Author Archives: Norris Carden

About Norris Carden

Norris Carden has been a Fortinet Partner since 2006 and is currently Chief Security Office for Security Forethought. Norris has worked as part of corporate information security teams and as an independent consultant. He managed a global network for a manufacturing company, and worked for Fortune 100 companies. His focus turned almost exclusively to security in 2003 when he began two years of graduate study in Information Security. Norris gained the Certified Information Security Systems Professional (CISSP) designation in 2005 and Certified Information Systems Auditor (CISA) designation in 2007. His experience with firewalls and perimeter security dates back to 1998 when Norris implemented a Firewall on Windows NT 4.0. Since then Norris has experience with firewalls from Cisco, Checkpoint, Palo Alto, Netscreen and WatchGuard. His experience with FortiGate and Unified Threat Management began in 2006. Norris was one of 28 engineers invited by Fortinet to the Xtreme Team USA in October of 2015 and attended the Xtreme Team USA again in 2016. Norris also has experience in security architecture review, vulnerability assessments, disaster planning, encryption, IT audit, network design and data center relocation.

Tuning IPS on a desktop FortiGate

A desktop FortiGate does not have the same horsepower as a full size model and sometimes traffic can cause the IPS to spike the CPU for several seconds. However IPS is still a very valuable tool for protecting your network. This client has no internal systems exposed to the Internet, so the IPS is only looking at outbound traffic.

Here was the default IPS global config on the client’s FortiGate 90D:

FortiGate90D # config ips global
FortiGate90D (global) # show
config ips global
set traffic-submit enable
end

Here are the complete IPS global options and how they were set:

FortiGate90D (global) # get
fail-open : disable
database : regular
traffic-submit : enable
anomaly-mode : continuous
session-limit-mode : heuristic
intelligent-mode : enable
socket-size : 32 (MB)
engine-count : 0
algorithm : engine-pick
sync-session-ttl : disable
cp-accel-mode : advanced
skype-client-public-ipaddr:
deep-app-insp-timeout: 86400
deep-app-insp-db-limit: 100000
exclude-signatures : industrial

IPS can usually identify an intrusion within the first 2-3 MB of data, so that 32MB setting is more than necessary. We also want to ensure that IPS doesn’t overwhelm the desktop FortiGate, so we’ll set the algorithm to low.

Here are the changes made and the resulting config:

FortiGate90D (global) # set socket-size 2
FortiGate90D (global) # set algorithm low
FortiGate90D (global) # show
config ips global
set traffic-submit enable
set socket-size 2
set algorithm low
end

FortiGate90D (global) # end
ips socket buffer size is set to 2

Finally the IPS needs to restart so that the changes take effect:

FortiGate90D # diag test application ipsmonitor 99
restarting ipsmonitor

Our monitoring now shows that the IPS engine is no longer causing as many CPU spikes as before.

Fortinet Guru article by Norris Carden, NSE4
Security 
Forethought 


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!