Ips Options - Fortinet FortiGate Series Administration Manual


Configuring a protection profile

IPS options

The appearance of a client comforting message (for example, a progress bar) is
client-dependent. In some instances, there will be no visual client comforting cue.

During client comforting, if the file being downloaded is found to be infected, then the
FortiGate unit caches the URL and drops the connection. The client does not receive any
notification of what happened because the download to the client had already started.
Instead the download stops, and the user is left with a partially downloaded file.

If the user tries to download the same file again within a short period of time, then the
cached URL is matched and the download is blocked. The client receives the Infection
cache message replacement message as a notification that the download has been
blocked. The number of URLs in the cache is limited by the size of the cache.

Caution: Client comforting can send unscanned and therefore potentially infected content
to the client. You should only enable client comforting if you are prepared to accept this
risk. Keeping the client comforting interval high and the amount low will reduce the amount
of potentially infected data that is downloaded.

FTP and HTTP client comforting steps

The following steps show how client comforting works for an FTP or HTTP download of a
10 Mbyte file with the client comforting interval set to 20 seconds and the client comforting
amount set to 512 bytes.

1. The FTP or HTTP client requests the file.
2. The FortiGate unit buffers the file from the server. The connection is slow, so after 20
   seconds about one half of the file has been buffered.
3. The FortiGate unit continues buffering the file from the server, and also sends 512
   bytes to the client.
4. After 20 more seconds, the FortiGate unit sends the next 512 bytes of the buffered file
   to the client.
5. When the file has been completely buffered, the client has received the following
   amount of data:
   ca * (T/ci) bytes == 512 * (40/20) == 512 * 2 == 1024 bytes,
   where ca is the client comforting amount, T is the buffering time and ci is the client
   comforting interval.
6. FTP client: If the file does not contain a virus, the FortiGate unit sends the rest of the
   file to the client. If the file is infected, the FortiGate unit closes the data connection and
   sends the FTP Virus replacement message to the client.
   HTTP client: If the file does not contain a virus, the FortiGate unit sends the rest of the
   file to the client. If the file is infected, the FortiGate unit closes the data connection but
   cannot send a message to the client.

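The steps above as a small model, added here as an illustration and not taken from the Fortinet manual: it walks the comforting ticks and reports how many unscanned bytes reach the client before the file is fully buffered, which is the exposure the Caution describes. The function names, the rule that a tick landing exactly at the end of buffering still fires, the reading of 10 Mbyte as 10 * 1024 * 1024 bytes and the candidate settings are assumptions.

```python
# Added example: models the client comforting timeline from the steps above.
from dataclasses import dataclass


@dataclass
class ComfortResult:
    timeline: list          # (seconds elapsed, cumulative bytes sent to client)
    unscanned_bytes: int    # bytes the client holds when buffering completes
    exposure: float         # fraction of the file delivered unscanned


def simulate_comforting(file_size, buffer_time, interval, amount):
    """Walk the comforting ticks until the file is fully buffered.

    Assumptions (not from the manual): a tick that lands exactly on the end
    of buffering still fires, matching the manual's 40/20 == 2 example;
    a partial interval sends nothing; the total never exceeds the file size.
    """
    if interval <= 0 or amount < 0 or file_size < 0 or buffer_time < 0:
        raise ValueError("interval must be positive; other values non-negative")
    timeline, sent, t = [], 0, interval
    while t <= buffer_time and sent < file_size:
        sent = min(file_size, sent + amount)
        timeline.append((t, sent))
        t += interval
    exposure = sent / file_size if file_size else 0.0
    return ComfortResult(timeline, sent, exposure)


def compare_settings(file_size, buffer_time, settings):
    """Return {(interval, amount): unscanned bytes} for each candidate setting."""
    return {
        (ci, ca): simulate_comforting(file_size, buffer_time, ci, ca).unscanned_bytes
        for ci, ca in settings
    }


if __name__ == "__main__":
    TEN_MB = 10 * 1024 * 1024   # assumed byte size of the manual's 10 Mbyte file
    manual = simulate_comforting(TEN_MB, buffer_time=40, interval=20, amount=512)
    print(manual.timeline, manual.unscanned_bytes)
    # Constructed candidate settings: (interval in seconds, amount in bytes)
    candidates = [(20, 512), (5, 4096), (60, 512)]
    for key, leaked in compare_settings(TEN_MB, 40, candidates).items():
        print(key, leaked)
```

An interval longer than the buffering time sends nothing before the scan, while a short interval with a large amount multiplies the unscanned data the client already holds if the file turns out to be infected.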
You can use the IPS options in a protection profile to enable IPS for the protection profile
and add an IPS sensor. To add an IPS sensor, go to Firewall > Protection Profile. Select
Create New to add a protection profile, or the Edit icon beside an existing protection
profile. Then select the Expand Arrow beside IPS, select the check box to enable IPS,
select an IPS Sensor, and select OK.
For more information on IPS, see "Intrusion Protection" on page 531.

FortiGate Version 4.0 MR1 Administration Guide
Firewall Protection Profile
01-410-89802-20090903
http://docs.fortinet.com/
