Managing IPS signature updates as an IPS administrator

FortiGate receives IPS signature package updates from the FortiGuard Distribution Server (FDS).

The FDS can either be the Fortinet Global FDS service or a FortiManager acting as the FDS. In this example, the FortiManager is acting as the FDS. For information on configuring FortiManager as the FDS, see the Configuring Devices to use the Built in FDS.

The following example also assumes that an IPS restricted administrator is logged in and completing the steps. For more information on restricted administrators, see Intrusion prevention restricted administrator.

This example provides a methodology for managing the release of IPS signature package updates to managed FortiGate devices based on the following steps:

1. View signature details on FortiGuard

2. Configure and install signature overrides

3. Monitor logs for hits to signatures

This example does not present a definitive method, but instead outlines an approach that can be used to build one that aligns with your requirements

View signature details on FortiGuard

To view signature information on FortiGuard:

1. Log in to FortiManager as a restricted IPS administrator.

2. Go to Intrusion Prevention > FortiGuard Package.

3. Confirm that the initial To Be Deployed Version has been specified for the relevant IPS Signature Database.
   In this example, the initial version is set to 28.00871, but the Latest Version available from FortiGuard is 28.00872.
   

4. Click on the hyperlink for the Latest Version to open the FortiGuard IPS Updates site.
   

5. Select the chosen version from the dropdown list, and click FILTER. This displays all of the changes and additions that were made since the last package.

   • This assumes that a regular release schedule is maintained and that the Latest Version is only 1 version ahead of the To Be Deployed Version.

     

6. Review the signatures that are tagged as New, Modified, or Removed, and evaluate how these signatures may affected protected services.

   1. Individual signatures can be clicked to view additional details about the signature.

   2. Review the Affected OS, Affected App, and Default Action fields, and whether the signature is Active or not to determine whether it will be applicable to protected services.

   3. If the signature is applicable, review the Description, Risk score and CVE information where available.

   4. An alternative approach is to use an override for all newly added signatures in order to monitor their behavior in production for a specified number of days before removing the override and using the default settings applicable to their signatures. The processes defined here are the same for this approach.
      

7. After completing the review of the signature package changes, return to the FortiManager and if required, create overrides for specific signatures in the new package.

   The new IPS signatures are available to view in FortiManager even though they have not been released to the FortiGates. This allows for administrators to specify overrides before releasing the signatures.

Configure and install signature overrides

To configure signatures on FortiManager:

1. Go to Intrusion Prevention > Profiles and edit the appropriate IPS Profile(s).

2. Click Create New under the IPS Signatures and Filters section.
   

3. Change the Type to Signature, and click Add Signature.
   

4. Find the required signature(s) by Name or ID, available from the FortiGuard IPS website. Check the box(es) and click Use Selected Signature.
   

5. Modify the behavior of the FortiGate with this signature as required, and click OK.
   

   Action	The default action is available on FortiGuard. If the desired approach is to monitor the impact of this signature on production traffic, set this to Monitor.
   Packet Logging	Determines whether the FortiGate should packet capture the traffic triggering this signature. This is recommended when using IPS as it provides context as to what triggered the event that pure traffic logs do not.
   Status	The default status of the signature is available on FortiGuard. If the signature is set to Disable by default, then an override such as described here would only be beneficial if admins wanted to enable a wider range of signatures for an OS/application/protocol/etc. than the defaults but want to monitor the behavior. In that instance, the Status should be set to Enable, otherwise Default is acceptable as the signature is already enabled.
   Exempt IPs	This is where administrators can exclude client or server IPs from triggering a signature. This is useful for handling false positive behavior.

6. By default, the new profile entries are added to the bottom of the list. As profiles use a top-down/first match approach, the override needs to be located above the general IPS rules in the list. Select the box next to the new entry and click Move Up until it is at the desired point in the rule set. Click OK to finish.
   

7. This change will need to be installed on the target FortiGates before the IPS package is released. Click Install Wizard, select only the profile(s) with the override applied, and complete the install wizard process to push the changes to the required FortiGate(s).
   

8. With the overrides installed, it is time to modify the To Be Deployed Version in the FortiGuard Package menu. Select the IPS Signature Database appropriate to the deployment and click the Change button.
   

9. Select the reviewed version from the dropdown list for Change to Version, then click OK.
   Repeat for all appropriate IPS Signature Database options.
   

10. At this point, the FortiGates being serviced by the FortiManager FDS service will be able to download the approved IPS package from FortiManager. This will occur on the schedule based on the defined settings on the FortiGate.
    

11. Once the profile changes have been installed and the IPS packages released, it is recommended to monitor the FortiGate logs to identify any hits against the overridden signatures.

Monitor logs for hits to signatures

To monitor FortiGate logs for hits to overridden signatures:

1. Log in to FortiAnalyzer and go to Log View > FortiGate, then select the Security: Intrusion Prevention menu.
   

2. In the Filter, select Attack ID and specify the ID of the first overridden IPS signature.
   

3. Repeat these steps adding relevant Attack IDs into the filter based on the override signatures and specify an OR operator between them by clicking the AND between the filters.
   

4. Review the results to evaluate whether any matches are genuine or potential false positives.
   The results displayed are for any events matching the signature's attack ID included in the filter.
   

5. Double-clicking the result(s) will provide a more detailed log.
   
   
   The following is a non-exhaustive list of considerations:

   Attack Name & Attack ID	Use the hyperlink(s) to open the FortiGuard page(s) related to the signature and review the attack information.
   Source & Destination	Evaluate where the traffic is coming from and going to.
   Data Archive	This is the packet capture of the traffic that triggered the signature.

6. By combining the details of the attack from FortiGuard and the PCAP with knowledge of the destination service/application, administrators can determine whether the event is a false positive or not. In this example:

   1. The PCAP file shows a GET request where the URI includes "/admin.cgi/sd.css".

   2. The Destination IP is known Apache web server.

   3. The FortiGuard site provides insight into the exploit as being "The Vulnerability is due to insufficient sanitizing of user supplied inputs in "admin.cgi" script of the application".

   In this example, the Apache web server is known to store the files related to the website in "/var/www/html", with a subdirectory "/admin.cgi" used to store the site's CSS file "sd.css" (“/var/www/html/admin.cgi/sd.css"). This is how the web application has been designed by the administrator and is not a vulnerability, therefore this event represents a false-positive and the server will need to be added to the exemption list.

7. Depending on the review of the log events, there are different options of what to do next:
   

   No log events related to any of the overridden signature	Delete the overrides from the IPS Profile(s) and install the profile changes: Go to Intrusion Prevention > Profiles, Edit the profile(s), and select the overridden signatures in the rule list. Click Delete, then click OK. Use the Install Wizard to push the profile changes to the required FortiGates.
   Events detected that have been identified as true positive matches	Delete the overrides from the IPS Profile(s) and install the profile changes: Go to Intrusion Prevention > Profiles, Edit the profile(s), and select the overridden signatures in the rule list. Click Delete, then click OK. Use the Install Wizard to push the profile changes to the required FortiGates.
   c. Events detected that have been identified as false positive matches	Modify the override to set match the Action, Packet Logging and Status defined in the main IPS rule: Review the main IPS rule settings, in this example they are: Action – Default, Packet Logging – Enabled, Status – Enabled. Select the required overridden signature that has triggered false positives, and click Edit. Configure the settings to match the main IPS rule, in this example it will be Action – Default, Packet Logging – Enabled, Status – Enabled. Click Edit IP Exemption, then click Create New. Specify appropriate Source IP/Netmask and Destination IP/Netmask – in this example it would require the LAN IP range for Source IP/Netmask and the Apache web server IP for Destination IP/Netmask, then click OK. Review the configuration for the signature override and if all is correct click OK. Modify/remove any additional override signatures as required and click OK. Use the Install Wizard to push the profile changes to the required FortiGates. Clients connecting to that Apache web server will no longer trigger the Ubiquiti vulnerability as the site is not vulnerable it just so happens the directory structure aligns with triggering the signature.