Configuring IPS

The FortiADC Intrusion Prevention System (IPS) combines signature-based detection and prevention with low latency and high reliability. You can create multiple IPS profiles, each a complete, signature-based configuration, and then apply any IPS profile to any Layer 4 virtual server (L4 VS).

Intrusion Prevention System (IPS) technology protects your network from cybercriminal attacks by actively seeking and blocking external threats before they can reach potentially vulnerable network devices.

This section describes how to configure the FortiADC Intrusion Prevention settings.

Predefined Profiles

Each IPS signature detects one particular type of attack, so effective detection and protection depends on a well-considered combination of signatures. FortiADC ships with 8 predefined profiles, each built by selecting signatures on attributes such as action, application, severity and target, so that you can set up protection quickly:

Predefined Profile      Comment
all_default             Signatures with their default action
all_default_pass        Signatures with the Pass action
default                 Prevent critical attacks
high_security           Blocks all Critical/High/Medium and some Low severity vulnerabilities
protect_client          Protect against client-side vulnerabilities
protect_email_server    Protect against email server-side vulnerabilities
protect_http_server     Protect against HTTP server-side vulnerabilities
sniffer-profile         Monitor IPS attacks

Signature-based defense

Signature-based defense is used against known attacks or vulnerability exploits. These often involve an attacker attempting to gain access to your network. The attacker must communicate with the host in an attempt to gain access and this communication will include particular commands or sequences of commands and variables. The IPS signatures include these command sequences, allowing the FortiADC unit to detect and stop the attack.

Signatures

IPS signatures are the basis of signature-based intrusion prevention. Each known attack can be characterised by a particular string of commands, or a sequence of commands and variables, that the attacker must send. Signatures carry this information so that your FortiADC unit knows what to look for in network traffic.

Signatures also include characteristics about the attack they describe. These characteristics include the network protocol in which the attack will appear, the vulnerable operating system, and the vulnerable application.

The FortiGuard Intrusion Prevention Service (IPS) provides customers with the latest defenses against stealthy network-level threats through a constantly updated database of known threats and behavior-based signatures.

This update service is backed by a team of threat experts and a close relationship with major application vendors. The best-in-class team also uncovers significant zero-day vulnerabilities continuously, providing FortiADC units with advanced protection ahead of vendor patches.

The IPS signature database can be updated automatically or manually from the System > Settings > FortiGuard page.

Protocol decoders

Before examining network traffic for attacks, the IPS engine uses protocol decoders to identify each protocol appearing in the traffic. Attacks are protocol-specific, so your FortiADC unit conserves resources by looking for attacks only in the protocols used to transmit them. For example, the FortiADC unit will only examine HTTP traffic for the presence of a signature describing an HTTP attack.

IPS engine

Once the protocol decoders have separated the network traffic by protocol, the IPS engine examines the traffic for attack signatures. The number of IPS engines is configurable in the CLI (see Configuring Engine Count); the recommendation is one IPS engine per CPU, so that the engine count equals the CPU count of the FortiADC unit.

IPS profiles

The IPS engine does not examine network traffic for all signatures. You must first create an IPS profile and specify which signatures are included. Add signatures to profile individually using signature entries, or in groups using IPS filters.

To view the IPS profiles, go to Security Profiles > Intrusion Prevention.

You can group signatures into IPS profiles for easy selection when configuring L4 VS security. You can define signatures for specific types of traffic in separate IPS profiles, and then select each profile on the virtual servers that handle that type of traffic. For example, you can put all of the web-server-related signatures in one IPS profile and apply that profile to the L4 VS that controls all of the traffic to and from a web server protected by the unit.

The FortiGuard Service periodically updates the signatures, with signatures added to counter new threats. Since the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.

Each filter consists of a number of signature attributes. Only the signatures that have all of those attributes are checked against traffic when the filter is run. If multiple filters are defined in an IPS profile, they are checked against the traffic one at a time, from top to bottom. When a match is found, the unit takes the action configured for that filter and stops further checking, so the order of filters (and signature entries) in a profile matters.

The signatures included in a filter are only those matching every attribute specified. A new filter has every attribute set to all, which includes every signature in the filter. If the severity is then changed to High and the target to server, the filter includes only the signatures for High severity attacks targeted at servers.

IPS filters

IPS profiles contain one or more IPS filters. A filter is a collection of signature attributes that you specify. The signatures that have all of the attributes specified in a filter are included in the IPS filter.

For example, if your FortiADC unit protects a Linux server running the Apache web server software, you could create a new filter to protect it. By setting OS to Linux, and Application to Apache, the filter will include only the signatures that apply to both Linux and Apache. If you wanted to scan for all the Linux signatures and all the Apache signatures, you would create two filters, one for each.

To view the filters in an IPS profile, go to Security Profiles > Intrusion Prevention, select the IPS profile containing the filters you want to view, and select Edit.

Custom/predefined signature entries

Signature entries allow you to add an individual custom or predefined IPS signature. If you need only one signature, adding a signature entry to an IPS profile is the easiest way. Signature entries are also the only way to include custom signatures in an IPS profile.

Another use for signature entries is to change the settings of individual signatures that are already included in a filter within the same IPS profile. Add a signature entry with the required settings above the filter, and the signature entry will take priority.
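The filter and entry rules above (a filter includes every signature matching all of its constrained attributes, rules are checked top to bottom with the first match deciding, and an entry placed above a filter overrides it for one signature) can be modelled in a few dozen lines. The following is an added example written for this page, not FortiADC code: the signature names, attribute values and profile contents are constructed, and the model also shows why a signature added by a later database update is automatically covered by an existing filter.

```python
"""Model of how an IPS profile resolves the action for each signature.

Added illustration, not FortiADC code. The signature names, attribute values,
actions and profile contents below are constructed. The model encodes the
rules the page states: a filter includes every signature that matches ALL of
its constrained attributes (an attribute left at "all" matches anything);
signature entries and filters are checked top to bottom and the first match
decides; an entry placed above a filter therefore overrides that filter for one
signature; and a signature added later by a database update is picked up
automatically by any filter it matches.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Union

ATTRS = ("application", "os", "protocol", "severity", "target")
ACTIONS = ("pass", "block", "default")


@dataclass(frozen=True)
class Signature:
    name: str
    application: str
    os: str
    protocol: str
    severity: str
    target: str
    default_action: str   # what the "Default" action resolves to for this signature


@dataclass
class Filter:
    """A filter rule. A new filter has every attribute set to "all"."""
    action: str = "default"
    application: str = "all"
    os: str = "all"
    protocol: str = "all"
    severity: str = "all"
    target: str = "all"

    def matches(self, sig: Signature) -> bool:
        # Included only if the signature matches every constrained attribute.
        return all(getattr(self, a) in ("all", getattr(sig, a)) for a in ATTRS)


@dataclass
class Entry:
    """A signature entry: one named signature with an explicit action."""
    name: str
    action: str = "default"

    def matches(self, sig: Signature) -> bool:
        return sig.name == self.name


@dataclass
class Profile:
    name: str
    rules: List[Union[Entry, Filter]] = field(default_factory=list)  # top to bottom

    def resolve(self, sig: Signature) -> Optional[str]:
        """Concrete action for sig, or None if no rule in the profile includes it."""
        for rule in self.rules:
            if rule.matches(sig):
                if rule.action not in ACTIONS:
                    raise ValueError(f"unknown action {rule.action!r}")
                return sig.default_action if rule.action == "default" else rule.action
        return None   # the engine does not look for this signature at all

    def effective_actions(self, db: List[Signature]) -> dict:
        return {s.name: self.resolve(s) for s in db}


# Constructed signature database: names and attributes are made up.
SIGNATURE_DB = [
    Signature("Apache.Example.Overflow", "Apache", "Linux", "HTTP", "Critical", "server", "block"),
    Signature("Apache.Example.Scan", "Apache", "Linux", "HTTP", "Low", "server", "pass"),
    Signature("IIS.Example.Traversal", "IIS", "Windows", "HTTP", "High", "server", "block"),
    Signature("Browser.Example.Heap", "Firefox", "Windows", "HTTP", "High", "client", "block"),
]


def build_linux_apache_profile() -> Profile:
    """The page's Linux + Apache filter, with one signature entry placed above it."""
    return Profile("linux_apache", rules=[
        Entry("Apache.Example.Scan", action="block"),           # above the filter: wins
        Filter(action="default", os="Linux", application="Apache"),
    ])


def build_linux_or_apache_profile() -> Profile:
    """Two filters, as the page suggests for 'all Linux' plus 'all Apache' signatures."""
    return Profile("linux_or_apache", rules=[
        Filter(action="block", os="Linux"),
        Filter(action="block", application="Apache"),
    ])


if __name__ == "__main__":
    prof = build_linux_apache_profile()
    for name, action in prof.effective_actions(SIGNATURE_DB).items():
        print(f"{name:28} -> {action}")
    # A later database update adds a signature the existing filter already covers.
    later = Signature("Apache.Example.Later", "Apache", "Linux", "HTTP", "High", "server", "block")
    print(f"{later.name:28} -> {prof.resolve(later)} (auto-included by the filter)")
```

Swapping the order of the entry and the filter in `build_linux_apache_profile` makes the filter match `Apache.Example.Scan` first, so its signature default (Pass) applies and the Block entry is never reached; that is the ordering rule the page describes.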

Security - L4 VS

To use an IPS profile, you must select it in the security options of an L4 VS. An IPS profile that is not selected in any virtual server's security options has no effect on network traffic.

Note

IPS does not support NAT46

Session timers for IPS sessions

A session time-to-live (TTL) timer for IPS sessions is available to reduce synchronization problems between the FortiADC Kernel and IPS, and to reduce IPS memory usage.

Creating an IPS Profile

You need to create an IPS profile before specific signatures or filters can be chosen. Signatures can be added to a new profile before it is saved, but keep in mind that the profile and its filters are separate objects and are created separately. If one of the predefined profiles (see Predefined Profiles) already fits your needs, you can apply it directly instead of creating a new one.

To create a new IPS Profile

  1. Go to Security Profiles > Intrusion Prevention.
  2. Click the Create New icon at the top of the IPS Profile page.
  3. Enter the name of the new IPS Profile.
  4. Optionally, enter a comment. The comment appears in the IPS Profile list.
  5. Click OK.
  6. A newly created profile is empty and contains no filters or signatures. Add one or more filters or signatures before the profile will be of any use.

Adding IPS signatures to a Profile

  1. Go to Security Profiles > Intrusion Prevention.
  2. Select the IPS Profile to which you want to add the signature and click the pencil (Edit) icon.
  3. Under IPS Signatures, click Add Signature.
  4. Select one or more signatures from the list and click Apply to add them to the profile.
  5. Once a signature has been added to the IPS Signatures list, the Action drop-down list to the right of the signature can be changed between Default, Pass and Block.
  6. Click Apply at the bottom of the IPS Profile page.

Adding an IPS filter to a Profile

While individual signatures can be added to a Profile, a filter allows you to add multiple signatures to a Profile by specifying the characteristics of the signatures to be added.

To add a filter to an IPS Profile

  1. Go to Security Profiles > Intrusion Prevention.
  2. Select the IPS Profile to which you want to add the filter and click the pencil (Edit) icon.
  3. Under IPS Filters, click Add Filter.
  4. Configure the filter attributes that you require. Only signatures matching all of the characteristics you specify are included in the filter. Once finished, click Apply.

    Application refers to the application affected by the attack and filter options include over 25 applications.

    OS refers to the Operating System affected by the attack. The options include BSD, Linux, MacOS, Other, Solaris, and Windows.

    Protocol refers to the protocol that is the vector for the attack; filter options include over 35 protocols, including "other."

    Severity refers to the level of threat posed by the attack. The options include Critical, High, Medium, Low, and Info.

    Target refers to the type of device targeted by the attack. The options include client and server.

    Action     Description
    Pass       Allow traffic matching the filter's signatures to continue to its destination.
    Block      Drop traffic matching any signature included in the filter.
    Default    Use each signature's own default action.

    Note: to see what the default action of a signature is, go to the IPS Signatures page, enable the Action column, and find the row for that signature.

  5. Once the filter has been added to the IPS Filters list, the Action drop-down list to the right of the filter can be changed between Default, Pass and Block.
  6. Click Apply at the bottom of the IPS Profile page.

Adding rate based signatures

Rate based signatures are a subset of the signatures in the database. They cover behaviour that is normally only a serious threat when the matching connections arrive in multiples, similar to a DoS attack: a single matching connection is not treated as an attack, but a burst of them is.

To add a rate based signature, select the Enable button in the Rate Based Signature table for the row that corresponds to the desired signature.
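What distinguishes a rate based signature from an ordinary one is that each individual match is tolerated and only the rate of matches from one source is the detection. The following sliding-window model is an added example for this page, not FortiADC code; the threshold, window length, per-source tracking and the event stream are constructed assumptions, not FortiADC's actual parameters, which the page does not state.

```python
"""Sliding-window model of a rate-based IPS signature.

Added illustration, not FortiADC code. The page says rate-based signatures
target behaviour that is only a threat when the matching connections come in
multiples; the threshold, the window length, the per-source tracking and the
event stream below are constructed assumptions for the example.
"""
from collections import deque
from typing import Dict, Iterable, Tuple


class RateBasedSignature:
    def __init__(self, name: str, threshold: int, window_s: float):
        self.name = name
        self.threshold = threshold   # matches needed inside the window to fire
        self.window_s = window_s
        self._hits: Dict[str, deque] = {}   # source -> timestamps of recent matches

    def observe(self, src: str, ts: float) -> bool:
        """Record one pattern match from src at time ts (events must arrive in
        time order). Returns True when the number of matches inside the window
        reaches the threshold, i.e. when the rate-based signature fires."""
        q = self._hits.setdefault(src, deque())
        q.append(ts)
        while q and ts - q[0] > self.window_s:   # drop matches that aged out
            q.popleft()
        return len(q) >= self.threshold


def first_trigger(sig: RateBasedSignature,
                  events: Iterable[Tuple[str, float]]) -> Dict[str, float]:
    """Replay (source, seconds) events in time order; return each source that
    tripped the signature and the time at which it first did so."""
    fired: Dict[str, float] = {}
    for src, ts in events:
        if sig.observe(src, ts) and src not in fired:
            fired[src] = ts
    return fired


# Constructed traffic: one host repeats the matching request every 0.5 s,
# another sends it once. Every request matches the pattern on its own; only
# the repetition is treated as an attack.
EVENTS = sorted(
    [("203.0.113.9", 0.5)] + [("198.51.100.7", 0.5 * i) for i in range(0, 6)],
    key=lambda e: e[1],
)

if __name__ == "__main__":
    sig = RateBasedSignature("Example.Probe.Burst", threshold=5, window_s=10.0)
    print(first_trigger(sig, EVENTS))
```

The single request from 203.0.113.9 never fires, while 198.51.100.7 trips the signature on its fifth request at 2.0 s; stretching the same hits over a period longer than the window keeps the count below the threshold, which is why the window length matters as much as the threshold.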

Predefined IPS Profile

FortiADC has 8 predefined IPS profiles so that users can enable IPS quickly and conveniently. Each predefined profile was built by selecting signatures on their attributes with a particular use case in mind. For users who want broad protection but are not yet ready to build a customized profile, the predefined profiles are highly recommended. They are kept current by the periodic signature database updates from the FortiGuard Service. The profiles can be selected directly under Security > IPS in the L4 VS options, which makes them the quickest way to enable IPS.

Enabling IPS

Currently, IPS scanning is supported only for L4 VS traffic.

  • The IPS profile contains filters, signature entries, or both. These specify which signatures are included in the IPS profile.

When an IPS profile is selected in the security options of a virtual server, all network traffic handled by that virtual server is checked for the signatures in the IPS profile.

Configuring Engine Count

To accommodate the varying demands and performance of different platforms, the IPS engine count in FortiADC is configurable. The more IPS engines a FortiADC unit runs, the better the IPS performs, but each additional engine also consumes more CPU and memory from the whole system.

The default engine count is 1. For better performance, set the engine count according to the number of CPUs on the platform, one engine per CPU.

Eg: 4 engines for a 4-core device. (Refer to the hardware platform reference at the end of this article.)

CLI Syntax

    config global
        config system ips
            set engine-count {1-256}
        next
    end
