Fortinet Document Library

Version: 5.3.0

Deployment

1. GUI

Quick-Enabling IPS

Refer to the Predefined Profiles section in the Introduction.

General configuration steps

For best results in configuring IPS scanning, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

  1. Create an IPS Profile.
  2. Add signatures and/or filters.

    These can be:

    • Pattern based
    • Rate based
  3. In the L4 VS Security option, click to select IPS, and choose the IPS Profile from the list.

All network traffic that passes through this L4 VS with the IPS security option enabled is processed according to the deployed IPS Profile, that is, the signatures, filters and actions you specified in that profile.

Creating an IPS Profile

You need to create an IPS profile before specific signatures or filters can be chosen. Signatures can be added to a new profile before it is saved. However, keep in mind that the profile and the filters it contains are separate objects, and that they are created separately. (See also: Predefined IPS Profile.)

To create a new IPS Profile

  1. Go to Security Profiles > Intrusion Prevention.
  2. Select the Create New icon at the top of the Edit IPS Profile window.
  3. Enter the name of the new IPS Profile.
  4. Optionally, enter a comment. The comment will appear in the IPS Profile list.
  5. Select OK.

A newly created Profile is empty and contains no filters or signatures. You need to add one or more filters or signatures before the Profile will be of any use.

Adding IPS signatures to a Profile

  1. Go to Security > Intrusion Prevention.
  2. Select the IPS Profile to which you want to add the signature and click the pencil icon.
  3. Under IPS Signatures, select Add Signature.
  4. Select one or more signatures from the list and click Apply to add them to the Profile.
  5. Once a signature has been added to the IPS Signatures list, its Action drop-down list (on the right side of the signature) can be changed to Default, Pass or Block.
  6. Click Apply at the bottom of the IPS Profile page.

Adding an IPS filter to a Profile

While individual signatures can be added to a Profile, a filter allows you to add multiple signatures to a Profile by specifying the characteristics of the signatures to be added.

To create a new pattern-based filter

  1. Go to Security Profiles > Intrusion Prevention.
  2. Select the IPS Profile to which you want to add the filter and click the pencil icon.
  3. Under IPS Filters, select Add Filter.
  4. Configure the filter that you require. Only signatures matching all of the characteristics you specify in the filter will be included in the filter. Once finished, select Apply.

    Application refers to the application affected by the attack; filter options include over 25 applications.

    OS refers to the operating system affected by the attack. The options include BSD, Linux, MacOS, Other, Solaris, and Windows.

    Protocol refers to the protocol that is the vector for the attack; filter options include over 35 protocols, including "other."

    Severity refers to the level of threat posed by the attack. The options include Critical, High, Medium, Low, and Info.

    Target refers to the type of device targeted by the attack. The options include client and server.

    Action determines what happens to traffic matching the filter:

    Pass: Select Pass to allow traffic to continue to its destination.

    Block: Select Block to drop traffic matching any signatures included in the filter.

    Default: Select Default to use the default action of the signature. Note: to see what the default action of a signature is, go to the IPS Signatures page, enable the Action column, then find the row with the signature name in it.

  5. Once the filter has been added to the IPS Filters list, its Action drop-down list (on the right side of the filter) can be changed to Default, Pass or Block.
  6. Click Apply at the bottom of the IPS Profile page.

Adding rate based signatures

These are a subset of the signatures that are found in the database. This group of signatures is for vulnerabilities that are normally only considered a serious threat when the targeted connections come in multiples, like DoS attacks.

Adding a rate based signature is straightforward. Select the Enable button in the Rate Based Signature table that corresponds to the desired signature.

Predefined IPS Profile

FortiADC has 8 predefined IPS Profiles so that users can enable IPS quickly and conveniently. Each predefined profile is built from the attributes of the signatures it contains. For users who want broad protection but are not yet ready to create a customized profile, the predefined IPS profiles are highly recommended. They are routinely updated as a result of the periodic signature database updates from the FortiGuard Service. These Profiles are available by selecting them directly from Security -> IPS in the L4 VS options. They can be considered a Quick-Enabling IPS.

Enabling IPS

Currently, IPS scanning only supports L4 VS traffic.

  • The IPS Profile contains filters, signature entries, or both. These specify which signatures are included in the IPS Profile.

When an IPS Profile is selected in a security option, all network traffic matching the policy will be checked against the signatures in the IPS Profile.

Configuring Engine Count

To account for performance differences between platforms, and for other varying demands, the IPS Engine-Count in FortiADC can be configured. The higher the Engine-Count, the better the IPS performs. However, a higher count requires more CPU and memory.

The default value of the Engine-Count is 1.

For example: 4 engines for a 4-core device.

CLI Syntax

config global
    config system ips
        set engine-count {1-256}
    next
end


2. CLI

Config IPS Profile

config security ips profile
    edit <profile>
        set comment {comment}
        config entries
            edit {id}
                set rule {id1 id2 ...}
                set status {disable | enable | default}
                set log {disable | enable}
                set action {pass | block | default}
                set location {loc1 loc2 ...}
                set severity {sev1 sev2 ...}
                set protocol {proto1 proto2 ...}
                set application {app1 app2 ...}
                set os {os1 os2 ...}
                set rate-count {count}
                set rate-duration {duration}
                set rate-mode {periodical | continuous}
                set rate-track {field}
            next
        end
    next
end

IPS profile option in VS

config load-balance virtual-server
    edit <vs-name>
        set type l4-load-balance
        set ips-profile {name}
    next
end

get security ips info rule

FortiADC-VM (root) # get security ips info rule
rule-name: "MS.SMB.Client.Memory.Allocation.Code.Execution"
rule-id: 20900
rev: 2.855
date: 1398326400
action: block
status: enable
log: disable
severity: 4.critical
service: TCP, NBSS
location: client
os: Windows
application: Other
rate-count: 0
rate-duration: 0
rate-track: none
rate-mode: continuous
vuln_type: Resource Management Errors
cve: 20100269

rule-name: "MS.Windows.MPEG.Layer3.Audio.Decoder.Stack.Overflow"
rule-id: 20903
rev: 3.095
date: 1398240000
action: block
status: enable
log: disable
severity: 4.critical
service: TCP, HTTP, FTP, SMTP, POP3, IMAP, NNTP
location: server, client
os: Windows
application: MediaPlayer
rate-count: 0
rate-duration: 0
rate-track: none
rate-mode: continuous
vuln_type: Buffer Errors
cve: 20100480
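The rule listing above is the raw material for deciding which signatures a profile entry should carry. The following script is an added example, not Fortinet code: it parses the `get security ips info rule` output into records, selects rules the way an IPS filter does (every specified attribute must match, a list-valued field such as location matches if it contains the wanted value), flags rules that block without logging, and renders the selected rule IDs as one entry in the `config security ips profile` syntax shown in the CLI section. The sample output is constructed from the two records on this page; the entry name, the numeric entry id and the use of numeric rule IDs in `set rule` are this example's assumptions.

```python
# Parse `get security ips info rule` output, select rules by attribute, and
# render the selection as a `config security ips profile` entry.
# Added example; SAMPLE_OUTPUT is constructed from the two records on the page.
SAMPLE_OUTPUT = """\
FortiADC-VM (root) # get security ips info rule
rule-name: "MS.SMB.Client.Memory.Allocation.Code.Execution"
rule-id: 20900
rev: 2.855
date: 1398326400
action: block
status: enable
log: disable
severity: 4.critical
service: TCP, NBSS
location: client
os: Windows
application: Other
rate-count: 0
rate-duration: 0
rate-track: none
rate-mode: continuous
vuln_type: Resource Management Errors
cve: 20100269

rule-name: "MS.Windows.MPEG.Layer3.Audio.Decoder.Stack.Overflow"
rule-id: 20903
rev: 3.095
date: 1398240000
action: block
status: enable
log: disable
severity: 4.critical
service: TCP, HTTP, FTP, SMTP, POP3, IMAP, NNTP
location: server, client
os: Windows
application: MediaPlayer
rate-count: 0
rate-duration: 0
rate-track: none
rate-mode: continuous
vuln_type: Buffer Errors
cve: 20100480
"""

LIST_FIELDS = {"service", "location"}          # comma-separated in the output
INT_FIELDS = {"rule-id", "rate-count", "rate-duration"}


def parse_rules(text):
    """One dict per rule. A blank line ends a record; lines without ':' (the prompt) are skipped."""
    rules, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            if current:
                rules.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip(), value.strip()
        if key == "rule-name":
            value = value.strip('"')
        elif key in LIST_FIELDS:
            value = [v.strip() for v in value.split(",")]
        elif key in INT_FIELDS:
            value = int(value)
        elif key == "severity":
            value = value.split(".", 1)[-1]   # "4.critical" -> "critical"
        current[key] = value
    if current:
        rules.append(current)
    return rules


def select_rules(rules, **criteria):
    """Filter semantics: a rule matches only if every given attribute matches.
    Keyword names are output field names with '-' written as '_' (severity, os, application, location)."""
    matches = []
    for rule in rules:
        ok = True
        for key, wanted in criteria.items():
            have = rule.get(key.replace("_", "-"))
            ok = wanted in have if isinstance(have, list) else have == wanted
            if not ok:
                break
        if ok:
            matches.append(rule)
    return matches


def unlogged_blocks(rules):
    """Names of rules that block but do not log: a blocked probe the SOC never sees."""
    return [r["rule-name"] for r in rules if r.get("action") == "block" and r.get("log") == "disable"]


def render_profile_entry(profile, entry_id, rule_ids, action="block", log="enable"):
    """Render one entry in the page's `config security ips profile` syntax (profile name
    and entry id are assumed placeholders; keep the name free of spaces to avoid quoting)."""
    ids = " ".join(str(i) for i in rule_ids)
    body = [f"set rule {ids}", "set status enable", f"set log {log}", f"set action {action}"]
    lines = ["config security ips profile", f"    edit {profile}",
             "        config entries", f"            edit {entry_id}"]
    lines += [f"                {b}" for b in body]
    lines += ["            next", "        end", "    next", "end"]
    return "\n".join(lines)
```

Run it against a saved copy of the `get` output instead of SAMPLE_OUTPUT to build an entry from, for example, every critical server-side rule, and review `unlogged_blocks` before applying the profile: with `log` left at disable, a Block verdict leaves no trace in the logs.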

Quickly creating a new L4 VS with IPS

  1. Create a new L4 VS.
  2. Go to Server Load Balance and click Virtual Server.
  3. Click Create New > Advanced Mode.
  4. Create an L4 VS named, for example, Test VS.
  5. Create a new IPS Profile.
  6. Go to Network Security and click Intrusion Prevention.
  7. Click Create New to create a customized IPS Profile named, for example, Test IPS.
  8. Select the necessary IPS Signatures, Filters and Rate Based Signatures.
  9. Click Apply.
  10. Enable the IPS Profile for the L4 VS.

    Note

    IPS does not support NAT46.

  11. Go back to the L4 VS (Test VS).
  12. Click the pencil icon and click Security.
  13. Select the IPS profile you created from the drop-down list.
