 configuration for an AutoIKE VPN 235 Remote Gateway Static IP Address 236Remote Gateway Dialup User To configure phase 1 advanced options Configuring advanced options237 238 Adding a phase 1 configuration Standard options 239 To add a phase 2 configuration Go to VPN Ipsec Phase Adding a phase 2 configuration for an AutoIKE VPN240 Use selectors from policy 241Use wildcard selectors Generating the certificate request Managing digital certificatesObtaining a signed local certificate 242 Key Type 243Key Size Importing the signed local certificate Downloading the certificate request244 Importing CA certificates Configuring encrypt policiesObtaining CA certificates 245 246 Adding a source addressTo add a source address Go to Firewall Address 247 Adding a destination addressAdding an encrypt policy To add a destination address Go to Firewall Address 248 IPSec VPN concentrators 249 To create a VPN concentrator configuration VPN concentrator hub general configuration steps250 Adding a VPN concentrator 251 To create a VPN spoke configuration VPN spoke general configuration steps252 Redundant IPSec VPNs 253 To configure a redundant IPSec VPN Configuring redundant IPSec VPNs254 Viewing VPN tunnel status Monitoring and Troubleshooting VPNsTo view VPN tunnel status Go to VPN Ipsec Phase Viewing dialup VPN connection status Testing a VPN 256 Pptp and L2TP VPN Configuring Pptp257 To add users and user groups Configuring the FortiGate unit as a Pptp gateway258 To add a source address To add a destination address 259To add a source address group To add a firewall policy Configuring a Windows 98 client for Pptp 260 261 Configuring a Windows 2000 client for PptpConfiguring a Windows XP client for Pptp To connect to the Pptp VPN 262 To configure the VPN connectionSelect Properties Security Configuring the FortiGate unit as an L2TP gateway Configuring L2TP263 264 To add source addresses Configuring a Windows 2000 client for L2TP 265 266 To disable IPSecTo connect to the L2TP VPN Configuring a Windows XP client for L2TP 267 268 Detecting attacks Network Intrusion Detection System Nids269 Disabling monitoring interfaces Configuring checksum verificationSelecting the interfaces to monitor 270 Viewing attack descriptions Viewing the signature list271 Adding user-defined signatures Disabling Nids attack signatures272 Downloading the user-defined signature list 273 Enabling Nids attack prevention To enable Nids attack prevention Go to Nids PreventionPreventing attacks Enabling Nids attack prevention signatures Setting signature threshold values 275 Reducing the number of Nids attack log and email messages Logging attacksLogging attack messages to the attack log Automatic message reduction Manual message reduction 277 278 Antivirus protection General configuration steps279 280 Antivirus scanningTo scan FortiGate firewall traffic for viruses File blocking 281 282 Blocking files in firewall trafficAdding file patterns to block To block files in firewall traffic Quarantining blocked files QuarantineQuarantining infected files 283 284 Viewing the quarantine listSorting the quarantine list To view the quarantine list Go to Anti-Virus Quarantine Deleting files from the quarantine list Configuring quarantine optionsFiltering the quarantine list Downloading quarantined files Blocking oversized files and emails Configuring limits for oversized files and email286 Viewing the virus list To view the virus list Go to Anti-Virus Config Virus ListExempting fragmented email from blocking 287 288 Web filtering 289 Adding words and phrases to the Banned Word list Content blockingGo to Web Filter Content Block 290 Clearing the Banned Word list 291 Restoring the Banned Word list Backing up the Banned Word list292 Adding URLs to the Web URL block list Configuring FortiGate Web URL blockingURL blocking 293 Clearing the Web URL block list 294 295 Downloading the Web URL block listUploading a URL block list To upload a URL block list Configuring FortiGate Web pattern blocking Configuring Cerberian URL filtering296 About the default group and policy Installing a Cerberian license keyConfiguring Cerberian web filter Adding a Cerberian user Enabling Cerberian URL filtering To configure Cerberian web filtering298 Selecting script filter options Script filteringEnabling script filtering 299 300 Exempt URL listAdding URLs to the URL Exempt list Go to Web Filter URLExempt 301 Downloading the URL Exempt ListUploading a URL Exempt List Go to Web Filter URL Exempt 302 Email filter 303 Adding words and phrases to the email banned word list Email banned word list304 Uploading the email banned word list Downloading the email banned word list305 Downloading the email block list Email block listAdding address patterns to the email block list 306 307 Email exempt listUploading an email block list To upload the email block list Adding address patterns to the email exempt list To add a subject tag Go to Email Filter ConfigAdding a subject tag 308 Recording logs Logging and reporting309 Recording logs on a NetIQ WebTrends server Recording logs on a remote computer310 Overwrite Recording logs on the FortiGate hard disk311 Option Log message levels Recording logs in system memory312 Filtering log messages To filter log entries Go to Log&Report Log Setting313 Configuring traffic logging 314 Enabling traffic logging for a Vlan subinterface Enabling traffic loggingEnabling traffic logging for an interface Enabling traffic logging for a firewall policy 316 Configuring traffic filter settingsAdding traffic filter entries Resolve IP Viewing logs Destination IP Address Destination Netmask ServiceViewing logs saved to memory 317 318 Viewing and managing logs saved to the hard diskSearching logs Keyword 319 To view the active or saved logs Go to Log&Report Logging Deleting a saved log file Downloading a log file to the management computerDeleting all messages from an active log 320 Adding alert email addresses Configuring alert emailTesting alert email 321 Enabling alert email 322 Glossary 323 324 325 326 Index 327 328 Index 329 Dialup Pptp 330 Http 331 Ldap 332 333 Pptp dialup connection 334 335 TCP 336 Vlan