FortiOS 5.4 Online Help Link FortiOS 5.2 Online Help Link FortiOS 5.0 Online Help Link FortiOS 4.3 Online Help Link

Home > Online Help

> Chapter 21 - Security Profiles > Intrusion protection > Enable IPS scanning

Enable IPS scanning

Enabling IPS scanning involves two separate parts of the FortiGate unit:

  • The security policy allows certain network traffic based on the sender, receiver, interface, traffic type, and time of day. Firewall policies can also be used to deny traffic, but those policies do not apply to IPS scanning.
  • The IPS sensor contains filters, signature entries, or both. These specify which signatures are included in the IPS sensor.

When IPS is enabled, an IPS sensor is selected in a security policy, and all network traffic matching the policy will be checked for the signatures in the IPS sensor.

General configuration steps

For best results in configuring IPS scanning, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

  1. Create an IPS sensor.
  2. Add signatures and /or filters.
    These can be:
  • Pattern based
  • Rate based
  • Customized
  1. Select a security policy or create a new one.
  2. In the security policy, turn on IPS, and choose the IPS sensor from the list.

All the network traffic controlled by this security policy will be processed according to the settings in the policy. These settings include the IPS sensor you specify in the policy.

Creating an IPS sensor

You need to create an IPS sensor before specific signatures or filters can be choosen. The signatures can be added to a new sensor before it is saved, but it is a good practice to keep in mind that the sensor and its included filters are separte things, and therefore their creation will be treated separately.

To create a new IPS sensor
  1. Go to Security Profiles > Intrusion Protection.
  2. Select the Create New icon in the top of the Edit IPS Sensor window.
  3. Enter the name of the new IPS sensor.
  4. Optionally, you may also enter a comment. The comment will appear in the IPS sensor list and serves to remind you of the details of the sensor.
  5. Select OK.

A newly created sensor is empty and contains no filters or signatures. You need to add one or more filters or signatures before the sensor will be of any use.

Adding an IPS filter to a sensor

While individual signatures can be added to a sensor, a filter allows you to add multiple signatures to a sensor by specifying the characteristics of the signatures to be added.

To create a new Pattern Based Signature and Filter

  1. Go to Security Profiles > Intrusion Protection.
  2. Select the IPS sensor to which you want to add the filter using the drop-down list in the top row of the Edit IPS Sensor window or by going to the list window.
  3. In the Pattern Based Signature and Filter widget, select the Create New icon
  4. For Sensor Type chose Filter Based.
  5. Configure the filter that you require. Signatures matching all of the characteristics you specify in the filter will be included in the filter. Select Specify and choose the filter option that have the appropriate parameters.

Basic

Severity

Refers to the level of threat possed by the attack.

The options include:

  • critical
  • high
  • medium
  • low
  • info

Target

Refers to the type of device targeted by the attack.

The options include:

  • client
  • server

OS

Refers to the Operating System affected by the attack.

The options include:

BSD Linux MacOS
Other Solaris Windows

Advanced

Application

Refers to the vendor or or type of application affected by the attack.

The options include:.

Adobe Apache Apple
CGI_app Cisco HP
IBM IE IIS
Mozilla MS_Office Novel
Oracle PHP_app Sun

This list can be expanded to include more options by selecting the [show more...] link. The additional options include:

ASP_app CA DB2
IM Ipswitch MailEnable
MediaPlayer MS_Exchange MSSQL
MySQL Netscape P2P
PostgreSQL Real Samba
SAP SCADA Sendmail
Veritas Winamp Other

Protocol

Refers to the protocol that is the vector for the attack.

The options include:

DNS FTP HTTP
ICMP IMAP LDAP
POP3 SCCP SIP
SMTP SNMP SSH
SSL TCP UDP

This list can be expanded to include more options by selecting the [show more...] link. The additional options include:

BO DCERPC DHCP
DNP3 H323 IM
MSSQL NBSS NNTP
P2P RADIUS RDT
RPC TRCP RTP
RTSP TELNET TFN
Other    
  1. Choose an action for when a signature is triggered.
Action Description
Signature Default All predefined signatures have an Action attribute that is set to Pass or Drop. This means that if a signature included in the filter has an Action setting of Pass, traffic matching the signature will be detected and then allowed to continue to its destination. Select Accept signature defaults use the default action for each included signature.

Note: to see what the default for a signature is, go to the IPS Signatures page and enable the column Action, then find the row with the signature name in it.
Monitor All Select Monitor all to pass all traffic matching the signatures included in the filter, regardless of their default Action setting.
Block All Select Block all to drop traffic matching any the signatures included in the filter.
Reset Select Reset to reset the session whenever the signature is triggered. In the CLI this action is referred to as Reject.
Quarantine The quarantine based on the attacker’s IP Address - Traffic from the Attacker’s IP address is refused until the expiration time from the trigger is reached.

2. Expires (time frame that the quarantine will be in effect):
•   5 Minute(s)
•   30 Minutes(s)
•   1 Hour(s)
•   1 Day(s)
•   1 Week(s)
•   1 Month(s)
Packet Logging Select to enable packet logging for the filter.

When you enable packet logging on a filter, the unit saves a copy of the packets that match any signatures included in the filter. The packets can be analyzed later.

For more information about packet filtering, see "Configuring packet logging options"
  1. Select OK.

The filter is created and added to the filter list.

Adding Rate Based Signatures

These are a subset of the signatures that are found in the database that are normally set to monitor. This group of signetures is for vulnerabilities that are normally only considered a serious threat when the targeted connections come in multiples, a little like DoS attacks.

Adding a rate based signature is straight forward. Select the enable button in the Rate Based Signature table that corresponds with the desired signature.

Customized signatures

Customized signatures must be created before they can be added to the sensor. To get more details on customized signatures check the IPS Signatures chapter.

Updating predefined IPS signatures

The FortiGuard Service periodically updates the pre-defined signatures and adds new signatures to counter emerging threats as they appear.

Because the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.

Viewing and searching predefined IPS signatures

Go to Security Profiles > Intrusion Protection. Select [View IPS Signatures] to view the list of existing IPS signatures. You may find signatures by paging manually through the list, apply filters, or by using the search field.

Searching manually

Signatures are displayed in a paged list, with 50 signatures per page. The bottom of the screen shows the current page and the total number of pages. You can enter a page number and press enter, to skip directly to that page. Previous Page and Next Page buttons move you through the list, one page at a time. The First Page and Last Page button take you to the beginning or end of the list.

Applying filters

You can enter criteria for one of more columns, and only the signatures matching all the conditions you specify will be listed.

To apply filters
  1. Go to Security Profiles > Intrusion Protection. Select [View IPS Signatures] .
  2. Select column by which to filter.
  3. Select the funnel/filter icon and enter the value or values to filter by.
  4. Use additional columns as needed to refine search.

The available options vary by column. For example, Enable allows you to choose between two options, while OS has multiple options, and you may select multiple items together. Filtering by name allows you to enter a text string and all signature names containing the string will be displayed.