Fortinet white logo
Fortinet white logo

Administration Guide

Configuring an IPS sensor

Configuring an IPS sensor

You can configure IPS sensors to be used in policies in the GUI.

To configure an IPS sensor:
  1. Go to Security Profiles > Intrusion Prevention.

  2. Click Create New.

  3. Configure the following settings:

    Name

    Enter a unique name for the sensor.

    Comments

    Enter a comment (optional).

    Block malicious URLS Enable to block malicious URLs based on a local malicious URL database on the FortiGate to assist in the detection of drive-by exploits. See Malicious URL database for drive-by exploits detection.
    IPS Signature and Filters Select a signature or filter to assign to the sensor. See Configuring signatures and filters.
    Botnet C&C
    Scan Outgoing Connections to Botnet Sites

    Define the botnet scanning across traffic that matches the policy:

    • Disable: Do not scan connections to botnet servers.

    • Block: Block connections to botnet servers.

    • Monitor: Log connections to botnet servers.

    See IPS with botnet C&C IP blocking.

  4. Click OK.

Note

For information on configuring IPS sensors in the CLI, see IPS configuration options.

Configuring signatures and filters

Signatures and filters can be configured and added to IPS sensors. A filter is a collection of signature attributes. Any signatures that meet all of the attributes specified in a filter are automatically included in the IPS sensor. See IPS signature filter options.

To configure a Signature entry of type Filter:
  1. Go to Security Profiles > Intrusion Prevention.

  2. Click Create New.

  3. Configure the IPS sensor settings.

  4. In IPS Signatures and Filters, click Create New. The Add Signatures pane is displayed.

  5. Configure the settings as follows:

    Type Select Filter.
    Action

    Click the dropdown menu and select the action when a signature is triggered:

    • Allow: Allow traffic to continue to its destination.

    • Monitor: Allow traffic to continue to its destination and log the activity.

    • Block: Drop traffic that matches the signature.

    • Reset: Reset the session whenever the signature is triggered.

    • Default: Use the default action of the signature. Search for the signature in the IPS Signature pane to view the default Action.

    • Quarantine: Block the matching traffic. Enable packet logging. Quarantine the attacker.

    Packet logging

    Enable packet logging to save a copy of the packets when they match the signature. Packet copies can be analyzed later.

    Packet logging is not supported on all FortiGate devices. FortiAnalyzer logging or a hard disk are required to support this feature; see the Feature Platform Matrix.

    Status

    Define the signature status:

    • Enable: Enable the signature.

    • Disable: Disable the signature.

    • Default: Use the default status of the signature. Search for the signature in the IPS Signature pane to view the default Status.

    Filter

    Select the + to open the Select Entries field and select filter entries. There are different entry categories:

    • Target: Refers to the type of device targeted by the attack.

    • Severity: Refers to the level of the threat posed by the attack.

    • Protocol: Refers to the protocol that is the vector for the attack.

    • OS: Refers to the Operating System affected by the attack.

    • Application: Refers to the application affected by the attack.

  6. Select one or more signatures from the IPS Signatures pane.

  7. Click OK. The signature is added to the IPS sensor.

  8. Click OK.

Individual signatures, custom or predefined IPS signatures can be selected for an IPS sensor. If you need only one signature, or you want to manually select multiple signatures that don’t fall into the criteria for an IPS filter, adding a signature entry to an IPS sensor is the easiest way.

To configure a Signature entry of type Signature:
  1. Go to Security Profiles > Intrusion Prevention.

  2. Click Create New.

  3. Configure the IPS sensor settings.

  4. In IPS Signatures and Filters, click Create New. The Add Signatures pane is displayed.

  5. Configure the settings as follows:

    Type Select Signature.
    Action

    Click the dropdown menu and select the action when a signature is triggered:

    • Allow: Allow traffic to continue to its destination.

    • Monitor: Allow traffic to continue to its destination and log the activity.

    • Block: Drop traffic that matches the signature.

    • Reset: Reset the session whenever the signature is triggered.

    • Default: Use the default action of the signature. Search for the signature in the IPS Signature pane to view the default Action.

    • Quarantine: Block the matching traffic. Enable packet logging. Quarantine the attacker.

    Packet Logging

    Enable packet logging to save a copy of the packets when they match the signature. Packet copies can be analyzed later.

    Packet logging is not supported on all FortiGate devices. FortiAnalyzer logging or a hard disk are required to support this feature; see the Feature Platform Matrix.

    Status

    Define the signature status:

    • Enable: Enable the signature.

    • Disable: Disable the signature.

    • Default: Use the default status of the signature. Search for the signature in the IPS Signature pane to view the default Status.

    Rate-based settings

    Default

    Use the default rate-based settings.

    Specify

    Specify the rate-based settings:

    • Threshold: Enter the threshold. See IPS signature rate count threshold.

    • Duration (seconds): Enter the duration in seconds.

    • Track By: Select the tracking method as Any, Source IP, or Destination IP.

    Exempt IPs

    Add IP addresses that are exempt from the signature rules.

    Click Edit IP Exemptions and click Create New. Edit the Source IP/Netmask and the Destination IP/Netmask to define the IP address for exemption. Click OK to add it to Exempt IPs.

  6. Select one or more signatures from the IPS Signatures pane.

  7. Click OK. The signature is added to the IPS sensor.

  8. Click OK.

Configuring an IPS sensor

Configuring an IPS sensor

You can configure IPS sensors to be used in policies in the GUI.

To configure an IPS sensor:
  1. Go to Security Profiles > Intrusion Prevention.

  2. Click Create New.

  3. Configure the following settings:

    Name

    Enter a unique name for the sensor.

    Comments

    Enter a comment (optional).

    Block malicious URLS Enable to block malicious URLs based on a local malicious URL database on the FortiGate to assist in the detection of drive-by exploits. See Malicious URL database for drive-by exploits detection.
    IPS Signature and Filters Select a signature or filter to assign to the sensor. See Configuring signatures and filters.
    Botnet C&C
    Scan Outgoing Connections to Botnet Sites

    Define the botnet scanning across traffic that matches the policy:

    • Disable: Do not scan connections to botnet servers.

    • Block: Block connections to botnet servers.

    • Monitor: Log connections to botnet servers.

    See IPS with botnet C&C IP blocking.

  4. Click OK.

Note

For information on configuring IPS sensors in the CLI, see IPS configuration options.

Configuring signatures and filters

Signatures and filters can be configured and added to IPS sensors. A filter is a collection of signature attributes. Any signatures that meet all of the attributes specified in a filter are automatically included in the IPS sensor. See IPS signature filter options.

To configure a Signature entry of type Filter:
  1. Go to Security Profiles > Intrusion Prevention.

  2. Click Create New.

  3. Configure the IPS sensor settings.

  4. In IPS Signatures and Filters, click Create New. The Add Signatures pane is displayed.

  5. Configure the settings as follows:

    Type Select Filter.
    Action

    Click the dropdown menu and select the action when a signature is triggered:

    • Allow: Allow traffic to continue to its destination.

    • Monitor: Allow traffic to continue to its destination and log the activity.

    • Block: Drop traffic that matches the signature.

    • Reset: Reset the session whenever the signature is triggered.

    • Default: Use the default action of the signature. Search for the signature in the IPS Signature pane to view the default Action.

    • Quarantine: Block the matching traffic. Enable packet logging. Quarantine the attacker.

    Packet logging

    Enable packet logging to save a copy of the packets when they match the signature. Packet copies can be analyzed later.

    Packet logging is not supported on all FortiGate devices. FortiAnalyzer logging or a hard disk are required to support this feature; see the Feature Platform Matrix.

    Status

    Define the signature status:

    • Enable: Enable the signature.

    • Disable: Disable the signature.

    • Default: Use the default status of the signature. Search for the signature in the IPS Signature pane to view the default Status.

    Filter

    Select the + to open the Select Entries field and select filter entries. There are different entry categories:

    • Target: Refers to the type of device targeted by the attack.

    • Severity: Refers to the level of the threat posed by the attack.

    • Protocol: Refers to the protocol that is the vector for the attack.

    • OS: Refers to the Operating System affected by the attack.

    • Application: Refers to the application affected by the attack.

  6. Select one or more signatures from the IPS Signatures pane.

  7. Click OK. The signature is added to the IPS sensor.

  8. Click OK.

Individual signatures, custom or predefined IPS signatures can be selected for an IPS sensor. If you need only one signature, or you want to manually select multiple signatures that don’t fall into the criteria for an IPS filter, adding a signature entry to an IPS sensor is the easiest way.

To configure a Signature entry of type Signature:
  1. Go to Security Profiles > Intrusion Prevention.

  2. Click Create New.

  3. Configure the IPS sensor settings.

  4. In IPS Signatures and Filters, click Create New. The Add Signatures pane is displayed.

  5. Configure the settings as follows:

    Type Select Signature.
    Action

    Click the dropdown menu and select the action when a signature is triggered:

    • Allow: Allow traffic to continue to its destination.

    • Monitor: Allow traffic to continue to its destination and log the activity.

    • Block: Drop traffic that matches the signature.

    • Reset: Reset the session whenever the signature is triggered.

    • Default: Use the default action of the signature. Search for the signature in the IPS Signature pane to view the default Action.

    • Quarantine: Block the matching traffic. Enable packet logging. Quarantine the attacker.

    Packet Logging

    Enable packet logging to save a copy of the packets when they match the signature. Packet copies can be analyzed later.

    Packet logging is not supported on all FortiGate devices. FortiAnalyzer logging or a hard disk are required to support this feature; see the Feature Platform Matrix.

    Status

    Define the signature status:

    • Enable: Enable the signature.

    • Disable: Disable the signature.

    • Default: Use the default status of the signature. Search for the signature in the IPS Signature pane to view the default Status.

    Rate-based settings

    Default

    Use the default rate-based settings.

    Specify

    Specify the rate-based settings:

    • Threshold: Enter the threshold. See IPS signature rate count threshold.

    • Duration (seconds): Enter the duration in seconds.

    • Track By: Select the tracking method as Any, Source IP, or Destination IP.

    Exempt IPs

    Add IP addresses that are exempt from the signature rules.

    Click Edit IP Exemptions and click Create New. Edit the Source IP/Netmask and the Destination IP/Netmask to define the IP address for exemption. Click OK to add it to Exempt IPs.

  6. Select one or more signatures from the IPS Signatures pane.

  7. Click OK. The signature is added to the IPS sensor.

  8. Click OK.