Administration Guide

Support Ethernet layer protocols in the IPS engine

The IPS engine has been enhanced to detect industrial Ethernet protocols such as LLDP, GOOSE, EtherCAT, and PROFINET RT. Device detection can now identify and log Ethernet devices from their L2 protocol traffic. Additionally, the IPS sensor detects the Ethernet protocol and logs the traffic.

Custom signature rules have been enhanced with three new rule options for ethertype, mac_src, and mac_dst.

The administrator specifies which L2 protocol a custom signature detects by giving that protocol's EtherType as a hexadecimal value in the ethertype option.

In Examples 2 and 3 below, the ethertype value of 0x88cc is used to detect LLDP protocol traffic.

The following examples are explored:

Example 1: Ethernet protocol device detection on the interface

Note

Device detection requires new signatures included in both the IoT Detection package and OT Detection package, which will be available in future FortiGuard updates.

In this example, the IPS engine detects Ethernet devices, such as those sending LLDP advertisements, which carry device information.

To apply Ethernet protocol device detection on the interface:
  1. Enable device detection and passive gathering of identity information about the host:

    config system interface
        edit "port15"
            set vdom "root"
            set type physical
            set device-identification enable
            set snmp-index 17
        next
    end
  2. Apply the interface to the firewall interface policy:

    config firewall interface-policy
        edit 1
            set interface "port15"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
        next
    end
  3. Generate traffic from the client.

  4. Review the application control log for device detection on Ethernet protocol LLDP:

    # diagnose log filter category 4
    # diagnose log display 
    1: date=2025-03-20 time=18:46:52 eventtime=1742521612517801102 tz="-0700" logid="1059028738" type="utm" subtype="app-ctrl" eventtype="signature" level="warning" vd="root" ethertype=35020 srcmac="00:0c:29:c6:ae:bf" dstmac="e0:23:ff:83:2d:2d" appid=10008004 srcintf="port15" srcintfrole="undefined" dstintf="port15" dstintfrole="undefined" policyid=1 poluuid="c5ed61a0-0445-51f0-1e08-ea9d568326bd" policytype="interface-policy" action="pass" appcat="IoT" app="LLDP.Device.Test" msg="IoT: LLDP.Device.Test" clouddevice="Vendor=HP, Product=ProCurve Swtich, Model=ProCurve Swtich 2600-8-PWR, Version=H.08.89" apprisk="low"

    The ethertype field has been added to the device detection log. The srcmac and dstmac log fields are recorded instead of the source and destination IP addresses. These three new fields are not included in regular application control logs.

Example 2: Ethernet protocol detection with custom IPS signatures on the interface policy

In this example, the IPS sensor is able to detect Ethernet protocols by matching signatures in the NIDS database or by using custom-defined signatures.

To apply Ethernet protocol detection with custom IPS signatures on the interface policy:
  1. Create a new custom signature for LLDP protocol with source MAC address and destination MAC address defined:

    config ips custom
        edit "LLDP-test"
            set signature "F-SBID( --attack_id 6312;  --name \"LLDP-test-mac\"; --default_action drop;  --ethertype 0x88cc; --mac_src 00:0c:29:c6:ae:bf; --mac_dst e0:23:ff:83:2d:2d; --severity high; --status disable; )"
        next
    end
  2. Create a new IPS sensor and allow the new custom signatures to pass:

    config ips sensor
        edit "l2-test"
            config entries
                edit 1
                    set rule 6312
                    set status enable
                    set action pass 
                next
            end
        next
    end

    The rule value (6312) matches the attack_id of the custom signature and identifies which IPS signature to add to the sensor.

  3. Enable the IPS sensor in a firewall interface policy and apply the new IPS sensor:

    config firewall interface-policy
        edit 1
            set interface "port15"
            set srcaddr "all"
            set dstaddr "all"
            set service "ALL"
            set ips-sensor-status enable
            set ips-sensor "l2-test"
        next
    end
  4. Generate traffic from the client.

  5. Review the IPS sensor log for the Ethernet protocol LLDP custom signature:

    # diagnose log filter category 4
    # diagnose log display 
    1: date=2025-03-21 time=10:16:03 eventtime=1742577362746522425 tz="-0700" logid="0419016402" type="utm" subtype="ips" eventtype="signature" level="warning" vd="root" ethertype=35020 srcmac="00:0c:29:c6:ae:bf" dstmac="e0:23:ff:83:2d:2d" srcintf="port15" srcintfrole="undefined" dstintf="port15" dstintfrole="undefined" policyid=1 poluuid="8fcb4bf0-0675-51f0-fa7a-9fec94e8115c" policytype="interface-policy" action="dropped" attack="\"LLDP-test\"" attackid=6312 profile="l2-test" incidentserialno=75497498 msg="custom: \"LLDP-test\"" crscore=30 craction=8192 crlevel="high"

    A new log ID has been created for the L2 detection logs.

    The ethertype field has been added to this L2 IPS log. The srcmac and dstmac log fields are recorded instead of the source and destination IP addresses. These new fields are not included in a regular IPS sensor log.

Example 3: Ethernet protocol detection with custom IPS signatures on the sniffer policy

Ethernet protocol detection is supported in sniffer policies. In this example, a software switch with port spanning is configured so that the sniffer interface receives a mirror of the traffic.

To apply Ethernet protocol detection with custom IPS signatures on the sniffer policy:
  1. Create a new software switch with the destination and source ports for spanning configured:

    config system switch-interface
        edit "test-sw"
            set vdom "root"
            set member "port2" "port15"
            set span enable
            set span-dest-port "port2"
            set span-source-port "port15"
        next
    end
  2. Enable one-arm sniffer mode on the destination interface:

    config system interface
        edit "port2"
            set vdom "root"
            set ips-sniffer-mode enable
            set type physical
            set snmp-index 4
        next
    end
  3. Create a new custom signature for LLDP protocol with source MAC address and destination MAC address defined:

    config ips custom
        edit "LLDP-test"
            set signature "F-SBID( --attack_id 6312;  --name \"LLDP-test-mac\"; --default_action drop;  --ethertype 0x88cc; --mac_src 00:0c:29:c6:ae:bf; --mac_dst 01:80:c2:00:00:0e; --severity high; --status disable; )"
        next
    end
  4. Configure the IPS sensor:

    config ips sensor
        edit "g-sniffer-profile"
            set comment "Monitor IPS attacks."
            config entries
                edit 2
                    set rule 29844
                    set status enable
                    set action block
                next
                edit 1
                    set rule 6312
                    set status enable
                    set action pass
                next
            end
        next
    end
  5. Apply the interface to the firewall sniffer policy:

    config firewall sniffer
        edit 1
            set non-ip enable
            set interface "port2"
            set ips-sensor-status enable
            set ips-sensor "g-sniffer-profile"
        next
    end
    Note

    Confirm that non-IP address packet sniffing is also enabled. If it is not enabled, L2 traffic will not be detected.

  6. Generate Ethernet traffic and mirror it to the designated interface port.

  7. Review the new log for sniffer policy Ethernet protocol detection:

    # diagnose log filter category 4
    # diagnose log display 
    1: date=2025-04-14 time=17:28:21 eventtime=1744676901127125507 tz="-0700" logid="0419016402" type="utm" subtype="ips" eventtype="signature" level="warning" vd="root" ethertype=35020 srcmac="00:0c:29:c6:ae:bf" dstmac="01:80:c2:00:00:0e" srcintf="port2" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" policyid=1 poluuid="39650ea6-011e-51f0-c237-d19ed520eaf1" policytype="sniffer" action="detected" attack="LLDP-test-mac" attackid=6312 profile="g-sniffer-profile" incidentserialno=216006666 msg="custom: LLDP-test-mac" crscore=30 craction=8192 crlevel="high"

    The Ethernet protocol detection does not support traffic logging; only an IPS log will be generated if the sniffer policy is matched.
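The following is an added example, not part of the Fortinet guide: a small Python helper that parses the F-SBID custom signature from Examples 2 and 3 and the key=value IPS log lines those examples produce, converts the decimal ethertype in the log back to the hex value used in the signature, and checks field by field that the signature explains the log entry. The sample signature and log lines are shortened copies of the ones on this page; the GOOSE, EtherCAT and PROFINET ethertype values are standard registered values, not taken from the page.

```python
import re

# Sample input, shortened from the Example 2 and Example 3 signature and log lines on this page.
SIG_EXAMPLE2 = ('F-SBID( --attack_id 6312;  --name "LLDP-test-mac"; --default_action drop;  '
                '--ethertype 0x88cc; --mac_src 00:0c:29:c6:ae:bf; --mac_dst e0:23:ff:83:2d:2d; '
                '--severity high; --status disable; )')
LOG_EXAMPLE2 = ('1: date=2025-03-21 time=10:16:03 type="utm" subtype="ips" ethertype=35020 '
                'srcmac="00:0c:29:c6:ae:bf" dstmac="e0:23:ff:83:2d:2d" action="dropped" '
                'attack="\\"LLDP-test\\"" attackid=6312 profile="l2-test" msg="custom: \\"LLDP-test\\""')
LOG_EXAMPLE3 = ('1: date=2025-04-14 time=17:28:21 type="utm" subtype="ips" ethertype=35020 '
                'srcmac="00:0c:29:c6:ae:bf" dstmac="01:80:c2:00:00:0e" action="detected" '
                'attack="LLDP-test-mac" attackid=6312 profile="g-sniffer-profile"')

# Registered ethertypes for the protocols named on this page (standard values, not from the page).
ETHERTYPE_NAMES = {0x88cc: "LLDP", 0x88b8: "GOOSE", 0x88a4: "EtherCAT", 0x8892: "PROFINET"}

# key=value tokens; a quoted value may contain backslash-escaped quotes (attack="\"LLDP-test\"").
_KV = re.compile(r'(\w+)=("(?:\\.|[^"\\])*"|\S+)')

def parse_log(line: str) -> dict:
    """Parse one FortiGate log line into a dict, dropping the leading 'N: ' record counter."""
    fields = {}
    for key, raw in _KV.findall(re.sub(r'^\d+:\s*', '', line)):
        fields[key] = raw[1:-1].replace('\\"', '"') if raw.startswith('"') else raw
    return fields

def parse_fsbid(sig: str) -> dict:
    """Parse an F-SBID( --opt value; ... ) string into {option: value}; bare flags map to True."""
    body = re.search(r'F-SBID\(\s*(.*)\)', sig, re.S).group(1)
    opts = {}
    for item in filter(None, (s.strip() for s in body.split(';'))):
        name, _, value = item.lstrip('-').partition(' ')
        opts[name] = value.strip().strip('"') or True
    return opts

def ethertype_name(decimal_value) -> str:
    """FortiGate logs ethertype in decimal; map it back to the hex value used in the signature."""
    value = int(decimal_value)
    return f"{ETHERTYPE_NAMES.get(value, 'unknown')} (0x{value:04x})"

def signature_matches_log(sig: str, line: str) -> dict:
    """Field-by-field check that an L2 custom signature accounts for a given IPS log entry."""
    s, log = parse_fsbid(sig), parse_log(line)
    return {
        "ethertype": int(s["ethertype"], 16) == int(log["ethertype"]),
        "mac_src": s["mac_src"].lower() == log["srcmac"].lower(),
        "mac_dst": s["mac_dst"].lower() == log["dstmac"].lower(),
        "attack_id": int(s["attack_id"]) == int(log["attackid"]),
    }
```

Running `signature_matches_log(SIG_EXAMPLE2, LOG_EXAMPLE3)` reports `mac_dst` as False, because the Example 3 sniffer-policy signature targets a different destination MAC than the Example 2 signature used here.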