Administration Guide

Intrusion prevention

Intrusion Prevention System (IPS) technology protects your network from cybercriminal attacks by actively seeking and blocking external threats before they can reach potentially vulnerable network devices.

FortiSASE uses signature-based defense against known attacks or vulnerability exploits. These often involve an attacker attempting to gain access to your network. The attacker must communicate with the host in an attempt to gain access, and this communication includes commands or sequences of commands and variables. The IPS signatures include these command sequences, allowing FortiSASE to detect and stop the attack.

The following table describes the IPS profiles that you can select in FortiSASE:

Profiles: Recommended, Critical, Monitor

Protect client or server traffic
  • Recommended: All (client and server)
  • Critical: All (client and server)
  • Monitor: All (client and server)

Severity of the signatures
  • Recommended: All severity levels (Info, Low, Medium, High, Critical)
  • Critical: Low, Medium, High, and Critical (Info signatures are not included)
  • Monitor: All severity levels (Info, Low, Medium, High, Critical)

Protocols to be protected
  • Recommended: All
  • Critical: All
  • Monitor: All

Operating systems to be protected
  • Recommended: All (Windows, Linux, BSD, Solaris, macOS)
  • Critical: All (Windows, Linux, BSD, Solaris, macOS)
  • Monitor: All (Windows, Linux, BSD, Solaris, macOS)

Applications to be protected
  • Recommended: All
  • Critical: All
  • Monitor: All

Action taken with traffic in which signatures are detected
  • Recommended: Pass or drop matching traffic, depending on the signature default action, which FortiGuard IPS determines.
  • Critical: For signatures with medium, high, and critical severity, block (drop) matching traffic. For signatures with low severity, pass or drop matching traffic, depending on the signature default action, which FortiGuard IPS determines.
  • Monitor: Pass (allow) matching traffic while logging it.

Enable/disable logging of signatures included in filter
  • Recommended: Enable
  • Critical: Enable
  • Monitor: Enable

FortiSASE uses the IPS extended database for protection.

For a comprehensive list of protocols and applications protected by FortiGuard IPS signatures that FortiSASE uses, see the IPS database searchable by CVE lookup, ID lookup, or other keywords at Intrusion Prevention Service.

You can also configure custom IPS rules that use custom IPS signatures. To create custom IPS signatures using appropriate signature syntax, see Creating IPS and application control signatures.

To select an IPS profile and configure custom IPS rules to apply to traffic:
  1. Go to Configuration > Security and switch to the Profiles tab from the toolbar.
  2. In the Intrusion Prevention widget, click Customize.
  3. Select a profile to apply to the traffic:

    Recommended (default): Scans traffic for all known threats and applies the action that FortiGuard IPS recommends for each signature.

    Critical: Scans traffic for low, medium, high, and critical severity threats; medium, high, and critical hits are blocked, low severity hits follow the signature default action.

    Monitor: Scans traffic for threats but does not block anything. Primarily used for logging.

  4. Create custom IPS rules:
    1. In the Custom IPS rules section, click Create.
    2. In the slide-in, click + on Signatures.
    3. In the Select Entries slide-in, click + to create a custom IPS signature and specify Tag, (optional) Comments, and Signature using the IPS signature syntax. See Creating IPS and application control signatures.
    4. Click OK.
  5. Click OK on the Confirm prompt to select the newly created entry.
  6. Specify the desired Action of Allow, Monitor, or Block for the signature.
  7. Click OK. The signature created is visible with the desired action inside the Custom IPS rules section.
  8. Click OK.
  9. (Optional) Create custom IPS signatures from the Profile resources tab.
Note

Custom IPS rules are evaluated before the selected IPS profile (Recommended, Critical, or Monitor), so a custom rule can override the profile's verdict for the traffic it matches.

You can use custom IPS rules to manage false positives: create a custom IPS signature that matches only the benign traffic, set the rule's Action to Allow or Monitor, and the profile will no longer drop that traffic. Monitor keeps a log entry for each hit, whereas Allow does not, so prefer Monitor unless the log volume is a problem, and keep the signature as narrow as possible because anything it matches bypasses the profile's signatures.
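The following is an added example, not code from the FortiSASE product or this guide. It models the evaluation order described in the note above (custom IPS rules first, then the selected profile) and the profile table earlier on this page, so you can reason about what a custom Allow/Monitor rule does to a false positive before you deploy it. The F-SBID parser handles only a small subset of keywords (--name, --protocol, --service, --flow, --pattern, --no_case); the signature names, the "Acme-VulnScanner" user agent, the sample HTTP requests, and the rule that the first matching custom rule decides the verdict are all constructed assumptions of the model, not FortiGuard data or documented engine behaviour.

```python
"""Toy model of FortiSASE IPS evaluation order: custom IPS rules are checked
first, then the selected profile. Added example, not Fortinet code. The matcher
understands only a few F-SBID keywords, and "first matching custom rule wins"
is a simplifying assumption of this model, not a documented engine detail."""
import re
from dataclasses import dataclass

# Severities each profile scans (taken from the profile table in this guide).
PROFILE_SEVERITIES = {
    "recommended": {"info", "low", "medium", "high", "critical"},
    "critical": {"low", "medium", "high", "critical"},
    "monitor": {"info", "low", "medium", "high", "critical"},
}


def profile_verdict(profile: str, severity: str, default_action: str) -> str:
    """Turn a signature hit into the profile's verdict."""
    if profile == "monitor":
        return "monitor"  # pass the traffic, log the hit
    if profile == "critical" and severity in {"medium", "high", "critical"}:
        return "drop"  # the Critical profile always blocks these
    return default_action  # otherwise FortiGuard's default action decides


_KEYWORD = re.compile(r'--(\w+)(?:\s+(?:"([^"]*)"|(\S+)))?\s*;')


def parse_fsbid(signature: str) -> dict:
    """Parse 'F-SBID( --kw value; --flag; ... )' into a dict.
    Bare flags such as --no_case map to True. Subset of the real syntax."""
    m = re.fullmatch(r"\s*F-SBID\(\s*(.*?)\s*\)\s*", signature, re.S)
    if not m:
        raise ValueError("not an F-SBID signature")
    opts = {}
    for kw in _KEYWORD.finditer(m.group(1)):
        key, quoted, bare = kw.groups()
        value = quoted if quoted is not None else bare
        opts[key] = True if value is None else value
    if "name" not in opts or "pattern" not in opts:
        raise ValueError("--name and --pattern are required in this model")
    return opts


@dataclass(frozen=True)
class Packet:
    service: str  # e.g. "HTTP"
    flow: str     # "from_client" or "from_server"
    payload: str


def matches(opts: dict, pkt: Packet) -> bool:
    """Apply the subset of F-SBID semantics this model supports."""
    if "service" in opts and opts["service"].upper() != pkt.service.upper():
        return False
    if "flow" in opts and opts["flow"] != pkt.flow:
        return False
    if opts.get("no_case"):
        return opts["pattern"].lower() in pkt.payload.lower()
    return opts["pattern"] in pkt.payload


@dataclass(frozen=True)
class FortiGuardSig:
    """Constructed stand-in for a FortiGuard signature (not a real IPS ID)."""
    signature: str
    severity: str
    default_action: str  # "pass" or "drop", as FortiGuard would decide


def evaluate(pkt: Packet, custom_rules, profile: str, fortiguard_sigs):
    """Return (action, signature name). Custom rules are checked before the
    profile, so an Allow/Monitor custom rule suppresses a profile hit."""
    for signature, action in custom_rules:
        opts = parse_fsbid(signature)
        if matches(opts, pkt):
            return action, opts["name"]
    for sig in fortiguard_sigs:
        opts = parse_fsbid(sig.signature)
        if sig.severity in PROFILE_SEVERITIES[profile] and matches(opts, pkt):
            return profile_verdict(profile, sig.severity, sig.default_action), opts["name"]
    return "pass", None


# Constructed sample data: two FortiGuard-like signatures and one custom rule.
FORTIGUARD_SIGS = [
    FortiGuardSig('F-SBID( --name "Sample.HTTP.Etc.Passwd.Traversal"; --protocol tcp; '
                  '--service HTTP; --flow from_client; --pattern "/etc/passwd"; --no_case; )',
                  "high", "drop"),
    FortiGuardSig('F-SBID( --name "Sample.HTTP.Curl.UserAgent"; --protocol tcp; '
                  '--service HTTP; --flow from_client; --pattern "User-Agent: curl"; )',
                  "info", "pass"),
]
# The internal scanner's traversal probes are a known false positive: log them
# (Monitor) instead of dropping them. Assumed scanner name, assumed keying.
CUSTOM_RULES = [
    ('F-SBID( --name "Monitor.Internal.Scanner"; --protocol tcp; --service HTTP; '
     '--flow from_client; --pattern "User-Agent: Acme-VulnScanner/"; --no_case; )',
     "monitor"),
]
SCANNER_REQ = Packet("HTTP", "from_client", "GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"
                     "Host: intranet.example\r\nUser-Agent: Acme-VulnScanner/4.2\r\n\r\n")
ATTACK_REQ = Packet("HTTP", "from_client", "GET /cgi-bin/../../ETC/PASSWD HTTP/1.1\r\n"
                    "Host: intranet.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n")
CURL_REQ = Packet("HTTP", "from_client", "GET / HTTP/1.1\r\n"
                  "Host: intranet.example\r\nUser-Agent: curl/8.0\r\n\r\n")


def run(profile: str, pkt: Packet):
    return evaluate(pkt, CUSTOM_RULES, profile, FORTIGUARD_SIGS)


if __name__ == "__main__":
    for profile in PROFILE_SEVERITIES:
        for label, pkt in (("scanner", SCANNER_REQ), ("attack", ATTACK_REQ), ("curl", CURL_REQ)):
            print(f"{profile:12s} {label:8s} -> {run(profile, pkt)}")
```

Running it shows the scanner request ending in "monitor" under every profile because the custom rule wins, the same traversal string from an ordinary browser being dropped under Recommended and Critical, and the Info severity curl signature being scanned under Recommended and Monitor but skipped entirely under Critical. The custom rule keys on a User-Agent header, which any client can set, so a real attacker who learns the scanner's string would inherit the Monitor verdict; that is why Monitor is preferable to Allow here (the hit is still logged) and why the rule should match the narrowest pattern that still covers the benign traffic.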

To create, edit, and delete a custom IPS signature:
  1. Go to Configuration > Security.
  2. Select the Profile resources tab from the toolbar.
  3. Select Custom IPS signatures to see all custom IPS signatures created across different security profile groups.
  4. Do one of the following:
    • To create an IPS signature, click Create. In the slide-in, specify Tag, Comments, and Signature using the syntax in Creating IPS and application control signatures. Click OK. The newly created IPS signature is available to use in the Intrusion Prevention widget across different security profiles.
    • To edit an IPS signature, select the desired IPS signature and click Edit. After making the required edits, click OK.
    • To delete, select the desired IPS signature available in the Custom IPS signatures list and click Delete. On the Confirm delete prompt, click OK.
