IPS configuration options
Besides configuring an IPS filter or selecting IPS signatures for an IPS sensor, you can configure additional IPS options for each sensor or globally for all sensors. This topic introduces the following available configuration options:
- Malicious URL database for drive-by exploits detection
- IPS signature rate count threshold
- Botnet C&C
- Hardware acceleration for flow-based security profiles (NTurbo and IPSA)
- Extended IPS database
- IPS engine-count
- Industrial signature database
- Fail-open
- IPS buffer size
- Session count accuracy
- Protocol decoders
To configure IPS sensors, signatures, and filters in the GUI, see Configuring an IPS sensor.
Malicious URL database for drive-by exploits detection
This feature uses a local malicious URL database on the FortiGate to assist in the detection of drive-by exploits, such as adware that automatically downloads a malicious file when a page loads, without the user's knowledge. The database contains all malicious URLs active in the last month, and all drive-by exploit URLs active in the last three months. The number of URLs in the database is in the one million range.
This feature can be enabled from an IPS sensor in the GUI by going to Security Profiles > Intrusion Prevention and editing or creating an IPS Sensor, then enabling Block malicious URLs. See Configuring an IPS sensor.
To enable the blocking of malicious URLs in the CLI:
config ips sensor
    edit <profile>
        set block-malicious-url {enable | disable}
    next
end
Blocking malicious URLs is not supported on some FortiGate models, such as FortiGate 51E, 50E, or 30E.
IPS signature rate count threshold
You can use the IPS signature rate-based settings to specify a rate count threshold that must be met before the signature is triggered. A rate count threshold provides a more controlled recording of attack activity. For example, if multiple login attempts produce a failed result over a short period of time, then an alert would be sent and traffic might be blocked, which is a more manageable response than sending an alert every time a login fails.
This can be configured from the GUI by going to Security Profiles > Intrusion Prevention. Create or edit an IPS sensor. Within the sensor, edit the IPS signatures and filters. Only IPS signatures have the rate-based settings option. IPS filters do not. See Configuring an IPS sensor.
Some settings are only available in the CLI.
To configure the IPS signature rate-based settings in the CLI:
config ips sensor
    edit <sensor>
        config entries
            edit <filter ID number>
                set rule <ids>
                set rate-count <integer>
                set rate-duration <integer>
                set rate-mode {continuous | periodical}
                set rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
            next
        end
    next
end
rule <ids>
    The predefined or custom IPS signatures to add to the sensor.
rate-count <integer>
    The count of the rate (0 - 65535, default = 0). The rate-count must be configured before the other rate settings can be set.
rate-duration <integer>
    Duration of the rate, in seconds (0 - 65535, default = 60).
rate-mode {continuous | periodical}
    How the count threshold is met.
rate-track {none | src-ip | dest-ip | dhcp-client-mac | dns-domain}
    Track one of the protocol fields within the packet (default = none).
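The following Python model, added here as an illustration and not part of the FortiOS documentation or the IPS engine's code, replays constructed signature matches through a sliding window to show how rate-count, rate-duration and rate-track interact: the same stream of failed logins triggers once for the offending source when tracked by src-ip, but blames an unrelated host when tracked with none. rate-mode and the dhcp-client-mac/dns-domain tracking fields are not modelled, and the counter reset after a trigger is an assumption.

```python
from collections import defaultdict, deque

# Constructed sample signature matches (not from the page): (seconds, src-ip, dest-ip).
# Think of each one as a single failed login seen by the signature.
EVENTS = [
    (0, "10.0.0.5", "192.0.2.10"),
    (5, "10.0.0.5", "192.0.2.10"),
    (7, "10.0.0.9", "192.0.2.10"),
    (12, "10.0.0.5", "192.0.2.10"),
    (30, "10.0.0.5", "192.0.2.10"),
    (100, "10.0.0.5", "192.0.2.10"),
    (101, "10.0.0.5", "192.0.2.10"),
]


class RateBasedSignature:
    """Sliding-window model of rate-count, rate-duration and rate-track."""

    def __init__(self, rate_count=0, rate_duration=60, rate_track="none"):
        self.rate_count = rate_count        # 0 = rate-based detection off
        self.rate_duration = rate_duration  # window length in seconds
        self.rate_track = rate_track        # none | src-ip | dest-ip
        self.windows = defaultdict(deque)   # match timestamps per tracked key

    def _key(self, src_ip, dst_ip):
        if self.rate_track == "src-ip":
            return src_ip
        if self.rate_track == "dest-ip":
            return dst_ip
        return None  # "none": every match counts toward one shared window

    def observe(self, ts, src_ip, dst_ip):
        """Return True when this match should trigger the signature action."""
        if self.rate_count == 0:
            return True  # assumption: with no threshold, every match fires
        win = self.windows[self._key(src_ip, dst_ip)]
        while win and ts - win[0] > self.rate_duration:
            win.popleft()  # drop matches older than rate-duration
        win.append(ts)
        if len(win) >= self.rate_count:
            win.clear()  # assumption: counter resets once the action fires
            return True
        return False


def triggers(events, **settings):
    """Replay events through one signature; return (time, src-ip) of each trigger."""
    sig = RateBasedSignature(**settings)
    return [(ts, src) for ts, src, dst in events if sig.observe(ts, src, dst)]
```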
Botnet C&C
See IPS with botnet C&C IP blocking for information on configuring settings in the CLI.
Hardware acceleration for flow-based security profiles (NTurbo and IPSA)
Some FortiGate models support a feature called NTurbo that can offload flow-based firewall sessions to network processors. See also NTurbo offloads flow-based processing in the Hardware Acceleration Guide. For IPSA enhanced pattern matching, see IPSA offloads flow-based advanced pattern matching in the Hardware Acceleration Guide.
Some FortiGate models also support offloading enhanced pattern matching for flow-based security profiles to CP8 or CP9 content processors.
To configure NTurbo and IPSA:
config ips global
    set np-accel-mode {none | basic}
    set cp-accel-mode {none | basic | advanced}
end
If the np-accel-mode option is available, your FortiGate supports NTurbo. The none option disables NTurbo, and basic (the default) enables NTurbo.
If the cp-accel-mode option is available, your FortiGate supports IPSA. The none option disables IPSA, basic enables basic IPSA, and advanced enables enhanced IPSA, which can offload more types of pattern matching than basic IPSA. The advanced option is only available on FortiGate models with two or more CP8 processors, or one or more CP9 processors.
Extended IPS database
Some models have access to an extended IPS Database. Because the extended database may affect FortiGate performance, the extended database package may be disabled by default on some models, such as desktop models.
You can only enable the extended IPS database by using the CLI.
To enable the extended IPS database:
config ips global
    set database extended
end
FortiGate models with the CP9 SPU receive the IPS full extended database, and the other physical FortiGate models receive a slim version of the extended database. The slim-extended DB is a smaller version of the full extended DB that contains top active IPS signatures. It is designed for customers who prefer performance.
Customers with non-CP9 SPU models need to upgrade to a CP9 SPU model (physical FortiGate) in order to get full IPS signature coverage. All FortiGate models 200 (E and F) and higher have a CP9 SPU. See Determining the content processor in your FortiGate unit in the FortiOS Hardware Acceleration Guide to check if your device has a CP9 SPU.
FortiGate VMs with eight or more vCPUs can be configured to have a minimum of eight cores to be eligible to run the full extended database. Any FortiGate VM with less than eight cores will receive a slim version of the extended database.
IPS engine-count
FortiGate units with multiple processors can run one or more IPS engines concurrently. The engine-count CLI command allows you to specify how many IPS engines to use at the same time.
To specify the number of concurrent IPS engines running:
config ips global
    set engine-count <int>
end
The recommended and default setting is
Industrial signature database
Industrial signatures are defined to protect Industrial Control Systems (ICS), Operational Technology (OT) and SCADA systems, which are critical infrastructure used by manufacturing industries. An Industrial Security Service license is required to use this signature database. These signatures are excluded by default, but can be configured in the CLI.
Enabling the industrial signatures database may impact IPS performance, since this increases the number of signatures to scan. To optimize IPS performance, enable only the IPS signature packages that are needed.
To configure industrial signatures:
config ips global
    set exclude-signatures {none | industrial}
end
Fail-open
A fail-open scenario is triggered when the IPS raw socket buffer is full. The IPS engine then has no space in memory to create more sessions and must decide whether to drop the sessions or bypass them without inspection.
To enable fail-open mode:
config ips global
    set fail-open {enable | disable}
end
The default setting is disable, so sessions are dropped by the IPS engine when the system enters fail-open mode.
When enabled, the IPS engine fails open, and it affects all protocols inspected by FortiOS IPS protocol decoders, including but not limited to HTTP, HTTPS, FTP, SMTP, POP3, IMAP, and so on. When the IPS engine fails open, traffic continues to flow without IPS scanning.
Sessions offloaded to NTurbo do not support fail-open. When the NTurbo data path is overloaded, traffic is dropped regardless of the fail-open setting.
IPS buffer size
If the system enters fail-open mode frequently, you can increase the IPS socket buffer size to allow more data buffering, which reduces the chances of overloading the IPS engine.
To set the socket buffer size:
config ips global
    set socket-size <int>
end
The default socket size and the maximum configurable value vary by model. In short, socket-size determines how much data the kernel passes to the IPS engine each time the engine samples packets.
Take caution when modifying the default value. If the socket-size is too large, the higher memory use by the IPS engine may cause the system to enter conserve mode more frequently. If it is set too low, the system may enter IPS fail-open mode too frequently.
Session count accuracy
The IPS engine can track the number of open sessions in two ways. An accurate count uses more resources than a less accurate heuristic count.
To configure the IPS open session count mode:
config ips global
    set session-limit-mode {accurate | heuristic}
end
The default is heuristic.
Protocol decoders
The FortiGate Intrusion Prevention system uses protocol decoders to identify abnormal traffic patterns that do not meet protocol requirements and standards. For example, the HTTP decoder monitors traffic to identify any HTTP packets that do not meet the HTTP protocol standards.
To change the ports a decoder examines, you must use the CLI.
To configure protocol decoder ports:
config ips decoder dns_decoder
    config parameter "port_list"
        set value "100,200,300"
    end
end
In this example, the ports examined by the DNS decoder were changed from the default 53 to 100, 200, and 300.
You cannot assign specific ports to decoders that are set to auto by default. These decoders can detect their traffic on any port. Specifying individual ports is not necessary.