Fortinet FortiGate FortiGate-1000A Administration Manual page 302

Anomaly
302
Figure 157:Editing the portscan IPS anomaly
Figure 158:Editing the syn_fin IPS anomaly
Name The anomaly name.
Enable Select the Enable box to enable the anomaly or clear the Enable box to
disable the anomaly.
Logging Select the Logging box to enable logging for the anomaly or clear the
Logging box to disable logging for the anomaly.
Action Select an action for the FortiGate unit to take when traffic triggers this
anomaly.
Pass When a packet triggers a signature, the FortiGate unit generates an
alert and allows the packet through the firewall without further action.
If logging is disabled and action is set to Pass, the signature is
effectively disabled.
Drop When a packet triggers a signature, the FortiGate unit generates an
alert and drops the packet. The firewall session is not touched.
Fortinet recommends using an action other than Drop for TCP
connection based attacks.
Reset When a packet triggers a signature, the FortiGate unit generates an
alert and drops the packet. The FortiGate unit sends a reset to both the
client and the server and drops the firewall session from the firewall
session table.
This is used for TCP connections only. If set for non-TCP connection
based attacks, the action will behave as Clear Session. If the Reset
action is triggered before the TCP connection is fully established, it acts
as Clear Session.
Reset When a packet triggers a signature, the FortiGate unit generates an
Client alert and drops the packet. The FortiGate unit sends a reset to the client
and drops the firewall session from the firewall session table.
This is used for TCP connections only. If set for non-TCP connection
based attacks, the action will behave as Clear Session. If the Reset
Client action is triggered before the TCP connection is fully established,
it acts as Clear Session.
01-28011-0254-20051115
IPS
Fortinet Inc.