Handbook 6.0.0

Configuring profiles

Enabling IPS scanning involves two separate features of FortiOS 5.6:

  • The security policy allows certain network traffic based on the sender, receiver, interface, traffic type, and time of day. Firewall policies can also be used to deny traffic, but those policies do not apply to IPS scanning.
  • The IPS sensor contains filters, signature entries, or both. These specify which signatures are included in the IPS sensor.

When IPS is enabled and an IPS sensor is selected in a security policy, all network traffic matching the policy will be checked for the signatures in the IPS sensor.

General configuration steps

For best results in configuring IPS scanning, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

  1. Create an IPS sensor.
  2. Add signatures and/or filters. These can be:
    1. Pattern based
    2. Rate based
    3. Customized
  3. Optionally enable blocking malicious URLs.
  4. Optionally enable Botnet C&C protection.
  5. Select a security policy or create a new one.
  6. In the security policy, turn on IPS, and choose the IPS sensor from the list.

All the network traffic controlled by this security policy will be processed according to the settings in the policy. These settings include the IPS sensor you specify in the policy.
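The same six steps expressed as a FortiOS CLI configuration, added here as an illustration rather than taken from this handbook page: one sensor with a pattern-based filter, malicious URL blocking and Botnet C&C protection, applied to a security policy. The sensor name, policy ID and filter attribute values are constructed, and the CLI keywords (block-malicious-url, scan-botnet-connections, the entries attributes os/severity/location, quarantine and quarantine-expiry) are assumed from the FortiOS CLI reference rather than stated on this page.

```fortios
# Step 1: create the sensor (name is constructed for this example)
config ips sensor
    edit "ips-example-block-critical"
        set comment "Blocks critical/high Windows server signatures, logs packets"
        # Steps 3 and 4: malicious URL blocking and Botnet C&C protection (assumed keywords)
        set block-malicious-url enable
        set scan-botnet-connections block
        # Step 2: a pattern-based filter that selects signatures by attribute.
        # New FortiGuard signatures matching these attributes join the filter automatically.
        config entries
            edit 1
                set os windows
                set severity critical high
                set location server
                set status enable
                set action block
                set log enable
                set log-packet enable
                # Quarantine the attacker IP for 30 minutes after a trigger (assumed keywords)
                set quarantine attacker
                set quarantine-expiry 30m
            next
        end
    next
end
# Steps 5 and 6: turn on IPS in the security policy and choose the sensor (policy ID constructed)
config firewall policy
    edit 10
        set utm-status enable
        set ips-sensor "ips-example-block-critical"
    next
end
```

After applying, a new Windows server signature of critical or high severity delivered by a FortiGuard update is blocked without any change to the sensor, because the filter is defined by attributes rather than by signature name.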

Creating an IPS sensor

You need to create an IPS sensor before specific signatures or filters can be chosen. The signatures can be added to a new sensor before it is saved. However, it is good practice to keep in mind that the sensor and its included filters are separate things, and that they are created separately.

To create a new IPS sensor
  1. Go to Security Profiles > Intrusion Prevention.
  2. Select the Create New icon in the top of the Edit IPS Sensor window.
  3. Enter the name of the new IPS sensor.
  4. Optionally, enter a comment. The comment will appear in the IPS sensor list.
  5. Select OK.

A newly created sensor is empty and contains no filters or signatures. You need to add one or more filters or signatures before the sensor will be of any use.

Blocking Malicious URLs

To block malicious URLs with this IPS sensor, select Block malicious URLs. This feature uses a local malicious URL database on the FortiGate to assist in drive-by exploit detection. The database contains all malicious URLs active in the last month and all drive-by exploit URLs active in the last three months. The number of URLs covered is in the one million range.

Adding IPS signatures to a sensor

  1. Go to Security Profiles > Intrusion Prevention.
  2. Select the IPS sensor to which you want to add the signature using the drop-down list in the top row of the Edit IPS Sensor window or by going to the list window.
  3. Under IPS Signatures, select Add Signatures.
  4. Select one or more signatures from the list and select Use Selected Signatures to add them to the sensor.
  5. Optionally right-click on each signature to change the Action (Pass, Monitor, Block, Reset, Default or Quarantine) and enable or disable Packet Logging.

Adding an IPS filter to a sensor

While individual signatures can be added to a sensor, a filter allows you to add multiple signatures to a sensor by specifying the characteristics of the signatures to be added.

To create a new pattern based signature and filter

  1. Go to Security Profiles > Intrusion Prevention.
  2. Select the IPS sensor to which you want to add the filter using the drop-down list in the top row of the Edit IPS Sensor window or by going to the list window.
  3. Under IPS Filters, select Add Filter.
  4. Configure the filter that you require. Signatures matching all of the characteristics you specify in the filter will be included in the filter. Once finished, select Use Filters.
  5. The filter characteristics you can specify are:

    Application refers to the application affected by the attack; filter options include over 25 applications.

    OS refers to the operating system affected by the attack. The options include BSD, Linux, MacOS, Other, Solaris, and Windows.

    Protocol refers to the protocol that is the vector for the attack; filter options include over 35 protocols, including "other."

    Severity refers to the level of threat posed by the attack. The options include Critical, High, Medium, Low, and Info.

    Target refers to the type of device targeted by the attack. The options include client and server.

  6. Once you have selected the filters you wish to add, right-click the filters and choose an action for when a signature is triggered:

    Pass: allows traffic to continue to its destination.

    Note: to see what the default action for a signature is, go to the IPS Signatures page and enable the Action column, then find the row with the signature name in it.

    Monitor: allows traffic to continue to its destination and logs the activity. The log will appear under Log & Report but will only be visible in the GUI in the event of an intrusion.

    Block: drops traffic matching any of the signatures included in the filter.

    Reset: resets the session whenever the signature is triggered. In the CLI this action is referred to as Reject.

    Default: uses the default action of the signature.

    Quarantine: quarantines based on the attacker's IP address. Traffic from the attacker's IP address is refused until the expiration time from the trigger is reached. You may set the Quarantine Duration to any number of Days, Hours, or Minutes.

    Packet Logging: select to enable packet logging for the filter. When you enable packet logging on a filter, the unit saves a copy of the packets that match any signatures included in the filter. The packets can be analyzed later.

    For more information about packet logging, see "Configuring packet logging options".

  7. Select Apply.

    The filter is created and added to the filter list.

Adding rate based signatures

These are a subset of the signatures found in the database and are normally set to monitor. This group of signatures covers vulnerabilities that are normally only considered a serious threat when the targeted connections come in multiples, a little like DoS attacks.

Adding a rate based signature is straightforward: select the enable button in the Rate Based Signature table that corresponds to the desired signature.

Customized signatures

Customized signatures must be created before they can be added to the sensor.

Botnet C&C protection

You can set Botnet C&C protection to Block outgoing connections to Botnet sites or just record log messages (Monitor) when an outgoing Botnet connection attempt is detected.

The latest botnet database is available from FortiGuard. To see the version of the database and display its contents, go to System > FortiGuard and view the lists for Botnet IPs and Botnet Domains. You can look up more details about Botnet IPs and Domains on the FortiGuard site.

Updating predefined IPS signatures

The FortiGuard Service periodically updates the predefined signatures and adds new signatures to counter emerging threats as they appear.

To ensure that your system is providing the most protection available, these updates can be scheduled as often as on an hourly basis. To configure this feature, go to System > FortiGuard. Under AntiVirus & IPS Updates, enable Scheduled Updates. From here you can set the updates to occur on a consistent weekly, daily, or even hourly basis.

Because the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.

Viewing and searching predefined IPS signatures

Go to Security Profiles > Intrusion Prevention. Select [View IPS Signatures] to view the list of existing IPS signatures. You can find signatures by paging manually through the list, by applying filters, or by using the search field.

Searching manually

Signatures are displayed in a paged list, with 50 signatures per page. The bottom of the screen shows the current page and the total number of pages. You can enter a page number and press Enter to skip directly to that page. The Previous Page and Next Page buttons move you through the list one page at a time. The First Page and Last Page buttons take you to the beginning or end of the list.

Searching CVE-IDs

A CVE-ID column displaying CVE-IDs can optionally be added to the IPS Signatures list; however, the column is only available if the IPS package contains CVE-IDs for signatures. CVE-IDs can be filtered numerically by selecting the CVE-ID column's arrows.

Applying filters

You can enter criteria for one or more columns, and only the signatures matching all the conditions you specify will be listed.

To apply filters
  1. Go to Security Profiles > Intrusion Prevention. Select [View IPS Signatures].
  2. Select the column by which to filter.
  3. Select the funnel/filter icon and enter the value or values to filter by.
  4. Use additional columns as needed to refine the search.

The available options vary by column. For example, Enable allows you to choose between two options, while OS has multiple options, and you may select multiple items together. Filtering by name allows you to enter a text string and all signature names containing the string will be displayed.
