
Administration Guide

Matching multiple parameters on application control signatures


Application control signatures that support parameters (such as SCADA protocols) can have multiple parameters grouped together and matched at the same time. Multiple application parameter groups can be added to an override. Traffic will be flagged if it matches at least one parameter group.

This example uses the Modbus_Func05.Write.Single.Coil.Validation signature. This is an industrial signature, so ensure that no signatures are excluded:

config ips global
    set exclude-signatures none
end

To configure an application sensor with multiple parameters in the GUI:
  1. Go to Security Profiles > Application Control and click Create New, or edit an existing sensor.

  2. In the Application and Filter Overrides table, click Create New.

  3. Search for Modbus_Func05.Write.Single.Coil.Validation and press Enter. A gear icon beside the signature name indicates it has configurable application parameters.

  4. In the search results, select Modbus_Func05.Write.Single.Coil.Validation and click Add Selected.

  5. Click the Selected tab. In the Application Parameters section, click Create New.

  6. Edit the parameter values as needed.

  7. Click OK.

  8. Add more signatures if needed.

  9. Click OK.

To configure an application sensor with multiple parameters in the CLI:

config application list
    edit "test"
        set other-application-log enable
        config entries
            edit 1
                set application 48885
                config parameters
                    edit 1
                        config members
                            edit 1
                                set name "UnitID"
                                set value "0:255"
                            next
                            edit 2
                                set name "Address"
                                set value "0:65535"
                            next
                            edit 3
                                set name "Value"
                                set value "0,65280"
                            next
                        end
                    next
                end
            next
            edit 2
                set category 2 6
            next
        end
    next 
end
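
To preview which Modbus/TCP Write Single Coil requests a set of parameter groups would match before deploying a sensor, the following added example (not Fortinet code) evaluates requests against groups: every member in a group must match, and any one matching group is enough. It assumes that "lo:hi" in a value is an inclusive range and that commas separate alternatives, which this page does not state; the second group and the sample requests are constructed.

```python
import struct

def parse_write_single_coil(data: bytes):
    """Parse a Modbus/TCP request; return its fields for function 0x05, else None."""
    if len(data) < 12:
        return None
    # MBAP header (transaction id, protocol id, length, unit id) + function, address, value
    _tid, proto, _length, unit, func, addr, value = struct.unpack(">HHHBBHH", data[:12])
    if proto != 0 or func != 0x05:
        return None
    return {"UnitID": unit, "Address": addr, "Value": value}

def spec_matches(spec: str, n: int) -> bool:
    """Assumed syntax: comma-separated items, each a number or an inclusive lo:hi range."""
    for item in spec.split(","):
        lo, _, hi = item.strip().partition(":")
        if int(lo) <= n <= int(hi or lo):
            return True
    return False

def flagged(groups, fields) -> bool:
    """OR across parameter groups, AND across the members inside one group."""
    if fields is None:
        return False
    return any(all(spec_matches(spec, fields[name]) for name, spec in group.items())
               for group in groups)

# PAGE_GROUP mirrors the members in the CLI example above; NARROW_GROUP is constructed.
PAGE_GROUP = {"UnitID": "0:255", "Address": "0:65535", "Value": "0,65280"}
NARROW_GROUP = {"UnitID": "1", "Address": "100:199", "Value": "65280"}

def build_request(unit, addr, value, func=0x05):
    """Build a constructed Modbus/TCP request for testing (not captured traffic)."""
    return struct.pack(">HHHBBHH", 1, 0, 6, unit, func, addr, value)

if __name__ == "__main__":
    for unit, addr, value in [(1, 150, 0xFF00), (1, 150, 0x0000), (7, 10, 0x1234)]:
        fields = parse_write_single_coil(build_request(unit, addr, value))
        print(fields, "narrow:", flagged([NARROW_GROUP], fields),
              "page:", flagged([PAGE_GROUP], fields))
```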
