Enabling IPS scanning involves two separate parts of the FortiGate unit:
- The security policy allows certain network traffic based on the sender, receiver, interface, traffic type, and time of day. Firewall policies can also be used to deny traffic, but those policies do not apply to IPS scanning.
- The IPS sensor contains filters, signature entries, or both. These specify which signatures are included in the IPS sensor.
When IPS is enabled, an IPS sensor is selected in a security policy, and all network traffic matching the policy will be checked for the signatures in the IPS sensor.
General configuration steps
For best results in configuring IPS scanning, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.
- Create an IPS sensor.
- Add signatures and /or filters.
These can be:
- Pattern based
- Rate based
- Select a security policy or create a new one.
- In the security policy, turn on IPS, and choose the IPS sensor from the list.
All the network traffic controlled by this security policy will be processed according to the settings in the policy. These settings include the IPS sensor you specify in the policy.
Creating an IPS sensor
You need to create an IPS sensor before specific signatures or filters can be chosen. The signatures can be added to a new sensor before it is saved. However, it is good practice to keep in mind that the sensor and its included filters are separate things, and that they are created separately.
To create a new IPS sensor
- Go to Security Profiles > Intrusion Protection.
- Select the Create New icon in the top of the Edit IPS Sensor window.
- Enter the name of the new IPS sensor.
- Optionally, you may also enter a comment. The comment will appear in the IPS sensor list and serves to remind you of the details of the sensor.
- Select OK.
A newly created sensor is empty and contains no filters or signatures. You need to add one or more filters or signatures before the sensor will be of any use.
Adding an IPS filter to a sensor
While individual signatures can be added to a sensor, a filter allows you to add multiple signatures to a sensor by specifying the characteristics of the signatures to be added.
To create a new Pattern Based Signature and Filter
- Go to Security Profiles > Intrusion Protection.
- Select the IPS sensor to which you want to add the filter using the drop-down list in the top row of the Edit IPS Sensor window or by going to the list window.
- Under IPS Filters, select Add Filter.
- Configure the filter that you require. Signatures matching all of the characteristics you specify in the filter will be included in the filter. Once finished, select Use Filters.
Application refers to the application affected by the attack and filter options include over 25 applications.
OS refers to the Operating System affected by the attack. The options include BSD, Linux, MacOS, Other, Solaris, and Windows.
Protocol refers to the protocol that is the vector for the attack; filter options include over 35 protocols, including "other."
Severity refers to the level of threat posed by the attack. The options include Critical, High, Medium, Low, and Info.
Target refers to the type of device targeted by the attack. The options include client and server.
- Once you have selected the filters you wish to add, right-click the filters and choose an action for when a signature is triggered:
|Pass||Select Pass to allow traffic to continue to its destination.
Note: to see what the default for a signature is, go to the IPS Signatures page and enable the column Action, then find the row with the signature name in it.
|Monitor||Select Monitor to allow traffic to continue to its destination and log the activity. The log will appear under Log & Report but will only be visible in the GUI in the event of an intrusion.|
|Block||Select Block to drop traffic matching any the signatures included in the filter.|
|Reset||Select Reset to reset the session whenever the signature is triggered. In the CLI this action is referred to as Reject.|
|Default||Select Default to use the default action of the signature.|
|Quarantine||The quarantine based on the attacker’s IP Address - Traffic from the Attacker’s IP address is refused until the expiration time from the trigger is reached. You may set the Quarantine Duration to any number of Days, Hours, or Minutes.|
|Packet Logging||Select to enable packet logging for the filter.
When you enable packet logging on a filter, the unit saves a copy of the packets that match any signatures included in the filter. The packets can be analyzed later.
For more information about packet filtering, see "Configuring packet logging options".
- Select Apply.
The filter is created and added to the filter list.
Adding Rate Based Signatures
These are a subset of the signatures that are found in the database that are normally set to monitor. This group of signatures is for vulnerabilities that are normally only considered a serious threat when the targeted connections come in multiples, a little like DoS attacks.
Adding a rate based signature is straight forward. Select the enable button in the Rate Based Signature table that corresponds with the desired signature.
Customized signatures must be created before they can be added to the sensor. To get more details on customized signatures check the Custom Application & IPS Signatures chapter.
Updating predefined IPS signatures
The FortiGuard Service periodically updates the predefined signatures and adds new signatures to counter emerging threats as they appear.
To ensure that your system is providing the most protection available, these updates can be scheduled as often as on an hourly basis. To configure this feature, go to System > FortiGuard. Under AntiVirus & IPS Updates, enable Scheduled Updates. From here you can set the updates to occur on a consistent weekly, daily, or even hourly basis.
Because the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.
Go to Security Profiles > Intrusion Protection. Select [View IPS Signatures] to view the list of existing IPS signatures. You may find signatures by paging manually through the list, apply filters, or by using the search field.
Signatures are displayed in a paged list, with 50 signatures per page. The bottom of the screen shows the current page and the total number of pages. You can enter a page number and press enter, to skip directly to that page. Previous Page and Next Page buttons move you through the list, one page at a time. The First Page and Last Page button take you to the beginning or end of the list.
A CVE-ID column displaying CVE-IDs can be optionally added to the IPS Signatures list, however the column is only available if the IPS package contains CVE-IDs for signatures. CVE-IDs can be numerically filtered by selecting the CVE-ID column's arrows.
You can enter criteria for one of more columns, and only the signatures matching all the conditions you specify will be listed.
To apply filters
- Go to Security Profiles > Intrusion Protection. Select [View IPS Signatures] .
- Select column by which to filter.
- Select the funnel/filter icon and enter the value or values to filter by.
- Use additional columns as needed to refine search.
The available options vary by column. For example, Enable allows you to choose between two options, while OS has multiple options, and you may select multiple items together. Filtering by name allows you to enter a text string and all signature names containing the string will be displayed.