Author Archives: Mike

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

Enable IPS packet logging

Enable IPS packet logging

Packet logging saves the network packets containing the traffic matching an IPS signature to the attack log. The FortiGate unit will save the logged packets to wherever the logs are configured to be stored, whether memory, internal hard drive, a FortiAnalyzer unit, or the FortiGuard Analysis and Management Service.

You can enable packet logging in the filters. Use caution in enabling packet logging in a filter. Filters configured with few restrictions can contain thousands of signatures, potentially resulting in a flood of saved packets. This would take up a great deal of space, require time to sort through, and consume considerable system resources to process. Packet logging is designed as a focused diagnostic tool and is best used with a narrow scope.

Although logging to multiple FortiAnalyzer units is supported, packet logs are not sent to the secondary and tertiary FortiAnalyzer units. Only the primary unit receives packet logs.

 

To enable packet logging for a filter

1. Create a filter in an IPS sensor.

2. After creating the filter, right-click the filter, and select Enable under Packet Logging.

3. Select the IPS sensor in the security policy that allows the network traffic the FortiGate unit will examine for the signature.

For information on viewing and saving logged packets, see “Configuring packet logging options”.

 

IPS logging changes

IPS operations severely affected by disk logging are moved out of the quick scanning path, including logging, SNMP trap generation, quarantine, etc.

Scanning processes are dedicated to nothing but scanning, which results in more evenly distributed CPU usage. Slow (IPS) operations are taken care of in a dedicated process, which usually stays idle.

 

IPS examples

 

Configuring basic IPS protection

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable IPS protection on a FortiGate unit located in a satellite office. The satellite office contains only Windows clients.

 

Creating an IPS sensor

Most IPS settings are configured in an IPS sensor. IPS sensors are selected in firewall policies. This way, you can create multiple IPS sensors, and tailor them to the traffic controlled by the security policy in which they are selected. In this example, you will create one IPS sensor.

 

To create an IPS sensor— web-based manager

1. Go to Security Profiles > Intrusion Protection.

2. Select the Create New icon in the top of the Edit IPS Sensor window.

3. In the Name field, enter basic_ips.

4. In the Comments field, enter IPS protection for Windows clients.

5. Select OK.

6. Select the Create New drop-down to add a new component to the sensor and for the Sensor Type choose FilteBased.

7. In the Filter Options choose the following: a. For Severity: select all of the options b.  For Target: select Client only.

c. For OS: select Windows only.

8. For the Action leave as the default.

9. Select OK to save the filter.

10. Select OK to save the IPS sensor.

 

To create an IPS sensor — CLI

config ips sensor edit basic_ips

set comment “IPS protection for Windows clients” config entries

edit 1

set location client set os windows

end

end

 

Selecting the IPS sensor in a security policy

An IPS sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an IPS sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.

 

To select the IPS sensor in a security policy — web-based manager

1. Go to Policy > Policy > Policy.

2. Select a policy.

3. Select the Edit icon.

4. Enable the IPS option.

5. Select the basic_ips profile from the list.

6. Select OK to save the security policy.

 

To select the IPS sensor in a security policy — CLI

config firewall policy edit 1

set utm-status enable

set ips-sensor basic_ips end

All traffic handled by the security policy you modified will be scanned for attacks against Windows clients. A small office may have only one security policy configured. If you have multiple policies, consider enabling IPS scanning for all of them.

 

Using IPS to protect your web server

Many companies have web servers and they must be protected from attack. Since web servers must be accessible, protection is not as simple as blocking access. IPS is one tool your FortiGate unit has to allow you to protect your network.

In this example, we will configure IPS to protect a web server. As shown below, a FortiGate unit protects a web server and an internal network. The internal network will have its own policies and configuration but we will concentrate on the web server in this example.

 

A simple network configuration

The FortiGate unit is configured with:

  • a virtual IP to give the web server a unique address accessible from the Internet.
  • a security policy to allow access to the web server from the Internet using the virtual IP.

To protect the web server using intrusion protection, you need to create an IPS sensor, populate it with filters, then enable IPS scanning in the security policy.

 

To create an IPS sensor

1. Go to Security Profiles > Intrusion Protection.

2. Select Create New.

3. Enter web_server as the name of the new IPS sensor.

4. Select OK.

The new IPS sensor is created but it has no filters, and therefore no signatures are included.

The web server operating system is Linux, so you need to create a filter for all Linux server signatures.

 

To create the Linux server filter

1. Go to Security Profiles > Intrusion Protection.

2. Select the web_server IPS sensor and select the Edit icon.

3. In the Pattern Based Signatures and Filters section, select Create New.

4. For Sensor Type, select Filter Based.

5. For Filter Options.

6. In the Filter Options choose the following: a. For Severity: select all of the options b.  For Target: select server only.

c. For OS: select Linux only.

7. Select OK.

The filter is saved and the IPS sensor page reappears. In the filter list, find the Linux Server filter and look at the value in the Count column. This shows how many signatures match the current filter settings. You can select the View Rules icon to see a listing of the included signatures.

 

To edit the security policy

1. Go to Policy & Objects > IPv4 Policy select security policy that allows access to the web server, and select the Edit icon.

2. Enable IPS option and choose the web_server IPS sensor from the list.

3. Select OK.

Since IPS is enabled and the web_server IPS sensor is specified in the security policy controlling the web server traffic, the IPS sensor examines the web server traffic for matches to the signatures it contains.

 

Create and test a packet logging IPS sensor

In this example, you create a new IPS sensor and include a filter that detects the EICAR test file and saves a packet log when it is found. This is an ideal first experience with packet logging because the EICAR test file can cause no harm, and it is freely available for testing purposes.

 

Create an IPS senor

1. Go to Security Profiles > Intrusion Protection.

2. Select Create New.

3. Name the new IPS sensor EICAR_test.

4. Select OK.

 

Create an entry

1. Select the Create New.

2. For Sensor Type choose Specify Signatures.

3. Rather than search through the signature list, use the name filter by selecting the search icon over the header of the Signature column.

4. Enter EICAR in the Search field.

5. Highlight the Virus.Test.File signature by clicking on it.

6. Select Block All as the Action.

7. Enable Packet Logging.

8. Select OK to save the IPS sensor.

You are returned to the IPS sensor list. The EICAR test sensor appears in the list.

 

Add the IPS sensor to the security policy allowing Internet access

1. Go to Policy & Objects > IPv4 Policy.

2. Select the security policy that allows you to access the Internet.

3. Select the Edit icon.

4. Turn ON Log Allowed Traffic.

a. Select All Sessions

5. Enable the IPS option.

6. Choose EICAR test from the available IPS sensors.

7. Select OK.

With the IPS sensor configured and selected in the security policy, the FortiGate unit blocks any attempt to download the EICAR test file.

 

Test the IPS sensor

1. Using your web browser, go to http://www.eicar.org/anti_virus_test_file.htm.

2. Scroll to the bottom of the page and select eicar.com from the row labeled as using the standard HTTP protocol.

3. The browser attempts to download the requested file and,

  • If the file is successfully downloaded, the custom signature configuration failed at some point. Check the custom signature, the IPS sensor, and the firewall profile.
  • If the download is blocked with a high security alert message explaining that you’re not permitted to download the file, the EICAR test file was blocked by the FortiGate unit antivirus scanner before the IPS sensor could examine it. Disable antivirus scanning and try to download the EICAR test file again.
  • If no file is downloaded and the browser eventually times out, the custom signature successfully detected the EICAR test file and blocked the download.

 

Viewing the packet log

1. Go to Log&Report > Security Log > AntiVirus.

2. Locate the log entry that recorded the blocking of the EICAR test file block. The Message field data will be tools: EICAR.AV.Test.File.Download.

3. Select the View Packet Log icon in the Packet Log column.

4. The packet log viewer is displayed.

 

Configuring a Fortinet Security Processing module

The Example Corporation has a web site that is the target of SYN floods. While they investigate the source of the attacks, it’s very important that the web site remain accessible. To enhance the ability of the company’s FortiGate-100D to deal with SYN floods, the administrator will install an ASM-CE4 Fortinet Security Processing module and have all external access to the web server come though it.

The security processing modules not only accelerate and offload network traffic from the FortiGate unit’s processor, but they also accelerate and offload security and content scanning. The ability of the security module to accelerate IPS scanning and DoS protection greatly enhances the defense capabilities of the FortiGate-100D.

 

Assumptions

As shown in other examples and network diagrams throughout this document, the Example Corporation has a pair of FortiGate-100D units in an HA cluster. To simplify this example, the cluster is replaced with a single FortiGate-100D.

An ASM-CE4 is installed in the FortiGate-100D. The network is configured as shown below.

Network configuration

The Example Corporation network needs minimal changes to incorporate the ASM-CE4. Interface amc-sw1/1 of the ASM-CE4 is connected to the Internet and interface amc-sw1/1 is connected to the web server.

Since the main office network is connected to port2 and the Internet is connected to port1, a switch is installed to allow both port1 and amc-sw1/1 to be connected to the Internet.

 

The FortiGate-100D network configuration

The switch used to connect port1 and amc-sw1/1 to the Internet must be able to handle any SYN flood, all of the legitimate traffic to the web site, and all of the traffic to and from the Example Corporation internal network. If the switch can not handle the bandwidth, or if the connection to the service provider can not provide the required bandwidth, traffic will be lost.

 

Security module configuration

The Fortinet security modules come configured to give equal priority to content inspection and firewall processing. The Example Corporation is using a ASM-CE4 module to defend its web server against SYN flood attacks so firewall processing is a secondary consideration.

Use these CLI commands to configure the security module in ASM slot 1 to devote more resources to content processing, including DoS and IPS, than to firewall processing.

config system amc-slot edit sw1

set optimization-mode fw-ips set ips-weight balanced

set ips-p2p disable

set ips-fail-open enable set fp-disable none

set ipsec-inb-optimization enable set syn-proxy-client-timer 3

set syn-proxy-server-timer 3 end

These settings do not disable firewall processing. Rather, when the security module nears its processing capacity, it will chose to service content inspection over firewall processing.

 

IPS Sensor

You can group signatures into IPS sensors for easy selection when applying to firewall policies. You can define signatures for specific types of traffic in separate IPS sensors, and then select those sensors in profiles designed to handle that type of traffic. For example, you can specify all of the web-server related signatures in an IPS sensor, and that sensor can then be applied to a firewall policy that controls all of the traffic to and from a web server protected by the unit.

The FortiGuard Service periodically updates the pre-defined signatures, with signatures added to counter new threats. Since the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.

Each IPS sensor consists of two parts: filters and overrides. Overrides are always checked before filters.

Each filter consists of a number of signatures attributes. All of the signatures with those attributes, and only those attributes, are checked against traffic when the filter is run. If multiple filters are defined in an IPS Sensor, they are checked against the traffic one at a time, from top to bottom. If a match is found, the unit takes the appropriate action and stops further checking.

A signature override can modify the behavior of a signature specified in a filter. A signature override can also add a signature not specified in the sensor’s filters. Custom signatures are included in an IPS sensor using overrides.

The signatures in the overrides are first compared to network traffic. If the IPS sensor does not find any matches, it then compares the signatures in each filter to network traffic, one filter at a time, from top to bottom. If no signature matches are found, the IPS sensor allows the network traffic.

The signatures included in the filter are only those matching every attribute specified. When created, a new filter has every attribute set to all which causes every signature to be included in the filter. If the severity is changed to high, and the target is changed to server, the filter includes only signatures checking for high priority attacks targeted at servers.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configure IPS options

Configure IPS options

The following IPS configuration options are available:

  • Malicious URL database for drive-by exploits detection
  • Customizable replacement message when IPS blocks traffic
  • Hardware Acceleration
  • Extended IPS Database
  • Configuring the IPS engine algorithm
  • Configuring the IPS engine-count
  • Configuring fail-open
  • Configuring the session count accuracy
  • Configuring IPS intelligence
  • Configuring the IPS buffer size
  • Configuring protocol decoders
  • Configuring security processing modules
  • IPS signature rate count threshold

 

Malicious URL database for drive-by exploits detection

This feature uses a local malicious URL database on the FortiGate to assist in drive-by exploits detection. The database contains all malicious URLs active in the last one month, and all drive-by exploit URLs active in the last three months. The number of URLs are controlled in the one million range.

 

CLI Syntax

config ips sensor edit <profile>

set block-malicious-url [enable | disable]

next end

 

Customizable replacement message when IPS blocks traffic

You can edit a replacement message that will appear specifically for IPS sensor blocked Internet access. Go to System > Replacement Messages, and find IPS Sensor Block Page under the Security heading.

 

Hardware Acceleration for flow-based security profiles (NTurbo and IPSA)

Some FortiGate models support a feature call NTurbo that can offload flow-based firewall sessions to NP4 or NP6 network processors. Some FortiGate models also support offloading enhanced pattern matching for flow- based security profiles to CP8 or CP9 content processors. You can use the following command to configure NTurbo and IPSA:

 

config ips global

set np-accel-mode {none | basic}

set cp-accel-mode {none | basic | advanced}

end

If the np-accel-mode option is available, your FortiGate supports NTurbo: none disables NTurbo and basic (the default) enables NTurbo. If the cp-accel-mode option is available your FortiGate supports IPSA: none disables IPSA, basic enables basic IPSA and advanced enables enhanced IPSA which can offload more types of pattern matching than basic IPSA. advanced is only available on FortiGate models with two or more CP8 processors or one or more CP9 processors.

See the Hardware Acceleration handbook chapter for more information about NTurbo and IPSA.

 

Extended IPS Database

Some models have access to an extended IPS Database. The extended database may affect the performance of the FortiGate unit so depending on the model of the FortiGate unit the extended database package may not be enabled by default. For example, the D-series Desktop model have this option disabled by default.

This feature can only be enbled through the CLI.

config ips global

set database extended end

 

Configuring the IPS engine algorithm

The IPS engine is able to search for signature matches in two ways. One method is faster but uses more memory, the other uses less memory but is slower. Use the algorithm CLI command to select one method:

config ips global

set algorithm {super | high | low | engine-pick}

end

 

Specify high to use the faster more memory intensive method or low for the slower memory efficient method. The setting super improves the performance for FortiGate units with more than 4GB of memory. The default setting is engine-pick, which allows the IPS engine to choose the best method on the fly.

 

Configuring the IPS engine-count

FortiGate units with multiple processors can run more than one IPS engine concurrently. The engine-count CLI command allows you to specify how many IPS engines are used at the same time:

config ips global

set engine-count <int>

end

 

The recommended and default setting is 0, which allows the FortiGate unit to determine the optimum number of IPS engines.

 

Configuring fail-open

IPS protection is likely more important to your network than uninterrupted flow of network traffic, so the fail-open behaviour of the IPS engine is disabled by default. If you would like to enable the fail-open option, use the following syntax. When enabled, if the IPS engine fails for any reason, it will fail open. This applies for inspection of all the protocols inspected by FortiOS IPS protocol decoders, including but not limited to HTTP, HTTPS, FTP, SMTP, POP3, IMAP, etc. This means that traffic continues to flow without IPS scanning. To enable:

config ips global

set fail-open {enable | disable}

end

 

The default setting is disable.

 

Configuring the session count accuracy

The IPS engine can keep track of the number of open session in two ways. An accurate count uses more resources than a less accurate heuristic count.

config ips global

set session-limit-mode {accurate | heuristic}

end

 

The default is heuristic.

 

Configuring IPS intelligence

If intelligent-mode is enabled (the default), in most cases the IPS engine will scan the first 200 kilobytes of a session (this value is hard coded).

In some cases, however, the IPS engine will still scan all traffic in a session. If intelligent-mode is disabled, the IPS engine scans all traffic.

config ips global

set intelligent-mode [enable|disable]

end

 

Configuring the IPS buffer size

Set the size of the IPS buffer.

config ips global

set socket-size <int>

end

 

The acceptable range is from 1 to 64 megabytes. The default size varies by model. In short, socket-size determines how much data the kernel passes to the IPS engine each time the engine samples packets.

 

Configuring protocol decoders

The FortiGate Intrusion Protection system uses protocol decoders to identify the abnormal traffic patterns that do not meet the protocol requirements and standards. For example, the HTTP decoder monitors traffic to identify any HTTP packets that do not meet the HTTP protocol standards.

To change the ports a decoder examines, you must use the CLI. In this example, the ports examined by the DNS decoder are changed from the default 53 to 100, 200, and 300.

config ips decoder dns_decoder set port_list “100,200,300”

end

 

You cannot assign specific ports to decoders that are set to auto by default. These decoders can detect their traffic on any port. Specifying individual ports is not necessary.

 

Configuring security processing modules

FortiGate Security Processing Modules, such as the CE4, XE2, and FE8, can increase overall system performance by accelerating some security and networking processing on the interfaces they provide. They also allow the FortiGate unit to offload the processing to the security module, thereby freeing up its own processor for other tasks. The security module performs its own IPS and firewall processing, but you can configure it to favor IPS in hostile high-traffic environments.

If you have a security processing module, use the following CLI commands to configure it to devote more resources to IPS than firewall. This example shows the CLI commands required to configure a security module in slot 1 for increased IPS performance.

 

config system amc-slot edit sw1

set optimization-mode fw-ips set ips-weight balanced

set ips-p2p disable

set ips-fail-open enable set fp-disable none

set ipsec-inb-optimization enable set syn-proxy-client-timer 3

set syn-proxy-server-timer 3 end

In addition to offloading IPS processing, security processing modules provide a hardware accelerated SYN proxy to defend against SYN flood denial of service attacks. When using a security module, configure your DoS anomaly check for tcp_syn_flood with the Proxy action. The Proxy action activates the hardware accelerated SYN proxy.

 

IPS signature rate count threshold

The IPS signature threshold can allow configuring a signature so that it will not be triggered until a rate count threshold is met. This provides a more controlled recording of attack activity. For example, if multiple login attempts produce a failed result over a short period of time then an alert would be sent and perhaps traffic blocked. This would be a more rational response than sending an alert every time a login failed.

 

The syntax for this configuration is as follows:

config ips sensor edit default

config entries

edit <Filter ID number>

set rule <*id>

set rate-count <integer between 1 – 65535>

set rate-duration <integer between 1 – 65535>

 

The value of the rate-duration is an integer for the time in seconds.

set rate-mode <continuous | periodical>

 

The rate-mode refers to how the count threshold is met.

If the setting is “continuous”, and the action is set to block, as soon as the rate-count is reached the action is engaged. For example, if the count is 10, as soon as the signature is triggered 10 times the traffic would be blocked.

If the setting is “periodical”, the FortiGate allows up to the value of the rate-count incidents where the signature is triggered during the rate-duration. For example, if the rate count is 100 and the duration is 60, the signature would need to be triggered 100 times in 60 seconds for the action to be engaged.

set rate-track <dest-ip | dhcp-client-mac | dns-domain | none | src-ip>

 

This setting allows the tracking of one of the protocol fields within the packet.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Create a Simple Remote Access IPSec Tunnel Capability

This video is a brief introduction on how to create a Remote Access (Split Tunnel) IPSec tunnel so that remote users can IPSec into the network and access resources.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

IPS processing in an HA cluster

IPS processing in an HA cluster

IPS processing in an HA cluster is no different than with a single FortiGate unit, from the point of view of the network user. The difference appears when a secondary unit takes over from the primary, and what happens depends on the HA mode.

 

Activepassive

In an active-passive HA cluster, the primary unit processes all traffic just as it would in a stand-alone configuration. Should the primary unit fail, a secondary unit will assume the role of the primary unit and begin to process network traffic. By default, the state of active communication sessions are not shared with secondary units and will not survive the fail-over condition. Once the sessions are reestablished however, traffic processing will continue as normal.

If your network requires that active sessions are taken over by the new primary unit, select Enable Session Pick-up in your HA configuration. Because session information must be sent to all subordinate units on a regular basis, session pick-up is a resource-intensive feature and is not enabled by default.

 

Activeactive

The fail-over process in an active-active cluster is similar to an active-passive cluster. When the primary unit fails, a secondary unit takes over and traffic processing continues. The load-balancing schedule used to distribute sessions to the cluster members is used by the new primary unit to redistribute sessions among the remaining subordinate units. If session pick-up is not enabled, the sessions active on the failed primary are lost, and the sessions redistributed among the secondary units may also be lost. If session pick-up is enabled, all sessions are handled according to their last-known state.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Enable IPS scanning

Enable IPS scanning

Enabling IPS scanning involves two separate parts of the FortiGate unit:

  • The security policy allows certain network traffic based on the sender, receiver, interface, traffic type, and time of day. Firewall policies can also be used to deny traffic, but those policies do not apply to IPS scanning.
  • The IPS sensor contains filters, signature entries, or both. These specify which signatures are included in the IPS sensor.

When IPS is enabled, an IPS sensor is selected in a security policy, and all network traffic matching the policy will be checked for the signatures in the IPS sensor.

 

General configuration steps

For best results in configuring IPS scanning, follow the procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Create an IPS sensor.

2. Add signatures and /or filters.

These can be:

  • Pattern based
  • Rate based
  • Customized

3. Select a security policy or create a new one.

4. In the security policy, turn on IPS, and choose the IPS sensor from the list.

All the network traffic controlled by this security policy will be processed according to the settings in the policy. These settings include the IPS sensor you specify in the policy.

 

Creating an IPS sensor

You need to create an IPS sensor before specific signatures or filters can be choosen. The signatures can be added to a new sensor before it is saved, but it is a good practice to keep in mind that the sensor and its included filters are separte things, and therefore their creation will be treated separately.

 

To create a new IPS sensor

1. Go to Security Profiles > Intrusion Protection.

2. Select the Create New icon in the top of the Edit IPS Sensor window.

3. Enter the name of the new IPS sensor.

4. Optionally, you may also enter a comment. The comment will appear in the IPS sensor list and serves to remind you of the details of the sensor.

5. Select OK.

A newly created sensor is empty and contains no filters or signatures. You need to add one or more filters or signatures before the sensor will be of any use.

 

Adding an IPS filter to a sensor

While individual signatures can be added to a sensor, a filter allows you to add multiple signatures to a sensor by specifying the characteristics of the signatures to be added.

 

To create a new Pattern Based Signature and Filter

1. Go to Security Profiles > Intrusion Protection.

2. Select the IPS sensor to which you want to add the filter using the drop-down list in the top row of the Edit IPS Sensor window or by going to the list window.

3. Under IPS Filters, select Add Filter.

4. Configure the filter that you require. Signatures matching all of the characteristics you specify in the filter will be included in the filter. Once finished, select Use Filters.

Severity refers to the level of threat posed by the attack. The options include Critical, High, Medium, Low, and Info.

Target refers to the type of device targeted by the attack. The options include Clients and Server.

OS refers to the Operating System affected by the attack. The options include BSD, Linux, MacOS, Other,

Solaris, and Windows.

5. Once you have selected the filters you wish to add, right-click the filters and choose an action for when a signature is triggered:

 

Action                      Description
Pass                          Select Pass to allow traffic to continue to its destination.

 

Note: to see what the default for a signature is, go to the IPS Signatures page and enable the column Action, then find the row with the signature name in it.

Block                         Select Block to drop traffic matching any the signatures included in the filter.
Reset                         Select Reset to reset the session whenever the signature is triggered. In the CLI this action is referred to as Reject.
Default                      Select Default to pass all traffic matching the signatures included in the filter, regard- less of their default setting.
Quarantine               The quarantine based on the attacker’s IP Address – Traffic from the Attacker’s IP address is refused until the expiration time from the trigger is reached. You may set the Quarantine Duration to any number of Days, Hours, or Minutes.
Packet Logging       Select to enable packet logging for the filter.

 

When you enable packet logging on a filter, the unit saves a copy of the packets that match any signatures included in the filter. The packets can be analyzed later.

 

For more information about packet filtering, see “Configuring packet logging options”.


6
. Select Apply.

The filter is created and added to the filter list.

 

Adding Rate Based Signatures

These are a subset of the signatures that are found in the database that are normally set to monitor. This group of signatures is for vulnerabilities that are normally only considered a serious threat when the targeted connections come in multiples, a little like DoS attacks.

Adding a rate based signature is straight forward. Select the enable button in the Rate Based Signature table that corresponds with the desired signature.

 

Customized signatures

Customized signatures must be created before they can be added to the sensor. To get more details on customized signatures check the IPS Signatures chapter.

 

Updating predefined IPS signatures

The FortiGuard Service periodically updates the pre-defined signatures and adds new signatures to counter emerging threats as they appear.

To ensure that your system is providing the most protection available, these updates can be scheduled as often as on an hourly basis. To configure this feature, go to System > FortiGuard. Under AntiViru& IPS Scanning, enable Schedule Updates. From here you can set the updates to occur on a consistent weekly, daily, or even hourly basis.

Because the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.

 

Viewing and searching predefined IPS signatures

Go to Security Profiles > Intrusion Protection. Select [View IPS Signatures] to view the list of existing IPS signatures. You may find signatures by paging manually through the list, apply filters, or by using the search field.

 

Searching manually

Signatures are displayed in a paged list, with 50 signatures per page. The bottom of the screen shows the current page and the total number of pages. You can enter a page number and press enter, to skip directly to that page. Previous Page and Next Page buttons move you through the list, one page at a time. The First Page and Last Page button take you to the beginning or end of the list.

 

Searching CVE-IDs

A CVEID column displaying CVE-IDs can be optionally added to the IPS Signatures list, however the column is only available if the IPS package contains CVE-IDs for signatures. CVE-IDs can be numerically filtered by selecting the CVE-ID column’s arrows.

 

Applying filters

You can enter criteria for one of more columns, and only the signatures matching all the conditions you specify will be listed.

 

To apply filters

1. Go to Security Profiles > Intrusion Protection. Select [View IPS Signatures] .

2. Select column by which to filter.

3. Select the funnel/filter icon and enter the value or values to filter by.

4. Use additional columns as needed to refine search.

The available options vary by column. For example, Enable allows you to choose between two options, while OS has multiple options, and you may select multiple items together. Filtering by name allows you to enter a text string and all signature names containing the string will be displayed.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

IPS concepts

IPS concepts

The FortiGate Intrusion Protection System (IPS) protects your network from outside attacks. Your FortiGate unit has two techniques to deal with these attacks: anomaly- and signature-based defense.

 

Anomalybased defense

Anomaly-based defense is used when network traffic itself is used as a weapon. A host can be flooded with far more traffic than it can handle, making the host inaccessible. The most common example is the denial of service (DoS) attack, in which an attacker directs a large number of computers to attempt normal access of the target system. If enough access attempts are made, the target is overwhelmed and unable to service genuine users. The attacker does not gain access to the target system, but it is not accessible to anyone else.

The FortiGate DoS feature will block traffic above a certain threshold from the attacker and allow connections from other legitimate users. The DoS policy configuration can be found in the Firewall Handbook.

 

Access control lists in DoS Policies

This feature allows you to define a list of IPs/subnets/ranges in a DoS policy, and block those IPs from sending any traffic, by way of an ACL (access control list). The ACL looks similar to a firewall policy, but only checks source IP, destination IP, destination port, and protocol.

 

Syntax

config firewall acl edit 1

set interface “port1”

set srcaddr “google-drive” set dstaddr “all”

set service “ALL” next

end

 

Signature-based defense

Signature-based defense is used against known attacks or vulnerability exploits. These often involve an attacker attempting to gain access to your network. The attacker must communicate with the host in an attempt to gain access and this communication will include particular commands or sequences of commands and variables. The IPS signatures include these command sequences, allowing the FortiGate unit to detect and stop the attack.

 

Signatures

IPS signatures are the basis of signature-based intrusion protection. Every attack can be reduced to a particular string of commands or a sequence of commands and variables. Signatures include this information so your FortiGate unit knows what to look for in network traffic.

Signatures also include characteristics about the attack they describe. These characteristics include the network protocol in which the attack will appear, the vulnerable operating system, and the vulnerable application.

To view the complete list of signatures, go to Security Profiles > Intrusion Protection, and select View IPS Signatures. This will include the predefined signatures and any custom signatures that you may have created.

 

Protocol decoders

Before examining network traffic for attacks, the IPS engine uses protocol decoders to identify each protocol appearing in the traffic. Attacks are protocol-specific, so your FortiGate unit conserves resources by looking for attacks only in the protocols used to transmit them. For example, the FortiGate unit will only examine HTTP traffic for the presence of a signature describing an HTTP attack.

 

IPS engine

Once the protocol decoders separate the network traffic by protocol, the IPS engine examines the network traffic for the attack signatures.

 

IPS sensors

The IPS engine does not examine network traffic for all signatures. You must first create an IPS sensor and specify which signatures are included. Add signatures to sensors individually using signature entries, or in groups using IPS filters.

To view the IPS sensors, go to Security Profiles > Intrusion Protection.

There is a disabled group of industrial signatures. This category is disabled by default, however it can be applied through use of the CLI command below. Note that none will mean no signatures are excluded, and that industrial will exclude all industrial signatures.

 

CLI Syntax

config ips global

set exclude-signatures [none | industrial]

end

 

IPS filters

IPS sensors contain one or more IPS filters. A filter is a collection of signature attributes that you specify. The signatures that have all of the attributes specified in a filter are included in the IPS filter.

For example, if your FortiGate unit protects a Linux server running the Apache web server software, you could create a new filter to protect it. By setting OS to Linux, and Application to Apache, the filter will include only the signatures that apply to both Linux and Apache. If you wanted to scan for all the Linux signatures and all the Apache signatures, you would create two filters, one for each.

To view the filters in an IPS sensor, go to Security Profiles > Intrusion Protection, select the IPS sensor containing the filters you want to view, and select Edit.

 

Custom/predefined signature entries

Signature entries allow you to add an individual custom or predefined IPS signature. If you need only one signature, adding a signature entry to an IPS sensor is the easiest way. Signature entries are also the only way to include custom signatures in an IPS sensor.

Another use for signature entries are to change the settings of individual signatures that are already included in a filter within the same IPS sensor. Add a signature entry with the required settings above the filter, and the signature entry will take priority.

 

Policies

To use an IPS sensor, you must select it in a security policy or an interface policy. An IPS sensor that it not selected in a policy will have no effect on network traffic.

IPS is most often configured as part of a security policy. Unless stated otherwise, discussion of IPS sensor use will be in regards to firewall policies in this document.

 

Session timers for IPS sessions

A session-ttl (time to live) timer for IPS sessions is available to reduce synchronization problems between the FortiOS Kernel and IPS, and to reduce IPS memory usage. The timeout values can be customized.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Intrusion protection

Intrusion protection

The FortiGate Intrusion Protection system combines signature detection and prevention with low latency and excellent reliability. With intrusion protection, you can create multiple IPS sensors, each containing a complete configuration based on signatures. Then, you can apply any IPS sensor to any security policy.

This section describes how to configure the FortiGate Intrusion Protection settings.

If you enable virtual domains (VDOMs) on the FortiGate unit, intrusion protection is configured separately for each virtual domain.

 

The following topics are included:

  • IPS concepts
  • Enable IPS scanning
  • Configure IPS options
  • Enable IPS packet logging
  • IPS examples

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

FortiClient Profiles

FortiClient Profiles

This section describes the FortiClient Profiles endpoint protection features and configuration.

You must first enable this feature. Go to System > Feature Select and enable Endpoint Control.

This will reveal the Security Profiles > FortiClient Profiles menu item.

 

The following topics are included in this section:

  • Endpoint protection overview
  • Configuring endpoint protection
  • Configuring endpoint registration over a VPN
  • Modifying the endpoint protection replacement messages
  • Monitoring endpoints

 

Endpoint protection overview

Endpoint Protection enforces the use of up-to-date FortiClient Endpoint Security software on endpoints (workstation computers and mobile devices). It pushes a FortiClient profile to the FortiClient application, specifying security settings, including:

  • Real-time antivirus protection – on or off
  • FortiClient web category filtering based on web filters defined in a FortiGate Web Filter profile
  • FortiClient Application Control (application firewall) using application sensors defined in the FortiGate Application Control profile

 

The FortiClient profile can also:

  • Create VPN configurations
  • Install CA certificates
  • Upload logs to FortiAnalyzer or FortiManager
  • Enable use of FortiManager for client software/signature update
  • Enable a dashboard banner
  • Enable client-based logging while on-net
  • Output a mobile configuration profile (.mobileconfig file for iOS)

 

User experience

When using a web browser, the user of a non-compliant endpoint receives a replacement message HTML page from the FortiGate unit. The message explains that the user needs to install FortiClient Endpoint Security and provides a link to do so. The user cannot continue until the FortiClient software is installed.

For information about modifying the replacement page, see Modifying the endpoint protection replacement messages on page 2159.

 

Default FortiClient non-compliance message for Windows

endpoint-security-required

 

After installing FortiClient Endpoint Security, the user will receive an invitation to register with the FortiGate unit. If the user accepts the invitation, the FortiClient profile is sent to the device’s FortiClient application. Now the user is compliant and can connect to the network. FortiClient Endpoint Security registered with a FortiGate unit does not need to be separately licensed with FortiGuard.

The FortiGate unit can also register endpoints who connect over the Internet through a VPN. The user can accept an invitation to register with the FortiGate unit. See Endpoint protection overview on page 2151.

 

FortiGate endpoint registration limits

To view the number of endpoints that are registered and the total that can be registered, go to Dashboard. Under License Information, find FortiClient. You will see a line like “Clients Registered 4 of 10”. This means that there are four registered endpoints and a total of ten are allowed.

When the registration limit is reached, the next FortiClient-compatible device will not be able to register with the FortiGate unit. The user sees a message in FortiClient application about this. The FortiClient profile is not sent to client and the client cannot connect through the FortiGate unit.

For all FortiGate models, the maximum number of registered endpoints is ten. For all models except 20C, you can purchase an endpoint license to increase this capacity:

 

To add an endpoint license – web-based manager

1. Go to Dashboard.

2. In the License Information widget, under FortiClient, select Enter License, enter the license key, and select

OK.

 

Maximum registered endpoints with endpoint license

 

Model type Max Registered Endpoints
 

30 to 90 series

 

200

 

100 to 300 series

 

600

 

500 to 800 series, VM1, VM2

 

2 000

 

1000 series, VM4

 

8 000

 

3000 to 5000 series, VM8

 

20 000

 

 

Configuring endpoint protection

Endpoint Protection requires that all hosts connecting to an interface have the FortiClient Endpoint Security application installed. Make sure that all endpoints behind the interface are able to install this application. Currently, FortiClient Endpoint Security is available for Microsoft Windows (2000 and later), Apple (Mac OS X and later), and Android devices only.

 

By default, the FortiGuard service provides the FortiClient installer. If you prefer to host it on your own server, see Changing the FortiClient installer download location, below. To set up Endpoint Protection, complete the following:

  • Create a FortiClient Profile or use the default profile. See Creating a FortiClient profile on page 2153. Enable the application sensor and web category filtering profiles that you want to use.
  • Configure the FortiGate unit to support endpoint registration using FortiHeartBeat (under Network > Interfaces, allow FortiHeartBeat admission control).
  • Optionally, enforce FortiClient registration. See Enforcing FortiClient registration on page 2156.
  • Optionally, configure application sensors and web filter profiles as needed to monitor or block applications.
  • Optionally, modify the Endpoint NAC Download Portal replacement messages (one per platform). See Modifying the endpoint protection replacement messages on page 2159.

 

Creating a FortiClient profile

The default FortiClient profile has only AntiVirus, Web Filter, and VPN options enabled. You can modify this profile or create your own FortiClient profiles, including settings for iOS and Android devices.

It is possible for more than one profile to be assigned to a device type. As with security policies, clients are matched to FortiClient profiles in the order that the profiles appear in the list.

 

To create a FortiClient profile – web-based manager

1. If you will use the Application Firewall feature, go to Security Profiles > Application Control to create the Application Sensors that you will need.

2. If you will use Web Category Filtering, go to Security Profiles > Web Filter to create the Web Filter Profile that you will need.

3. Go to Security Profiles > FortiClient Profiles.

If there is only the default FortiClient profile, it will be displayed and ready to edit. At the top right of the page you can select or create other profiles.

4. Select Create New or select an existing profile and Edit it.

5. In Assign Profile To, select the device groups, user groups, and users to which this FortiClient profile applies.

This is not available for the default profile.

6. Configure the FortiClient Profile under the following tabs: Security, VPN, Advanced, and Mobile:

 

Security option                         Description
 

AntiVirus

Realtime Protection       Enable to configure AV options, including Scan File Downloads, Block malicious websites, and Block attack channels.
Scheduled Scan             Enable to configure the following:

Type: Select from Quick, Full, or Custom.

Schedule: Select from Daily, Weekly, or Monthly.

Time: Select when the scan should take place.

Excluded Paths              Enable to add paths you wish to be excluded from AV scanning.
Web Filter
Profile                               Select which Web Filter Profile you wish to use.
Client Side when On-     Select to enable client side web filtering when the device is On-Net.

Net

Application Firewall
Application Control        Select which Application Control Sensor you wish to use.

list

Monitor unknown            Enable to monitor any applications that do not fall into any Application

applications                     Control categories.

VPN option                              Description

VPN

Client

VPN Provisioning

Enable to configure the FortiClient VPN client, and enter the VPN con- figuration details.

VPN option                              Description

Allow user defined VPN

Enable to accept VPN tunnels for specific users.

VPN before Windows logon

Enable to establish the VPN connection before logging in to Windows.

 

Advanced option                       Description
 

Install CA Certificates    Enable to force the FortiClient endpoint to download CA Certificates from the FortiGate.

Disable Unregister          Enable to prevent managed endpoints from unregistering.

Option

Upload Logs to                Enable to determine where FortiClient will upload its logs. Same as Sys-

FortiAnalyzer                   tem will send the logs as configured via Log & Report > Log Settings.

Select Specify to upload them elsewhere.

FortiManager updates    Enable to download client signature updates from FortiManager from spe- cified IP addresses. Also, you can Failover to FDN when FortiManager

is not available.

Dashboard Banner          Enable to display the dashboard banner.
Client-based Logging     Enable to always save logs on the client. Logs can be viewed with the

when On-Net                    FortiClient Console.

Single Sign-on Mobil-    Enable to configure a specific server with a pre-shared key for SSO.

ity Agent

 

Mobile option                          Description
 

iOS

Web Filter                         Select which Web Filter Profile you wish to use, and select Client Side when On-Net to enable client side web filtering when the iOS device is On-Net.
Client                                 Enable to configure the FortiClient VPN client, and enter the VPN con-

VPN Provisioning             figuration details.

Distribute Con-                 Enable to select and upload a ‘.mobileconfig’ file that will be distributed to

figuration Profile              iOS devices.

Android

Mobile option                          Description

Web Filter                         Select which Web Filter Profile you wish to use, and select Client Side when On-Net to enable client side web filtering when the Android device is On-Net.

ClienVPN Provisioning

Enable to configure the FortiClient VPN client, and enter the VPN con- figuration details.

7. Select Apply.

 

To create a FortiClient profile – CLI:

This example creates a profile for Windows and Mac computers.

config endpoint-control profile edit ep-profile1

set device-groups mac windows-pc config forticlient-winmac-settings

set forticlient-av enable set forticlient-wf enable

set forticlient-wf-profile default end

end

 

To install CA certificates – CLI:

config endpoint-control profile edit <profile>

config forticlient-winmac-settings

set install-ca-certificate [enable | disable]

end next

end

 

Enforcing FortiClient registration

When you enable FortiHeartBeat on an interface, the option to enforce FortiClient registration becomes available. Devices connecting to that interface are forced to register to the FortiGate and install FortiClient before gaining access to network services.

The following example includes editing the default FortiClient Profile to enforce realtime antivirus protection and malicious website blocking.

 

To enforce FortiClient registration on the internal interface – web-based manager:

1. On the FortiGate, go to System > Feature Select and make sure that Endpoint Control is enabled.

2. Go to Network > Interfaces and edit the internal interface.

3. Under Restrict Access, enable FortiHeartBeat.

4. Under Admission Control, enable Enforce FortiHeartBeat for all FortiClients.

Optionally, you can also Exempt Sources and/or Exempt Destinations/Services. If you were to exempt a source device, that device would not require FortiClient registration to access network services or the Internet.

5. Go to Security Profiles > FortiClient Profiles.

6. Under the Security tab, enable Realtime Protection, Scan File Downloads, Block malicious websites, and Block attack channels.

 

Changing the FortiClient installer download location

By default, FortiClient installers are downloaded from the FortiGuard network. You can also host these installers on a server for your users to download. In that case, you must configure FortiOS with this custom download location. For example, to set the download location to a customer web server with address custom.example.com, enter the following command:

config endpoint-control settings set download-location custom

set download-custom-link “http://custom.example.com” end

 

Storing FortiClient configuration files

Advanced FortiClient configuration files of up to 32k may be stored:

1. Enable the advanced FortiClient configuration option in the endpoint profile:

config endpoint-control profile edit “default”

set forticlient-config-deployment enable set fct-advanced-cfg enable

set fct-advanced-cfg-buffer “hello” set forticlient-license-timeout 1 set netscan-discover-hosts enable

next end

2. Export the configuration from FortiClient (xml format).

3. Copy the contents of the configuration file and paste in the advanced FortiClient configuration box.

 

If the configure file is greater than 32k, you need to use the following CLI:

config endpoint-control profile edit <profile>

config forticlient-winmac-settings config extra-buffer-entries

edit <entry_id>

set buffer xxxxxx next

end end

next end

 

Configuring endpoint registration over a VPN

FortiGate units can register FortiClient-equipped endpoints over either an interface-based IPsec VPN or a tunnel- mode SSL VPN. After the user authenticates, the FortiGate unit sends the FortiClient application the IP address and port to be used for registration. If the user accepts the FortiGate invitation to register, registration proceeds and the FortiClient profile is downloaded to the client.

Users without FortiClient Endpoint Security connecting to the SSL VPN through a browser are redirected to a captive portal to download and install the FortiClient software.

 

Endpoint registration on an IPsec VPN

You can enable endpoint registration when you configure the FortiClient VPN or you can enable it on an existing FortiClient VPN.

 

To enable endpoint registration while configuring the VPN

  • l  Enable Allow Endpoint Registration on the Policy & Routing page of the VPN Wizard when creating the FortiClient VPN.

This is only available when Template Type is set to Remote Access with a FortiCli- ent Remote Device Type.

 

To enable endpoint registration on an existing VPN

1. Go to Network > Interfaces and edit the VPN’s tunnel interface.

The tunnel is a virtual interface under the physical network interface.

2. In Admission Control, enable FortiHeartBeat.

Optionally, you can also enable Enforce FortiHeartBeat for all FortiClients. This forces endpoints to register with FortiClient before they have network access.

3. Select OK.

 

Endpoint registration on an SSL VPN

To enable endpoint registration on the SSL VPN

1. Go to VPN > SSL-VPN Settings.

2. In Tunnel Mode Client Settings, make sure Allow Endpoint Registration is enabled.

3. Select Apply.

4. Go to Network > Interfaces and edit the ssroot interface.

5. In Admission Control, enable FortiHeartBeat.

Optionally, you can also enable Enforce FortiHeartBeat for all FortiClients. This forces endpoints to register with FortiClient before they have network access.

6. Select OK.

This procedure does not include all settings needed to configure a working SSL VPN.

 

Synchronizing endpoint registrations

To support roaming users in a network with multiple FortiGate units, you need to configure synchronization of the endpoint registration databases between the units. The registered endpoints are then recognized on all of the FortiGate units. This is configured in the CLI. For example, to synchronize this FortiGate unit’s registered endpoint database with another unit named other1 at IP address 172.20.120.4, enter:

config endpoint-control forticlient-registration-sync edit other1

set peer-ip 172.20.120.4 end

 

Modifying the endpoint protection replacement messages

If the security policy has Redirect all non-compliant/unregistered FortiClient compatible devices to a captive portal enabled, users of non-compliant devices are redirected to a captive portal that is defined by the Endpoint NAC Download Portal replacement message. There are different portals for Android, iOS, Mac, Windows, Quarantine, and “other” devices.

 

To modify the the endpoint protection replacement messages

1. Go to System > Replacement Messages and select Extended View.

2. In the Endpoint Control section select the message that you want to edit.

The replacement message and its HTML code appear in a split screen in the lower half of the page.

3. Modify the text as needed and select Save.

 

Monitoring endpoints

Go to Monitor > FortiClient Monitor to monitor endpoints.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!