Deployment
1. GUI
Quick-Enabling IPS
Refer to the Predefined Profiles section in the Introduction, and to Predefined IPS Profile below.
General configuration steps
For best results, follow the procedures below in the order given. If you perform additional actions between procedures, the resulting configuration may differ from what is described here.
- Create an IPS Profile.
- Add signatures and/or filters. These can be:
  - Pattern based
  - Rate based
- In the L4 VS Security option, select IPS and choose the IPS Profile from the list.
All network traffic passing through an L4 VS whose Security option is set to IPS is processed according to the deployed IPS Profile, that is, the signatures and filters you specified in that profile.
Creating an IPS Profile
You must create an IPS Profile before specific signatures or filters can be chosen. Signatures can be added to a new profile before it is saved; however, keep in mind that the profile and the filters it contains are separate objects and are created separately. (See Predefined IPS Profile below for profiles that already come with entries.)
To create a new IPS Profile
- Go to Security Profiles > Intrusion Prevention.
- Select the Create New icon at the top of the Edit IPS Profile window.
- Enter the name of the new IPS Profile.
- Optionally, enter a comment. The comment will appear in the IPS Profile list.
- Select OK.
A newly created Profile is empty and contains no filters or signatures. You need to add one or more filters or signatures before the Profile will be of any use.
Adding IPS signatures to a Profile
- Go to Security > Intrusion Prevention.
- Select the IPS Profile to which you want to add the signature and click the pencil icon.
- Under IPS Signatures, select Add Signature.
- Select one or more signatures from the list and click Apply to add them to the Profile.
- Once a signature has been added under IPS Signatures, its Action drop-down list, on the right side of the signature, can be changed between Default, Pass and Block.
- Click Apply at the bottom of the IPS Profile page.
Adding an IPS filter to a Profile
While individual signatures can be added to a Profile, a filter allows you to add multiple signatures to a Profile by specifying the characteristics of the signatures to be added.
To add a pattern-based filter
- Go to Security Profiles > Intrusion Prevention.
- Select the IPS Profile to which you want to add the signature and click the pencil icon.
- Under IPS Filters, select Add Filter.
- Configure the filter that you require. Only signatures matching all of the characteristics you specify in the filter are included in the filter. Once finished, select Apply.
  - Application refers to the application affected by the attack; the filter options include over 25 applications.
  - OS refers to the operating system affected by the attack. The options include BSD, Linux, MacOS, Other, Solaris, and Windows.
  - Protocol refers to the protocol that is the vector for the attack; the filter options include over 35 protocols, including "other".
  - Severity refers to the level of threat posed by the attack. The options include Critical, High, Medium, Low, and Info.
  - Target refers to the type of device targeted by the attack. The options include client and server.
- Set the Action for the filter:
  - Pass: allow traffic matching the signatures in the filter to continue to its destination.
  - Block: drop traffic matching any signature included in the filter.
  - Default: use the default action of each signature. Note: to see what the default action of a signature is, go to the IPS Signatures page, enable the Action column, and find the row with the signature name.
- Once the filter has been added under IPS Filters, its Action drop-down list, on the right side of the filter, can be changed between Default, Pass and Block.
- Click Apply at the bottom of the IPS Profile page.
Adding rate based signatures
These are a subset of the signatures in the database. This group covers vulnerabilities that are normally only a serious threat when the targeted connections arrive in volume, such as DoS attacks; rather than firing on a single match, a rate based signature is governed by the rate-count, rate-duration, rate-mode and rate-track settings listed in the CLI section.
Adding a rate based signature is straightforward: select the Enable button in the Rate Based Signature table that corresponds to the desired signature.
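To make the rate-based parameters concrete, here is an added Python example (not FortiADC's engine) that applies a sliding-window count, keyed by whatever the rate-track field selects (a source address in this sample), to a constructed event stream. It assumes that an entry fires when rate-count matching events from the same tracked key fall within any rate-duration-second window, and that rate-count 0 (as in the signatures listed in the CLI section) means no rate condition; rate-mode is not modelled because the page does not define periodical and continuous. The source addresses and timestamps are constructed.

```python
"""Sliding-window rate check illustrating rate-count / rate-duration / rate-track.
Added example, not FortiADC's engine. Assumed semantics: an entry fires when
rate-count matching events from one tracked key fall within rate-duration seconds;
rate-count 0 means no rate condition (every match fires)."""
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable, List, Tuple

Event = Tuple[float, str]  # (seconds, tracked key, e.g. a source address)

# Constructed event stream: one source bursts six matches in two seconds,
# another sends three matches spread over thirty seconds.
SAMPLE_EVENTS: List[Event] = (
    [(t, "10.0.0.5") for t in (0.0, 0.4, 0.8, 1.2, 1.6, 2.0)]
    + [(t, "10.0.0.9") for t in (1.0, 15.0, 29.0)]
)


def rate_based_hits(events: Iterable[Event], rate_count: int, rate_duration: float) -> List[Event]:
    """Events at which the rate condition is met, in time order.

    One window per tracked key, so one noisy source cannot push another
    source over the threshold; with rate_count <= 0 every event is returned.
    """
    windows: Dict[str, Deque[float]] = defaultdict(deque)
    hits: List[Event] = []
    for ts, key in sorted(events):
        if rate_count <= 0:
            hits.append((ts, key))
            continue
        window = windows[key]
        window.append(ts)
        while ts - window[0] > rate_duration:  # drop matches outside the window
            window.popleft()
        if len(window) >= rate_count:
            hits.append((ts, key))
    return hits


def offending_keys(events: Iterable[Event], rate_count: int, rate_duration: float) -> List[str]:
    """Distinct tracked keys that met the rate condition (what a Block action would act on)."""
    return sorted({key for _, key in rate_based_hits(events, rate_count, rate_duration)})
```

Tightening rate-duration or raising rate-count moves the burst source in and out of the offending set while the slow source stays clear, which is the trade-off you make when tuning a rate based entry: too loose and a slow scan never fires, too tight and legitimate bursts are blocked.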
Predefined IPS Profile
FortiADC has 8 predefined IPS Profiles so that users can enable IPS quickly. Each predefined profile is built from signature attributes rather than from individually selected signatures. For users who want broad protection but are not yet ready to create a customized profile, the predefined IPS Profiles are recommended. They are updated routinely as part of the periodic database update from the FortiGuard Service. These Profiles can be selected directly from Security -> IPS in the L4 VS options, which is why they can be considered a quick way of enabling IPS.
Enabling IPS
Currently, IPS scanning only supports L4 VS traffic.
- The IPS Profile contains filters, signature entries, or both. These specify which signatures are included in the IPS Profile.
When an IPS Profile is selected in a security option, all network traffic matching the policy is checked against the signatures in the IPS Profile.
Configuring Engine Count
Because platforms differ in performance and workloads vary, the IPS Engine-Count on FortiADC is configurable. A higher Engine-Count improves IPS performance, but each additional engine consumes more CPU and memory.
The default value of Engine-Count is 1.
Example: 4 engines for a 4-core device.
CLI Syntax
config global
config system ips
set engine-count {1-256}
next
end
2. CLI
Config IPS Profile
config security ips profile
  edit <profile>
    set comment {comment}
    config entries
      edit {id}
        set rule {id1 id2 …}
        set status {disable | enable | default}
        set log {disable | enable}
        set action {pass | block | default}
        set location {loc1 loc2…}
        set severity {sev1 sev2…}
        set protocol {proto1 proto2…}
        set application {app1 app2…}
        set os {os1 os2…}
        set rate-count {count}
        set rate-duration {duration}
        set rate-mode {periodical | continuous}
        set rate-track {field}
      next
    end
  next
end
IPS profile option in VS
config load-balance virtual-server
  edit <vs-name>
    set type l4-load-balance
    set ips-profile {name}
  next
end
get security ips info rule
FortiADC-VM (root) # get security ips info rule
rule-name: "MS.SMB.Client.Memory.Allocation.Code.Execution"
rule-id: 20900
rev: 2.855
date: 1398326400
action: block
status: enable
log: disable
severity: 4.critical
service: TCP, NBSS
location: client
os: Windows
application: Other
rate-count: 0
rate-duration: 0
rate-track: none
rate-mode: continuous
vuln_type: Resource Management Errors
cve: 20100269
rule-name: "MS.Windows.MPEG.Layer3.Audio.Decoder.Stack.Overflow"
rule-id: 20903
rev: 3.095
date: 1398240000
action: block
status: enable
log: disable
severity: 4.critical
service: TCP, HTTP, FTP, SMTP, POP3, IMAP, NNTP
location: server, client
os: Windows
application: MediaPlayer
rate-count: 0
rate-duration: 0
rate-track: none
rate-mode: continuous
vuln_type: Buffer Errors
cve: 20100480
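As an added worked example (not FortiADC code), the following Python script parses the `get security ips info rule` output shown above and applies the filter semantics described under Adding an IPS filter to a Profile: a signature is selected only when it matches every characteristic the filter specifies, and a characteristic that lists several values matches when the signature carries any of them. The sample input is the two records above, verbatim; the mapping of the GUI names Protocol and Target onto the output fields service and location is an inference from the listing, and the generated `set rule` entry follows the CLI syntax above.

```python
"""Select IPS rule IDs from `get security ips info rule` output with filter criteria.
Added example, not FortiADC code. Assumed semantics: all filter characteristics
must match (AND); a characteristic listing several values matches any of them (OR)."""
from typing import Dict, Iterable, List

# Sample input: the two records shown on the page, verbatim.
SAMPLE_OUTPUT = """\
rule-name: "MS.SMB.Client.Memory.Allocation.Code.Execution"
rule-id: 20900
rev: 2.855
date: 1398326400
action: block
status: enable
log: disable
severity: 4.critical
service: TCP, NBSS
location: client
os: Windows
application: Other
rate-count: 0
rate-duration: 0
rate-track: none
rate-mode: continuous
vuln_type: Resource Management Errors
cve: 20100269
rule-name: "MS.Windows.MPEG.Layer3.Audio.Decoder.Stack.Overflow"
rule-id: 20903
rev: 3.095
date: 1398240000
action: block
status: enable
log: disable
severity: 4.critical
service: TCP, HTTP, FTP, SMTP, POP3, IMAP, NNTP
location: server, client
os: Windows
application: MediaPlayer
rate-count: 0
rate-duration: 0
rate-track: none
rate-mode: continuous
vuln_type: Buffer Errors
cve: 20100480
"""

MULTI_VALUED = {"service", "location"}  # comma-separated lists in the output
# GUI characteristic -> output field; Protocol->service and Target->location are inferred.
FIELD_FOR = {"application": "application", "os": "os", "protocol": "service",
             "severity": "severity", "target": "location"}


def parse_rules(text: str) -> List[Dict[str, object]]:
    """One dict per rule; a record starts at each rule-name line."""
    rules: List[Dict[str, object]] = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        key, sep, value = raw.partition(":")
        if not sep:
            raise ValueError("unparsable line: %r" % raw)
        key, value = key.strip(), value.strip()
        if key == "rule-name":
            rules.append({key: value.strip('"')})
        elif not rules:
            raise ValueError("field before first rule-name: %r" % raw)
        elif key in MULTI_VALUED:
            rules[-1][key] = [v.strip() for v in value.split(",")]
        elif key == "severity":
            rules[-1][key] = value.split(".", 1)[-1].lower()  # "4.critical" -> "critical"
        elif key == "rule-id":
            rules[-1][key] = int(value)
        else:
            rules[-1][key] = value
    return rules


def matches(rule: Dict[str, object], filt: Dict[str, Iterable[str]]) -> bool:
    """True when the rule satisfies every characteristic in the filter."""
    for characteristic, wanted in filt.items():
        have = rule.get(FIELD_FOR[characteristic], [])
        have = have if isinstance(have, list) else [have]
        if not {str(h).lower() for h in have} & {w.lower() for w in wanted}:
            return False
    return True


def select_rule_ids(text: str, filt: Dict[str, Iterable[str]]) -> List[int]:
    """Ascending rule-ids of every rule in the listing that matches the filter."""
    return sorted(int(r["rule-id"]) for r in parse_rules(text) if matches(r, filt))


def cli_entry(entry_id: int, rule_ids: List[int], action: str = "block") -> str:
    """Render one `config entries` item in the CLI syntax from the CLI section."""
    if action not in ("pass", "block", "default"):
        raise ValueError("action must be pass, block or default")
    return "\n".join(["config entries", "  edit %d" % entry_id,
                      "    set rule %s" % " ".join(map(str, rule_ids)),
                      "    set action %s" % action, "  next", "end"])
```

Running `select_rule_ids(SAMPLE_OUTPUT, {"os": ["Windows"], "severity": ["Critical"], "target": ["client"]})` returns both rule-ids because the second rule lists both server and client as its location, while a Protocol filter of HTTP returns only 20903; pasting the result of `cli_entry` into the profile gives an explicit signature entry equivalent to the filter at the time the listing was taken, which is the difference between a filter (re-evaluated as the FortiGuard database updates) and a fixed signature list.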
Quick Creating a new L4 VS with IPS
- Create a new L4 VS.
  - Go to Server Load Balance and click Virtual Server.
  - Click Create New > Advanced Mode.
  - Create an L4 VS named, for example, Test VS.
- Create a new IPS Profile.
  - Go to Network Security and click Intrusion Prevention.
  - Click Create New to create a customized IPS Profile named, for example, Test IPS.
  - Select the necessary IPS Signatures, filters, and Rate Based Signatures.
  - Click Apply.
- Enable the IPS Profile for the L4 VS.
  - Go back to the L4 VS, Test VS.
  - Click the pencil icon and click Security.
  - Select the created IPS Profile from the drop-down list.
Note: IPS does not support NAT46.