FortiOS 6 – Intrusion prevention

Leave a reply

Customizable replacement message when IPS blocks traffic

You can edit a replacement message that will appear specifically for IPS sensor blocked Internet access. Go to System > Replacement Messages, select Extended View and find IPS Sensor Block Page under the Security heading.

Configure IPS options

Hardware acceleration for flow-based security profiles (NTurbo and IPSA)

Some FortiGate models support a feature call NTurbo that can offload flow-based firewall sessions to NP4 or NP6 network processors. Some FortiGate models also support offloading enhanced pattern matching for flowbased security profiles to CP8 or CP9 content processors. You can use the following command to configure NTurbo and IPSA:

config ips global set np-accel-mode {none | basic} set cp-accel-mode {none | basic | advanced}

end

If the np-accel-mode option is available, your FortiGate supports NTurbo: none disables NTurbo and basic (the default) enables NTurbo. If the cp-accel-mode option is available your FortiGate supports IPSA: none disables IPSA, basic enables basic IPSA and advanced enables enhanced IPSA which can offload more types of pattern matching than basic IPSA. advanced is only available on FortiGate models with two or more CP8 processors or one or more CP9 processors.

See the Hardware Acceleration handbook chapter for more information about NTurbo and IPSA.

Extended IPS database

Some models have access to an extended IPS Database. The extended database may affect the performance of the FortiGate unit so depending on the model of the FortiGate unit the extended database package may not be enabled by default. For example, the D-series Desktop model have this option disabled by default.

This feature can only be enbled through the CLI.

config ips global set database extended

end

Configuring the IPS engine algorithm

The IPS engine is able to search for signature matches in two ways. One method is faster but uses more memory, the other uses less memory but is slower. Use the algorithm CLI command to select one method:

config ips global set algorithm {super | high | low | engine-pick}

end

Specify high to use the faster more memory intensive method or low for the slower memory efficient method. The setting super improves the performance for FortiGate units with more than 4GB of memory. The default setting is engine-pick, which allows the IPS engine to choose the best method on the fly.

Configuring the IPS engine-count

FortiGate units with multiple processors can run more than one IPS engine concurrently. The engine-count CLI command allows you to specify how many IPS engines are used at the same time:

config ips global set engine-count <int> end

Configure IPS options

The recommended and default setting is 0, which allows the FortiGate unit to determine the optimum number of IPS engines.

Configuring fail-open

IPS is likely more important to your network than uninterrupted flow of network traffic, so the fail-open behaviour of the IPS engine is disabled by default. If you would like to enable the fail-open option, use the following syntax. When enabled, if the IPS engine fails for any reason, it will fail open. This applies for inspection of all the protocols inspected by FortiOS IPS protocol decoders, including but not limited to HTTP, HTTPS, FTP, SMTP, POP3, IMAP, etc. This means that traffic continues to flow without IPS scanning. To enable:

config ips global set fail-open {enable | disable}

end

The default setting is disable.

Configuring the session count accuracy

The IPS engine can keep track of the number of open session in two ways. An accurate count uses more resources than a less accurate heuristic count.

config ips global set session-limit-mode {accurate | heuristic}

end

The default is heuristic.

Configuring IPS intelligence

Starting with FortiOS 5.2, intelligent-mode is a new adaptive detection method. This command is enabled the default and it means that the IPS engine will perform adaptive scanning so that, for some traffic, the FortiGate can quickly finish scanning and offload the traffic to NPU or kernel. It is a balanced method which could cover all known exploits. When disabled, the IPS engine scans every single byte.

config ips global set intelligent-mode {enable|disable}

end

Configuring the IPS buffer size

Set the size of the IPS buffer.

config ips global set socket-size <int>

end

The acceptable range is from 1 to 64 megabytes. The default size varies by model. In short, socket-size determines how much data the kernel passes to the IPS engine each time the engine samples packets.

Configure IPS options

Configuring protocol decoders

The FortiGate Intrusion Prevention system uses protocol decoders to identify the abnormal traffic patterns that do not meet the protocol requirements and standards. For example, the HTTP decoder monitors traffic to identify any HTTP packets that do not meet the HTTP protocol standards.

To change the ports a decoder examines, you must use the CLI. In this example, the ports examined by the DNS decoder are changed from the default 53 to 100, 200, and 300.

config ips decoder dns_decoder set port_list “100,200,300”

end

You cannot assign specific ports to decoders that are set to auto by default. These decoders can detect their traffic on any port. Specifying individual ports is not necessary.

Configuring security processing modules

FortiGate Security Processing Modules, such as the CE4, XE2, and FE8, can increase overall system performance by accelerating some security and networking processing on the interfaces they provide. They also allow the FortiGate unit to offload the processing to the security module, thereby freeing up its own processor for other tasks. The security module performs its own IPS and firewall processing, but you can configure it to favor IPS in hostile high-traffic environments.

If you have a security processing module, use the following CLI commands to configure it to devote more resources to IPS than firewall. This example shows the CLI commands required to configure a security module in slot 1 for increased IPS performance.

config system amc-slot edit sw1 set optimization-mode fw-ips set ips-weight balanced set ips-p2p disable set ips-fail-open enable set fp-disable none set ipsec-inb-optimization enable set syn-proxy-client-timer 3 set syn-proxy-server-timer 3

end

In addition to offloading IPS processing, security processing modules provide a hardware accelerated SYN proxy to defend against SYN flood denial of service attacks. When using a security module, configure your DoS anomaly check for tcp_syn_flood with the Proxy action. The Proxy action activates the hardware accelerated SYN proxy.

IPS signature rate count threshold

The IPS signature threshold can allow configuring a signature so that it will not be triggered until a rate count threshold is met. This provides a more controlled recording of attack activity. For example, if multiple login attempts produce a failed result over a short period of time then an alert would be sent and perhaps traffic blocked. This would be a more rational response than sending an alert every time a login failed.

The syntax for this configuration is as follows:

Enabling IPS packet logging

config ips sensor edit default config entries edit <Filter ID number> set rule <*id>

set rate-count <integer between 1 – 65535> set rate-duration <integer between 1 – 65535>

The value of the rate-duration is an integer for the time in seconds. set rate-mode <continuous | periodical>

The rate-mode refers to how the count threshold is met.

If the setting is “continuous”, and the action is set to block, as soon as the rate-count is reached the action is engaged. For example, if the count is 10, as soon as the signature is triggered 10 times the traffic would be blocked.

If the setting is “periodical”, the FortiGate allows up to the value of the rate-count incidents where the signature is triggered during the rate-duration. For example, if the rate count is 100 and the duration is 60, the signature would need to be triggered 100 times in 60 seconds for the action to be engaged. set rate-track <dest-ip | dhcp-client-mac | dns-domain | none | src-ip>

This setting allows the tracking of one of the protocol fields within the packet.

Geographic location filter

Place filters based on geographical location. Note that routes will not be installed if the resolved IPv6 address belongs to the country in the filter.

Any country entered for geo-filter will prevent all destination addresses that belong to that country from being installed into static routing table:

config webfilter {ips-urlfilter-setting | ips-urlfilter-setting6} edit <address> set geo-filter <country-name>

next

end

Use the following diagnose command to list the IPv4 and/or IPv6 IP ranges of a specific country:

diagnose geoip {iprange6 | iprange} <country-name>


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Pages: 1 2 3 4 5 6 7
This entry was posted in Administration Guides, FortiOS 6 and tagged , on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.