Configuring an IPS sensor
You can configure IPS sensors in the GUI and then apply them in firewall policies.
To configure an IPS sensor:
- Go to Security Profiles > Intrusion Prevention.
- Click Create New.
- Configure the following settings:
  Name: Enter a unique name for the sensor.
  Comments: Enter a comment (optional).
  Block malicious URLs: Enable to block malicious URLs based on a local malicious URL database on the FortiGate, to assist in the detection of drive-by exploits. See Malicious URL database for drive-by exploits detection.
  IPS Signatures and Filters: Select a signature or filter to assign to the sensor. See Configuring signatures and filters.
  Botnet C&C, Scan Outgoing Connections to Botnet Sites: Define the botnet scanning applied to traffic that matches the policy:
  - Disable: Do not scan connections to botnet servers.
  - Block: Block connections to botnet servers.
  - Monitor: Log connections to botnet servers.
- Click OK.
For information on configuring IPS sensors in the CLI, see IPS configuration options.
Configuring signatures and filters
Signatures and filters can be configured and added to IPS sensors. A filter is a collection of signature attributes. Any signatures that meet all of the attributes specified in a filter are automatically included in the IPS sensor. See IPS signature filter options.
To configure a Signature entry of type Filter:
- Go to Security Profiles > Intrusion Prevention.
- Click Create New.
- Configure the IPS sensor settings.
- In IPS Signatures and Filters, click Create New. The Add Signatures pane is displayed.
- Configure the settings as follows:
  Type: Select Filter.
  Action: Click the dropdown menu and select the action taken when a signature is triggered:
  - Allow: Allow traffic to continue to its destination.
  - Monitor: Allow traffic to continue to its destination and log the activity.
  - Block: Drop traffic that matches the signature.
  - Reset: Reset the session whenever the signature is triggered.
  - Default: Use the default action of the signature. Search for the signature in the IPS Signature pane to view its default Action.
  - Quarantine: Block the matching traffic, enable packet logging, and quarantine the attacker.
  Packet logging: Enable packet logging to save a copy of the packets when they match the signature, so that the packet copies can be analyzed later.
  Packet logging is not supported on all FortiGate devices. FortiAnalyzer logging or a hard disk is required to support this feature; see the Feature Platform Matrix.
  Status: Define the signature status:
  - Enable: Enable the signature.
  - Disable: Disable the signature.
  - Default: Use the default status of the signature. Search for the signature in the IPS Signature pane to view its default Status.
  Filter: Click + to open the Select Entries field and select filter entries. Entries fall into the following categories:
  - Target: The type of device targeted by the attack.
  - Severity: The level of threat posed by the attack.
  - Protocol: The protocol that is the vector for the attack.
  - OS: The operating system affected by the attack.
  - Application: The application affected by the attack.
- Select one or more signatures from the IPS Signatures pane.
- Click OK. The signature is added to the IPS sensor.
- Click OK.
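The page states that a filter is a collection of signature attributes and that every signature meeting all of them is pulled into the sensor. The following Python model, added here and not part of the FortiGate product or this documentation, makes that rule concrete: each category (Target, Severity, Protocol, OS, Application) is an OR-set of selected values, categories are ANDed, and an Action of Default falls back to each signature's own default. The signature catalogue, its attribute values and the `allow`/`block` defaults are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Signature:
    """One catalogue entry with the attribute categories a filter can select on."""
    sig_id: int
    name: str
    target: str          # device type targeted, e.g. "server" or "client"
    severity: str        # "info" | "low" | "medium" | "high" | "critical"
    protocol: str
    os: str
    application: str
    default_action: str  # the signature's own default: "allow" or "block"

# Constructed sample catalogue: names and attributes are illustrative, not real IPS signatures.
CATALOGUE = [
    Signature(1001, "Example.Web.Path.Traversal", "server", "high", "HTTP", "Linux", "Apache", "block"),
    Signature(1002, "Example.Web.Script.Injection", "client", "medium", "HTTP", "Windows", "Browser", "allow"),
    Signature(1003, "Example.DNS.Cache.Poison", "server", "critical", "DNS", "Linux", "BIND", "block"),
    Signature(1004, "Example.SSH.Brute.Force", "server", "high", "SSH", "Linux", "OpenSSH", "allow"),
]

CATEGORIES = ("target", "severity", "protocol", "os", "application")

@dataclass
class FilterEntry:
    """An IPS filter entry. Each category holds the values selected in the GUI; an empty set
    means 'any'. A signature is included only if it satisfies every category with a selection."""
    action: str = "default"   # allow | monitor | block | reset | default | quarantine
    status: str = "default"   # enable | disable | default
    target: set = field(default_factory=set)
    severity: set = field(default_factory=set)
    protocol: set = field(default_factory=set)
    os: set = field(default_factory=set)
    application: set = field(default_factory=set)

def signature_matches(sig: Signature, flt: FilterEntry) -> bool:
    """AND across categories; within a category any selected value matches."""
    return all(not getattr(flt, cat) or getattr(sig, cat) in getattr(flt, cat)
               for cat in CATEGORIES)

def resolve_filter(flt: FilterEntry, catalogue=CATALOGUE) -> dict:
    """Return {sig_id: effective action} for the signatures the filter pulls into the sensor.
    Action 'default' falls back to each signature's own default action."""
    return {sig.sig_id: (sig.default_action if flt.action == "default" else flt.action)
            for sig in catalogue if signature_matches(sig, flt)}
```

A filter that selects Severity high and critical with Target server therefore includes three of the four sample signatures, and one of them stays on allow because its default action is used.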
Individual signatures, whether custom or predefined, can be selected for an IPS sensor. If you need only one signature, or you want to manually select several signatures that do not fit the criteria of an IPS filter, adding a signature entry to the IPS sensor is the easiest way.
To configure a Signature entry of type Signature:
- Go to Security Profiles > Intrusion Prevention.
- Click Create New.
- Configure the IPS sensor settings.
- In IPS Signatures and Filters, click Create New. The Add Signatures pane is displayed.
- Configure the settings as follows:
  Type: Select Signature.
  Action: Click the dropdown menu and select the action taken when a signature is triggered:
  - Allow: Allow traffic to continue to its destination.
  - Monitor: Allow traffic to continue to its destination and log the activity.
  - Block: Drop traffic that matches the signature.
  - Reset: Reset the session whenever the signature is triggered.
  - Default: Use the default action of the signature. Search for the signature in the IPS Signature pane to view its default Action.
  - Quarantine: Block the matching traffic, enable packet logging, and quarantine the attacker.
  Packet Logging: Enable packet logging to save a copy of the packets when they match the signature, so that the packet copies can be analyzed later.
  Packet logging is not supported on all FortiGate devices. FortiAnalyzer logging or a hard disk is required to support this feature; see the Feature Platform Matrix.
  Status: Define the signature status:
  - Enable: Enable the signature.
  - Disable: Disable the signature.
  - Default: Use the default status of the signature. Search for the signature in the IPS Signature pane to view its default Status.
  Rate-based settings:
  - Default: Use the default rate-based settings.
  - Specify: Specify the rate-based settings:
    - Threshold: Enter the threshold. See IPS signature rate count threshold.
    - Duration (seconds): Enter the duration in seconds.
    - Track By: Select the tracking method: Any, Source IP, or Destination IP.
  Exempt IPs: Add IP addresses that are exempt from the signature rules. Click Edit IP Exemptions and click Create New. Edit the Source IP/Netmask and the Destination IP/Netmask to define the IP address for exemption. Click OK to add it to Exempt IPs.
- Select one or more signatures from the IPS Signatures pane.
- Click OK. The signature is added to the IPS sensor.
- Click OK.
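The rate-based settings (Threshold, Duration, Track By) and Exempt IPs described for a Signature entry are easiest to understand as a sliding-window counter keyed on the tracked address, with exempt source/destination pairs skipped before counting. The Python below is an added illustration of that behaviour, not FortiGate code; the entry values, IP addresses and timestamps are constructed, and the semantics (count matches per key inside the window, fire the action once the count reaches the threshold) are the model this example assumes.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class SignatureEntry:
    """Rate-based settings and exempt IPs of one Signature-type entry (constructed values)."""
    rule_id: int
    action: str = "block"
    threshold: int = 1        # matches needed inside the duration window before the action fires
    duration: int = 0         # window in seconds; 0 means every single match fires on its own
    track_by: str = "any"     # "any" | "src_ip" | "dst_ip"
    exempt: list = field(default_factory=list)   # [(source network, destination network)]

def exemption(src_cidr: str, dst_cidr: str):
    """Build one Exempt IPs entry from 'IP/Netmask' strings (prefix length or dotted mask)."""
    return (ip_network(src_cidr, strict=False), ip_network(dst_cidr, strict=False))

class RateTracker:
    """Counts signature matches per tracked key inside a sliding window of `duration` seconds."""
    def __init__(self, entry: SignatureEntry):
        self.entry = entry
        self.hits = defaultdict(deque)   # tracked key -> timestamps of matches still in the window

    def is_exempt(self, src: str, dst: str) -> bool:
        """A flow is skipped when both its source and destination fall inside an exemption pair."""
        return any(ip_address(src) in s_net and ip_address(dst) in d_net
                   for s_net, d_net in self.entry.exempt)

    def _key(self, src: str, dst: str) -> str:
        return {"any": "*", "src_ip": src, "dst_ip": dst}[self.entry.track_by]

    def on_match(self, now: float, src: str, dst: str) -> str:
        """Return the action to apply to a match seen at `now`, or 'allow' below the threshold."""
        e = self.entry
        if self.is_exempt(src, dst):
            return "allow"
        window = self.hits[self._key(src, dst)]
        while window and now - window[0] >= e.duration:   # discard matches that aged out
            window.popleft()
        window.append(now)
        # With threshold 1 and duration 0 this degenerates to a plain per-match signature.
        return e.action if len(window) >= e.threshold else "allow"
```

Tracking by Source IP means three matches from one client inside the window fire the action while the same three matches spread across clients do not, which is the difference to check when tuning a threshold.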