Intrusion Protection Settings And Controls; When To Use Intrusion Protection; Signatures - Fortinet FortiGate Series Administration Manual

Using Intrusion Protection, you can configure the FortiGate unit to check for and automatically download updated attack definition files containing the latest signatures, or download the updated attack definition file manually. Alternatively, you can configure the FortiGate unit to allow push updates of the latest attack definition files as soon as they are available from the FortiGuard Distribution Network.

You can also create custom attack signatures for the FortiGate unit to use in addition to an extensive list of predefined attack signatures.

Whenever the Intrusion Protection system detects or prevents an attack, it generates an attack log message. You can configure the FortiGate unit to add the message to the attack log and send an alert email to administrators, as well as schedule how often it should send this alert email. You can also reduce the number of log messages and alerts by disabling signatures for attacks that will not affect your network. For example, you do not need to enable signatures to detect web attacks when there is no web server to protect.

You can also use the packet logging feature to analyze packets for false positive detection.
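
The following Python sketch is an added example, not part of the Fortinet manual. It tallies attack log messages per signature and lists the signatures that never fired against a host and port where a server actually runs, which are the candidates for disabling described above. The log lines, their key=value field names (attack, dst, dst_port), the signature names and the PROTECTED inventory are constructed assumptions.

```python
import shlex
from collections import defaultdict

# Constructed sample lines; layout and field names are assumptions for this example.
SAMPLE_LOG = """\
date=2009-09-03 time=10:01:12 attack="Example.Web.Overflow" dst=10.0.0.5 dst_port=80
date=2009-09-03 time=10:01:40 attack="Example.Web.Overflow" dst=10.0.0.9 dst_port=80
date=2009-09-03 time=10:02:03 attack="Example.Mail.Overflow" dst=10.0.0.25 dst_port=25
date=2009-09-03 time=10:05:47 attack="Example.Web.Traversal" dst=10.0.0.5 dst_port=8080
date=2009-09-03 time=10:07:19 attack="Example.Mail.Overflow" dst=10.0.0.25 dst_port=25
date=2009-09-03 time=10:09:55 attack="Example.Mail.Overflow" dst=10.0.0.25
"""

# Hypothetical inventory of (address, port) pairs where a server really runs.
PROTECTED = {("10.0.0.25", 25)}


def parse_line(line):
    """Split one key=value log line into a dict, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def tally(log_text, protected):
    """Return {signature: (total_hits, hits_on_protected_service)}."""
    counts = defaultdict(lambda: [0, 0])
    for line in log_text.splitlines():
        try:
            rec = parse_line(line)
            target = (rec["dst"], int(rec["dst_port"]))
            name = rec["attack"]
        except (KeyError, ValueError):
            continue  # incomplete or malformed record: skip rather than guess
        counts[name][0] += 1
        counts[name][1] += target in protected
    return {name: tuple(c) for name, c in counts.items()}


def disable_candidates(stats):
    """Signatures that fired, but never against a service that exists."""
    return sorted(name for name, (_, relevant) in stats.items() if relevant == 0)


if __name__ == "__main__":
    stats = tally(SAMPLE_LOG, PROTECTED)
    for name, (total, relevant) in sorted(stats.items()):
        print(f"{name:24} total={total} on_protected_service={relevant}")
    print("review for disabling:", disable_candidates(stats))
```

The result is only as good as the inventory: a server missing from PROTECTED makes its signatures look safe to disable.
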

For more information about FortiGate logging and alert email, see "Log&Report" on page 709.

Intrusion Protection settings and controls

You can configure the Intrusion Protection system and then select IPS sensors in individual firewall protection profiles.

For information about creating IPS sensors, see "Configuring IPS sensors" on page 538. For information about accessing and modifying the protection profile IPS sensor selection, see "IPS options" on page 492. For information about creating DoS sensors, see "DoS sensors" on page 545.

Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings are configured separately in each VDOM. All sensors and custom signatures will appear only in the VDOM in which they were created.

When to use Intrusion Protection

Intrusion Protection is best for large networks or for networks protecting highly sensitive information. Using IPS effectively requires monitoring and analysis of the attack logs to determine the nature and threat level of an attack. An administrator can adjust the threshold levels to ensure a balance between performance and intrusion prevention. Small businesses and home offices without network administrators may be overrun with attack log messages and not have the networking background required to configure the thresholds and other IPS settings.

However, the other protection features in the FortiGate unit, such as antivirus (including grayware), spam filters, and web filters offer excellent protection for all networks.

Signatures

The FortiGate Intrusion Protection system can use signatures once you have grouped the required signatures in an IPS sensor, and then selected the IPS sensor in the protection profile. If required, you can override the default settings of the signatures specified in an IPS sensor. The FortiGate unit provides a number of pre-built IPS sensors, but you should check their settings before using them, to ensure they meet your network requirements.

FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
