FortiGate IPS Configuration and Sensor Setup Guide

Configuring IPS sensors

IPS sensors

protect_client	Includes only the signatures designed to detect attacks
	against clients; uses the default enable status and action of
	each signature.
protect_email_server	Includes only the signatures designed to detect attacks
	against servers and the SMTP, POP3, or IMAP protocols;
	uses the default enable status and action of each signature.
protect_http_server	Includes only the signatures designed to detect attacks
	against servers and the HTTP protocol; uses the default
	enable status and action of each signature.

Adding an IPS sensor

An IPS sensor must be created before it can be configured by adding filters and overrides. To create an IPS sensor, go to Intrusion Protection > IPS Sensor and select Create New.

Figure 8: New IPS sensor

Name	Enter the name of the new IPS sensor.
Comment	Enter an optional comment to display in the IPS sensor list.

Configuring IPS sensors

Each IPS sensor consists of two parts: filters and overrides. Overrides are always checked before filters.

Each filter consists of a number of signatures attributes. All of the signatures with those attributes, and only those attributes, are checked against traffic when the filter is run. If multiple filters are defined in an IPS Sensor, they are checked against the traffic one at a time, from top to bottom. If a match is found, the FortiGate unit takes the appropriate action and stops further checking.

A signature override can modify the behavior of a signature specified in a filter. A signature override can also add a signature not specified in the sensor’s filters. Custom signatures are included in an IPS sensor using overrides.

The signatures in the overrides are first compared to network traffic. If the IPS sensor does not find any matches, it then compares the signatures in each filter to network traffic, one filter at a time, from top to bottom. If no signature matches are found, the IPS sensor allows the network traffic.

	FortiGate IPS User Guide Version 3.0 MR7
40	01-30007-0080-20080916

Image 40

Fortinet manual Configuring IPS sensors, Adding an IPS sensor, Protectclient, Protectemailserver, Protecthttpserver

Contents

E R G U I D E Trademarks Contents Protocol decoders IPS sensorsDoS sensors SYN flood attacks Introduction FortiGate IPS About this document Fortinet documentationDocument conventions Typographic conventions FortiGate Pptp VPN User Guide Fortinet Knowledge Center Customer service and technical supportComments on Fortinet technical documentation IPS settings and controls IPS overview and general configurationThis section contains the following topics When to use IPS Default signature and anomaly settingsDefault fail open setting Config ips global Set fail-open enable disable end Setting the buffer size Configuring logging and alert emailMonitoring the network and dealing with attacks Controlling sessions Attack log messages Signature Anomaly FortiGuard Center Using IPS sensors in a protection profile Creating a protection profile that uses IPS sensorsAdding protection profiles to firewall policies Select Create New Adding protection profiles to user groups Using IPS sensors in a protection profile IPS predefined signatures Predefined signaturesViewing the predefined signature list Settings EnableColumn Clear All Filters Create a sensor and add IPS filters to it Viewing the predefined signature list IPS custom signatures Custom signaturesViewing the custom signature list Custom signature configuration Adding custom signatures using the web-based managerAdding custom signatures using the CLI Command syntax pattern Custom signature fields Creating custom signaturesShows the valid characters for custom signature fields Custom signature syntax AttackidName BufferOverflow Srcport Content keywords Keyword and value Description Deprecated, see pattern and context keywords Pattern GET Context uriPattern yahoo.com Context host Pcre Regex/mdelimRegexdelimismxAEGRU Uri !uristr Protocol tcp IP header keywords Keyword and Value Description TCP header keywords Keyword and Value Description Tcpflags AP Tcpflags S,12 Icmp keywords Keyword and Value Usage UDP header keywords Keyword and Value DescriptionOther keywords Keyword and Value Description Example custom signatures Example 1 signature to block access to example.comSbid --name Block.example.com Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD --pattern vrfy Creating custom signatures Protocol decoders Protocol decodersUpgrading the IPS protocol decoder list Viewing the protocol decoder list Protocol decoder list Protocols Protocol decoder names Port Alldefault AlldefaultpassIPS sensors Viewing the IPS sensor list Configuring IPS sensors Adding an IPS sensorProtectclient Protectemailserver IPS sensor attributes IPS sensor filters Configuring filters ResetIPS sensor overrides Delete and Edit Delete or edit the filter Icons Configuring pre-defined and custom overrides Application Exempt IP Source DoS sensors Configuring DoS sensors Viewing the DoS sensor listSequence in which the sensors examine network traffic Appears, and select OK Anomaly configuration DoS sensor attributesName Enter or change the DoS sensor name Comments Will appear in the DoS sensor list Understanding the anomalies Anomaly Description Tcpdstsession UdpfloodUdpscan Udpsrcsession Understanding the anomalies SYN flood attacks What is a SYN flood attack?How SYN floods work What is SYN threshold? What is SYN proxy?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floods IPS operation before synflood threshold is reached Suggested settings for different network conditions Configuring SYN flood protectionConfigure the options for tcpsynflood Select OK What is an Icmp sweep? Icmp sweep attacksHow Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacks Predefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection Index FortiGate Version 3.0 MR7 IPS User Guide Technical support