Fortinet black logo

Administration Guide

Home FortiProxy 7.2.0 Administration Guide
7.2.0
7.4.3
7.4.2
7.4.1
7.4.0
7.2.10
7.2.9
7.2.8
7.2.7
7.2.0
7.0.17
7.0.0
2.0.0
1.2.0
1.1.0
1.0.0

IPS Signatures

IPS Signatures

The FortiProxy predefined signatures cover common attacks. If you use an unusual or specialized application or an uncommon platform, add custom signatures based on the security alerts released by the application and platform vendors.

You can create custom IPS signatures and custom application signatures to further extend protection. For example, you can use custom IPS signatures to protect unusual or specialized applications or even custom platforms from known and unknown attacks.

All custom signatures follow a particular syntax. Each begins with a header and is followed by one or more keywords. A custom signature definition is limited to a maximum length of 512 characters. A definition can be a single line or span multiple lines connected by a backslash (\) at the end of each line.

A custom signature definition begins with a header, followed by a set of keyword/value pairs enclosed by parenthesis [( )]. The keyword and value pairs are separated by a semicolon (;) and consist of a keyword and a value separated by a space. The following is the basic format of a definition:

HEADER (KEYWORD VALUE;)

You can use as many keyword/value pairs as required within the 512-character limit.

To view the available custom IPS signatures, go to Security Profiles > IPS Signatures. Custom IPS signatures are listed under a separate heading inthe table.

To create a custom IPS signature, see Create or edit an IPS signature.


                                            
Highlight of on-hold IPS signatures

                                            
IPS signatures that are on hold (administrator-added delay for activation time) are highlighted in the GUI as follows:

                                            
    
                                                
  • On-hold signatures are grayed out with an hourglass icon beside the signature name.
    • 
                                                
  • The signature tooltip displays the on hold expiry time.
    • 
                                                
  • Users can still use on-hold signatures in an IPS sensor profile; however, the profile will not block matching traffic. It will monitor it instead (logging in effect) until the on hold time expires.
    • 
                                            

                                            
After a hold time is configured in the CLI, go to Security Profiles > IPS Signatures. Hover over the grayed-out entry to view the tooltip, which includes the action and hold time expiry. 

                                            
The same tooltip is available on the Edit IPS Sensor (Security Profiles > Intrusion Prevention) page when creating or editing the IPS signatures. In the Add Signatures pane when the Type is Signature, on-hold signatures  are only displayed as on hold if override-signature-hold-by-id is enabled.

                                        

                                    



        

            

                

                                                                     Previous
                                    


                

                                                                    Next 
                                    

            

            
        

    

            


                    

                        


                        

                                                        
        
        

        
                        

        
    
                    

                

            

        

    






        

        
                


                                        

                                            
IPS Signatures

                                            
The FortiProxy predefined signatures cover common attacks. If you use an unusual or specialized application or an uncommon platform, add custom signatures based on the security alerts released by the application and platform vendors.

                                            
You can create custom IPS signatures and custom application signatures  to further extend protection. For example, you can use custom IPS signatures to protect unusual or specialized applications or even custom platforms from known and unknown attacks. 

                                            
All custom signatures follow a particular syntax. Each begins with a header and is followed by one or more keywords. A custom signature definition is limited to a maximum length of 512 characters. A definition can be a single line or span multiple lines connected by a backslash (\) at the end of each line.

                                            
A custom signature definition begins with a header, followed by a set of keyword/value pairs enclosed by parenthesis [( )]. The keyword and value pairs are separated by a semicolon (;) and consist of a keyword and a value separated by a space. The following is the basic format of a definition:

                                            
 HEADER (KEYWORD VALUE;)

                                            
 

                                            
You can use as many keyword/value pairs as required within the 512-character limit. 

                                            
To view the available custom IPS signatures, go to Security Profiles > IPS Signatures. Custom IPS signatures are listed under a separate heading inthe table.

                                            

                                                
                                            

                                            
To create a custom IPS signature, see Create or edit an IPS signature.

                                            
Highlight of on-hold IPS signatures

                                            
IPS signatures that are on hold (administrator-added delay for activation time) are highlighted in the GUI as follows:

                                            
    
                                                
  • On-hold signatures are grayed out with an hourglass icon beside the signature name.
    • 
                                                
  • The signature tooltip displays the on hold expiry time.
    • 
                                                
  • Users can still use on-hold signatures in an IPS sensor profile; however, the profile will not block matching traffic. It will monitor it instead (logging in effect) until the on hold time expires.
    • 
                                            

                                            
After a hold time is configured in the CLI, go to Security Profiles > IPS Signatures. Hover over the grayed-out entry to view the tooltip, which includes the action and hold time expiry. 

                                            
The same tooltip is available on the Edit IPS Sensor (Security Profiles > Intrusion Prevention) page when creating or editing the IPS signatures. In the Add Signatures pane when the Type is Signature, on-hold signatures  are only displayed as on hold if override-signature-hold-by-id is enabled.

                                        

                                    



        

            

                

                                                                     Previous
                                    


                

                                                                    Next