Summary of page 1
USER GUIDE
FortiGate
IPS User Guide
Version 3.0 MR7
www.fortinet.com
Summary of page 2
FortiGate IPS User Guide Version 3.0 MR7
September 16, 2008
01-30007-0080-20080916
© Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS
Summary of page 3
Contents
Introduction ........ 5
The FortiGate IPS ........ 5
About this document ........ 6
Document conventions ........ 6
Fortinet documentation ........
Summary of page 4
Creating custom signatures ........ 23
Custom signature fields ........ 23
Custom signature syntax ........ 24
Example custom signatures ........ 33
Protocol decoders ........
Summary of page 5
Introduction
This section introduces you to the FortiGate Intrusion Prevention System (IPS) and the following topics:
• The FortiGate IPS
• About this document
• Fortinet documentation
• Customer service and technical support
The FortiGate IPS
Spam and viruses are not the only threats facing enterprises and small businesses. Sophisticated, automated attack tools are prevalent on the Internet today, making intrusion detection and prevention vital to securing corp
Summary of page 6
About this document
Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP addresses.
• Notes and Cautions are used to provide important information:
Note: Highlights useful additional information.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.
Typographic co
Summary of page 7
Fortinet documentation
• FortiGate Installation Guide: Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide for your product model number.
• FortiGate Administration Guide: Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies; how to app
Summary of page 8
Customer service and technical support
Fortinet Knowledge Center
Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any Fortinet technical documentation, t
Summary of page 9
IPS overview and general configuration
This section contains the following topics:
• The FortiGate IPS
• Network performance
• Monitoring the network and dealing with attacks
• Using IPS sensors in a protection profile
The FortiGate IPS
An IPS is an Intrusion Prevention System for networks. While early systems focused on intrusion detection, the continuing rapid growth of the Internet, and the potential for the theft of sensitive data,
Summary of page 10
To create an IPS sensor, go to Intrusion Protection > IPS Sensor. See “IPS sensors” on page 39 for details.
To access the protection profile IPS sensor selection, go to Firewall > Protection Profile, select Edit or Create New, and select IPS.
To create a DoS Sensor, go to Intrusion Protection > DoS Sensor. See “DoS sensors” on page 45 for details.
When to use IPS
IPS is best for large networks or for networks protecting highly sensi
Summary of page 11
Controlling sessions
Use this command to stop inspecting a session after a set amount of traffic has passed through it. The default is 204800 bytes. Traffic in a session beyond this threshold is not inspected, so the setting trades inspection coverage for throughput.
config ips global
    set ignore-session-bytes <bytes>
end
Setting the buffer size
Set the size of the IPS buffer. The size of the buffer is model-dependent.
config ips global
    set socket-size <size>
end
Monitoring the network and dealing with attacks
After configuring I
Summary of page 12
5 Select and configure authentication if required and enter the email addresses that will receive the alert email.
6 Enter the time interval to wait before sending log messages for each logging severity level.
Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email.
7 Select Apply.
To access log messages from memory or on the l
Summary of page 13
Anomaly
The following log message is generated when an attack anomaly is detected:
Message ID: 73001
Severity: Alert
Message: attack_id= src= dst= src_port= dst_port= interface= src_int= dst_int= status={clear_session | detected | dropped | reset} proto= service= msg=
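The status field is the part of this record worth acting on: clear_session, dropped and reset mean the FortiGate intervened, while detected means the anomaly was only logged and the traffic went through. The following Python script is an added example, not part of the guide or of Fortinet's software. It parses records laid out with the fields above and separates the detected-only hits (which need follow-up or a sensor action change) from the ones that were blocked, and ranks source addresses. The sample records are constructed for this example: the addresses, ports, interface names, attack IDs and msg text are made up, and only the field layout and the four status values come from the guide.

```python
import re
from collections import Counter

# Field names exactly as the guide lists them for message ID 73001 (attack anomaly).
FIELDS = ("attack_id", "src", "dst", "src_port", "dst_port", "interface",
          "src_int", "dst_int", "status", "proto", "service", "msg")

# The four status values the guide enumerates. Only "detected" means the
# anomaly was logged without the session being dropped, reset or cleared.
STATUSES = {"clear_session", "detected", "dropped", "reset"}

# key=value tokens; a value is either a double-quoted string (msg= in
# practice) or a run of non-whitespace characters.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S*)')

# Constructed sample records (assumption: addresses, ports, interface names,
# attack IDs and msg text are made up for this example; only the field layout
# and the status values come from the guide).
SAMPLE_LOG = """\
attack_id=100663396 src=192.0.2.10 dst=198.51.100.80 src_port=40211 dst_port=80 interface=port1 src_int=port1 dst_int=port2 status=detected proto=6 service=http msg="anomaly: tcp_syn_flood, 2000 > threshold 1000"
attack_id=100663396 src=192.0.2.10 dst=198.51.100.80 src_port=40212 dst_port=80 interface=port1 src_int=port1 dst_int=port2 status=dropped proto=6 service=http msg="anomaly: tcp_syn_flood, 2100 > threshold 1000"
attack_id=100663397 src=192.0.2.44 dst=198.51.100.53 src_port=53001 dst_port=53 interface=port1 src_int=port1 dst_int=port2 status=clear_session proto=17 service=dns msg="anomaly: udp_flood, 1500 > threshold 1000"
attack_id=100663398 src=192.0.2.10 dst=198.51.100.22 src_port=40300 dst_port=22 interface=port1 src_int=port1 dst_int=port2 status=reset proto=6 service=ssh msg="anomaly: tcp_port_scan, 60 > threshold 50"
attack_id=100663399 src=203.0.113.7 dst=198.51.100.80 src_port=5150 dst_port=80 interface=port1 src_int=port1 dst_int=port2 status=detected proto=6 service=http msg="anomaly: tcp_src_session, 300 > threshold 250"
"""


def parse_line(line):
    """Parse one anomaly record into a dict, rejecting lines that do not
    carry every field or that use a status value outside the guide's set."""
    rec = {}
    for key, val in _KV.findall(line):
        if len(val) >= 2 and val[0] == '"' and val[-1] == '"':
            val = val[1:-1]
        rec[key] = val
    missing = [f for f in FIELDS if f not in rec]
    if missing:
        raise ValueError("missing field(s): %s" % ", ".join(missing))
    if rec["status"] not in STATUSES:
        raise ValueError("unexpected status %r" % rec["status"])
    for f in ("attack_id", "src_port", "dst_port", "proto"):
        rec[f] = int(rec[f])
    return rec


def parse_log(text):
    """Parse every non-blank line of a log dump."""
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def status_counts(records):
    """How many records ended in each IPS action."""
    return Counter(r["status"] for r in records)


def unblocked(records):
    """Records the IPS only logged (status=detected): the traffic went through,
    so these are the ones that need follow-up or a sensor action change."""
    return [r for r in records if r["status"] == "detected"]


def top_sources(records, n=3):
    """Source addresses with the most anomaly records, whatever the action."""
    return Counter(r["src"] for r in records).most_common(n)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("by status:", dict(status_counts(recs)))
    for r in unblocked(recs):
        print("not blocked: attack_id=%d %s -> %s:%d (%s)" %
              (r["attack_id"], r["src"], r["dst"], r["dst_port"], r["msg"]))
    print("top sources:", top_sources(recs))
```

The parser refuses records with an unknown status rather than silently counting them, so a change in log format shows up as an error instead of as a missing alert. Run it as-is to see the constructed sample summarised, or feed parse_log() the text of an exported log.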
Summary of page 14
Using IPS sensors in a protection profile
IPS can be combined with other FortiGate features – antivirus, spam filtering, web filtering, and web category filtering – to create protection profiles. Protection profiles are then added to user groups and then to firewall policies, or added directly to firewall policies.
This section describes:
• Creating a protection profile that uses IPS sensors
• Adding p
Summary of page 15
Adding protection profiles to user groups
When creating a user group, select a protection profile that applies to that group. Then, when configuring a firewall policy that includes user authentication, select one or more user groups to authenticate. Each user group selected for authentication in the firewall policy can have a different protection profile, and therefore different IPS settings, applied to it. For
Summary of page 17
Predefined signatures
This section describes:
• IPS predefined signatures
• Viewing the predefined signature list
IPS predefined signatures
Predefined signatures are arranged in alphabetical order. By default, some signatures are disabled to prevent interference with common traffic, but logging is enabled for all signatures. Use the IPS sensor to customize the predefined signatures and apply appropriate sensors to different protection profiles.
Summary of page 18
Viewing the predefined signature list
By default, the signatures are sorted by name. To sort the table by another column, select the required column header name.
Column Settings: Select to customize the signature information displayed in the table. You can also readjust the column order.
Clear All Filters: If you have applied filtering to the predefined signature list display, select this option to clear all filters and display all the signatures.
Name: The name of the sig
Summary of page 19
You should also review exactly how you use the information provided by the logging feature. If you find that you do not review the information, it is best to turn off IPS logging. Logging is best used to provide actionable intelligence.
To create an IPS sensor
1 Go to Intrusion Protection > IPS Sensor.
2 Create a sensor and add IPS filters to it.