Manuals / Fortinet / Computer Equipment / Network Card

Fortinet FortiGate-800 manual Setting signature threshold values, 275

Models: FortiGate-800

1 336

Download 336 pages 18.65 Kb

Page 275

Network Intrusion Detection System (NIDS)	Preventing attacks

Setting signature threshold values

You can change the default threshold values for the NIDS Prevention signatures listed in Table 40. The threshold depends on the type of attack. For flooding attacks, the threshold is the maximum number of packets received per second. For overflow attacks, the threshold is the buffer size for the command. For large ICMP attacks, the threshold is the ICMP packet size limit to pass through.

For example, setting the icmpflood signature threshold to 500 allows 500 echo requests from a source address, to which the system sends echo replies. The FortiGate unit drops any requests over the threshold of 500.

If you enter a threshold value of 0 or a number out of the allowable range, the

FortiGate unit uses the default value.

Table 40: NIDS Prevention signatures with threshold values

Signature	Threshold value units	Default	Minimum	Maximum
abbreviation		threshold	threshold	threshold
		value	value	value

synflood	Threshold: Maximum number of SYN	2048	1	1000000
	segments received per second.

	Queue Size: Maximum proxied	4096	100	1000000
	connections.

	Timeout: Number of seconds for the	15	1	3600
	SYN cookie to keep a proxied
	connection alive.

portscan	Maximum number of SYN segments	512	1	1000000
	received per second

srcsession	Total number of TCP sessions initiated	2048	1	1000000
	from the same source

ftpovfl	Maximum buffer size for an FTP	256	32	1408
	command (bytes)

smtpovfl	Maximum buffer size for an SMTP	512	32	1408
	command (bytes)

pop3ovfl	Maximum buffer size for a POP3	512	32	1408
	command (bytes)

udpflood	Maximum number of UDP packets	2048	1	1000000
	received from the same source or sent
	to the same destination per second

udpsrcsession	Total number of UDP sessions initiated	2048	1	1000000
	from the same source

icmpflood	Maximum number of ICMP packets	256	1	1000000
	received from the same source or sent
	to the same destination per second

icmpsrcsession	Total number of ICMP sessions	128	1	1000000
	initiated from the same source

icmpsweep	Maximum number of ICMP packets	128	1	1000000
	received from the same source per
	second

icmplarge	Maximum ICMP packet size (bytes)	32000	64	64000

FortiGate-800 Installation and Configuration Guide

275

Image 275

Fortinet FortiGate-800 manual Setting signature threshold values, 275

Contents

January 15 Installation and Configuration GuideRegulatory Compliance TrademarksTable of Contents NAT/Route mode installation High availability Virus and attack definitions updates and registration 117 Network configuration 137 System configuration 169 Users and authentication 223 IPSec VPN 231 Network Intrusion Detection System Nids 269 Email filter 303 Glossary 323 Index 327 Contents Flexibility demanded by large enterprises IntroductionAntivirus protection Web content filteringFirewall Email filteringNetwork intrusion detection NAT/Route modeTransparent mode VLANs and virtual domainsHigh availability VPNWeb-based manager Secure installation, configuration, and managementLogging and reporting Command line interfaceFortinet documentation Document conventionsComments on Fortinet technical documentation Customer service and technical supportCustomer service and technical support Getting started Mounting Package contentsTo power on the FortiGate-800 unit Powering onPower requirements Environmental specificationsTo connect to the web-based manager Connecting to the web-based managerStop bits Flow control Connecting to the command line interface CLITo connect to the CLI Bits per second 9600 Data bits ParityInternal interface Factory default FortiGate configuration settingsFactory default NAT/Route mode network configuration AccountFactory default Transparent mode network configuration Factory default firewall configuration Strict content profile Factory default content profilesScan content profile Options Scan content profileStrict content profile Options Unfiltered content profile Options Web content profileUnfiltered content profile Web content profile OptionsExample NAT/Route mode network configuration Planning the FortiGate configurationExample NAT/Route multiple internet connection configuration NAT/Route mode with multiple external network connectionsSetup wizard Configuration optionsFront keypad and LCD FortiGate model maximum values matrixSignatures Antivirus file Block patterns Web filter Next stepsPreparing to configure NAT/Route mode NAT/Route mode installationDhcp server Advanced NAT/Route mode settingsAdvanced FortiGate NAT/Route mode settings DMZ and user-defined interfaces Using the setup wizardStarting the setup wizard Reconnecting to the web-based managerConfiguring NAT/Route mode IP addresses Using the front control buttons and LCDUsing the command line interface Configuring the FortiGate unit to operate in NAT/Route modeSet system interface external mode static ip 204.23.1.5 To connect the FortiGate unit running in NAT/Route mode Connecting the FortiGate unit to your networksTo connect to FortiGate-800 user-defined interfaces FortiGate-800 ExternalExample FortiGate-800 user-defined interface connections Configuring your networksSetting the date and time Completing the configurationConfiguring the DMZ interface Configuring interfaces 1 toRegistering your FortiGate unit Configuration example Multiple connections to the InternetConfiguring virus and attack definition updates Internal Configuring ping serversGo to System Network Routing Table Using the CLIPrimary and backup links to the Internet Destination-based routing examplesLoad sharing and primary and secondary connections Load sharingRouting table should have routes arranged as shown in Table To add the routes using the CLIPolicy routing examples Routing a service to an external networkAdding more firewall policies Adding a redundant default policyDestination DMZAll Schedule Always Service Firewall policy exampleRestricting access to a single Internet connection Configuration example Multiple connections to the Internet DNS Settings Transparent mode installationPreparing to configure Transparent mode Transparent mode settings Administrator PasswordGo to System Status Changing to Transparent mode using the web-based managerOperation mode Transparent Changing to Transparent mode using the CLIEnabling antivirus protection Configuring the Transparent mode management IP addressConfigure the Transparent mode default gateway Connecting the FortiGate unit to your networks FortiGate-800 Transparent mode configuration examplesExample default route to an external network Default routes and static routesDefault route to an external network General configuration stepsGo to System Network Management Web-based manager example configuration stepsCLI configuration steps Example static route to an external destinationDMZ Example static route to an internal destination FortiGate-800 Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 Transparent mode configuration examples High availability Go to System Config HA Configuring an HA clusterConfiguring FortiGate units for HA operation To configure a FortiGate unit for HA operationLeast Connection Weighted Round RobinNone HubExample Active-Active HA configuration Connecting the clusterTo connect the cluster HA network configurationTo add a new unit to the cluster Managing an HA clusterAdding a new FortiGate unit to a functioning cluster Configuring cluster interface monitoring Monitoring cluster members Viewing the status of cluster membersExample cluster CPU, memory, and hard disk display To set the update frequencyViewing and managing cluster log messages Viewing cluster sessionsManaging individual cluster units Monitoring cluster units for failoverViewing cluster communication sessions To set the host name of each cluster member Changing cluster unit host namesTo manage a cluster unit Keyword Description Synchronizing the cluster configurationUpgrading firmware To select a permanent primary unit Advanced HA optionsReplacing a FortiGate unit after failover Selecting a FortiGate unit as a permanent primary unitTo set the priority of each FortiGate unit in a cluster Configuring weighted-round-robin weightsActive-active HA packet flow Active-Active cluster packet flowNAT/Route mode packet flow Transparent mode packet flow Active-Active cluster packet flow System status System statusTo change the FortiGate host name Go to System Status Firmware upgrade procedures Procedure DescriptionChanging the FortiGate host name Changing the FortiGate firmwareTo upgrade the firmware using the CLI Upgrading the firmware using the web-based managerUpgrading the firmware using the CLI To upgrade the firmware using the web-based managerExecute ping Reverting to a previous firmware versionReverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot 100 Press any key to enter configuration menu101 Restoring the previous configurationTesting a new firmware image before installing it To test a new firmware image 102103 Installing and using a backup firmware imageInstalling a backup firmware image 104 To install a backup firmware image105 Switching to the backup firmware imageTo switch to the backup firmware image To update the antivirus definitions manually Manual virus definition updatesSwitching back to the default firmware image To switch back to the default firmware image107 Manual attack definition updatesTo update the attack definitions manually Displaying the FortiGate serial numberDisplaying log hard disk status Backing up system settingsRestoring system settings Displaying the FortiGate up time109 Restoring system settings to factory defaultsChanging to Transparent mode To change to Transparent mode Go to System StatusShutting down the FortiGate unit Changing to NAT/Route modeTo change to NAT/Route mode Go to System Status Restarting the FortiGate unitTo view CPU and memory status Go to System Status Monitor System statusViewing CPU and memory status 111CPU and memory status monitor Viewing sessions and network status113 Viewing virus and intrusions statusTo view the session list Go to System Status Session Session listProtocol 115116 117 Virus and attack definitions updates and registrationUpdating antivirus and attack definitions To make sure the FortiGate unit can connect to the FDN Connecting to the FortiResponse Distribution NetworkGo to System Update Version Expiry date Last update attempt Last update status119 Manually initiating antivirus and attack definitions updates120 Scheduling updatesConfiguring update logging Enabling scheduled updates121 To add an override server Go to System UpdateAdding an override server 122 Enabling push updatesEnabling scheduled updates through a proxy server 123 Enabling push updatesPush updates when FortiGate IP addresses change To enable push updates Go to System Update124 Enabling push updates through a NAT deviceExample push updates through a NAT device 125 General procedure126 127 To configure the FortiGate NAT deviceSchedule Always Service ANY Action Accept Adding a firewall policy for the port forwarding virtual IP128 Registering FortiGate units129 FortiCare Service Contracts130 Registering the FortiGate unit131 Updating registration information132 Recovering a lost Fortinet support passwordViewing the list of registered FortiGate units 133 Registering a new FortiGate unitAdding or changing a FortiCare Support Contract number 134 Changing your Fortinet support passwordChanging your contact information or security question 135 Downloading virus and attack definitions updates136 Registering a FortiGate unit after an RMA137 Network configurationConfiguring zones 138 Configuring interfacesAdding zones Deleting zones139 Changing the administrative status of an interfaceViewing the interface list Adding an interface to a zone140 Configuring an interface with a manual IP addressConfiguring an interface for Dhcp 141 Configuring an interface for PPPoE142 Adding a secondary IP address to an interfaceAdding a ping server to an interface 143 Controlling administrative access to an interface144 Configuring traffic logging for connections to an interfaceConfiguring the management interface in Transparent mode Changing the MTU size to improve network performance145 Vlan overview146 VLANs in NAT/Route modeRules for Vlan IDs Rules for Vlan IP addressesTo add Vlan subinterfaces Go to System Network Interface Virtual domains in Transparent modeAdding Vlan subinterfaces 147FortiGate unit with two virtual domains 148149 Configuring a virtual domainVirtual domain properties Adding a virtual domain150 Adding Vlan subinterfaces to a virtual domainAdding zones to virtual domains To add a zone to a virtual domain Go to System Network Zone 151Go to Firewall Address Adding firewall policies for virtual domainsAdding addresses for virtual domains 152153 Configuring routingAdding DNS server IP addresses Deleting virtual domains154 Adding a default routeTo add a default route Go to System Network Routing Table Adding destination-based routes to the routing table155 Adding routes in Transparent mode156 Configuring the routing tablePolicy routing 157 Configuring Dhcp servicesPolicy routing command syntax Adding scopes to a Dhcp server Configuring a Dhcp relay agentConfiguring a Dhcp server Adding a Dhcp server to an interfaceTo add a scope to a Dhcp server Go to System Network Dhcp 159Selected scope Adding a reserve IP to a Dhcp serverViewing a Dhcp server dynamic IP list 160161 RIP configurationRIP settings Flush 162Invalid Holddown163 Configuring RIP for FortiGate interfaces164 Example RIP configuration for an internal interfaceTo add a RIP filter list Go to System RIP Filter Adding RIP filtersAdding a RIP filter list 165166 Assigning a RIP filter list to the neighbors filterAssigning a RIP filter list to the incoming filter 167 Assigning a RIP filter list to the outgoing filter168 169 System configurationSetting system date and time To set the date and time Go to System Config Time170 To set the system idle timeout Go to System Config OptionsTo set the Auth timeout Go to System Config Options Changing system options171 Modifying the Dead Gateway Detection settings172 Adding and editing administrator accountsAdding new administrator accounts To add an administrator account Go to System Config Admin173 Configuring SnmpEditing administrator accounts To edit an administrator account Go to System Config AdminConfiguring Snmp community settings Configuring the FortiGate unit for Snmp monitoringConfiguring FortiGate Snmp support Configuring Snmp access to an interfaceSystem Location 175System Name 176 FortiGate MIBs177 FortiGate trapsGeneral FortiGate traps System trapsLogging traps VPN trapsNids traps Antivirus traps179 System configuration and statusFirewall configuration Fortinet MIB fields180 181 Replacement messagesLogging and reporting configuration 182 Customizing replacement messagesAlert email message sections Customizing alert emails183 Alert email message sections 184185 Firewall configuration186 Default firewall configuration187 InterfacesVlan subinterfaces ZonesSchedules ServicesDefault addresses Interface Address Description AddressesTo add a firewall policy Go to Firewall Policy Content profilesAdding firewall policies 189190 Firewall policy optionsSource Action ServiceDestination ScheduleDynamic IP Pool Fixed Port VPN TunnelTraffic Shaping 192Maximum Bandwidth Traffic Priority AuthenticationAnti-Virus & Web filter 193194 Log TrafficComments 195 Configuring policy listsPolicy matching in detail Enabling policies Changing the order of policies in a policy listEnabling and disabling policies Disabling policiesTo add an address Go to Firewall Address AddressesAdding addresses 197To edit an address Go to Firewall Address Editing addresses198 To delete an address Go to Firewall Address Deleting addressesOrganizing addresses into address groups 199200 ServicesPredefined services GRE 201Ldap 202203 Adding custom TCP and UDP services204 Adding custom Icmp servicesAdding custom IP services Grouping services205 Schedules206 Creating one-time schedules207 Creating recurring schedulesTo add a schedule to a policy Go to Firewall Policy Virtual IPsAdding schedules to policies 208Virtual IP External Interface examples Description Internal Adding static NAT virtual IPs209 To add a static NAT virtual IP Go to Firewall Virtual IP210 Adding port forwarding virtual IPs211 To add a policy with a virtual IP Go to Firewall Policy Adding policies with virtual IPs212 To add an IP pool Go to Firewall IP Pool IP poolsAdding an IP pool 213214 IP/MAC bindingIP Pools for firewall policies that use fixed ports IP pools and dynamic NATGo to Firewall IP/MAC Binding Static IP/MAC 215216 Adding IP/MAC addresses217 Viewing the dynamic IP/MAC listEnabling IP/MAC binding 218 Content profiles219 Default content profilesAdding content profiles To add a content profile Go to Firewall Content ProfileOversized File/Email Pass Fragmented Email 220221 Adding content profiles to policiesTo add a content profile to a policy Go to Firewall Policy 222 223 Users and authenticationTo set authentication timeout Go to System Config Options Setting authentication timeoutAdding user names and configuring authentication Adding user names and configuring authentication225 Deleting user names from the internal database226 Configuring Radius supportAdding Radius servers Deleting Radius serversTo add an Ldap server Go to User Ldap Configuring Ldap supportAdding Ldap servers 227To delete an Ldap server Go to User Ldap Deleting Ldap servers228 To add a user group Go to User User Group Configuring user groupsAdding user groups 229To delete a user group Go to User User Group Deleting user groups230 231 IPSec VPNAutoIKE with certificates Key managementManual Keys AutoIKE with pre-shared keys233 General configuration steps for a manual key VPNManual key IPSec VPNs Adding a manual key VPN tunnelAES256 234AES128 AES192235 General configuration steps for an AutoIKE VPNAdding a phase 1 configuration for an AutoIKE VPN AutoIKE IPSec VPNsRemote Gateway Dialup User 236Remote Gateway Static IP Address 237 Configuring advanced optionsTo configure phase 1 advanced options 238 239 Adding a phase 1 configuration Standard options240 Adding a phase 2 configuration for an AutoIKE VPNTo add a phase 2 configuration Go to VPN Ipsec Phase Use wildcard selectors 241Use selectors from policy 242 Managing digital certificatesObtaining a signed local certificate Generating the certificate requestKey Size 243Key Type 244 Downloading the certificate requestImporting the signed local certificate 245 Configuring encrypt policiesObtaining CA certificates Importing CA certificatesTo add a source address Go to Firewall Address Adding a source address246 To add a destination address Go to Firewall Address Adding a destination addressAdding an encrypt policy 247248 249 IPSec VPN concentrators250 VPN concentrator hub general configuration stepsTo create a VPN concentrator configuration 251 Adding a VPN concentrator252 VPN spoke general configuration stepsTo create a VPN spoke configuration 253 Redundant IPSec VPNs254 Configuring redundant IPSec VPNsTo configure a redundant IPSec VPN Viewing dialup VPN connection status Monitoring and Troubleshooting VPNsTo view VPN tunnel status Go to VPN Ipsec Phase Viewing VPN tunnel status256 Testing a VPN257 Configuring PptpPptp and L2TP VPN To add a source address Configuring the FortiGate unit as a Pptp gateway258 To add users and user groupsTo add a firewall policy 259To add a source address group To add a destination address260 Configuring a Windows 98 client for PptpTo connect to the Pptp VPN Configuring a Windows 2000 client for PptpConfiguring a Windows XP client for Pptp 261Select Properties Security To configure the VPN connection262 263 Configuring L2TPConfiguring the FortiGate unit as an L2TP gateway To add source addresses 264265 Configuring a Windows 2000 client for L2TPTo connect to the L2TP VPN To disable IPSec266 267 Configuring a Windows XP client for L2TP268 269 Network Intrusion Detection System NidsDetecting attacks 270 Configuring checksum verificationSelecting the interfaces to monitor Disabling monitoring interfaces271 Viewing the signature listViewing attack descriptions 272 Disabling Nids attack signaturesAdding user-defined signatures 273 Downloading the user-defined signature listEnabling Nids attack prevention signatures To enable Nids attack prevention Go to Nids PreventionPreventing attacks Enabling Nids attack prevention275 Setting signature threshold valuesAutomatic message reduction Logging attacksLogging attack messages to the attack log Reducing the number of Nids attack log and email messages277 Manual message reduction278 279 General configuration stepsAntivirus protection To scan FortiGate firewall traffic for viruses Antivirus scanning280 281 File blockingTo block files in firewall traffic Blocking files in firewall trafficAdding file patterns to block 282283 QuarantineQuarantining infected files Quarantining blocked filesTo view the quarantine list Go to Anti-Virus Quarantine Viewing the quarantine listSorting the quarantine list 284Downloading quarantined files Configuring quarantine optionsFiltering the quarantine list Deleting files from the quarantine list286 Configuring limits for oversized files and emailBlocking oversized files and emails 287 To view the virus list Go to Anti-Virus Config Virus ListExempting fragmented email from blocking Viewing the virus list288 289 Web filtering290 Content blockingGo to Web Filter Content Block Adding words and phrases to the Banned Word list291 Clearing the Banned Word list292 Backing up the Banned Word listRestoring the Banned Word list 293 Configuring FortiGate Web URL blockingURL blocking Adding URLs to the Web URL block list294 Clearing the Web URL block listTo upload a URL block list Downloading the Web URL block listUploading a URL block list 295296 Configuring Cerberian URL filteringConfiguring FortiGate Web pattern blocking Adding a Cerberian user Installing a Cerberian license keyConfiguring Cerberian web filter About the default group and policy298 To configure Cerberian web filteringEnabling Cerberian URL filtering 299 Script filteringEnabling script filtering Selecting script filter optionsGo to Web Filter URLExempt Exempt URL listAdding URLs to the URL Exempt list 300Go to Web Filter URL Exempt Downloading the URL Exempt ListUploading a URL Exempt List 301302 303 Email filter304 Email banned word listAdding words and phrases to the email banned word list 305 Downloading the email banned word listUploading the email banned word list 306 Email block listAdding address patterns to the email block list Downloading the email block listTo upload the email block list Email exempt listUploading an email block list 307308 To add a subject tag Go to Email Filter ConfigAdding a subject tag Adding address patterns to the email exempt list309 Logging and reportingRecording logs 310 Recording logs on a remote computerRecording logs on a NetIQ WebTrends server Option Recording logs on the FortiGate hard disk311 Overwrite312 Recording logs in system memoryLog message levels 313 To filter log entries Go to Log&Report Log SettingFiltering log messages 314 Configuring traffic loggingEnabling traffic logging for a firewall policy Enabling traffic loggingEnabling traffic logging for an interface Enabling traffic logging for a Vlan subinterfaceResolve IP Configuring traffic filter settingsAdding traffic filter entries 316317 Destination IP Address Destination Netmask ServiceViewing logs saved to memory Viewing logsKeyword Viewing and managing logs saved to the hard diskSearching logs 318To view the active or saved logs Go to Log&Report Logging 319320 Downloading a log file to the management computerDeleting all messages from an active log Deleting a saved log file321 Configuring alert emailTesting alert email Adding alert email addresses322 Enabling alert email323 Glossary324 325 326 327 IndexIndex 328Dialup Pptp 329Http 330Ldap 331332 Pptp dialup connection 333334 TCP 335Vlan 336