Instruction/ maintenance manual of the product IPS Fortinet
Go to page of 62
www.fortinet.com FortiG at e IPS User Guide V ersion 3.0 MR7 USER GUIDE.
FortiGate IPS U ser Guide V ersion 3.0 MR7 September 16, 2 008 01-30007-00 80-20080916 © Copyright 2008 Fortine t, Inc. All rights reserved. No part of this publication including text, examples , dia.
Contents FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 3 Contents Introduction ............... ................................. .............................. .......... 5 The FortiGate IPS.. ................... ................ .
FortiGate IPS User Guide Version 3.0 MR7 4 01-30007-0080-200809 16 Creating custom signatures ............. ................... .................... ................... .... 23 Custom signature fields ............. ................... ................
Introduction The FortiGate IPS FortiGate IPS User Gu ide Version 3.0 MR7 01-30007-0080-2008091 6 5 Introduction This section introduces you to the Fort iGate Intrusion Prev ention System (IPS) and the.
FortiGate IPS User Guide Version 3.0 MR7 6 01-30007-0080-200809 16 About this document Introduction About this document Document conventions The following document convention s are used in this guide: • In the exa mples, priva te IP addre sses are us ed for both p rivate and public IP addresses.
Introduction Fortinet documentation FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 7 • FortiGate Installation Guide Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, insta llation procedures, connection procedures, and basic configura tion pr ocedures.
FortiGate IPS User Guide Version 3.0 MR7 8 01-30007-0080-200809 16 Customer service and technical support Introduction Fortinet Knowledge Center Additional Fortinet technical document ation is available from the Fortinet Knowledge Center . The knowledge center cont ains troubleshooting and how-to articles, F AQs, technical notes, and more.
IPS overview and gene ral configuration The FortiGate IPS FortiGate IPS User Gu ide Version 3.0 MR7 01-30007-0080-2008091 6 9 IPS overview and general configuration This section contains th e followin.
FortiGate IPS User Guide Version 3.0 MR7 10 01-30007-0080-200809 16 Network performance IPS overview and general configuration T o create an IPS sensor , go to Intrusion Protection > IPS Sensor .
IPS overview and gene ral configuration M onitoring the network and dealing with attacks FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 11 Controlling sessions Use this command to ignore sessions af ter a set amount of traf fic has passed.
FortiGate IPS User Guide Version 3.0 MR7 12 01-30007-0080-200809 16 Monitoring the network and dealing with atta cks IPS overview and general configuration 5 Select and configure authentication if re quired and enter the email addresses that will receive the alert email.
IPS overview and gene ral configuration M onitoring the network and dealing with attacks FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 13 Anomaly The following log messag e is gen.
FortiGate IPS User Guide Version 3.0 MR7 14 01-30007-0080-200809 16 Using IPS sensors in a protection profil e IPS overview and general configuration Using IPS sensors in a protection profile IPS can .
IPS overview and gene ral configuration Us ing IPS sensors in a protection profile FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 15 Adding protection profiles to user groups When creating a user gr oup, select a protec tion profile that applies to that group.
FortiGate IPS User Guide Version 3.0 MR7 16 01-30007-0080-200809 16 Using IPS sensors in a protection profil e IPS overview and general configuration.
Predefined signatures IPS predefined signatures FortiGate IPS User Gu ide Version 3.0 MR7 01-30007-0080-2008091 6 17 Predefined signatures This section describes: • IPS predefined signature s • Viewin g the predefined signature list IPS predefined signatures Predefined signatur es are arranged in alphabetical order.
FortiGate IPS User Guide Version 3.0 MR7 18 01-30007-0080-200809 16 Viewing the predefined signature list Predefined signature s By default, the signatures are sorted by name. T o sort the t able by another column, select the re quired column header name.
Predefined signatures Viewing the predefined signature list FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 19 Y ou should also review exactly how y ou use the information provided by the logging feature. If you find th at you do not review the information, it is best to turn off IPS logging.
FortiGate IPS User Guide Version 3.0 MR7 20 01-30007-0080-200809 16 Viewing the predefined signature list Predefined signature s.
Custom signatures IPS custom signatures FortiGate IPS User Gu ide Version 3.0 MR7 01-30007-0080-2008091 6 21 Custom signatures Custom signatures provide the power and flexibility to customize the FortiGate Intrusion Prot ection system for diverse network envir onments.
FortiGate IPS User Guide Version 3.0 MR7 22 01-30007-0080-200809 16 Custom signature configuration Custom signatures Custom signature configuration Add custom signatures using th e web-based manager or th e CLI.
Custom signatures Creating custom signatures FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 23 Creating custom signatures Custom signatures are added sep arately to each VDOM. In each VDOM, there can be a maximum of 255 custom signatures.
FortiGate IPS User Guide Version 3.0 MR7 24 01-30007-0080-200809 16 Creating custom signatures Custom signatures Custom signature syntax T able 2: Information keywords Keyword and value Description --attack_id <id_int>; This optional value is used to identify the signa ture.
Custom signatures Creating custom signatures FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 25 T able 4: Content keywo rds Keyword and value Description --byte_jump <bytes_to_co.
FortiGate IPS User Guide Version 3.0 MR7 26 01-30007-0080-200809 16 Creating custom signatures Custom signatures --byte_test <bytes_to_convert>, <operator>, <value>, <offset>[, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct]; The FortiGa te unit comp ares a byte field against a specific value (with operator).
Custom signatures Creating custom signatures FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 27 --context {uri | header | body | host}; S pecify the protocol field that the pattern should be looked for . If context is not specified for a p attern, the FortiGate unit searches for the pattern anywhere in the packet buf fer .
FortiGate IPS User Guide Version 3.0 MR7 28 01-30007-0080-200809 16 Creating custom signatures Custom signatures --pcre [!]"(/<regex>/|m<delim>< regex><delim>)[ismxAEGRU B]"; Similar to the pattern keyword, pcre is used to specify a pattern using Perl-compatible regular expressions (PCRE).
Custom signatures Creating custom signatures FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 29 T able 5: IP header keywor ds Keyword and V alue Description --dst_addr [!]<ipv4>; The destination IP address.
FortiGate IPS User Guide Version 3.0 MR7 30 01-30007-0080-200809 16 Creating custom signatures Custom signatures T able 6: T CP header keywords Keyword and V alue Description --ack <ack_int>; Check for the specified TCP acknowledge number .
Custom signatures Creating custom signatures FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 31 --tcp_flags <FSRPAU120>[!|*|+] [,<FSRPAU120>]; S pecify the TCP flags to match in a packet. • S : Match the SYN flag. • A : Match the ACK flag.
FortiGate IPS User Guide Version 3.0 MR7 32 01-30007-0080-200809 16 Creating custom signatures Custom signatures T able 7: UDP header key words Keyword and V alue Description --dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>}; The destination port numbe r .
Custom signatures Creating custom signatures FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 33 Example custom signatures Custom signature fields and syntax are fully d escribed in this chapter , though using them to build a custom sig nature can be complex.
FortiGate IPS User Guide Version 3.0 MR7 34 01-30007-0080-200809 16 Creating custom signatures Custom signatures The FortiGate unit will limit its search for the pattern to the H TTP protocol. Even though the HTTP prot ocol uses only TCP traffi c, the FortiGate will search for HTTP prot ocol commu nication in TCP , UDP , and ICMP traffic.
Custom signatures Creating custom signatures FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 35 Example 2: signature to bl ock the SMTP ‘vrfy’ command The SMTP vrfy command can be used to verify the existence of a single email address, or it can be used to list all of the valid email account s on an email server .
FortiGate IPS User Guide Version 3.0 MR7 36 01-30007-0080-200809 16 Creating custom signatures Custom signatures Use the --protocol tcp keyword to limit the effect of the custom signature to only TCP traffic. This will save system re sources by not unnecessarily scanning UDP and ICMP traffic.
Protocol decoders Protocol decoders FortiGate IPS User Gu ide Version 3.0 MR7 01-30007-0080-2008091 6 37 Protocol decoders This section describes: • Protocol decoders • Upgrading the IPS protocol .
FortiGate IPS User Guide Version 3.0 MR7 38 01-30007-0080-200809 16 Viewing the protocol decoder list Protocol decoders V iewing the protocol decoder list T o view the decoder list, go to Intrusion Prot ection > Signature > Protocol Decoder . Figure 6: The protoc ol decoder list Protocols The protocol decoder names.
IPS sensors Viewing the IPS sensor list FortiGate IPS User Gu ide Version 3.0 MR7 01-30007-0080-2008091 6 39 IPS sensors Y ou can group signat ures into IPS sensors for e asy selection in protection profiles.
FortiGate IPS User Guide Version 3.0 MR7 40 01-30007-0080-200809 16 Configuring IPS sensors IPS sensors Adding an IPS sensor An IPS sensor must be created be fore it can be configured by adding filter s and overrides. T o create an IPS sensor , go to Intrusion Protec tion > IPS Sensor and select Create New .
IPS sensors Configuring IPS sensors FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 41 T o view an IPS sensor , go to Intrusion Protection > IPS Sensor and select the Edit icon of any IPS sensor . The Edit IP S Sensor window is divided into three part s: the sensor attributes, the filters, and the overrides.
FortiGate IPS User Guide Version 3.0 MR7 42 01-30007-0080-200809 16 Configuring IPS sensors IPS sensors IPS sensor overrides: Configuring filters T o configure a filter , go to Intrusion Protection > IPS Sen sor . Select the Edit icon of the IPS sensor containing the filter you want to edit.
IPS sensors Configuring IPS sensors FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 43 The signatures included in the filter are only those matching every attribute specified. When created, a new filter ha s every attribute set to “all” wh ich causes every signature to be included in th e filter .
FortiGate IPS User Guide Version 3.0 MR7 44 01-30007-0080-200809 16 Configuring IPS sensors IPS sensors T o edit a pre-defined or custom overr ide, go to Intrusion Protection > IPS Sensor and select the Edit ic on of the IPS sensor contain ing the override you want to edit.
DoS sensors FortiGate IPS User Gu ide Version 3.0 MR7 01-30007-0080-2008091 6 45 DoS sensors The FortiGate IPS u ses a traf fic anomaly detection fe ature to identify network traffic that does n ot fit known or co mmon traffic p atterns and behavior .
FortiGate IPS User Guide Version 3.0 MR7 46 01-30007-0080-200809 16 Viewing the DoS sensor list DoS sensors V iewing the DoS sensor list T o view the anomaly list, go to Intrusion Protection > DoS Sensor .
DoS sensors Configuring DoS sensors FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 47 Figure 13: Edit DoS Sensor DoS sensor attributes: Anomaly configuration: Name Enter or change the DoS sensor name. Comment s Enter or change an optional description of the DoS sensor .
FortiGate IPS User Guide Version 3.0 MR7 48 01-30007-0080-200809 16 Understanding the anomalies DoS sensors Protected addresses: Each entry in the protec ted addres s table includes a so urce and des tination IP address as well as a destination port. Th e DoS sens or will be applied to traffic matching the three attributes in any t able entry .
DoS sensors Understanding the anomalies FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 49 tcp_dst_session If the number of concurrent TCP con nections to one destination IP address exceeds the configured th reshold valu e, the action is executed.
FortiGate IPS User Guide Version 3.0 MR7 50 01-30007-0080-200809 16 Understanding the anomalies DoS sensors.
SYN flood attacks What is a SYN flood a ttack? FortiGate IPS User Gu ide Version 3.0 MR7 01-30007-0080-2008091 6 51 SYN flood att acks This section describes: • What is a SYN flood attack? • How S.
FortiGate IPS User Guide Version 3.0 MR7 52 01-30007-0080-200809 16 The FortiGate IPS Response to SYN flood attacks SYN flood attacks After the handsh aking process is comp lete the connection is open and dat a exchange can begin betwee n the originator and the receiver , in this case the web browser and the web ser ver .
SYN flood attacks The FortiGate IP S Response to SYN flood att acks FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 53 A true SYN proxy approach r equires that all three packet s (SYN, SYN/ACK, and ACK) are cached and replayed even befor e it is known if a TCP connection request is legitimate.
FortiGate IPS User Guide Version 3.0 MR7 54 01-30007-0080-200809 16 Configuring SYN flood p rotection SYN flood attacks Configuring SYN flood protection T o configure the SYN flood prot ection 1 Go to Intrusion Protection > DoS Sensor . 2 Select Create New .
ICMP sweep attacks What is an ICMP sweep? FortiGate IPS User Gu ide Version 3.0 MR7 01-30007-0080-2008091 6 55 ICMP sweep att acks This section describes: • What is an ICMP sweep? • How ICMP sweep.
FortiGate IPS User Guide Version 3.0 MR7 56 01-30007-0080-200809 16 The FortiGate IPS response to IC MP sweep attacks ICMP sweep attacks Predefined ICMP signatures Ta b l e 1 1 describes all the ICMP-relate d pr edef ined signature s and the default settings for each.
ICMP sweep attacks The FortiGate I PS response to ICMP sweep attacks FortiGate IPS Us er Guide V ersion 3.0 MR7 01-30007-0080-20080 916 57 ICMP sweep anomalies The FortiGate unit also detect s ICMP sw eep s that do not have a predefined signature to block them.
FortiGate IPS User Guide Version 3.0 MR7 58 01-30007-0080-200809 16 Configuring ICMP sweep protection ICMP sweep attacks Configuring ICMP sweep protection T o configure the ICMP sweep anomaly pr otection settings 1 Go to Intrusion Protection > DoS Sensor .
Index FortiGate V ersion 3.0 MR7 IPS User Guide 01-30007-0080-2008091 6 59 Index A alert email configuring 11 anomalies log messages 13 anomaly destination session l imit 48 flooding 48 scan 48 source.
FortiGate V ersion 3.0 MR 7 IPS User Guide 60 01-30007-0080-200809 16 Index T technical support 8.
www.fortinet.com.
www.fortinet.com.
An important point after buying a device Fortinet IPS (or even before the purchase) is to read its user manual. We should do this for several simple reasons:
If you have not bought Fortinet IPS yet, this is a good time to familiarize yourself with the basic data on the product. First of all view first pages of the manual, you can find above. You should find there the most important technical data Fortinet IPS - thus you can check whether the hardware meets your expectations. When delving into next pages of the user manual, Fortinet IPS you will learn all the available features of the product, as well as information on its operation. The information that you get Fortinet IPS will certainly help you make a decision on the purchase.
If you already are a holder of Fortinet IPS, but have not read the manual yet, you should do it for the reasons described above. You will learn then if you properly used the available features, and whether you have not made any mistakes, which can shorten the lifetime Fortinet IPS.
However, one of the most important roles played by the user manual is to help in solving problems with Fortinet IPS. Almost always you will find there Troubleshooting, which are the most frequently occurring failures and malfunctions of the device Fortinet IPS along with tips on how to solve them. Even if you fail to solve the problem, the manual will show you a further procedure – contact to the customer service center or the nearest service center