Chapter 15 Unified Threat Management for FortiOS 5.0 : Intrusion protection : IPS examples : Create and test a packet logging IPS sensor
  
Create and test a packet logging IPS sensor
In this example, you create a new IPS sensor and include a filter that detects the EICAR test file and saves a packet log when it is found. This is an ideal first experience with packet logging because the EICAR test file can cause no harm, and it is freely available for testing purposes.
Create an IPS sensor
1. Go to Security Profiles > Intrusion Protection > IPS Sensors.
2. Select Create New.
3. Name the new IPS sensor EICAR_test.
4. Select OK.
Create an entry
1. Select the Create New drop-down menu and for Sensor Type choose Specify Signatures.
2. Rather than scroll through the signature list, filter by name: select the search icon above the Signature column header.
3. Enter EICAR in the Search field.
4. Highlight the Eicar.Virus.Test.File signature by clicking on it.
5. Select Block All as the Action.
6. For Packet Logging, select Enable.
7. Select OK to save the IPS sensor.
You are returned to the IPS sensor list. The EICAR_test sensor appears in the list.
Add the IPS sensor to the security policy allowing Internet access
1. Go to Policy > Policy > Policy.
2. Select the security policy that allows you to access the Internet.
3. Select the Edit icon.
4. Enable Log Allowed Traffic.
5. Enable the IPS option.
6. Choose EICAR_test from the available IPS sensors.
7. Select OK.
With the IPS sensor configured and selected in the security policy, the FortiGate unit blocks any attempt to download the EICAR test file through that policy.
Test the IPS sensor
1. Using your web browser, go to http://www.eicar.org/anti_virus_test_file.htm.
2. Scroll to the bottom of the page and select eicar.com from the row labeled as using the standard HTTP protocol (not the HTTPS row: without SSL inspection the FortiGate unit cannot see the file inside an encrypted download).
3. The browser attempts to download the requested file. One of three things happens:
If the file is successfully downloaded, the IPS configuration failed at some point. Check the signature entry in the IPS sensor, confirm the sensor is enabled in the security policy, and confirm that the policy you edited is the one the test traffic actually matches.
If the download is blocked with a High Security Alert message explaining that you are not permitted to download the file, the FortiGate unit antivirus scanner blocked the EICAR test file before the IPS sensor could examine it. Disable antivirus scanning in the security policy and try to download the EICAR test file again.
If no file is downloaded and the browser eventually times out, the IPS sensor detected the EICAR test file and blocked the download: the session is dropped, so the browser never receives a response.
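The three outcomes above can be checked from a script as well as by hand. The following is an added example, not part of the FortiOS documentation: it requests a URL and classifies the result as downloaded, blocked by antivirus, or blocked by IPS, using the same criteria as the steps above. It assumes the client runs behind the FortiGate unit on the policy you edited and that you pass the eicar.com download link taken from the eicar.org page. The local HTTP server and the silent TCP listener inside the block are constructed stand-ins, used only so the script can exercise its own classifier offline; they are not FortiGate behaviour.

```python
"""Added example (not from the FortiOS documentation): fetch the EICAR test
file and classify the outcome into the three cases the "Test the IPS sensor"
procedure describes.  Assumption: the client is behind the FortiGate on the
policy that carries the EICAR_test sensor, and the URL is the eicar.com link."""
import http.client
import socket
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlparse

# The standard 68-byte EICAR test string; harmless by design.
EICAR = b"X5O!P%@AP[4\\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def fetch(url, timeout=10.0):
    """Request the URL and return one of:
    'downloaded'     - the EICAR file arrived: the sensor or policy is misconfigured
    'blocked_by_av'  - a response came back but it is not the EICAR file
                       (the antivirus replacement page case); inspect it
    'blocked_by_ips' - no response before the timeout: the IPS sensor dropped
                       the session (the "browser eventually times out" case)
    """
    u = urlparse(url)
    conn = http.client.HTTPConnection(u.hostname, u.port or 80, timeout=timeout)
    try:
        conn.request("GET", u.path or "/")
        body = conn.getresponse().read()
    except socket.gaierror:
        raise  # name resolution failure is a client problem, not a block
    except OSError:  # socket.timeout, connection reset, and similar
        return "blocked_by_ips"
    finally:
        conn.close()
    return "downloaded" if body.strip() == EICAR else "blocked_by_av"


class _TestHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the web server: /eicar.com returns the test
    file; any other path returns a page imitating an antivirus block message."""

    def do_GET(self):
        if self.path == "/eicar.com":
            status, body = 200, EICAR
        else:
            status, body = 403, b"<html>High Security Alert: download blocked</html>"
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the self-test quiet
        pass


def _start_http_server():
    srv = HTTPServer(("127.0.0.1", 0), _TestHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def _start_blackhole():
    """Constructed stand-in for a session dropped by IPS 'Block All': accept the
    TCP connection but never answer, so the client sees only a timeout."""
    lsock = socket.socket()
    lsock.bind(("127.0.0.1", 0))
    lsock.listen(5)
    lsock.settimeout(0.2)
    stop, held = threading.Event(), []

    def run():
        while not stop.is_set():
            try:
                held.append(lsock.accept()[0])  # hold it open, say nothing
            except socket.timeout:
                continue
        for c in held:
            c.close()
        lsock.close()

    threading.Thread(target=run, daemon=True).start()
    return lsock.getsockname()[1], stop


def self_test():
    """Run fetch() against the constructed servers and return the verdicts."""
    srv = _start_http_server()
    port = srv.server_address[1]
    hole_port, stop = _start_blackhole()
    try:
        return {
            "eicar": fetch(f"http://127.0.0.1:{port}/eicar.com"),
            "replacement_page": fetch(f"http://127.0.0.1:{port}/other"),
            "dropped_session": fetch(f"http://127.0.0.1:{hole_port}/eicar.com", timeout=1.0),
        }
    finally:
        stop.set()
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    import sys
    print(fetch(sys.argv[1]) if len(sys.argv) > 1 else self_test())
```

Run it with the eicar.com URL as its only argument; with no argument it runs the self-test against the constructed servers. Treat blocked_by_av as a prompt to inspect the response rather than a final verdict: any response that is not the EICAR file, including a 404 from the web server, lands in that class.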
Viewing the packet log
1. Go to Log&Report > Log & Archive Access > Security Log.
2. Locate the log entry that recorded the blocked EICAR test file download. The Message field reads tools: EICAR.AV.Test.File.Download.
3. Select the View Packet Log icon in the Packet Log column.
4. The packet log viewer opens, showing the packets captured when the signature matched.