Configuring Pre-Defined And Custom Overrides - Fortinet FortiGate Series Administration Manual

Intrusion Protection

Configuring pre-defined and custom overrides

FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903
http://docs.fortinet.com/
Target
Select All, or select Specify and then the type of systems targeted by the attack.
The choices are server or client.
OS
Select All, or select Specify and then select one or more operating systems that
are vulnerable to the attack.
Signatures with an OS attribute of All affect all operating systems. These
signatures will be automatically included in any filter regardless of whether a
single, multiple, or all operating systems are specified.
Protocol
Select All, or select Specify to list what network protocols are used by the attack.
Use the Right Arrow to move the ones you want to include in the filter from the
Available to the Selected list, or the Left Arrow to remove previously selected
protocols from the filter.
Application
Select All, or select Specify to list the applications or application suites vulnerable
to the attack. Use the Right Arrow to move the ones you want to include in the
filter from the Available to the Selected list, or the Left Arrow to remove previously
selected protocols from the filter.
Quarantine Attackers (to Banned Users List)
Select to enable NAC quarantine for this filter. For more information about NAC
quarantine, see "NAC quarantine and the Banned User list" on page 678.
The FortiGate unit deals with the attack according to the IPS sensor or DoS
sensor configuration regardless of this setting.
Method
Select Attacker's IP address to block all traffic sent from the attacker's IP
address. The attacker's IP address is also added to the banned user list. The
target's address is not affected.
Select Attacker and Victim IP Addresses to block all traffic sent from the
attacker's IP address to the target (victim's) IP address. Traffic from the attacker's
IP address to addresses other than the victim's IP address is allowed. The
attacker's and target's IP addresses are added to the banned user list as one
entry.
Select Attack's Incoming Interface to block all traffic from connecting to the
FortiGate interface that received the attack. The interface is added to the banned
user list.
Expires
You can select whether the attacker is banned indefinitely or for a specified
number of days, hours, or minutes.
Signature Settings
Configure whether the filter overrides the following signature settings or accepts
the settings in the signatures.
Enable
Select from the options to specify what the FortiGate unit will do with the
signatures included in the filter: enable all, disable all, or enable or disable each
according to the individual default values shown in the signature list.
Logging
Select from the options to specify whether the FortiGate unit will create log entries
for the signatures included in the filter: enable all, disable all, or enable or disable
logging for each according to the individual default values shown in the signature
list.
Action
Select from the options to specify what the FortiGate unit will do with traffic
containing a signature match: pass all, block all, reset all, or block or pass traffic
according to the individual default values shown in the signature list.

The signatures included in the filter are only those matching every attribute specified.
When created, a new filter has every attribute set to All, which causes every signature to be
included in the filter. If the severity is changed to high, and the target is changed to server,
the filter includes only signatures checking for high priority attacks targeted at servers.

Pre-defined and custom overrides are configured and work in much the same way as
filters. Unlike filters, each override defines the behavior of one signature.
Overrides can be used in two ways:
To change the behavior of a signature already included in a filter. For example, to
protect a web server, you could create a filter that includes and enables all signatures
related to servers. If you wanted to disable one of those signatures, the simplest way
would be to create an override and mark the signature as disabled.
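The filter matching rules and the override use case described above can be modelled in a few lines of Python. This is an added example, not Fortinet code or FortiOS syntax. The signature names, IDs and attribute values are constructed, and treating a multi-value OS selection as "any of" is an assumption.

```python
from dataclasses import dataclass

ALL = "all"  # the "All" choice for a filter attribute or a signature's OS

@dataclass(frozen=True)
class Signature:
    sig_id: int
    name: str
    severity: str
    target: str          # "server" or "client"
    os: frozenset        # frozenset({ALL}) = affects every operating system
    default_enabled: bool = True

@dataclass
class Filter:
    # A new filter has every attribute set to All, so it includes everything.
    severity: object = ALL
    target: object = ALL
    os: object = ALL         # ALL, or a set of operating system names
    enable: str = "default"  # "all", "none", or "default" (per-signature value)

    def matches(self, sig):
        if self.severity != ALL and sig.severity != self.severity:
            return False
        if self.target != ALL and sig.target != self.target:
            return False
        # A signature whose OS is All passes any OS selection. Assumption:
        # its other attributes must still match, as for every signature.
        if self.os != ALL and ALL not in sig.os and not (sig.os & set(self.os)):
            return False
        return True

def effective_state(signatures, filt, overrides=None):
    """Map sig_id -> enabled; an override replaces the filter's decision for one signature."""
    overrides = overrides or {}
    state = {}
    for sig in signatures:
        if filt.matches(sig):
            enabled = {"all": True, "none": False}.get(filt.enable, sig.default_enabled)
            state[sig.sig_id] = overrides.get(sig.sig_id, enabled)
    return state

# Constructed signatures for illustration (not real FortiGuard entries).
SIGS = [
    Signature(1, "Example.Web.Server.Overflow", "high", "server", frozenset({"linux"})),
    Signature(2, "Example.Generic.Server.DoS", "high", "server", frozenset({ALL})),
    Signature(3, "Example.Browser.Exploit", "high", "client", frozenset({"windows"})),
    Signature(4, "Example.Server.InfoLeak", "low", "server", frozenset({"windows"})),
]
```

Calling `effective_state(SIGS, Filter(severity="high", target="server", enable="all"), overrides={1: False})` reproduces the web server case: both high-severity server signatures are in the filter, and only signature 1 is disabled.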
