Examples
Configuring basic Intrusion Prevention
Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable IPS on a FortiGate unit located in a satellite office. The satellite office contains only Windows clients.
Creating an IPS sensor
Most IPS settings are configured in an IPS sensor. IPS sensors are selected in firewall policies. This way, you can create multiple IPS sensors, and tailor them to the traffic controlled by the security policy in which they are selected. In this example, you will create one IPS sensor.
To create an IPS sensor — GUI
- Go to Security Profiles > Intrusion Prevention.
- Select the Create New icon in the top of the Edit IPS Sensor window.
- In the Name field, enter basic_ips.
- In the Comments field, enter IPS for Windows clients.
- Select OK.
- Select the Create New drop-down to add a new component to the sensor and for the Sensor Type choose Filter Based.
- In the Filter Options choose the following:
  - For Severity: select all of the options.
  - For Target: select Client only.
  - For OS: select Windows only.
- For the Action leave as the default.
- Select OK to save the filter.
- Select OK to save the IPS sensor.
To create an IPS sensor — CLI
config ips sensor
    edit basic_ips
        set comment "IPS for Windows clients"
        config entries
            edit 1
                set location client
                set os windows
            next
        end
    next
end
Selecting the IPS sensor in a security policy
An IPS sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an IPS sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.
To select the IPS sensor in a security policy — GUI
- Go to Policy & Objects > IPv4 Policy.
- Select a policy.
- Select the Edit icon.
- Enable the IPS option under Security Profiles.
- Select the preferred IPS sensor from the dropdown menu.
- Select OK to save the security policy.
To select the IPS sensor in a security policy — CLI
config firewall policy
    edit 1
        set utm-status enable
        set ips-sensor basic_ips
end
The IPS sensor in this example is basic_ips. All traffic handled by the security policy you modified will be scanned for attacks against Windows clients. A small office may have only one security policy configured. If you have multiple policies, consider enabling IPS scanning for all of them.
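Because a sensor scans traffic only for the policies that select it, a configuration backup can be checked for policies that were missed. The following is an added example, not Fortinet code: a small Python parser for the config/edit/set/next/end syntax that reports firewall policies with no IPS sensor or with a sensor name that is not defined. The sample configuration and the names parse_config and audit_ips are constructed for illustration.

```python
import shlex
# Constructed sample in FortiOS CLI syntax; not taken from a real device.
SAMPLE = '''
config ips sensor
    edit "basic_ips"
        config entries
            edit 1
                set os windows
            next
        end
    next
end
config firewall policy
    edit 1
        set utm-status enable
        set ips-sensor "basic_ips"
    next
    edit 2
        set utm-status enable
    next
    edit 3
        set ips-sensor "web_server"
end
'''

def parse_config(text):
    """Parse config/edit/set/next/end nesting into nested dicts."""
    stack = [("root", {})]
    for line in text.splitlines():
        verb, *args = shlex.split(line, comments=True) or [""]
        if verb in ("config", "edit"):
            stack.append((verb, stack[-1][1].setdefault(" ".join(args), {})))
        elif verb == "set":
            stack[-1][1][args[0]] = " ".join(args[1:])
        elif verb in ("next", "end"):
            if verb == "end" and stack[-1][0] == "edit":
                stack.pop()  # "end" typed inside an edit also closes the entry
            stack.pop()
    return stack[0][1]

def audit_ips(cfg):
    """Return {policy id: reason} for policies no defined IPS sensor covers."""
    sensors = cfg.get("ips sensor", {})
    findings = {}
    for pid, pol in cfg.get("firewall policy", {}).items():
        sensor = pol.get("ips-sensor")
        if sensor not in sensors:  # None (unset) is never a sensor name
            findings[pid] = ("no ips-sensor selected" if sensor is None
                             else "undefined ips-sensor: " + sensor)
    return findings
```

Calling audit_ips(parse_config(SAMPLE)) flags policy 2 (no sensor selected) and policy 3 (sensor name not defined in the configuration).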
Using IPS to protect your web server
Many companies have web servers and they must be protected from attack. Since web servers must be accessible, protection is not as simple as blocking access. IPS is one tool your FortiGate unit has to allow you to protect your network.
In this example, we will configure IPS to protect a web server. As shown below, a FortiGate unit protects a web server and an internal network. The internal network will have its own policies and configuration but we will concentrate on the web server in this example.
A simple network configuration
The FortiGate unit is configured with:
- a virtual IP to give the web server a unique address accessible from the Internet.
- a security policy to allow access to the web server from the Internet using the virtual IP.
To protect the web server using intrusion prevention, you need to create an IPS sensor, populate it with filters, then enable IPS scanning in the security policy.
To create an IPS sensor
- Go to Security Profiles > Intrusion Prevention.
- Select Create New.
- Enter web_server as the name of the new IPS sensor.
- Select OK.
The new IPS sensor is created but it has no filters, and therefore no signatures are included.
The web server operating system is Linux, so you need to create a filter for all Linux server signatures.
To create the Linux server filter
- Go to Security Profiles > Intrusion Prevention.
- Select the web_server IPS sensor and select the Edit icon.
- In the Pattern Based Signatures and Filters section, select Create New.
- For Sensor Type, select Filter Based.
- In the Filter Options choose the following:
  - For Severity: select all of the options.
  - For Target: select Server only.
  - For OS: select Linux only.
- Select OK.
The filter is saved and the IPS sensor page reappears. In the filter list, find the Linux Server filter and look at the value in the Count column. This shows how many signatures match the current filter settings. You can select the View Rules icon to see a listing of the included signatures.
To edit the security policy
- Go to Policy & Objects > IPv4 Policy, select the security policy that allows access to the web server, and select the Edit icon.
- Enable the IPS option and choose the web_server IPS sensor from the list.
- Select OK.
Since IPS is enabled and the web_server IPS sensor is specified in the security policy controlling the web server traffic, the IPS sensor examines the web server traffic for matches to the signatures it contains.
Create and test a packet logging IPS sensor
In this example, you create a new IPS sensor and include a filter that detects the EICAR test file and saves a packet log when it is found. This is an ideal first experience with packet logging because the EICAR test file can cause no harm, and it is freely available for testing purposes.
Create an IPS sensor
- Go to Security Profiles > Intrusion Prevention.
- Select Create New.
- Name the new IPS sensor EICAR_test.
- Select OK.
Create an entry
- Select Create New.
- For Sensor Type choose Specify Signatures.
- Rather than search through the signature list, use the name filter by selecting the search icon over the header of the Signature column.
- Enter EICAR in the Search field.
- Highlight the Eicar.Virus.Test.File signature by clicking on it.
- Select Block as the Action for the EICAR_test sensor in the IPS Signatures table.
- Enable Packet Logging.
- Select OK to save the IPS sensor.
Add the IPS sensor to the security policy allowing Internet access
- Go to Policy & Objects > IPv4 Policy.
- Select the security policy that allows you to access the Internet.
- Select the Edit icon.
- Go to Security Profiles, enable IPS, and choose EICAR_test from the available IPS sensors.
- Enable Log Allowed Traffic and select All Sessions.
- Select OK.
With the IPS sensor configured and selected in the security policy, the FortiGate unit blocks any attempt to download the EICAR test file.
Test the IPS sensor
- Using your web browser, go to http://www.eicar.org/anti_virus_test_file.htm.
- Scroll to the bottom of the page and select eicar.com from the row labeled as using the standard HTTP protocol.
- The browser attempts to download the requested file, with one of the following results:
  - If the file is successfully downloaded, the custom signature configuration failed at some point. Check the custom signature, the IPS sensor, and the firewall profile.
  - If the download is blocked with a high security alert message explaining that you’re not permitted to download the file, the EICAR test file was blocked by the FortiGate unit antivirus scanner before the IPS sensor could examine it. Disable antivirus scanning and try to download the EICAR test file again.
  - If no file is downloaded and the browser eventually times out, the custom signature successfully detected the EICAR test file and blocked the download.
Viewing the packet log
- Go to Log & Report > Forward Traffic.
- Locate the log entry that recorded the blocking of the EICAR test file. The Message field data will be tools: EICAR.AV.Test.File.Download.
- Select the View Packet Log icon in the Packet Log column.
- The packet log viewer is displayed.
Configuring a Fortinet Security Processing module
The Example Corporation has a web site that is the target of SYN floods. While they investigate the source of the attacks, it’s very important that the web site remain accessible. To enhance the ability of the company’s FortiGate-100D to deal with SYN floods, the administrator will install an ASM-CE4 Fortinet Security Processing module and have all external access to the web server come through it.
The security processing modules not only accelerate and offload network traffic from the FortiGate unit’s processor, but they also accelerate and offload security and content scanning. The ability of the security module to accelerate IPS scanning and DoS protection greatly enhances the defense capabilities of the FortiGate-100D.
Assumptions
As shown in other examples and network diagrams throughout this document, the Example Corporation has a pair of FortiGate-100D units in an HA cluster. To simplify this example, the cluster is replaced with a single FortiGate-100D.
An ASM-CE4 is installed in the FortiGate-100D.
The network is configured as shown below.
Network configuration
The Example Corporation network needs minimal changes to incorporate the ASM-CE4. Interface amc-sw1/1 of the ASM-CE4 is connected to the Internet and interface amc-sw1/1 is connected to the web server.
Since the main office network is connected to port2 and the Internet is connected to port1, a switch is installed to allow both port1 and amc-sw1/1 to be connected to the Internet.
The FortiGate-100D network configuration
The switch used to connect port1 and amc-sw1/1 to the Internet must be able to handle any SYN flood, all of the legitimate traffic to the web site, and all of the traffic to and from the Example Corporation internal network. If the switch cannot handle the bandwidth, or if the connection to the service provider cannot provide the required bandwidth, traffic will be lost.
Security module configuration
The Fortinet security modules come configured to give equal priority to content inspection and firewall processing. The Example Corporation is using an ASM-CE4 module to defend its web server against SYN flood attacks, so firewall processing is a secondary consideration.
Use these CLI commands to configure the security module in ASM slot 1 to devote more resources to content processing, including DoS and IPS, than to firewall processing.
config system amc-slot
    edit sw1
        set optimization-mode fw-ips
        set ips-weight balanced
        set ips-p2p disable
        set ips-fail-open enable
        set fp-disable none
        set ipsec-inb-optimization enable
        set syn-proxy-client-timer 3
        set syn-proxy-server-timer 3
end
These settings do not disable firewall processing. Rather, when the security module nears its processing capacity, it will choose to service content inspection over firewall processing.