Fortinet black logo

Administration Guide

Intrusion prevention profiles

Intrusion prevention profiles

Intrusion prevention profiles can be used to manage IPS filters and signatures, block malicious URLs, and configure Botnet C&C scanning.

Profiles can be installed to the FortiGate devices included in ADOMs that are assigned to the restricted administrator account. The administrator can select which devices to install changes to, giving them the ability to test signatures and filters on a subset of devices before installing the changes to all managed devices.

Intrusion prevention profiles include the revision history of changes made to the profile. Using the revision history you can compare two previous versions of the profile, and if needed, revert to a previous revision.

To create a IPS profile:
  1. Log in as a restricted administrator.
  2. In the tree menu, select Intrusion Prevention > Profiles.
  3. In the toolbar, click Create New.
  4. Configure the profile settings, and click OK.

  5. Name

    The profile name.

    Comment

    Optionally, enter a description of the profile.

    IPS Signatures and Filters

    Click Create New and select the Type as either Filter or Signature to add IPS signatures and filters to the table. The table list can be filtered to simplify adding them. You can quickly edit an existing signature or filter by double-clicking it in the list.

    Filters

    When creating filters, the following settings are available: Action (Allow, Monitor, Block, Reset, Default, Quarantine), Packet Logging, Status, and Filter. Click the edit filter icon to create a new filter.

    For information on hold-time and CVE filter options, see Intrusion prevention hold-time and CVE filtering.

    Signatures

    When selecting signatures, the following settings are available: Action (Allow, Monitor, Block, Reset, Default, Quarantine), Packet Logging, Status, Rate-based Setting, Exempt IPs, and Signatures. Click Add Signature to select a new signature.

    As a restricted administrator, custom IPS signatures can be created by navigating to Intrusion Prevention > IPS Signatures in the tree menu. See Intrusion prevention signatures.

    Botnet C&C

    Enable Botnet C&C to scan outgoing connections to botnet sites. Botnet C&C can be set to Block, Disable, or Monitor.

    Advanced Options

    Enable or disable extended logging.

    Revision

    Enter a change note that includes details about the change made to the IPS profile.

    Revision History

    View the revision history for this profile.

    Select View Diff in the toolbar to compare two versions in revision history.

    Select Revert in the toolbar to revert to a previous version based on revision history.

    Tooltip

    To clone an existing profile, right-click the profile in the content pane, and select Clone.

To edit a IPS profile:
  1. Log in as a restricted administrator.
  2. In the tree menu, select Intrusion Prevention > Profiles.
  3. In the content pane, select a profile, and take one of the following actions:
    • In the toolbar, click Edit.
    • Right-click the profile, and select Edit.
  4. Edit the settings, and click OK.
To view where a profile is being used:
  1. Log in as a restricted administrator.
  2. In the tree menu, select Profiles.
  3. In the content pane, select a profile from the list, and click Where Used in the More dropdown menu.
    The dialog window displays the ADOM and policy package/block where the package is currently being used.
To revert a profile to a previous version:
  1. Log in as a restricted administrator.
  2. In the tree menu, select Intrusion Prevention > Profiles.
  3. In the content pane, edit the profile that you want to revert from the list.
    Past changes made to this profile are listed in a table under Revision History.
  4. Select a saved revision from the table and click Revert, and click OK in the window confirming that you want to revert the profile.

Intrusion prevention profiles

Intrusion prevention profiles can be used to manage IPS filters and signatures, block malicious URLs, and configure Botnet C&C scanning.

Profiles can be installed to the FortiGate devices included in ADOMs that are assigned to the restricted administrator account. The administrator can select which devices to install changes to, giving them the ability to test signatures and filters on a subset of devices before installing the changes to all managed devices.

Intrusion prevention profiles include the revision history of changes made to the profile. Using the revision history you can compare two previous versions of the profile, and if needed, revert to a previous revision.

To create a IPS profile:
  1. Log in as a restricted administrator.
  2. In the tree menu, select Intrusion Prevention > Profiles.
  3. In the toolbar, click Create New.
  4. Configure the profile settings, and click OK.

  5. Name

    The profile name.

    Comment

    Optionally, enter a description of the profile.

    IPS Signatures and Filters

    Click Create New and select the Type as either Filter or Signature to add IPS signatures and filters to the table. The table list can be filtered to simplify adding them. You can quickly edit an existing signature or filter by double-clicking it in the list.

    Filters

    When creating filters, the following settings are available: Action (Allow, Monitor, Block, Reset, Default, Quarantine), Packet Logging, Status, and Filter. Click the edit filter icon to create a new filter.

    For information on hold-time and CVE filter options, see Intrusion prevention hold-time and CVE filtering.

    Signatures

    When selecting signatures, the following settings are available: Action (Allow, Monitor, Block, Reset, Default, Quarantine), Packet Logging, Status, Rate-based Setting, Exempt IPs, and Signatures. Click Add Signature to select a new signature.

    As a restricted administrator, custom IPS signatures can be created by navigating to Intrusion Prevention > IPS Signatures in the tree menu. See Intrusion prevention signatures.

    Botnet C&C

    Enable Botnet C&C to scan outgoing connections to botnet sites. Botnet C&C can be set to Block, Disable, or Monitor.

    Advanced Options

    Enable or disable extended logging.

    Revision

    Enter a change note that includes details about the change made to the IPS profile.

    Revision History

    View the revision history for this profile.

    Select View Diff in the toolbar to compare two versions in revision history.

    Select Revert in the toolbar to revert to a previous version based on revision history.

    Tooltip

    To clone an existing profile, right-click the profile in the content pane, and select Clone.

To edit a IPS profile:
  1. Log in as a restricted administrator.
  2. In the tree menu, select Intrusion Prevention > Profiles.
  3. In the content pane, select a profile, and take one of the following actions:
    • In the toolbar, click Edit.
    • Right-click the profile, and select Edit.
  4. Edit the settings, and click OK.
To view where a profile is being used:
  1. Log in as a restricted administrator.
  2. In the tree menu, select Profiles.
  3. In the content pane, select a profile from the list, and click Where Used in the More dropdown menu.
    The dialog window displays the ADOM and policy package/block where the package is currently being used.
To revert a profile to a previous version:
  1. Log in as a restricted administrator.
  2. In the tree menu, select Intrusion Prevention > Profiles.
  3. In the content pane, edit the profile that you want to revert from the list.
    Past changes made to this profile are listed in a table under Revision History.
  4. Select a saved revision from the table and click Revert, and click OK in the window confirming that you want to revert the profile.