Updating predefined IPS signatures

The FortiGuard Service periodically updates the pre-defined signatures and adds new signatures to counter emerging threats as they appear.

Because the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.

Viewing and searching predefined IPS signatures

Go to Security Profiles > Intrusion Protection > IPS Signatures to view the list of existing IPS signatures. You may find signatures by paging manually through the list, apply filters, or by using the search field.

Searching manually

Signatures are displayed in a paged list, with 50 signatures per page. The bottom of the screen shows the current page and the total number of pages. You can enter a page number and press enter, to skip directly to that page. Previous Page and Next Page buttons move you through the list, one page at a time. The First Page and Last Page button take you to the beginning or end of the list.

Applying filters

You can enter criteria for one of more columns, and only the signatures matching all the conditions you specify will be listed.

To apply filters

1. Go to Security Profiles > Intrusion Protection > IPS Signatures.
2. Select column by which to filter.
3. Select the funnel/filter icon and enter the value or values to filter by.
4. Use additional columns as needed to refine search.

The available options vary by column. For example, Enable allows you to choose between two options, while OS has multiple options, and you may select multiple items together. Filtering by name allows you to enter a text string and all signature names containing the string will be displayed.

IPS processing in an HA cluster

IPS processing in an HA cluster is no different than with a single FortiGate unit, from the point of view of the network user. The difference appears when a secondary unit takes over from the primary, and what happens depends on the HA mode.

Active-passive

In an active-passive HA cluster, the primary unit processes all traffic just as it would in a stand-alone configuration. Should the primary unit fail, a secondary unit will assume the role of the primary unit and begin to process network traffic. By default, the state of active communication sessions are not shared with secondary units and will not survive the fail-over condition. Once the sessions are reestablished however, traffic processing will continue as normal.

If your network requires that active sessions are taken over by the new primary unit, select Enable Session Pick-up in your HA configuration. Because session information must be sent to all subordinate units on a regular basis, session pick-up is a resource-intensive feature and is not enabled by default.

Active-active

The fail-over process in an active-active cluster is similar to an active-passive cluster. When the primary unit fails, a secondary unit takes over and traffic processing continues. The load-balancing schedule used to distribute sessions to the cluster members is used by the new primary unit to redistribute sessions among the remaining subordinate units. If session pick-up is not enabled, the sessions active on the failed primary are lost, and the sessions redistributed among the secondary units may also be lost. If session pick-up is enabled, all sessions are handled according to their last-known state.

Configure IPS options

There are a number of CLI commands that influence how IPS functions.

Hardware Acceleration

In order to provide control over the hardware’s processing of IPS there are commands to configure and control the hardware accelleration of IPS. There are two settings that can be chosen, one for the network processor and one for the content processor.

Network processor acceleration can be disabled or set to enable basic acceleration.

Content processor acceleration can be disabled or set to either basic or advanced acceleration.

These Settings are only found in the CLI:

config ips global set np-accel-mode {none | basic} set cp-accel-mode {none | basic | advanced}

end

Extended IPS Database.

Some models have access to an extended IPS Database. The extended database may affect the performance of the FortiGate unit so depending on the model of the FortiGate unit the extended database package may not be enabled by default. For example, the D-series Desktop model have this option disabled by default. This feature can only be enbled through the CLI.

config ips global set database extended end

Configuring the IPS engine algorithm

The IPS engine is able to search for signature matches in two ways. One method is faster but uses more memory, the other uses less memory but is slower. Use the algorithm CLI command to select one method:

config ips global set algorithm {super | high | low | engine-pick}

end

Specify high to use the faster more memory intensive method or low for the slower memory efficient method. The setting super improves the performance for FortiGate units with more than 4GB of memory. The default setting is engine-pick, which allows the IPS engine to choose the best method on the fly.

Configuring the IPS engine-count

FortiGate units with multiple processors can run more than one IPS engine concurrently. The engine-count CLI command allows you to specify how many IPS engines are used at the same time:

config ips global set engine-count <int>

end

The recommended and default setting is 0, which allows the FortiGate unit to determine the optimum number of IPS engines.

Configuring fail-open

If the IPS engine fails for any reason, it will fail open by default. This applies for inspection of all the protocols inspected by FortiOS IPS protocol decoders, including but not limited to HTTP, HTTPS, FTP, SMTP, POP3, IMAP, etc. This means that traffic continues to flow without IPS scanning. If IPS protection is more important to your network than the uninterrupted flow if network traffic, you can disable this behavior using the fail-open CLI command:

config ips global set fail-open {enable | disable}

end

The default setting is enable.

Configuring the session count accuracy

The IPS engine can keep track of the number of open session in two ways. An accurate count uses more resources than a less accurate heuristic count.

config ips global set session-limit-mode {accurate | heuristic}

end

The default is heuristic.

Configuring the IPS buffer size

Set the size of the IPS buffer.

config ips global set socket-size <int>

end

The acceptable range is from 1 to 64 megabytes. The default size varies by model.

Configuring protocol decoders

The FortiGate Intrusion Protection system uses protocol decoders to identify the abnormal traffic patterns that do not meet the protocol requirements and standards. For example, the HTTP decoder monitors traffic to identify any HTTP packets that do not meet the HTTP protocol standards.

To change the ports a decoder examines, you must use the CLI. In this example, the ports examined by the DNS decoder are changed from the default 53 to 100, 200, and 300.

config ips decoder dns_decoder set port_list “100,200,300”

end

You cannot assign specific ports to decoders that are set to auto by default. These decoders can detect their traffic on any port. Specifying individual ports is not necessary.

Configuring security processing modules

FortiGate Security Processing Modules, such as the CE4, XE2, and FE8, can increase overall system performance by accelerating some security and networking processing on the interfaces they provide. They also allow the FortiGate unit to offload the processing to the security module, thereby freeing up its own processor for other tasks. The security module performs its own IPS and firewall processing, but you can configure it to favor IPS in hostile high-traffic environments.

If you have a security processing module, use the following CLI commands to configure it to devote more resources to IPS than firewall. This example shows the CLI commands required to configure a security module in slot 1 for increased IPS performance.

config system amc-slot edit sw1 set optimization-mode fw-ips set ips-weight balanced  set ips-p2p disable set ips-fail-open enable set fp-disable none set ipsec-inb-optimization enable set syn-proxy-client-timer 3 set syn-proxy-server-timer 3

end

In addition to offloading IPS processing, security processing modules provide a hardware accelerated SYN proxy to defend against SYN flood denial of service attacks. When using a security module, configure your DoS anomaly check for tcp_syn_flood with the Proxy action. The Proxy action activates the hardware accelerated SYN proxy.

IPS signature rate count threshold

The IPS signature threshold can allow configuring a signature so that it will not be triggered until a rate count threshold is met. This provides a more controlled recording of attack activity. For example, if multiple login attempts produce a failed result over a short period of time then an alert would be sent and perhaps traffic blocked. This would be a more rational response than sending an alert every time a login failed. The syntax for this configuration is as follows:

config ips sensor edit default config entries edit <Filter ID number> set rule <*id> set rate-count <integer between 1 – 65535> set rate-duration <integer between 1 – 65535>

The value of the rate-duration is an integer for the time in seconds. set rate-mode <continuous | periodical>

The rate-mode refers to how the count threshold is met.

If the setting is “continuous”, and the action is set to block, as soon as the rate-count is reached the action is engaged. For example, if the count is 10, as soon as the signature is triggered 10 times the traffic would be blocked.

If the setting is “periodical”, the FortiGate allows up to the value of the rate-count incidents where the signature is triggered during the rate-duration. For example, if the rate count is 100 and the duration is 60, the signature would need to be triggered 100 times in 60 seconds for the action to be engaged.

set rate-track <dest-ip | dhcp-client-mac | dns-domain | none | src-ip>

This setting allow the tracking of one of the protocol fields within the packet. end end

Enable IPS packet logging

Packet logging saves the network packets containing the traffic matching an IPS signature to the attack log. The FortiGate unit will save the logged packets to wherever the logs are configured to be stored, whether memory, internal hard drive, a FortiAnalyzer unit, or the FortiGuard Analysis and Management Service.

You can enable packet logging in the filters. Use caution in enabling packet logging in a filter. Filters configured with few restrictions can contain thousands of signatures, potentially resulting in a flood of saved packets. This would take up a great deal of space, require time to sort through, and consume considerable system resources to process. Packet logging is designed as a focused diagnostic tool and is best used with a narrow scope.

To enable packet logging for a filter

1. Create a filter in an IPS sensor. For more information, see “Creating an IPS filter” on page 58.
2. Before saving the filter, select Enable All for Packet Logging.
3. Select the IPS sensor in the security policy that allows the network traffic the FortiGate unit will examine for the signature.

For information on viewing and saving logged packets, see “Monitoring Security Profiles  activity” on page 169.

IPS examples

Configuring basic IPS protection

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable IPS protection on a FortiGate unit located in a satellite office. The satellite office contains only Windows clients.

Creating an IPS sensor

Most IPS settings are configured in an IPS sensor. IPS sensors are selected in firewall policies. This way, you can create multiple IPS sensors, and tailor them to the traffic controlled by the security policy in which they are selected. In this example, you will create one IPS sensor.

To create an IPS sensor— web-based manager

1. Go to Security Profiles > Intrusion Protection > IPS Sensors.
2. Select the Create New icon in the top of the Edit IPS Sensor window.
3. In the Name field, enter basic_ips.
4. In the Comments field, enter IPS protection for Windows clients.
5. Select OK.
6. Select the Create New drop-down to add a new component to the sensor and for the Sensor Type choose Filter
7. In the Filter Options choose the following:
   1. For Severity: select all of the options
   2. For Target: select Client
   3. For OS: select Windows
8. For the Action leave as the default.
9. Select OK to save the filter.

10.Select OK to save the IPS sensor.

To create an IPS sensor — CLI config ips sensor edit basic_ips set comment “IPS protection for Windows clients” config entries edit 1 set location client set os windows

end end

Selecting the IPS sensor in a security policy

An IPS sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an IPS sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.

To select the IPS sensor in a security policy — web-based manager

1. Go to Policy > Policy > Policy.
2. Select a policy.
3. Select the Edit
4. Enable the IPS
5. Select the basic_ips profile from the list.
6. Select OK to save the security policy.

To select the IPS sensor in a security policy — CLI config firewall policy edit 1 set utm-status enable set ips-sensor basic_ips

end

All traffic handled by the security policy you modified will be scanned for attacks against Windows clients. A small office may have only one security policy configured. If you have multiple policies, consider enabling IPS scanning for all of them.

Using IPS to protect your web server

Many companies have web servers and they must be protected from attack. Since web servers must be accessible, protection is not as simple as blocking access. IPS is one tool your FortiGate unit has to allow you to protect your network.

In this example, we will configure IPS to protect a web server. As shown in Figur e 10 on  page 69, a FortiGate unit protects a web server and an internal network. The internal network will have its own policies and configuration but we will concentrate on the web server in this example.

The FortiGate unit is configured with:

• a virtual IP to give the web server a unique address accessible from the Internet.
• a security policy to allow access to the web server from the Internet using the virtual IP.

To protect the web server using intrusion protection, you need to create an IPS sensor, populate it with filters, then enable IPS scanning in the security policy.

To create an IPS sensor

1. Go to Security Profiles > Intrusion Protection > IPS Sensors and select Create New.
2. Enter web_server as the name of the new IPS sensor.
3. Select OK.

The new IPS sensor is created but it has no filters, and therefore no signatures are included.

The web server operating system is Linux, so you need to create a filter for all Linux server signatures.

To create the Linux server filter

1. Go to Security Profiles > Intrusion Protection > IPS Sensors and select the web_server IPS sensor and select the Edit
2. Select Add Filter.
3. Enter Linux Server as the name of the new filter.
4. For Target, select Specify and choose server.
5. In the Filter Options choose the following:
   1. For Severity: select all of the options
   2. For Target: select server
   3. For OS: select Linux
6. Select OK.

 

The filter is saved and the IPS sensor page reappears. In the filter list, find the Linux Server filter and look at the value in the Count column. This shows how many signatures match the current filter settings. You can select the View Rules icon to see a listing of the included signatures.

To edit the security policy

1. Go to Policy > Policy > Policy, select security policy that allows access to the web server, and select the Edit
2. Enable IPS option and choose the web_server IPS sensor from the list.
3. Select OK.

Since IPS is enabled and the web_server IPS sensor is specified in the security policy controlling the web server traffic, the IPS sensor examines the web server traffic for matches to the signatures it contains.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!