Fortinet IPS manual

www.fortinet.com

FortiGate

IPS User Guide

Version 3.0 MR7

USER GUIDE

Contents

Main Page Contents IPS overview and general configuration.......................................... 9 Predefined signatures ..................................................................... 17 Custom signatures........................................................................... 21 Protocol decoders ........................................................................... 37 DoS sensors..................................................................................... 45 SYN flood attacks ............................................................................ 51 ICMP sweep attacks......................................................................... 55 Introduction The FortiGate IPS About this document Document conventions Typographic conventions ! Page Fortinet Knowledge Center Comments on Fortinet technical documentation Customer service and technical support IPS overview and general configuration The FortiGate IPS IPS settings and controls When to use IPS Network performance Default signature and anomaly settings Default fail open setting Controlling sessions Setting the buffer size Monitoring the network and dealing with attacks Configuring logging and alert email Attack log messages Signature Anomaly The FortiGuard Center Using IPS sensors in a protection profile Creating a protection profile that uses IPS sensors Adding protection profiles to firewall policies Page Page Predefined signatures IPS predefined signatures Viewing the predefined signature list Fine tuning IPS predefined signatures for enhanced system performance Page Page Custom signatures IPS custom signatures Viewing the custom signature list Custom signature configuration Adding custom signatures using the web-based manager Adding custom signatures using the CLI Command syntax pattern Creating custom signatures Custom signature fields Custom signature syntax --attack_id 1234; ---name "Buffer_Overflow"; --src_port 41523; --flow bi_direction; Page Page Page Page --protocol tcp; Page --tcp_flags AP tcp_flags S,12 Page Example custom signatures Example 1: signature to block access to example.com Page Example 2: signature to block the SMTP vrfy command Page Protocol decoders Protocol decoders Upgrading the IPS protocol decoder list Page IPS sensors Viewing the IPS sensor list Adding an IPS sensor Configuring IPS sensors IPS sensor attributes: IPS sensor filters: IPS sensor overrides: Configuring filters Configuring pre-defined and custom overrides Page DoS sensors Viewing the DoS sensor list Configuring DoS sensors DoS sensor attributes: Anomaly configuration: Understanding the anomalies Page Page SYN flood attacks What is a SYN flood attack? How SYN floods work The FortiGate IPS Response to SYN flood attacks What is SYN threshold? What is SYN proxy? How IPS works to prevent SYN floods Page Configuring SYN flood protection Suggested settings for different network conditions ICMP sweep attacks What is an ICMP sweep? How ICMP sweep attacks work The FortiGate IPS response to ICMP sweep attacks Predefined ICMP signatures Tabl e 11 describes all the ICMP-related predefined signatures and the default settings for each. ICMP sweep anomalies Configuring ICMP sweep protection Suggested settings for different network conditions Index A C D F