Fortinet Network Device IPS User Manual


User Guide
FortiGate
IPS User Guide
Version 3.0 MR7
www.fortinet.com



Summary of Contents for Fortinet Network Device IPS

  • Page 2 Version 3.0 MR7 September 16, 2008 01-30007-0080-20080916 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
  • Page 3: Table Of Contents

    About this document ... 6
    Document conventions ... 6
    Fortinet documentation ... 6
    Fortinet Knowledge Center ... 8
    Comments on Fortinet technical documentation ... 8
    Customer service and technical support ... 8
    IPS overview and general configuration ... 9
    The FortiGate IPS ... 9
    IPS settings and controls ...
  • Page 4

    Creating custom signatures ... 23
    Custom signature fields ... 23
    Custom signature syntax ... 24
    Example custom signatures ... 33
    Protocol decoders ... 37
    IPS sensors ... 39
    DoS sensors ... 45
    SYN flood attacks ... 51
    ICMP sweep attacks ... 55
    Index ... 59
  • Page 5: Introduction

    Topics: The FortiGate IPS; About this document; Fortinet documentation; Customer service and technical support.
    The FortiGate IPS: Spam and viruses are not the only threats facing enterprises and small businesses. Sophisticated, automated attack tools are prevalent on the Internet today, making intrusion detection and prevention vital to securing corporate networks.
  • Page 6: About This Document

    Document conventions (examples): menu commands, "Go to VPN > IPSEC > Phase 1 and select Create New."; program output, "Welcome!"; variables, <address_ipv4>.
    The most up-to-date publications and previous releases of Fortinet™ product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com. The following FortiGate product documentation ...
  • Page 7 FortiGate VLANs and VDOMs User Guide: describes how to configure VLANs and VDOMs in both NAT/Route and Transparent mode. Includes detailed examples.
  • Page 8: Fortinet Knowledge Center

    Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com. Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to techdoc@fortinet.com.
  • Page 9: Ips Overview And General Configuration

    IPS overview and general configuration. This section contains the following topics: The FortiGate IPS; Network performance; Monitoring the network and dealing with attacks; Using IPS sensors in a protection profile.
    The FortiGate IPS: An IPS is an Intrusion Prevention System for networks.
  • Page 10: When To Use Ips

    Topics: When to use IPS; Network performance; Default signature and anomaly settings; Default fail open setting.
    To create an IPS sensor, go to Intrusion Protection > IPS Sensor. See “IPS sensors” on page 39 for details. To access the protection profile IPS sensor selection, go to Firewall > ...
  • Page 11: Controlling Sessions

    Select and configure the settings for any logging locations to use. Select Apply. Go to Log&Report > Log Config > Alert Email.
    CLI session controls: set ignore-session-bytes <byte_integer>; set socket-size <ips_buffer_size>.
    Attack information: http://www.fortinet.com/FortiGuardCenter/
    Monitoring the network and dealing with attacks provides a comprehensive ...
  • Page 12: Attack Log Messages

    Action: Get more information about the attack and the steps to take from the Fortinet Attack Encyclopedia in the FortiGuard Center. Copy and paste the URL from the log message into your browser to go directly to the signature description in the Attack Encyclopedia.
  • Page 13: The Fortiguard Center

    The FortiGuard Center combines the knowledge base of the Fortinet technical team into an easily searchable database. FortiGuard Center includes both virus and attack information. Go to http://www.fortinet.com/FortiGuardCenter/. Search for attacks in the FortiGuard Attack Encyclopedia by any of the criteria ...
  • Page 14: Using Ips Sensors In A Protection Profile

    Using IPS sensors in a protection profile. Topics: Creating a protection profile that uses IPS sensors; Adding protection profiles to firewall policies.
    IPS can be combined with other FortiGate features – antivirus, spam filtering, web filtering, and web category filtering – ...
  • Page 15: Adding Protection Profiles To User Groups

    Adding protection profiles to user groups: When creating a user group, select a protection profile that applies to that group. Then, when configuring a firewall policy that includes user authentication, select one or more user groups to authenticate. Each user group selected for authentication in the firewall policy can have a different protection profile, and therefore different IPS settings, applied to it.
  • Page 17: Predefined Signatures

    Predefined signatures. This section describes: IPS predefined signatures; Viewing the predefined signature list.
    IPS predefined signatures: Predefined signatures are arranged in alphabetical order. By default, some signatures are disabled to prevent interference with common traffic, but logging is enabled for all signatures.
  • Page 18: Fine Tuning Ips Predefined Signatures For Enhanced System Performance

    Fine tuning IPS predefined signatures for enhanced system performance. By default, the signatures are sorted by name. To sort the table by another column, select the required column header name. Column: select to customize the signature information displayed in the table. You can also readjust the column order.
  • Page 19 You should also review exactly how you use the information provided by the logging feature. If you find that you do not review the information, it is best to turn off IPS logging. Logging is best used to provide actionable intelligence. To create an IPS sensor, go to Intrusion Protection > ...
  • Page 21: Custom Signatures

    Custom signatures provide the power and flexibility to customize the FortiGate Intrusion Protection system for diverse network environments. The FortiGate predefined signatures represent common attacks. If you use an unusual or specialized application or an uncommon platform, you can add custom signatures based on the security alerts released by the application and platform vendors.
  • Page 22: Custom Signature Configuration

    Custom signature configuration. Topics: Adding custom signatures using the web-based manager; Adding custom signatures using the CLI.
    Custom signature list: Create New, select to create a new custom signature; Name, the custom signature name; Signature, the signature syntax; Delete icon, select to delete the custom signature; Edit icon, select to edit the custom signature.
  • Page 23: Creating Custom Signatures

    Creating custom signatures: Custom signatures are added separately to each VDOM. In each VDOM, there can be a maximum of 255 custom signatures. A custom signature definition is limited to a maximum length of 512 characters. A definition can be a single line or span multiple lines connected by a backslash (\) at the end of each line.
  • Page 24: Custom Signature Syntax

    Custom signature syntax. Table 2: Information keywords.
    --attack_id <id_int>; This optional value is used to identify the signature. It cannot be the same value as any other custom rule within the same VDOM. If an attack ID is not specified, the FortiGate automatically assigns an attack ID to the signature.
  • Page 25 Table 4: Content keywords.
    --byte_jump <bytes_to_convert>, <offset>[, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct] [, align]; Use the byte_jump option to extract a number of bytes from a packet, convert them to their numeric representation, and jump the match reference up that many bytes (for further pattern matching or byte ...
  • Page 26 Table 4: Content keywords (Continued).
    --byte_test <bytes_to_convert>, <operator>, <value>, ...; The FortiGate unit compares a byte field against a specific value (with operator). This keyword is capable of testing binary values or converting representative byte strings to their binary equivalent and testing them.
  • Page 27 Table 4: Content keywords (Continued).
    --context {uri | header | body | host}; Specify the protocol field in which the pattern should be looked for.
    --no_case;
    --offset <offset_int>;
    --pattern [!]"<pattern_str>";
  • Page 28 Table 4: Content keywords (Continued).
    --pcre [!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUB]"; Similar to the pattern keyword, pcre is used to specify a pattern using Perl-compatible regular expressions (PCRE). A pcre keyword can be followed by a context keyword to define where to look for the ...
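The byte_jump and byte_test rows above describe how a signature walks a binary field: extract some bytes, convert them to a number, and either compare that number (byte_test) or move the match reference forward by it (byte_jump) so that later keywords match relative to a variable-length field. The following Python model is an added example, not code from the Fortinet guide; the record layout (a 2-byte length, a name, a flag byte) is invented for the demonstration, and the align behaviour (round the jump up to a 4-byte boundary) is an assumption about the modifier, since the page does not define it.

```python
# Constructed sample record: a 2-byte big-endian name length, the name, then one
# flag byte, then unrelated trailing data. The layout is invented for this
# example and is not a real protocol.
SAMPLE = bytes([0x00, 0x05]) + b"alice" + bytes([0x80]) + b"trailing"


def convert(buf: bytes, pos: int, nbytes: int, endian: str = "big",
            string: bool = False, base: int = 10) -> int:
    """Read buf[pos:pos+nbytes] as a number the way byte_test/byte_jump do.
    Binary fields are big-endian unless endian='little'; string=True reads
    ASCII digits in `base` (the string/hex/dec/oct modifiers)."""
    field = buf[pos:pos + nbytes]
    if pos < 0 or len(field) < nbytes:
        raise ValueError("field runs past the end of the packet")
    if string:
        return int(field.decode("ascii"), base)
    return int.from_bytes(field, endian)


def byte_test(buf, nbytes, op, value, offset, cursor=0, relative=False, **conv):
    """--byte_test <bytes_to_convert>, <operator>, <value>, <offset>[, relative]:
    compare the converted field with `value` using `op`."""
    pos = (cursor if relative else 0) + offset
    got = convert(buf, pos, nbytes, **conv)
    return {"<": got < value, ">": got > value, "=": got == value,
            "&": (got & value) != 0, "^": (got ^ value) != 0}[op]


def byte_jump(buf, nbytes, offset, cursor=0, relative=False, align=False, **conv):
    """--byte_jump <bytes_to_convert>, <offset>[, relative][, align]: return the
    new match reference, i.e. the end of the converted field plus its value."""
    pos = (cursor if relative else 0) + offset
    jump = convert(buf, pos, nbytes, **conv)
    if align:                      # assumption: round the jump up to a 4-byte boundary
        jump = (jump + 3) & ~3
    new_cursor = pos + nbytes + jump
    if new_cursor > len(buf):
        raise ValueError("jump lands past the end of the packet")
    return new_cursor


def oversized_name(buf: bytes, limit: int = 64) -> bool:
    """byte_test alone: flag a length field larger than the buffer a naive
    parser might allocate for the name."""
    return byte_test(buf, 2, ">", limit, 0)


def flag_bit_set(buf: bytes) -> bool:
    """byte_jump over the variable-length name, then a relative byte_test on
    the flag byte that follows it."""
    cursor = byte_jump(buf, 2, 0)
    return byte_test(buf, 1, "&", 0x80, 0, cursor=cursor, relative=True)


def jump_or_none(buf: bytes, nbytes: int, offset: int, **kw):
    """Edge case: a length field that points past the packet must fail closed
    instead of indexing outside the buffer."""
    try:
        return byte_jump(buf, nbytes, offset, **kw)
    except ValueError:
        return None


if __name__ == "__main__":
    print(oversized_name(SAMPLE))                            # False: the length is 5
    print(flag_bit_set(SAMPLE))                              # True: the byte after "alice" is 0x80
    print(jump_or_none(bytes([0x00, 0x50]) + b"ab", 2, 0))   # None: 80-byte jump in a 4-byte packet
    print(convert(b"0255", 0, 4, string=True), convert(b"ff", 0, 2, string=True, base=16))
```

The last two calls show why the string/hex/dec modifiers exist: protocols that carry lengths as ASCII digits (for example a Content-Length style header) need the field decoded as text before it can be compared or jumped over. The jump_or_none wrapper is the check a practitioner wants: an attacker controls the length field, so any jump that lands outside the packet must be treated as no match, never as an out-of-bounds read.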
  • Page 29 Table 5: IP header keywords.
    --dst_addr [!]<ipv4>;
    --ip_id <field_int>;
    --ip_option {rr | eol | nop | ts | sec | lsrr | ssrr | satid | any};
    --ip_tos <field_int>;
    --ip_ttl [< | >] <ttl_int>; Check the IP time-to-live value against the ...
    --protocol {<protocol_int> ...
  • Page 30 Table 6: TCP header keywords.
    --ack <ack_int>; Check for the specified TCP acknowledge number.
    --dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};
    --seq <seq_int>;
    --src_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};
  • Page 31 Table 6: TCP header keywords (Continued).
    --tcp_flags <FSRPAU120>[!|*|+] [,<FSRPAU120>]; Specify the TCP flags to match in a packet. S: Match the SYN flag. ...
    --window_size [!]<window_int>;
  • Page 32: Other Keywords

    Table 7: UDP header keywords.
    --dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};
    --src_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};
    Table 8: ICMP keywords.
    --icmp_code <code_int>;
    --icmp_id <id_int>;
    --icmp_seq <seq_int>;
    --icmp_type <type_int>; ...
  • Page 33: Example Custom Signatures

    Table 9: Other keywords (Continued).
    --rpc_num <app_int>[, <ver_int> | *][, <proc_int> | *];
    --same_ip;
    Example custom signatures: Custom signature fields and syntax are fully described in this chapter, though using them to build a custom signature can be complex. It is best to start with a simpler signature.
  • Page 34 The FortiGate unit will limit its search for the pattern to the HTTP protocol. Even though the HTTP protocol uses only TCP traffic, the FortiGate will search for HTTP protocol communication in TCP, UDP, and ICMP traffic. This is a needless waste of system resources.
  • Page 35 Example 2: signature to block the SMTP ‘vrfy’ command. The SMTP vrfy command can be used to verify the existence of a single email address, or it can be used to list all of the valid email accounts on an email server. A spammer could potentially use this command to obtain a list of all valid email users and direct spam to their inboxes.
  • Page 36 Use the --protocol tcp keyword to limit the effect of the custom signature to only TCP traffic. This will save system resources by not unnecessarily scanning UDP and ICMP traffic.
    F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; --protocol tcp; )
    The FortiGate unit will limit its search for the pattern to TCP traffic and ignore the pattern in UDP and ICMP network traffic.
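To see what the Example 2 signature actually selects, and to check a definition against the limits stated on page 23 (512 characters, backslash line continuation, 255 signatures per VDOM), here is an added Python model of the F-SBID parsing and matching. It is example code written for this page, not Fortinet's implementation: the Packet class, the SERVICE_PORTS mapping (SMTP to port 25, HTTP to 80) and the sample traffic are constructed, and the assumption that a bare --pattern is case-sensitive is drawn from the fact that --no_case exists as a separate modifier. The sample deliberately includes an upper-case "VRFY", which is how real mail clients send the verb.

```python
import re
from dataclasses import dataclass

MAX_SIGNATURE_LEN = 512        # limit stated on page 23 of the guide
MAX_SIGNATURES_PER_VDOM = 255  # limit stated on page 23 of the guide

# Service name -> port. Assumption for this example only; on a real unit the
# protocol decoder list (Intrusion Protection > Signature > Protocol Decoder)
# defines which ports each service decoder monitors.
SERVICE_PORTS = {"SMTP": 25, "HTTP": 80}


@dataclass
class Packet:
    """Constructed packet summary used as sample input."""
    protocol: str   # "tcp", "udp" or "icmp"
    dst_port: int
    payload: bytes


def join_continuations(text: str) -> str:
    """A definition may span several lines joined by a trailing backslash."""
    return re.sub(r"\\\r?\n\s*", "", text)


def parse_fsbid(text: str) -> dict:
    """Parse F-SBID( --keyword value; ... ) into {keyword: value}.
    Flag keywords such as --no_case map to an empty string."""
    body = join_continuations(text).strip()
    if len(body) > MAX_SIGNATURE_LEN:
        raise ValueError("definition exceeds 512 characters")
    m = re.fullmatch(r"F-SBID\(\s*(.*?)\s*\)", body, re.S)
    if not m:
        raise ValueError("not an F-SBID definition")
    sig = {}
    # Clauses are split on ';'. A pattern that itself contains ';' would need
    # quote-aware splitting; the page's examples do not, so this stays simple.
    for clause in (c.strip() for c in m.group(1).split(";")):
        if not clause:
            continue
        if not clause.startswith("--"):
            raise ValueError("keywords must start with --: " + clause)
        kw, _, val = clause[2:].partition(" ")
        sig[kw] = val.strip().strip('"')
    return sig


def is_valid(text: str) -> bool:
    """True when the definition parses and respects the 512-character limit."""
    try:
        parse_fsbid(text)
        return True
    except ValueError:
        return False


def vdom_can_add(existing_count: int) -> bool:
    """A VDOM holds at most 255 custom signatures."""
    return existing_count < MAX_SIGNATURES_PER_VDOM


def matches(sig: dict, pkt: Packet) -> bool:
    """Evaluate the keywords Example 2 uses: --protocol, --service, --pattern, --no_case."""
    if "protocol" in sig and sig["protocol"].lower() != pkt.protocol:
        return False
    if "service" in sig and SERVICE_PORTS.get(sig["service"].upper()) != pkt.dst_port:
        return False
    if "pattern" in sig:
        needle, haystack = sig["pattern"].encode(), pkt.payload
        if "no_case" in sig:        # assumption: a bare --pattern is case-sensitive
            needle, haystack = needle.lower(), haystack.lower()
        if needle not in haystack:
            return False
    return True


# The page's Example 2, written across two lines with the backslash
# continuation the guide permits, and a variant that adds --no_case.
VRFY_SIG = ('F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; \\\n'
            '        --service SMTP; --protocol tcp; )')
VRFY_SIG_NOCASE = VRFY_SIG.replace('--pattern "vrfy";', '--pattern "vrfy"; --no_case;')

# Constructed sample traffic.
SAMPLE = [
    Packet("tcp", 25, b"VRFY root\r\n"),           # 0: real clients send the verb in upper case
    Packet("tcp", 25, b"vrfy root\r\n"),           # 1: lower-case verb
    Packet("udp", 25, b"vrfy root\r\n"),           # 2: wrong transport, excluded by --protocol tcp
    Packet("tcp", 80, b"GET /vrfy HTTP/1.0\r\n"),  # 3: wrong service, excluded by --service SMTP
]


def hits(sig_text: str) -> list:
    """Indexes of SAMPLE packets the signature fires on."""
    sig = parse_fsbid(sig_text)
    return [i for i, p in enumerate(SAMPLE) if matches(sig, p)]


if __name__ == "__main__":
    print("case-sensitive:", hits(VRFY_SIG))          # [1]
    print("with --no_case:", hits(VRFY_SIG_NOCASE))   # [0, 1]
```

The point to take from the two runs: as printed on the page, the signature only fires on a lower-case "vrfy", so a client that sends "VRFY root" (the normal form) is not blocked. Adding --no_case, which Table 4 lists, closes that gap; --service and --protocol then keep the search confined to TCP port 25 as the page recommends.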
  • Page 37: Protocol Decoders

    Protocol decoders. This section describes: Protocol decoders; Upgrading the IPS protocol decoder list; Viewing the protocol decoder list.
    The FortiGate IPS uses protocol decoders to identify abnormal traffic patterns that do not meet the protocol requirements and standards. For example, the HTTP decoder monitors HTTP traffic to identify any HTTP packets that do not meet the HTTP protocol standards.
  • Page 38: Viewing The Protocol Decoder List

    To view the decoder list, go to Intrusion Protection > Signature > Protocol Decoder. Figure 6: The protocol decoder list. Protocols: the protocol decoder names. Port: the port number or numbers that the protocol decoder monitors.
  • Page 39: Ips Sensors

    IPS sensors: You can group signatures into IPS sensors for easy selection in protection profiles. You can define signatures for specific types of traffic in separate IPS sensors, and then select those sensors in profiles designed to handle that type of traffic.
  • Page 40: Adding An Ips Sensor

    Adding an IPS sensor. Default sensors: protect_client includes only the signatures designed to detect attacks against clients; it uses the default enable status and action of each signature. protect_email_server includes only the signatures designed to detect attacks against servers and the SMTP, POP3, or IMAP protocols; ...
  • Page 41 To view an IPS sensor, go to Intrusion Protection > IPS Sensor and select the Edit icon of any IPS sensor. The Edit IPS Sensor window is divided into three parts: the sensor attributes, the filters, and the overrides. Figure 9: Edit IPS sensor. IPS sensor attributes: Name ...
  • Page 42: Configuring Filters

    Configuring filters. Move To icon: after selecting this icon, enter the destination position in the window that appears, and select OK. View Rules icon: open a window listing all of the signatures included in the filter. IPS sensor overrides: Add Pre-defined, select to create an override based on a pre-defined signature.
  • Page 43: Configuring Pre-Defined And Custom Overrides

    Filter attributes: Name, Severity, Target, Protocol, Application, Enable, Logging, Action. The signatures included in the filter are only those matching every attribute specified. When created, a new filter has every attribute set to “all”, which causes every signature to be included in the filter. If the severity is changed to high, and the target is changed to server, the filter includes only signatures checking for high priority attacks targeted at servers.
  • Page 44 Note: Before an override can affect network traffic, you must add it to a filter, and you must select the filter in a protection profile applied to a policy. Until both steps are taken, the override has no effect on traffic. To edit a pre-defined or custom override, go to Intrusion Protection > ...
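The filter rule above (a signature is included only when every attribute matches, with “all” as a wildcard) and the override mechanism are easier to reason about as a small resolver. The Python below is an added example for this page, not Fortinet's code: the signature catalog and its attribute values are constructed placeholders, and two behaviours are assumptions that the page does not state outright, namely that an override on a named signature wins over any filter, and that when several filters select the same signature the first one in the sensor's order wins (which is why the Move To icon exists).

```python
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass(frozen=True)
class Signature:
    """Attributes a filter can select on, plus the signature's own defaults."""
    name: str
    severity: str        # e.g. "low", "medium", "high"
    target: str          # "client" or "server"
    protocol: str
    application: str
    default_enabled: bool
    default_action: str  # e.g. "pass" or "drop"


@dataclass
class Filter:
    """One IPS sensor filter. Attributes left at 'all' match every signature."""
    name: str
    severity: str = "all"
    target: str = "all"
    protocol: str = "all"
    application: str = "all"
    enable: bool = True
    logging: bool = True
    action: str = "default"   # "default" keeps each signature's own action

    def selects(self, sig: Signature) -> bool:
        """A signature is included only when every attribute matches."""
        return all(getattr(self, a) in ("all", getattr(sig, a))
                   for a in ("severity", "target", "protocol", "application"))


@dataclass(frozen=True)
class Override:
    """Per-signature settings that replace what the filter decided."""
    signature: str
    enable: bool
    logging: bool
    action: str


@dataclass
class Sensor:
    filters: List[Filter] = field(default_factory=list)
    overrides: List[Override] = field(default_factory=list)

    def resolve(self, sig: Signature) -> Tuple[bool, bool, str]:
        """(enabled, logging, action) this sensor applies to `sig`.
        Assumptions of this example: an override takes precedence over any
        filter, and among filters the first one that selects the signature
        wins (the sensor page lets filters be reordered with Move To)."""
        for ov in self.overrides:
            if ov.signature == sig.name:
                return ov.enable, ov.logging, ov.action
        for f in self.filters:
            if f.selects(sig):
                action = sig.default_action if f.action == "default" else f.action
                return f.enable, f.logging, action
        return False, False, "pass"   # no filter selects it: the sensor does not check it


# Constructed catalog; names and attribute values are placeholders, not real
# FortiGuard signatures (Block.SMTP.VRFY.CMD is the custom one from the page).
CATALOG = [
    Signature("Sample.Server.High",  "high", "server", "tcp", "http", True,  "drop"),
    Signature("Sample.Server.Low",   "low",  "server", "tcp", "http", True,  "pass"),
    Signature("Sample.Client.High",  "high", "client", "tcp", "http", True,  "drop"),
    Signature("Block.SMTP.VRFY.CMD", "low",  "server", "tcp", "smtp", False, "pass"),
]


def build_sensor() -> Sensor:
    """The page's example: severity=high and target=server, plus an override
    that enables and drops the custom VRFY signature from the previous chapter."""
    return Sensor(
        filters=[Filter("high-server", severity="high", target="server", action="drop")],
        overrides=[Override("Block.SMTP.VRFY.CMD", enable=True, logging=True, action="drop")],
    )


def decisions(sensor: Sensor, catalog=CATALOG) -> dict:
    """What the sensor does with each signature in the catalog."""
    return {s.name: sensor.resolve(s) for s in catalog}


if __name__ == "__main__":
    for name, (enabled, logging, action) in decisions(build_sensor()).items():
        print(f"{name:22s} enabled={enabled} logging={logging} action={action}")
```

Two things the output makes visible that the prose does not: a low-severity server signature is silently outside the sensor once severity is narrowed to high (it is neither logged nor dropped), and a custom signature that is disabled by default stays inert until either a filter that selects it sets Enable, or an override names it explicitly, which matches the note on page 44.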
  • Page 45: Dos Sensors

    DoS sensors: The FortiGate IPS uses a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. One example is a flood: a denial of service (DoS) attack in which an attacking system starts an abnormally high number of sessions with a target system.
  • Page 46: Viewing The Dos Sensor List

    Viewing the DoS sensor list. Topics: Configuring DoS sensors. To view the anomaly list, go to Intrusion Protection > DoS Sensor. Figure 12: The DoS sensor list. Create New: add a new DoS sensor to the bottom of the list. Each DoS sensor has a unique identifier.
  • Page 47 Figure 13: Edit DoS Sensor. DoS sensor attributes: Name, enter or change the DoS sensor name; Comments, enter or change an optional description of the DoS sensor (this description will appear in the DoS sensor list). Anomaly configuration columns: Name, Enable, Logging, Action, Threshold.
  • Page 48: Understanding The Anomalies

    Understanding the anomalies. Protected addresses: each entry in the protected address table includes a source and destination IP address as well as a destination port. The DoS sensor will be applied to traffic matching the three attributes in any table entry. Note: A new DoS sensor has no protected address table entries.
  • Page 49 Anomalies: tcp_dst_session, udp_flood, udp_scan, udp_src_session, udp_dst_session, icmp_flood, icmp_sweep, icmp_src_session, icmp_dst_session. Description of tcp_dst_session: if the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed.
  • Page 51: Syn Flood Attacks

    SYN flood attacks. This section describes: What is a SYN flood attack?; How SYN floods work; The FortiGate IPS response to SYN flood attacks; Configuring SYN flood protection; Suggested settings for different network conditions.
    What is a SYN flood attack? A SYN flood is a type of Denial of Service (DoS) attack.
  • Page 52: The Fortigate Ips Response To Syn Flood Attacks

    The FortiGate IPS response to SYN flood attacks. Topics: What is SYN threshold?; What is SYN proxy?; How IPS works to prevent SYN floods. After the handshaking process is complete the connection is open and data exchange can begin between the originator and the receiver, in this case the web browser and the web server.
  • Page 53 A true SYN proxy approach requires that all three packets (SYN, SYN/ACK, and ACK) are cached and replayed even before it is known if a TCP connection request is legitimate. The FortiGate IPS pseudo SYN proxy retransmits every TCP packet immediately from the packet source to the packet destination as soon as it records the necessary information for SYN flood detection.
  • Page 54: Configuring Syn Flood Protection

    Configuring SYN flood protection. Topics: Suggested settings for different network conditions. To configure SYN flood protection: go to Intrusion Protection > DoS Sensor; select Create New; configure the options for tcp_syn_flood; select OK. Figure 18: Configuring the syn_flood anomaly. The main setting that impacts the efficiency of the pseudo SYN proxy in detecting SYN floods is the threshold value.
  • Page 55: Icmp Sweep Attacks

    ICMP sweep attacks. This section describes: What is an ICMP sweep?; How ICMP sweep attacks work; The FortiGate IPS response to ICMP sweep attacks; Configuring ICMP sweep protection; Suggested settings for different network conditions.
    What is an ICMP sweep? ICMP (Internet Control Message Protocol) is a part of the IP protocol and is generally used to send error messages describing packet routing problems.
  • Page 56: Predefined Icmp Signatures

    Predefined ICMP signatures: Table 11 describes all the ICMP-related predefined signatures and the default settings for each. Note: The predefined signature descriptions are current as of the publication date. Predefined signatures may be added or changed with each Attack Definition update.
  • Page 57: Icmp Sweep Anomalies

    Table 11: Predefined ICMP sweep signatures: NMAP.Echo.Request; Redirect.Code4.Echo.Request; Sniffer.Pro.NetXRay.Echo.Request; Superscan.Echo.Request; TimeStamp.Request; TJPingPro1.1.Echo.Request; Traceroute.Traffic (traceroute is a very common network tool); Whatsup.Echo.Request.
    ICMP sweep anomalies: The FortiGate unit also detects ICMP sweeps that do not have a predefined signature to block them.
  • Page 58: Configuring Icmp Sweep Protection

    Configuring ICMP sweep protection. Topics: Suggested settings for different network conditions. To configure the ICMP sweep anomaly protection settings: go to Intrusion Protection > DoS Sensor; select Create New; configure the options for icmp_sweep, icmp_src_session, and icmp_dst_session; select OK.
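The DoS sensor chapter (protected address table on page 48, the anomaly list on page 49, the tcp_syn_flood threshold on page 54 and the icmp_sweep anomaly configured just above) describes the same mechanism in several places: count traffic that matches a protected-address entry, compare the count with a per-anomaly threshold, and act when it is exceeded. The Python below is an added example that models that logic over constructed traffic; it is not Fortinet's implementation. Its assumptions: rates are counted per one-second window, a flood anomaly reports the flooded destination while icmp_sweep reports the sweeping source, and the threshold values and sample packets are invented (the guide's “Suggested settings for different network conditions” are the values to use on a real unit).

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Pkt:
    """Constructed packet summary: timestamp in seconds, transport, addresses."""
    t: float
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0       # 0 for ICMP
    syn: bool = False    # TCP SYN without ACK, i.e. a new connection attempt


@dataclass(frozen=True)
class Protected:
    """One protected-address table entry: source, destination and destination
    port. The sensor only inspects traffic matching all three (page 48)."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None     # None = any port

    def covers(self, p: Pkt) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# Which packets each flood anomaly counts, keyed per destination and second.
# Assumption: rates are measured per second; thresholds are set per anomaly.
FLOOD_RULES = {
    "tcp_syn_flood": lambda p: p.proto == "tcp" and p.syn,
    "udp_flood":     lambda p: p.proto == "udp",
    "icmp_flood":    lambda p: p.proto == "icmp",
}


def evaluate(packets, table, thresholds) -> dict:
    """Return {anomaly_name: set of offending IPs}. Flood anomalies report the
    flooded destination; icmp_sweep reports the sweeping source."""
    per_dst = defaultdict(int)        # (anomaly, dst, second) -> packet count
    sweep = defaultdict(set)          # (src, second) -> distinct ICMP destinations
    for p in packets:
        if not any(entry.covers(p) for entry in table):
            continue                  # outside the protected addresses: not inspected
        sec = int(p.t)
        for name, rule in FLOOD_RULES.items():
            if rule(p):
                per_dst[(name, p.dst, sec)] += 1
        if p.proto == "icmp":
            sweep[(p.src, sec)].add(p.dst)
    hits = defaultdict(set)
    for (name, dst, _), n in per_dst.items():
        if n > thresholds[name]:
            hits[name].add(dst)
    for (src, _), dsts in sweep.items():
        if len(dsts) > thresholds["icmp_sweep"]:
            hits["icmp_sweep"].add(src)
    return dict(hits)


def sample_traffic():
    """Constructed: a spoofed SYN flood at 10.0.0.5:80, an ICMP sweep of
    10.0.0.0/24 from 10.1.1.9, and a little benign DNS, all inside one second."""
    pkts = [Pkt(i / 150, "tcp", f"198.51.100.{i % 250 + 1}", "10.0.0.5", 80, syn=True)
            for i in range(150)]
    pkts += [Pkt(0.2 + i / 1000, "icmp", "10.1.1.9", f"10.0.0.{i + 1}") for i in range(80)]
    pkts += [Pkt(0.5 + i / 10, "udp", "10.0.0.7", "10.0.0.53", 53) for i in range(5)]
    return pkts


# Constructed thresholds; the guide's suggested settings are the real reference.
THRESHOLDS = {"tcp_syn_flood": 100, "udp_flood": 2000, "icmp_flood": 100, "icmp_sweep": 50}
PROTECT_LAN = [Protected(dst="10.0.0.0/24")]


if __name__ == "__main__":
    print(evaluate(sample_traffic(), PROTECT_LAN, THRESHOLDS))
    # {'tcp_syn_flood': {'10.0.0.5'}, 'icmp_sweep': {'10.1.1.9'}}
```

Note what the protected address table does to the outcome: with no entry (the state of a new DoS sensor, per the note on page 48) nothing is inspected and nothing fires, and an entry restricted to destination port 80 still catches the SYN flood but makes the ICMP sweep invisible, because ICMP carries no destination port that the entry would match. Also note that the sweep is found by counting distinct destinations per source, while the 80 individual echo requests never cross the per-destination icmp_flood threshold; the two anomalies answer different questions and need to be enabled separately.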
  • Page 59: Index

