Fortinet FortiGate Series Administration Manual page 408


Using one-arm sniffer policies to detect network attacks
If virtual domains are enabled on the FortiGate unit, sniffer policies are configured
separately for each virtual domain; you must access the VDOM before you can configure
its policies. To access a VDOM, go to System > VDOM, and in the row corresponding to
the VDOM whose policies you want to configure, select Enter.
You can add, delete, edit, and re-order policies in the sniffer policy list. Sniffer policy order
affects policy matching. As with firewall policies and DoS policies, sniffer policies are
checked against traffic in the order in which they appear in the sniffer policy list, one at a
time, from top to bottom. When a matching policy is found, it is used and further
checking for sniffer policy matches stops. If no match is found, the packet is
dropped.
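Added example, not from the Fortinet manual: a small Python model of the top-to-bottom, first-match evaluation described above, with a check that flags a policy that can never be reached because an earlier policy covers it. The policy fields, addresses and sensor names are constructed for illustration and are not FortiOS syntax.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class SnifferPolicy:
    """Hypothetical model of one row in the sniffer policy list (not FortiOS syntax)."""
    id: int
    source: str       # CIDR the policy applies to
    destination: str  # CIDR the policy applies to
    service: str      # "ANY" or "proto/port", e.g. "tcp/80"
    sensor: str       # constructed name of the IPS sensor used on a match

    def matches(self, src, dst, service):
        return (ip_address(src) in ip_network(self.source)
                and ip_address(dst) in ip_network(self.destination)
                and self.service in ("ANY", service))

    def covers(self, other):
        """True if every packet that matches `other` also matches this policy."""
        return (ip_network(other.source).subnet_of(ip_network(self.source))
                and ip_network(other.destination).subnet_of(ip_network(self.destination))
                and self.service in ("ANY", other.service))

def first_match(policies, src, dst, service):
    """Check policies top to bottom; None means no match (the packet is dropped)."""
    for policy in policies:
        if policy.matches(src, dst, service):
            return policy
    return None

def shadowed(policies):
    """(shadowed_id, shadowing_id) pairs; only single-policy coverage is detected."""
    found = []
    for i, later in enumerate(policies):
        for earlier in policies[:i]:
            if earlier.covers(later):
                found.append((later.id, earlier.id))
                break
    return found

# Constructed sample list: broad policy 1 sits above the more specific policy 2.
POLICIES = [
    SnifferPolicy(1, "0.0.0.0/0", "10.1.0.0/16", "ANY", "default-sensor"),
    SnifferPolicy(2, "0.0.0.0/0", "10.1.5.0/24", "tcp/80", "web-server-sensor"),
    SnifferPolicy(3, "192.168.0.0/16", "10.2.0.0/16", "tcp/25", "mail-sensor"),
]
REORDERED = [POLICIES[1], POLICIES[0], POLICIES[2]]  # specific policy moved up
```

With the original order, web traffic to 10.1.5.0/24 is inspected with the sensor of policy 1 and policy 2 is never used; moving policy 2 above policy 1 lets both apply.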
To view the sniffer policy list, go to Firewall > Policy > Sniffer Policy.
Figure 219: The Sniffer policy list
[Figure not reproduced. Labels in the figure: Enable or Disable a Policy, Filter, Delete, Edit, Insert Policy before, Move To]

Create New: Add a new sniffer policy. Select the down arrow beside Create New to add a new section to the list to visually group the policies.
Column Settings: Customize the table view. You can select the columns to hide or display and specify the column display order in the table. See "Using column settings to control the columns displayed" on page 103.
Section View: Select to display firewall policies organized by interface.
Global View: Select to list all firewall policies in order according to a sequence number.
Filter icon: Edit column filters to filter or sort the policy list according to the criteria you specify. For more information, see "Adding filters to web-based manager lists" on page 99.
Status: When selected, the DoS policy is enabled. Clear the checkbox to disable the policy. See "Enabling and disabling policies" on page 389.
ID: A unique identifier for each policy. Policies are numbered in the order they are created.
Source: The source address or address group to which the policy applies. For more information, see "Firewall Address" on page 421.
Destination: The destination address or address group to which the policy applies. For more information, see "Firewall Address" on page 421.
Service: The service to which the policy applies. For more information, see "Firewall Service" on page 427.
DoS: The DoS sensor selected in this policy.
Sensor: The IPS sensor selected in this policy.

FortiGate Version 4.0 MR1 Administration Guide
Firewall Policy
01-410-89802-20090903
http://docs.fortinet.com/
