
Administration Guide

Intrusion Prevention

Use intrusion prevention to detect and block network-based attacks.

To create a profile:
  1. Log in as a Restricted Administrator.
  2. In the tree menu, select Intrusion Prevention, and then select a profile category.
  3. In the toolbar, click Create New.
  4. Configure the profile settings, and click OK.

To clone an existing profile, right-click the profile in the content pane, and select Clone.

To edit a profile:
  1. Log in as a Restricted Administrator.
  2. In the tree menu, select Intrusion Prevention, and then select a profile category.
  3. In the content pane, select a profile, and take one of the following actions:
    • In the toolbar, click Edit.
    • Right-click the profile, and select Edit.
  4. Edit the settings, and click OK.

Name

The profile name.

Comment

Optionally, enter a description of the profile.

IPS Signatures

Click Add Signatures to add IPS signatures to the table. The signatures list can be filtered to simplify adding them.

To add or edit a signature's IP exemptions, select a signature then click Edit IP Exemptions.

Right-click on a signature to change the action (Pass, Monitor, Block, Reset, Default, or Quarantine), and to enable or disable Packet Logging.

The CVE ID filter allows you to filter IPS signatures based on CVE IDs or with a CVE wildcard, ensuring that any signatures tagged with that CVE are automatically included.

You can delay new signatures to avoid false positives. Signatures that are on hold are set to Monitor rather than being disabled. If the signature is matched, the message "Signature is on hold" is appended to the log.

IPS Filters

Click Add Filter to add IPS filters to the table. The filters list can be searched and filtered to simplify adding them.

Right-click on a signature to change the action (Pass, Monitor, Block, Reset, Default, or Quarantine), and to enable or disable Packet Logging.

Rate Based Signatures

Enable the required rate-based signatures, then configure their options: Threshold, Duration, Track By, Action, and Block Duration.

Advanced Options

Enable or disable blocking malicious URLs.

To add an IPS CVE filter:
  1. Log in as a Restricted Administrator.
  2. Go to Intrusion Prevention > Profiles.
  3. Create a new profile or select the profile you want to update.
  4. In the IPS Signatures and Filters section, create a new filter or select a filter to update. The Create New IPS Signatures and Filters dialog box is displayed.
  5. Add the CVE filter.
    1. Click the Filter icon.
    2. Click Add Filter > CVE ID.
    3. Enter the CVE ID, then click Use Filters, and click OK.
  6. Click OK.

To delay an IPS signature activation:
  1. Log in as a Restricted Administrator.
  2. Go to Device Manager > Device & Groups.
  3. Select a managed device.
  4. In the toolbar, click CLI Configuration. To display the menu, see CLI Configurations menu.
  5. In the configurations menu, go to System > IPS. The system ips dialog box is displayed.
  6. Ensure override-signature-hold-by-id is enabled.
  7. In the signature-hold-time field, enter the number of days or hours to hold and monitor the IPS signatures. For example, 1d12h.
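
Because a signature on hold only monitors, it is worth reviewing what it matched during the hold window before it starts enforcing. The following is an added example, not part of the original guide or Fortinet's own tooling: it tallies log entries carrying the "Signature is on hold" message per signature and parses a hold time such as 1d12h. The log lines are constructed, and the key=value layout and the field names attack, action, and msg are assumptions about the exported log format.

```python
import re
import shlex
from collections import Counter
from datetime import timedelta

# Constructed sample lines in key=value log style; not captured traffic.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:02:11 subtype="ips" srcip=198.51.100.7 '
    'attack="Example.Sig.A" action="detected" '
    'msg="web_app: Example.Sig.A, (signature is on hold)"',
    'date=2024-05-01 time=10:05:43 subtype="ips" srcip=198.51.100.9 '
    'attack="Example.Sig.B" action="dropped" msg="web_app: Example.Sig.B"',
    'date=2024-05-01 time=11:17:02 subtype="ips" srcip=203.0.113.20 '
    'attack="Example.Sig.A" action="detected" '
    'msg="web_app: Example.Sig.A, (Signature is on hold)"',
    'date=2024-05-01 time=11:40:30 subtype="ips" srcip=203.0.113.21 '
    'attack="Example.Sig.C" action="detected" '
    'msg="misc: Example.Sig.C, (signature is on hold)"',
]

HOLD_MARKER = "signature is on hold"  # compared case-insensitively


def parse_fields(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def on_hold_hits(lines):
    """Count matches per signature that were only monitored because of the hold."""
    hits = Counter()
    for line in lines:
        fields = parse_fields(line)
        if HOLD_MARKER in fields.get("msg", "").lower():
            hits[fields.get("attack", "unknown")] += 1
    return hits


def parse_hold_time(value):
    """Convert a hold time such as '1d12h' into a timedelta."""
    m = re.fullmatch(r"(?:(\d+)d)?(?:(\d+)h)?", value.strip())
    if not m or not any(m.groups()):
        raise ValueError(f"bad hold time: {value!r}")
    return timedelta(days=int(m.group(1) or 0), hours=int(m.group(2) or 0))


if __name__ == "__main__":
    print("hold window:", parse_hold_time("1d12h"))
    for name, count in on_hold_hits(SAMPLE_LOGS).most_common():
        print(f"{name}: {count} match(es) monitored while on hold")
```

A signature with many on-hold matches from unrelated internal sources is a candidate false positive to tune or exempt; matches from a small set of external sources deserve investigation, since that traffic was not blocked during the hold.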
