FortiGate IPS: Comprehensive Guide to Fortinet Intrusion Prevention Systems


Introduction	The FortiGate IPS

Introduction

This section introduces you to the FortiGate Intrusion Prevention System (IPS) and the following topics:

•The FortiGate IPS

•About this document

•Fortinet documentation

•Customer service and technical support

The FortiGate IPS

Spam and viruses are not the only threats facing enterprises and small businesses. Sophisticated, automated attack tools are prevalent on the Internet today, making intrusion detection and prevention vital to securing corporate networks. An attack or intrusion can be launched to steal confidential information, force a costly web site crash, or use network resources to launch other attacks.

The FortiGate IPS detects intrusions by using attack signatures for known intrusion methods, and detects anomalies in network traffic to identify new or unknown intrusions. Not only can the IPS detect and log attacks, but users can choose actions to take on the session when an attack is detected. This guide describes how to configure and use the IPS and the IPS response to some common attacks.

This guide describes:

•IPS overview and general configuration

•Predefined signatures

•Custom signatures

•Protocol decoders

•IPS sensors

•DoS sensors

•SYN flood attacks

•ICMP sweep attacks

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916	5

Image 5

Fortinet manual Introduction, FortiGate IPS

Contents

E R G U I D E Trademarks Contents IPS sensors Protocol decodersDoS sensors SYN flood attacks FortiGate IPS Introduction Fortinet documentation About this documentDocument conventions Typographic conventions FortiGate Pptp VPN User Guide Comments on Fortinet technical documentation Customer service and technical supportFortinet Knowledge Center This section contains the following topics IPS overview and general configurationIPS settings and controls Default signature and anomaly settings When to use IPSDefault fail open setting Config ips global Set fail-open enable disable end Configuring logging and alert email Setting the buffer sizeMonitoring the network and dealing with attacks Controlling sessions Attack log messages Signature FortiGuard Center Anomaly Creating a protection profile that uses IPS sensors Using IPS sensors in a protection profileAdding protection profiles to firewall policies Select Create New Adding protection profiles to user groups Using IPS sensors in a protection profile Viewing the predefined signature list Predefined signaturesIPS predefined signatures Enable SettingsColumn Clear All Filters Create a sensor and add IPS filters to it Viewing the predefined signature list Viewing the custom signature list Custom signaturesIPS custom signatures Adding custom signatures using the web-based manager Custom signature configurationAdding custom signatures using the CLI Command syntax pattern Shows the valid characters for custom signature fields Creating custom signaturesCustom signature fields Attackid Custom signature syntaxName BufferOverflow Srcport Content keywords Keyword and value Description Deprecated, see pattern and context keywords Context uri Pattern GETPattern yahoo.com Context host Regex/mdelim PcreRegexdelimismxAEGRU Uri !uristr IP header keywords Keyword and Value Description Protocol tcp TCP header keywords Keyword and Value Description Tcpflags S,12 Tcpflags AP Other keywords Keyword and Value Description UDP header keywords Keyword and Value DescriptionIcmp keywords Keyword and Value Usage Sbid --name Block.example.com Example 1 signature to block access to example.comExample custom signatures Sbid --name Block.example.com Sbid --name Block.SMTP.VRFY.CMD --pattern vrfy Example 2 signature to block the Smtp ‘vrfy’ commandSbid --name Block.SMTP.VRFY.CMD Creating custom signatures Upgrading the IPS protocol decoder list Protocol decodersProtocol decoders Protocol decoder list Protocols Protocol decoder names Port Viewing the protocol decoder list Alldefaultpass AlldefaultIPS sensors Viewing the IPS sensor list Adding an IPS sensor Configuring IPS sensorsProtectclient Protectemailserver IPS sensor filters IPS sensor attributes Reset Configuring filtersIPS sensor overrides Delete and Edit Delete or edit the filter Icons Application Configuring pre-defined and custom overrides Source Exempt IP DoS sensors Viewing the DoS sensor list Configuring DoS sensorsSequence in which the sensors examine network traffic Appears, and select OK DoS sensor attributes Anomaly configurationName Enter or change the DoS sensor name Comments Will appear in the DoS sensor list Understanding the anomalies Udpflood Anomaly Description TcpdstsessionUdpscan Udpsrcsession Understanding the anomalies How SYN floods work What is a SYN flood attack?SYN flood attacks What is SYN proxy? What is SYN threshold?FortiGate IPS Response to SYN flood attacks How IPS works to prevent SYN floods IPS operation before synflood threshold is reached Configure the options for tcpsynflood Select OK Configuring SYN flood protectionSuggested settings for different network conditions Icmp sweep attacks What is an Icmp sweep?How Icmp sweep attacks work FortiGate IPS response to Icmp sweep attacks Predefined Icmp signatures Icmp sweep anomalies Configuring Icmp sweep protection FortiGate Version 3.0 MR7 IPS User Guide Index Technical support