Intrusion prevention
Intrusion Prevention System (IPS) technology protects your network from cybercriminal attacks by actively seeking and blocking external threats before they can reach potentially vulnerable network devices.
FortiSASE uses signature-based defense against known attacks or vulnerability exploits. These often involve an attacker attempting to gain access to your network. The attacker must communicate with the host in an attempt to gain access, and this communication includes commands or sequences of commands and variables. The IPS signatures include these command sequences, allowing FortiSASE to detect and stop the attack.
The following table describes the IPS profiles that you can select in FortiSASE:
| | Recommended | Critical | Monitor |
|---|---|---|---|
| Protect client or server traffic | All (client and server) | All (client and server) | All (client and server) |
| Severity of the signatures | All severity levels: | | All severity levels: |
| Protocols to be protected | All | All | All |
| Operating systems to be protected | All: | All: | All: |
| Applications to be protected | All | All | All |
| Action taken with traffic in which signatures are detected | Pass or drop matching traffic, depending on the signature default action, which FortiGuard IPS determines | | Monitor, namely, pass or allow matching traffic while logging (monitoring) it. |
| Enable/disable logging of signatures included in filter | Enable | Enable | Enable |
FortiSASE uses the IPS extended database for protection.
For a comprehensive list of protocols and applications protected by FortiGuard IPS signatures that FortiSASE uses, see the IPS database searchable by CVE lookup, ID lookup, or other keywords at Intrusion Prevention Service.
You can also configure custom IPS rules that use custom IPS signatures. To create custom IPS signatures using appropriate signature syntax, see Creating IPS and application control signatures.
To select an IPS profile and configure custom IPS rules to apply to traffic:
- Go to Configuration > Security and switch to the Profiles tab from the toolbar.
- In the Intrusion Prevention widget, click Customize.
- Select a profile to apply to the traffic:
  | Profile | Description |
  |---|---|
  | Recommended (default) | Scans traffic for all known threats and applies the recommended action. |
  | Critical | Scans traffic for critical threats and blocks them. |
  | Monitor | Scans traffic for threats but does not apply any action. Primarily used for logging. |
- Create custom IPS rules:
  - In the Custom IPS rules section, click Create.
  - In the slide-in, click + on Signatures.
  - In the Select Entries slide-in, click + to create a custom IPS signature and specify Tag, (optional) Comments, and Signature using the IPS syntax guide. See Creating IPS and application control signatures.
  - Click OK.
  - Click OK on the Confirm prompt to select the newly created entry.
  - Specify the desired Action of Allow, Monitor, or Block for the signature.
  - Click OK. The signature created is visible with the desired action inside the Custom IPS rules section.
- Click OK.
- (Optional) Create custom IPS signatures from the Profile resources tab.
Custom IPS rules are evaluated before the configured IPS profile (that is, Recommended, Critical, or Monitor). You can use custom IPS rules to manage false positives by configuring a custom IPS signature with Action set to Allow or Monitor and using it in the rule.
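The evaluation order described above, as an added example that is not FortiSASE code or part of the original page: a simplified Python model in which custom IPS rules are checked before the selected profile, with a helper that lists the Allow/Monitor exceptions replacing a profile drop so they can be reviewed. All class, function and signature names and the sample matches are constructed, and treating signatures below critical severity as outside the Critical profile is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Match:
    fortiguard_sig: str      # profile signature that matched (constructed name)
    severity: str            # "low", "medium", "high" or "critical"
    default_action: str      # signature default action: "pass" or "drop"
    custom_tags: tuple = ()  # custom signatures that match the same traffic

def profile_action(profile, m):
    """Action the selected IPS profile applies to a match."""
    if profile == "recommended":
        return m.default_action   # follow the signature default action
    if profile == "monitor":
        return "pass"             # pass the traffic and log it
    if profile == "critical":
        # Assumption: signatures below critical severity are outside this profile.
        return "drop" if m.severity == "critical" else None
    raise ValueError(f"unknown profile: {profile}")

def effective_action(m, custom_rules, profile):
    """Custom IPS rules are evaluated first; the profile applies otherwise."""
    for tag in m.custom_tags:
        if tag in custom_rules:
            return ("custom rule", tag, custom_rules[tag])
    return ("profile", profile, profile_action(profile, m))

def exceptions_to_review(matches, custom_rules, profile):
    """Custom Allow/Monitor rules that replace a drop the profile would apply."""
    found = set()
    for m in matches:
        source, name, action = effective_action(m, custom_rules, profile)
        if (source == "custom rule" and action in ("Allow", "Monitor")
                and profile_action(profile, m) == "drop"):
            found.add(name)
    return sorted(found)

# Constructed sample data: one false positive with an exception, two plain matches.
MATCHES = [
    Match("Example.Backup.Agent.Upload", "high", "drop", ("custom.backup-agent.fp",)),
    Match("Example.Web.Exploit.Attempt", "critical", "drop"),
    Match("Example.Info.Probe", "low", "pass"),
]
CUSTOM_RULES = {"custom.backup-agent.fp": "Monitor"}  # custom tag -> rule Action

if __name__ == "__main__":
    for m in MATCHES:
        print(m.fortiguard_sig, effective_action(m, CUSTOM_RULES, "recommended"))
    print("review:", exceptions_to_review(MATCHES, CUSTOM_RULES, "recommended"))
```

Each entry the helper returns is a place where traffic that the profile would drop now passes, so a false-positive exception stays justified only while its custom signature matches nothing beyond the benign traffic it was written for.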
To create, edit, and delete a custom IPS signature:
- Go to Configuration > Security.
- Select the Profile resources tab from the toolbar.
- Select Custom IPS signatures to see all custom IPS signatures created across different security profile groups.
- Do one of the following:
  - To create an IPS signature, click Create. In the slide-in, specify Tag, Comments, and Signature using the IPS syntax guide. See Creating IPS and application control signatures. Click OK. The newly created IPS signature is available to use in the Intrusion Prevention widget across different security profiles.
  - To edit an IPS signature, select the desired IPS signature and click Edit. After making the required edits, click OK.
  - To delete an IPS signature, select the desired IPS signature in the Custom IPS signatures list and click Delete. On the Confirm delete prompt, click OK.