Configuring Predefined Signatures; Fine Tuning IPS Predefined Signatures For Enhanced System Performance - Fortinet Fortigate-5000 series Administration Manual

Intrusion Protection

Configuring predefined signatures

Fine tuning IPS predefined signatures for enhanced system performance

FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102
Table 36: Actions to select for each predefined signature (Continued)

Reset Server: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to the server and drops the firewall session from the firewall session table. This is used for TCP connections only. If set for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset Server action is triggered before the TCP connection is fully established, it acts as Clear Session.

Drop Session: When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. For the remainder of this packet's firewall session, all follow-up packets are dropped.

Pass Session: When a packet triggers a signature, the FortiGate unit generates an alert and allows the packet through the firewall. For the remainder of this packet's session, the IPS is bypassed by all follow-up packets.

Clear Session: When a packet triggers a signature, the FortiGate unit generates an alert and the session to which the packet belongs is removed from the session table immediately. No reset is sent. For TCP, all follow-up packets could be dropped. For UDP, all follow-up packets could trigger the firewall to create a new session.

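A toy model of the session handling that Table 36 describes, added here as an illustration and not taken from the Fortinet guide or from FortiOS. The class, method names and return strings are this example's own, and where the table says follow-up packets "could" be dropped or "could" create a new session, the model assumes that they do.

```python
from dataclasses import dataclass, field

DROP_ALL, BYPASS_IPS = "drop_all", "bypass_ips"  # per-session flags (example's own names)

@dataclass
class SessionTable:
    """Toy firewall session table; not FortiOS code."""
    sessions: dict = field(default_factory=dict)  # key -> {"proto", "established", "flag"}
    events: list = field(default_factory=list)    # alerts and resets, in order

    def open_session(self, key, proto, established=True):
        self.sessions[key] = {"proto": proto, "established": established, "flag": None}

    def effective_action(self, key, action):
        # Reset Server needs an established TCP connection; otherwise it acts as Clear Session.
        s = self.sessions[key]
        if action == "Reset Server" and not (s["proto"] == "tcp" and s["established"]):
            return "Clear Session"
        return action

    def trigger(self, key, action):
        """Apply the action to the packet that matched a signature; return that packet's fate."""
        action = self.effective_action(key, action)
        self.events.append(("alert", key, action))  # every action generates an alert
        if action == "Reset Server":
            self.events.append(("rst_to_server", key))
            del self.sessions[key]
            return "dropped"
        if action == "Drop Session":
            self.sessions[key]["flag"] = DROP_ALL
            return "dropped"
        if action == "Pass Session":
            self.sessions[key]["flag"] = BYPASS_IPS
            return "passed"
        if action == "Clear Session":
            del self.sessions[key]  # no reset is sent
            return "session cleared"
        raise ValueError(f"action not modelled: {action}")

    def follow_up(self, key, proto):
        """Fate of the next packet on the same flow (assumed outcomes where the table says 'could')."""
        s = self.sessions.get(key)
        if s is None:
            if proto == "udp":  # UDP is connectionless, so the packet can open a fresh session
                self.open_session(key, "udp")
                return "new session"
            return "dropped (no session)"  # mid-stream TCP matches no session entry
        return {DROP_ALL: "dropped", BYPASS_IPS: "passed without IPS"}.get(s["flag"], "inspected")
```

Of the four actions modelled, Pass Session is the only one after which the rest of the flow is no longer inspected.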
For each signature, configure the action the FortiGate IPS takes when it detects
an attack. The FortiGate IPS can pass, drop, reset or clear packets or sessions.
Enable or disable packet logging. Select a severity level to be applied to the
signature.
Figure 231: Configure Predefined IPS Signatures

Action: Select an action from the list. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Clear Session, or Pass Session. See Table 36 for descriptions of the actions.

Packet Log: Enable packet logging.

Severity: Select a severity level from the dropdown list. Severity level can be Information, Low, Medium, High, or Critical. Severity level is set for individual signatures.

By default, the FortiGate unit will have most of the predefined signatures enabled
and will log all of them. If left on the default settings, the FortiGate will provide your
system with the best protection available. By fine tuning the signatures and log
settings you can still provide the best protection available but also free up
valuable FortiGate resources. Fine tuning allows you to turn off features that you
are not using. By turning off signatures and logs that you do not use, you allow the
FortiGate unit to perform tasks faster thus improving overall system performance.
Not all systems require you to scan for all signatures of the IPS suite all the time.