|
|
IPS sensors | Configuring IPS sensors |
Name | Enter or change the name of the IPS filter. |
Severity | Select All, or select Specify and then one or more severity ratings. |
| Severity defines the relative importance of each signature. Signatures |
| rated critical detect the most dangerous attacks while those rated as |
| info pose a much smaller threat. |
Target | Select All, or select Specify and then the type of systems targeted by the |
| attack. The choices are server or client. |
OS | Select All, or Select Specify and then select one or more operating |
| systems that are vulnerable to the attack. |
| Signatures with an OS attribute of All affect all operating systems. |
| These signatures will be automatically included in any filter regardless |
| of whether a single, multiple, or all operating systems are specified. |
Protocol | Select All, or select Specify to list what network protocols are used by |
| the attack. Use the Right Arrow to move the ones you want to include in |
| the filter from the Available to the Selected list, or the Left Arrow to |
| remove previously selected protocols from the filter. |
Application | Select All, or select Specify to list the applications or application suites |
| vulnerable to the attack. Use the Right Arrow to move the ones you |
| want to include in the filter from the Available to the Selected list, or the |
| Left Arrow to remove previously selected protocols from the filter. |
Enable | Select from the options to specify what the FortiGate unit will do with the |
| signatures included in the filter: enable all, disable all, or enable or |
| disable each according to the individual default values shown in the |
| signature list. |
Logging | Select from the options to specify whether the FortiGate unit will create |
| log entries for the signatures included in the filter: enable all, disable all, |
| or enable or disable logging for each according to the individual default |
| values shown in the signature list. |
Action | Select from the options to specify what the FortiGate unit will do with |
| traffic containing a signature match: pass all, block all, reset all, or block |
| or pass traffic according to the individual default values shown in the |
| signature list. |
The signatures included in the filter are only those matching every attribute specified. When created, a new filter has every attribute set to “all” which causes every signature to be included in the filter. If the severity is changed to high, and the target is changed to server, the filter includes only signatures checking for high priority attacks targeted at servers.
Configuring pre-defined and custom overrides
Overrides can be used in two ways:
•To change the behavior of a signature already included in a filter. For example, to protect a web server, you could create a filter that includes and enables all signatures related to servers. If you wanted to disable one of those signatures, the simplest way would be to create an override and mark the signature as disabled.
•To add an individual signature, not included in any filters, to an IPS sensor. This is the only way to add custom signatures to IPS sensors.
When a
FortiGate IPS User Guide Version 3.0 MR7 |
|
43 |
