Logging attacks, 276 | Fortinet FortiGate-800 instruction

Logging attacks	Network Intrusion Detection System (NIDS)

To set Prevention signature threshold values

1Go to NIDS > Prevention.

2Select Modify beside the signature for which you want to set the Threshold value.

Signatures that do not have threshold values do not have Modify icons.

3Type the Threshold value.

4Select the Enable check box.

5Select OK.

Logging attacks

Whenever the NIDS detects or prevents an attack, it generates an attack message.

You can configure the system to add the message to the attack log.

•Logging attack messages to the attack log

•Reducing the number of NIDS attack log and email messages

Logging attack messages to the attack log

To log attack messages to the attack log

1Go to Log&Report > Log Setting.

2Select Config Policy for the log locations you have set.

3Select Attack Log.

4Select Attack Detection and Attack Prevention.

5Select OK.

Note: For information about log message content and formats, and about log locations, see the

FortiGate Logging and Message Reference Guide.

Reducing the number of NIDS attack log and email messages

Intrusion attempts might generate an excessive number of attack messages. Based on the frequency that messages are generated, the FortiGate unit automatically deletes duplicates. If you still receive an excessive number of unnecessary messages, you can manually disable message generation for unneeded signature groups.

Automatic message reduction

The attack log and alert email messages that the NIDS produces include the ID number and name of the attack that generated the message. The attack ID number and name in the message are identical to the ID number and rule name that appear on the NIDS Signature Group Members list.

276	Fortinet Inc.

Image 276

Fortinet FortiGate-800 manual Logging attacks, Logging attack messages to the attack log, Automatic message reduction, 276

Contents

Installation and Configuration Guide January 15 Trademarks Regulatory Compliance Table of Contents NAT/Route mode installation High availability Virus and attack definitions updates and registration 117 Network configuration 137 System configuration 169 Users and authentication 223 IPSec VPN 231 Network Intrusion Detection System Nids 269 Email filter 303 Glossary 323 Index 327 Contents Introduction Flexibility demanded by large enterprises Web content filtering Antivirus protection Email filtering Firewall NAT/Route mode Transparent modeVLANs and virtual domains Network intrusion detection VPN High availability Secure installation, configuration, and management Web-based manager Command line interface Logging and reporting Document conventions Fortinet documentation Customer service and technical support Comments on Fortinet technical documentation Customer service and technical support Getting started Package contents Mounting Powering on Power requirementsEnvironmental specifications To power on the FortiGate-800 unit Connecting to the web-based manager To connect to the web-based manager Connecting to the command line interface CLI To connect to the CLIBits per second 9600 Data bits Parity Stop bits Flow control Factory default FortiGate configuration settings Factory default NAT/Route mode network configurationAccount Internal interface Factory default Transparent mode network configuration Factory default firewall configuration Factory default content profiles Strict content profile Scan content profile Strict content profile OptionsScan content profile Options Web content profile Unfiltered content profileWeb content profile Options Unfiltered content profile Options Planning the FortiGate configuration Example NAT/Route mode network configuration NAT/Route mode with multiple external network connections Example NAT/Route multiple internet connection configuration Configuration options Setup wizard FortiGate model maximum values matrix Front keypad and LCD Next steps Signatures Antivirus file Block patterns Web filter NAT/Route mode installation Preparing to configure NAT/Route mode Advanced NAT/Route mode settings Advanced FortiGate NAT/Route mode settingsDhcp server Using the setup wizard Starting the setup wizardReconnecting to the web-based manager DMZ and user-defined interfaces Using the front control buttons and LCD Using the command line interfaceConfiguring the FortiGate unit to operate in NAT/Route mode Configuring NAT/Route mode IP addresses Set system interface external mode static ip 204.23.1.5 Connecting the FortiGate unit to your networks To connect the FortiGate unit running in NAT/Route mode FortiGate-800 External To connect to FortiGate-800 user-defined interfaces Configuring your networks Example FortiGate-800 user-defined interface connections Completing the configuration Configuring the DMZ interfaceConfiguring interfaces 1 to Setting the date and time Configuration example Multiple connections to the Internet Configuring virus and attack definition updatesRegistering your FortiGate unit Configuring ping servers Internal Using the CLI Primary and backup links to the InternetDestination-based routing examples Go to System Network Routing Table Load sharing Load sharing and primary and secondary connections To add the routes using the CLI Routing table should have routes arranged as shown in Table Routing a service to an external network Policy routing examples Adding a redundant default policy Destination DMZAll Schedule Always ServiceFirewall policy example Adding more firewall policies Restricting access to a single Internet connection Configuration example Multiple connections to the Internet Transparent mode installation Preparing to configure Transparent modeTransparent mode settings Administrator Password DNS Settings Changing to Transparent mode using the web-based manager Go to System Status Changing to Transparent mode using the CLI Operation mode Transparent Configuring the Transparent mode management IP address Configure the Transparent mode default gatewayEnabling antivirus protection Connecting the FortiGate unit to your networks Transparent mode configuration examples FortiGate-800 Default routes and static routes Example default route to an external network General configuration steps Default route to an external network Web-based manager example configuration steps CLI configuration stepsExample static route to an external destination Go to System Network Management DMZ Example static route to an internal destination FortiGate-800 Set system route number 1 dst 172.16.1.11 255.255.255.0 gw1 Transparent mode configuration examples High availability Configuring an HA cluster Configuring FortiGate units for HA operationTo configure a FortiGate unit for HA operation Go to System Config HA Weighted Round Robin NoneHub Least Connection Connecting the cluster Example Active-Active HA configuration HA network configuration To connect the cluster Managing an HA cluster Adding a new FortiGate unit to a functioning clusterTo add a new unit to the cluster Configuring cluster interface monitoring Viewing the status of cluster members Monitoring cluster members To set the update frequency Example cluster CPU, memory, and hard disk display Viewing cluster sessions Viewing and managing cluster log messages Monitoring cluster units for failover Viewing cluster communication sessionsManaging individual cluster units Changing cluster unit host names To manage a cluster unitTo set the host name of each cluster member Synchronizing the cluster configuration Keyword Description Upgrading firmware Advanced HA options Replacing a FortiGate unit after failoverSelecting a FortiGate unit as a permanent primary unit To select a permanent primary unit Configuring weighted-round-robin weights To set the priority of each FortiGate unit in a cluster Active-Active cluster packet flow Active-active HA packet flow NAT/Route mode packet flow Transparent mode packet flow Active-Active cluster packet flow System status System status Firmware upgrade procedures Procedure Description Changing the FortiGate host nameChanging the FortiGate firmware To change the FortiGate host name Go to System Status Upgrading the firmware using the web-based manager Upgrading the firmware using the CLITo upgrade the firmware using the web-based manager To upgrade the firmware using the CLI Reverting to a previous firmware version Execute ping Reverting to a previous firmware version using the CLI To revert to a previous firmware version using the CLI To install firmware from a system reboot Press any key to enter configuration menu 100 Restoring the previous configuration Testing a new firmware image before installing it101 102 To test a new firmware image Installing and using a backup firmware image Installing a backup firmware image103 To install a backup firmware image 104 Switching to the backup firmware image To switch to the backup firmware image105 Manual virus definition updates Switching back to the default firmware imageTo switch back to the default firmware image To update the antivirus definitions manually Manual attack definition updates To update the attack definitions manuallyDisplaying the FortiGate serial number 107 Backing up system settings Restoring system settingsDisplaying the FortiGate up time Displaying log hard disk status Restoring system settings to factory defaults Changing to Transparent modeTo change to Transparent mode Go to System Status 109 Changing to NAT/Route mode To change to NAT/Route mode Go to System StatusRestarting the FortiGate unit Shutting down the FortiGate unit System status Viewing CPU and memory status111 To view CPU and memory status Go to System Status Monitor Viewing sessions and network status CPU and memory status monitor Viewing virus and intrusions status 113 Session list To view the session list Go to System Status Session 115 Protocol 116 Virus and attack definitions updates and registration Updating antivirus and attack definitions117 Connecting to the FortiResponse Distribution Network Go to System UpdateVersion Expiry date Last update attempt Last update status To make sure the FortiGate unit can connect to the FDN Manually initiating antivirus and attack definitions updates 119 Scheduling updates Configuring update loggingEnabling scheduled updates 120 To add an override server Go to System Update Adding an override server121 Enabling push updates Enabling scheduled updates through a proxy server122 Enabling push updates Push updates when FortiGate IP addresses changeTo enable push updates Go to System Update 123 Enabling push updates through a NAT device Example push updates through a NAT device124 General procedure 125 126 To configure the FortiGate NAT device Schedule Always Service ANY Action AcceptAdding a firewall policy for the port forwarding virtual IP 127 Registering FortiGate units 128 FortiCare Service Contracts 129 Registering the FortiGate unit 130 Updating registration information 131 Recovering a lost Fortinet support password Viewing the list of registered FortiGate units132 Registering a new FortiGate unit Adding or changing a FortiCare Support Contract number133 Changing your Fortinet support password Changing your contact information or security question134 Downloading virus and attack definitions updates 135 Registering a FortiGate unit after an RMA 136 Network configuration Configuring zones137 Configuring interfaces Adding zonesDeleting zones 138 Changing the administrative status of an interface Viewing the interface listAdding an interface to a zone 139 Configuring an interface with a manual IP address Configuring an interface for Dhcp140 Configuring an interface for PPPoE 141 Adding a secondary IP address to an interface Adding a ping server to an interface142 Controlling administrative access to an interface 143 Configuring traffic logging for connections to an interface Configuring the management interface in Transparent modeChanging the MTU size to improve network performance 144 Vlan overview 145 VLANs in NAT/Route mode Rules for Vlan IDsRules for Vlan IP addresses 146 Virtual domains in Transparent mode Adding Vlan subinterfaces147 To add Vlan subinterfaces Go to System Network Interface 148 FortiGate unit with two virtual domains Configuring a virtual domain Virtual domain propertiesAdding a virtual domain 149 Adding Vlan subinterfaces to a virtual domain Adding zones to virtual domains150 151 To add a zone to a virtual domain Go to System Network Zone Adding firewall policies for virtual domains Adding addresses for virtual domains152 Go to Firewall Address Configuring routing Adding DNS server IP addressesDeleting virtual domains 153 Adding a default route To add a default route Go to System Network Routing TableAdding destination-based routes to the routing table 154 Adding routes in Transparent mode 155 Configuring the routing table Policy routing156 Configuring Dhcp services Policy routing command syntax157 Configuring a Dhcp relay agent Configuring a Dhcp serverAdding a Dhcp server to an interface Adding scopes to a Dhcp server 159 To add a scope to a Dhcp server Go to System Network Dhcp Adding a reserve IP to a Dhcp server Viewing a Dhcp server dynamic IP list160 Selected scope RIP configuration RIP settings161 162 InvalidHolddown Flush Configuring RIP for FortiGate interfaces 163 Example RIP configuration for an internal interface 164 Adding RIP filters Adding a RIP filter list165 To add a RIP filter list Go to System RIP Filter Assigning a RIP filter list to the neighbors filter Assigning a RIP filter list to the incoming filter166 Assigning a RIP filter list to the outgoing filter 167 168 System configuration Setting system date and timeTo set the date and time Go to System Config Time 169 To set the system idle timeout Go to System Config Options To set the Auth timeout Go to System Config OptionsChanging system options 170 Modifying the Dead Gateway Detection settings 171 Adding and editing administrator accounts Adding new administrator accountsTo add an administrator account Go to System Config Admin 172 Configuring Snmp Editing administrator accountsTo edit an administrator account Go to System Config Admin 173 Configuring the FortiGate unit for Snmp monitoring Configuring FortiGate Snmp supportConfiguring Snmp access to an interface Configuring Snmp community settings 175 System NameSystem Location FortiGate MIBs 176 FortiGate traps General FortiGate trapsSystem traps 177 VPN traps Nids trapsAntivirus traps Logging traps System configuration and status Firewall configurationFortinet MIB fields 179 180 Replacement messages Logging and reporting configuration181 Customizing replacement messages 182 Customizing alert emails 183Alert email message sections 184 Alert email message sections Firewall configuration 185 Default firewall configuration 186 Interfaces Vlan subinterfacesZones 187 Services Default addresses Interface Address DescriptionAddresses Schedules Content profiles Adding firewall policies189 To add a firewall policy Go to Firewall Policy Firewall policy options Source190 Service DestinationSchedule Action VPN Tunnel Traffic Shaping192 Dynamic IP Pool Fixed Port Authentication Anti-Virus & Web filter193 Maximum Bandwidth Traffic Priority Log Traffic Comments194 Configuring policy lists Policy matching in detail195 Changing the order of policies in a policy list Enabling and disabling policiesDisabling policies Enabling policies Addresses Adding addresses197 To add an address Go to Firewall Address Editing addresses 198To edit an address Go to Firewall Address Deleting addresses Organizing addresses into address groups199 To delete an address Go to Firewall Address Services Predefined services200 201 GRE 202 Ldap Adding custom TCP and UDP services 203 Adding custom Icmp services Adding custom IP servicesGrouping services 204 Schedules 205 Creating one-time schedules 206 Creating recurring schedules 207 Virtual IPs Adding schedules to policies208 To add a schedule to a policy Go to Firewall Policy Adding static NAT virtual IPs 209To add a static NAT virtual IP Go to Firewall Virtual IP Virtual IP External Interface examples Description Internal Adding port forwarding virtual IPs 210 211 Adding policies with virtual IPs 212To add a policy with a virtual IP Go to Firewall Policy IP pools Adding an IP pool213 To add an IP pool Go to Firewall IP Pool IP/MAC binding IP Pools for firewall policies that use fixed portsIP pools and dynamic NAT 214 215 Go to Firewall IP/MAC Binding Static IP/MAC Adding IP/MAC addresses 216 Viewing the dynamic IP/MAC list Enabling IP/MAC binding217 Content profiles 218 Default content profiles Adding content profilesTo add a content profile Go to Firewall Content Profile 219 220 Oversized File/Email Pass Fragmented Email Adding content profiles to policies To add a content profile to a policy Go to Firewall Policy221 222 Users and authentication 223 Setting authentication timeout Adding user names and configuring authenticationAdding user names and configuring authentication To set authentication timeout Go to System Config Options Deleting user names from the internal database 225 Configuring Radius support Adding Radius serversDeleting Radius servers 226 Configuring Ldap support Adding Ldap servers227 To add an Ldap server Go to User Ldap Deleting Ldap servers 228To delete an Ldap server Go to User Ldap Configuring user groups Adding user groups229 To add a user group Go to User User Group Deleting user groups 230To delete a user group Go to User User Group IPSec VPN 231 Key management Manual KeysAutoIKE with pre-shared keys AutoIKE with certificates General configuration steps for a manual key VPN Manual key IPSec VPNsAdding a manual key VPN tunnel 233 234 AES128AES192 AES256 General configuration steps for an AutoIKE VPN Adding a phase 1 configuration for an AutoIKE VPNAutoIKE IPSec VPNs 235 236 Remote Gateway Static IP AddressRemote Gateway Dialup User Configuring advanced options To configure phase 1 advanced options237 238 Adding a phase 1 configuration Standard options 239 Adding a phase 2 configuration for an AutoIKE VPN To add a phase 2 configuration Go to VPN Ipsec Phase240 241 Use selectors from policyUse wildcard selectors Managing digital certificates Obtaining a signed local certificateGenerating the certificate request 242 243 Key TypeKey Size Downloading the certificate request Importing the signed local certificate244 Configuring encrypt policies Obtaining CA certificatesImporting CA certificates 245 Adding a source address 246To add a source address Go to Firewall Address Adding a destination address Adding an encrypt policy247 To add a destination address Go to Firewall Address 248 IPSec VPN concentrators 249 VPN concentrator hub general configuration steps To create a VPN concentrator configuration250 Adding a VPN concentrator 251 VPN spoke general configuration steps To create a VPN spoke configuration252 Redundant IPSec VPNs 253 Configuring redundant IPSec VPNs To configure a redundant IPSec VPN254 Monitoring and Troubleshooting VPNs To view VPN tunnel status Go to VPN Ipsec PhaseViewing VPN tunnel status Viewing dialup VPN connection status Testing a VPN 256 Configuring Pptp Pptp and L2TP VPN257 Configuring the FortiGate unit as a Pptp gateway 258To add users and user groups To add a source address 259 To add a source address groupTo add a destination address To add a firewall policy Configuring a Windows 98 client for Pptp 260 Configuring a Windows 2000 client for Pptp Configuring a Windows XP client for Pptp261 To connect to the Pptp VPN To configure the VPN connection 262Select Properties Security Configuring L2TP Configuring the FortiGate unit as an L2TP gateway263 264 To add source addresses Configuring a Windows 2000 client for L2TP 265 To disable IPSec 266To connect to the L2TP VPN Configuring a Windows XP client for L2TP 267 268 Network Intrusion Detection System Nids Detecting attacks269 Configuring checksum verification Selecting the interfaces to monitorDisabling monitoring interfaces 270 Viewing the signature list Viewing attack descriptions271 Disabling Nids attack signatures Adding user-defined signatures272 Downloading the user-defined signature list 273 To enable Nids attack prevention Go to Nids Prevention Preventing attacksEnabling Nids attack prevention Enabling Nids attack prevention signatures Setting signature threshold values 275 Logging attacks Logging attack messages to the attack logReducing the number of Nids attack log and email messages Automatic message reduction Manual message reduction 277 278 General configuration steps Antivirus protection279 Antivirus scanning 280To scan FortiGate firewall traffic for viruses File blocking 281 Blocking files in firewall traffic Adding file patterns to block282 To block files in firewall traffic Quarantine Quarantining infected filesQuarantining blocked files 283 Viewing the quarantine list Sorting the quarantine list284 To view the quarantine list Go to Anti-Virus Quarantine Configuring quarantine options Filtering the quarantine listDeleting files from the quarantine list Downloading quarantined files Configuring limits for oversized files and email Blocking oversized files and emails286 To view the virus list Go to Anti-Virus Config Virus List Exempting fragmented email from blockingViewing the virus list 287 288 Web filtering 289 Content blocking Go to Web Filter Content BlockAdding words and phrases to the Banned Word list 290 Clearing the Banned Word list 291 Backing up the Banned Word list Restoring the Banned Word list292 Configuring FortiGate Web URL blocking URL blockingAdding URLs to the Web URL block list 293 Clearing the Web URL block list 294 Downloading the Web URL block list Uploading a URL block list295 To upload a URL block list Configuring Cerberian URL filtering Configuring FortiGate Web pattern blocking296 Installing a Cerberian license key Configuring Cerberian web filterAbout the default group and policy Adding a Cerberian user To configure Cerberian web filtering Enabling Cerberian URL filtering298 Script filtering Enabling script filteringSelecting script filter options 299 Exempt URL list Adding URLs to the URL Exempt list300 Go to Web Filter URLExempt Downloading the URL Exempt List Uploading a URL Exempt List301 Go to Web Filter URL Exempt 302 Email filter 303 Email banned word list Adding words and phrases to the email banned word list304 Downloading the email banned word list Uploading the email banned word list305 Email block list Adding address patterns to the email block listDownloading the email block list 306 Email exempt list Uploading an email block list307 To upload the email block list To add a subject tag Go to Email Filter Config Adding a subject tagAdding address patterns to the email exempt list 308 Logging and reporting Recording logs309 Recording logs on a remote computer Recording logs on a NetIQ WebTrends server310 Recording logs on the FortiGate hard disk 311Overwrite Option Recording logs in system memory Log message levels312 To filter log entries Go to Log&Report Log Setting Filtering log messages313 Configuring traffic logging 314 Enabling traffic logging Enabling traffic logging for an interfaceEnabling traffic logging for a Vlan subinterface Enabling traffic logging for a firewall policy Configuring traffic filter settings Adding traffic filter entries316 Resolve IP Destination IP Address Destination Netmask Service Viewing logs saved to memoryViewing logs 317 Viewing and managing logs saved to the hard disk Searching logs318 Keyword 319 To view the active or saved logs Go to Log&Report Logging Downloading a log file to the management computer Deleting all messages from an active logDeleting a saved log file 320 Configuring alert email Testing alert emailAdding alert email addresses 321 Enabling alert email 322 Glossary 323 324 325 326 Index 327 328 Index 329 Dialup Pptp 330 Http 331 Ldap 332 333 Pptp dialup connection 334 335 TCP 336 Vlan