
DLP examples

To view or modify the replacement message text, go to System > Replacement Messages.

 

Blocking content with credit card numbers

When the objective is to block credit card numbers, remember that two filters are needed in the sensor: one for messages and one for files.

In the default Credit-Card sensor, you will notice a few things.

  • The Action is set to Log Only
  • In the Files filter not all of the services are being examined.

If you wish to block as much content containing credit card numbers as possible, instead of merely logging most of the traffic that contains them, the existing sensor has to be edited.

1. Go to Security Profiles > Data Leak Prevention.

Some configurations already have a preconfigured Credit-Card sensor, which you can select from the drop down menu. If your configuration does not have one, create a new sensor.

2. Use the Create New icon to add a new sensor.

3. Create/edit the first filter. Use the following settings:

Filter

Filter                                           Messages

Filter option                               Credit Card #

 

Examine the Following Services

Make sure all of the services are being examined.

 

Action

Set action to Block. Select OK or Apply.

4. Create/edit the second filter. Use the following settings:

Filter

Filter                                           Files

Filter option                               Credit Card #

Examine the Following Services

Make sure all of the services are being examined.

Action

Set action to Block. Select OK or Apply.

5. Edit the appropriate policies so that under Security Profiles, DLP is turned on and the CreditCard sensor is selected.
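What the Credit Card # filter looks for can be modelled outside the FortiGate. The following Python is an added example, not FortiGate code and not a description of Fortinet's matcher: it finds digit runs in message text, normalises spaces and dashes, checks the number against the Visa, MasterCard and American Express prefixes that the preconfigured Credit-Card sensor covers, and applies the Luhn checksum to discard random digit strings that merely look like card numbers. The sample messages are constructed; the numbers in them are well-known test values, not real accounts.

```python
import re

# Candidate digit runs of 13 to 19 digits, optionally separated by spaces or dashes.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Brand prefixes the preconfigured Credit-Card sensor covers, matched on the normalised digits.
# MasterCard's newer 2221-2720 range is omitted on purpose; add it if your sensor needs it.
BRANDS = {
    "Visa": re.compile(r"^4\d{12}(?:\d{3})?$"),
    "MasterCard": re.compile(r"^5[1-5]\d{14}$"),
    "American Express": re.compile(r"^3[47]\d{13}$"),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: every second digit from the right is doubled (minus 9 if the result exceeds 9)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return (brand, normalised number) for every plausible card number in text."""
    hits = []
    for m in CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        brand = next((b for b, rx in BRANDS.items() if rx.match(digits)), None)
        if brand is not None and luhn_ok(digits):
            hits.append((brand, digits))
    return hits


def filter_action(text: str, action: str = "block") -> str:
    """Outcome of a Messages filter set to 'Containing: Credit Card #' with the given action."""
    return action if find_card_numbers(text) else "none"


# Constructed sample messages (not captured traffic); the card numbers are well-known test values.
SAMPLES = [
    "Please charge 4111 1111 1111 1111 for the order",   # Visa, Luhn valid
    "Invoice paid with 5500-0000-0000-0004",              # MasterCard, Luhn valid
    "Amex on file: 378282246310005",                      # American Express, Luhn valid
    "Ticket 4111111111111112 is a reference number",      # looks like Visa, fails Luhn
    "Call 555-0100, order 20240101",                      # no digit run of card length
]

if __name__ == "__main__":
    for msg in SAMPLES:
        print(filter_action(msg), find_card_numbers(msg), "<-", msg)
```

The Luhn step is what separates a usable block filter from one that blocks invoice numbers and ticket IDs; a plain regular expression filter on the FortiGate cannot express the checksum, which is why the built-in Credit Card # option is preferable to a hand-written pattern.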

 

Blocking emails larger than 15 MB and logging emails from 5 MB to 15 MB

Multiple filters have to be used in this case, and the order in which they are evaluated matters. Because there is no mechanism to move filters within a sensor, they must be added in the order in which you want them applied.

1. Go to Security Profiles > Data Leak Prevention.

2. Use the Create New icon to add a new sensor.

Use the following values:

Name                                           large_emails

Comment                                    <optional>

 

Once the Sensor has been created, a new filter will need to be added.

3. Create the filter to block the emails over 15 MB. In the filters table select Create New.

 

Use the following values:

Filter

Filter                                           Messages

Filter option                               File Size >=

KB                                               15360 (1MB = 1024KB, 15 MB = 15 x 1024KB = 15360KB)

 

Examine the Following Services

Make sure all of the Email services are being examined.

 

Action

Set action to Block. Select OK.

4. Create the filter to log emails between 5 MB and 15 MB. In the filters table select Create New.

Use the following values

Filter

Filter                                           Messages

Filter option                               File Size >=

KB                                               5120 (1MB = 1024KB, 5 MB = 5 x 1024KB = 5120KB)

 

Examine the Following Services

Make sure all of the Email services are being examined.

 

Action

Set action to Log Only. Select OK.

The block filter is placed first because the filters are applied in sequence: once traffic triggers a filter, that filter's action is applied before the remaining filters are tested. If the Log Only filter, which matches anything of 5 MB or more, came first, it would also match traffic over 15 MB, so a 16 MB email would only be logged. In the order described, a 16 MB email is blocked and a 10 MB email is logged.
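The ordering rule above is easy to get wrong and hard to see in the GUI once the sensor is saved. The following Python is an added example, not FortiGate code: it models a sensor as an ordered list of File Size >= filters where the first filter a message satisfies decides the action (that first-match model is an assumption, chosen because it reproduces the outcome described above), and includes a small check that reports filters an earlier, broader filter would shadow.

```python
from dataclasses import dataclass

KB_PER_MB = 1024


@dataclass(frozen=True)
class SizeFilter:
    name: str
    min_kb: int      # "File Size >=" threshold in KB, as entered in the sensor
    action: str      # "block", "log-only" or "none"


def evaluate(filters: list, size_kb: int) -> str:
    """Action of the first filter the message satisfies; 'none' if nothing matches.

    Assumption: filters are tested in the order they were added and the first hit decides.
    """
    for f in filters:
        if size_kb >= f.min_kb:
            return f.action
    return "none"


def outcomes(filters: list, sizes_mb: list) -> dict:
    """Map each sample email size in MB to the action the sensor would take."""
    return {mb: evaluate(filters, mb * KB_PER_MB) for mb in sizes_mb}


def shadowed(filters: list) -> list:
    """Names of filters that can never fire because an earlier filter has a lower or equal threshold."""
    result = []
    for i, f in enumerate(filters):
        if any(earlier.min_kb <= f.min_kb for earlier in filters[:i]):
            result.append(f.name)
    return result


BLOCK_15MB = SizeFilter("block >= 15 MB", 15 * KB_PER_MB, "block")
LOG_5MB = SizeFilter("log >= 5 MB", 5 * KB_PER_MB, "log-only")

CORRECT_ORDER = [BLOCK_15MB, LOG_5MB]   # the order the procedure above builds
WRONG_ORDER = [LOG_5MB, BLOCK_15MB]     # log filter added first: the block filter never fires

if __name__ == "__main__":
    for label, sensor in (("correct", CORRECT_ORDER), ("wrong", WRONG_ORDER)):
        print(label, outcomes(sensor, [3, 10, 16]), "shadowed:", shadowed(sensor))
```

Run the shadow check against any sensor with several size filters before saving it; if it names a filter, delete the filters and re-add them narrowest-first, since the FortiGate offers no way to reorder them.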

 

Selective blocking based on a fingerprint

The following is a fairly complex example but shows what can be done by combining various components in the correct configuration.

The company has a number of copyrighted documents that it does not want “escaping” to the Internet but it does want to be able to send those documents to the printers for turning into hardcopy.

The policies and procedures regarding this issue state that:

  • Only members of the group Senior_Editors can send copyrighted material to the printers.
  • Every member of the company by default is included in the group employees.
  • Even permitted transmission of copyrighted material should be recorded.
  • All of the printers' IP addresses are in a group called approved_printers.
  • There is a file share called copyrighted where a copy of every copyrighted file is required to be stored.
  • It doesn't happen often, but for legal reasons these files can sometimes be changed, and all versions of a file in this directory need to be secured.
  • All network connections to the Internet must have Antivirus enabled using at least the default profile.
  • The SSL/SSH Inspection profile used will be default.

It is assumed for the purposes of this example that:

  • Any addresses or address groups have been created.
  • User accounts and groups have been created.
  • The account used by the FortiGate is fgtaccess.
  • The copyrighted sensitivity level needs to be created.
  • The copyrighted material is stored at \\192.168.27.50\books\copyrighted\

1. Add a new Sensitivity Level by running the following commands in the CLI:

config dlp fp-sensitivity
    edit copyrighted
    next
end

2. Apply files to the fingerprint database

a. Go to Security Profiles > DLP Fingerprint.

b. In the Document Sources section select Create New.

 

Use the following field values:

Name                                           copyrighted_material

Server Type                               Windows Share

Server Address                         192.168.27.50

User Name                                 fgtaccess

Password                                   ******

Path                                             books/copyrighted/

Filename Pattern                       *.pdf

Sensitivity                                  copyrighted

Scan Periodically                      enabled

<Frequency>                              Daily, Hour: 2, Min: 0

Advanced

Fingerprint files in sub-directories enabled

Remove fingerprints for deleted files not enabled

Keep previous fingerprints for modified files enabled

Two Sensors need to be created. One for blocking the transmission of copyrighted material and a second for allowing the passing of copyrighted material under specific circumstances.

3. Create the first DLP Sensor

  • Go to Security Profiles > Data Leak Prevention.
  • Create a new sensor.

Use the following field values:

Name                                           block_copyrighted

Comment                                    <optional>

  • In the Filter table, select Create New.

Use the following values

 

Filter

Filter                                           Files

Filter option                               File Finger Print

Finger print value from dropdown “copyrighted”

Examine the Following Services

Make sure all of the services are being examined.

Action

From the drop down menu choose Block

4. Create the second DLP Sensor

  • Go to Security Profiles > Data Leak Prevention.
  • Create a new sensor.

Use the following field values:

Name                                           allow_copyrighted

Comment                                    <optional>

  • In the Filter table, select Create New.

 

Use the following values

Filter

Filter                                           Files

Filter option                               File Finger Print

Finger print value from dropdown “copyrighted”

Examine the Following Services

Make sure all of the services are being examined.

Action

From the drop down menu choose Log Only

5. Create a policy to allow transmission of copyrighted material.

a. Go to Policy & Objects > IPv4 Policy.

b. Select Create New.

c. Use the following values in the Policy:

 

Incoming Interface                   LAN

Source Address                        all

Source User                              Senior_Editors

Outgoing Interface                   wan1

Destination Address                 approved_printers

Schedule                                    always

Service                                       all

Action                                         ACCEPT

Enable NAT                                enabled — Use Destination Interface Address

Antivirus                                    <ON> default

DLP                                             <ON> allow_copyrighted

SSL/SSH Inspection                 <ON> default

Enable this policy                     <ON>

 

This policy should be placed as close to the beginning of the policy list as possible so that it is among the first tested against.

6. Create a policy to block transmission of copyrighted material.

This will in effect be the default template for all following policies in that they will have to use the DLP profile that blocks the transmission of the copyrighted material.

a. Go to Policy & Objects > IPv4 Policy.

b. Select Create New or Edit an existing policy.

c. Use the following values in the Policy:

The fields should contain whatever values you need to meet your requirements, but each policy should include the DLP sensor block_copyrighted, or, if a different DLP configuration is required, a sensor that includes a filter blocking files with the copyrighted fingerprint.

If you need to create a policy that is identity based make sure that there is an Authentication rule for the group employees that uses the DLP sensor that blocks copyrighted material.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Creating/editing a DLP sensor

DLP sensors are collections of filters. You must also specify an action for each filter when you create it in a sensor. Once a DLP sensor is configured, you can select it in a security policy. Any traffic handled by that security policy will be examined according to the DLP sensor configuration.

 

To create/edit a DLP sensor

1. Go to Security Profiles > Data Leak Prevention.

2. Choose whether you want to edit an existing sensor or create a new one.

  • The default sensor will be the one displayed by default.
  • If you are going to edit an existing sensor, select it either by using the drop down menu in the upper right hand corner of the window or by selecting the List icon (the furthest right of the 3 icons in the upper right of the window; it resembles a page with some lines on it) and then selecting the profile you want to edit from the list.
  • If you need to create a new sensor you can either select the Create New icon (a plus sign within a circle) or select the List icon and then select the Create New link in the upper left of the window that appears.

3. Enter a name in the Name field for any new DLP sensors.

4. Optionally, you may also enter a comment. The comment appears in the DLP sensor list and can remind you of the details of the sensor.

5. At this point you can add filters to the sensor (see adding filters to a DLP sensor) or select OK to save the sensor. Without filters, the DLP sensor will do nothing.

 

Adding filters to a DLP sensor

Once you have created a DLP sensor, you need to add filters.

To add filters to a DLP sensor

1. Go to Security Profiles > Data Leak Prevention.

2. Select the sensor you wish to edit using the drop down menu or the sensor list window.

3. Within the Edit DLP Sensor window select Create New. A New Filter window should pop up.

4. Select the type of filter. You can choose either Messages or Files. Depending on which of the two is chosen, different options will be available.

 

A Messages filter has these configuration options:

  • [radio button] Containing: [drop down menu including: Credit Card # or SSN]
  • [radio button] Regular Expression [input field]

Examine the following Services:

Web Access

  • [check box] HTTP-POST

 

Email

  • [check box] SMTP
  • [check box] POP3
  • [check box] IMAP
  • [check box] MAPI

 

Others

  • [check box] NNTP

 

Action [from drop down menu]

  • None
  • Log Only
  • Block
  • Quarantine IP address

 

A Files filter has these options:

  • [radio button] Containing: [drop down menu including: Credit Card # or SSN]
  • [radio button] File Size >= [ ] KB
  • [radio button] Specify File Types: File Types [“Click to add…” drop down menu of file extensions] and File Name Patterns [“Click to add…” drop down menu]
  • [radio button] File Finger Print: [drop down menu]
  • [radio button] Watermark Sensitivity: [drop down menu] and Corporate Identifier [id field]
  • [radio button] Regular Expression [input field]
  • [radio button] Encrypted

Examine the following Services:

Web Access

  • [check box] HTTP-POST
  • [check box] HTTP-GET

Email

  • [check box] SMTP
  • [check box] POP3
  • [check box] IMAP
  • [check box] MAPI

 

Others

  • [check box] FTP
  • [check box] NNTP

 

Action [from drop down menu]

  • None
  • Log Only
  • Block
  • Quarantine IP address

5. Select OK.

6. Repeat steps 3 to 5 for each filter.

7. Select Apply to confirm the settings of the sensor.

If you have configured DLP to block IP addresses and the FortiGate unit receives sessions that have passed through a NAT device, all traffic from that NAT device, not just traffic from the offending user, could be blocked. You can avoid this problem by implementing authentication so that the ban is applied to an identified user rather than a shared source address.


Enable data leak prevention

DLP examines your network traffic for data patterns you specify. The FortiGate unit then performs an action based on which pattern is found and the action configured for the filter that is triggered.

 

General configuration steps

Follow the configuration procedures in the order given. Also, note that if you perform any additional actions between procedures, your configuration may have different results.

1. Create a DLP sensor.

New DLP sensors are empty. You must create one or more filters in a sensor before it can examine network traffic.

2. Add one or more filters to the DLP sensor.

Each filter searches for a specific data pattern. When a pattern in the active DLP sensor appears in the traffic, the FortiGate unit takes the action configured in the matching filter. Because the order of filters within a sensor cannot be changed after they are added, add them in the order in which you want them evaluated.

3. Add the DLP sensor to one or more firewall policies that control the traffic to be examined.


Data leak prevention concepts

Data leak prevention examines network traffic for data patterns you specify. You define whatever patterns you want the FortiGate unit to look for in network traffic. The DLP feature is broken down into a number of parts.

 

DLP sensor

A DLP sensor is a package of filters. To use DLP, you must enable it in a security policy and select the DLP sensor to use. The traffic controlled by the security policy will be searched for the patterns defined in the filters contained in the DLP sensor. Matching traffic will be passed or blocked according to how you configured the filters.

 

DLP filter

Each DLP sensor has one or more filters configured within it. Filters can examine traffic for known files using DLP fingerprints, for files of a particular type or name, for files larger than a specified size, for data matching a specified regular expression, or for traffic matching an advanced rule or compound rule.

 

You can configure the action taken when a match is detected. The actions include:

  • None
  • Log Only
  • Block
  • Quarantine IP address

Log Only is enabled by default.

 

DLP Filter Actions

 

None

No action is taken, even if the filter is triggered.

 

Log Only

The FortiGate unit will take no action on network traffic matching a rule with this action. The filter match is logged, however. Other matching filters in the same sensor may still operate on matching traffic.

 

Block

Traffic matching a filter with the block action will not be delivered. The matching message or download is replaced with the data leak prevention replacement message.

 

Quarantine IP Address/ Source IP ban

Starting in FortiOS 5.2, the quarantine as a place where traffic content was held in storage, where it could not interact with the network or system, was removed, but the term quarantine was kept to describe keeping selected source IPs from interacting with the network and protected systems. This source IP ban is kept in the kernel rather than in any specific application engine and can be queried by APIs. The features that can use the APIs to access and use the banned source IP addresses are antivirus, DLP, DoS and IPS. Both IPv4 and IPv6 versions are included in this feature.

If the quarantine-ip action is used, the additional variable of expiry time becomes available. This variable determines for how long the source IP address will be blocked. In the GUI it is shown as a field before minutes. In the CLI the option is called expiry and the duration is in the format <###d##h##m>. The maximum days value is 364. The maximum hour value is 23 and the maximum minute value is 59. The default is 5 minutes.

 

Configure using the CLI

To configure the DLP sensor to add the source IP address of the sender of a protected file to the quarantine (the list of banned source IP addresses), edit the DLP filter in the CLI as follows:

config dlp sensor
    edit <sensor name>
        config filter
            edit <id number of filter>
                set action quarantine-ip
                set expiry 5m
            next
        end
    next
end

 

Preconfigured sensors

A number of preconfigured sensors are provided with your FortiGate unit. These can be edited or added to more closely match your needs.

Some of the preconfigured sensors with filters ready to go are:

  • Credit-Card – This sensor logs the traffic, both files and messages, that contain credit card numbers in the formats used by American Express, MasterCard and Visa.
  • SSN-Sensor – This sensor logs the traffic, both files and messages, that contain Social Security Numbers with the exception of those that are WebEx invitation emails.

These rules affect only unencrypted traffic types. If you are using a FortiGate unit that can decrypt and examine encrypted traffic, you can enable those traffic types in these rules to extend their functionality if required.

Before using the rules, examine them closely to ensure you understand how they will affect the traffic on your network.

 

DLP document fingerprinting

One of the DLP techniques to detect sensitive data is fingerprinting (also called document fingerprinting). Most DLP techniques rely on you providing a characteristic of the file you want to detect, whether it’s the file type, the file name, or part of the file contents. Fingerprinting is different in that you provide the file itself. The FortiGate unit then generates a checksum fingerprint and stores it. The FortiGate unit generates a fingerprint for all files detected in network traffic, and it is compared to all of the fingerprints stored in its fingerprint database. If a match is found, the configured action is taken.

The document fingerprint feature requires a FortiGate unit with internal storage. The document fingerprinting menu item does not appear on models without internal storage.

Any type of file can be detected by DLP fingerprinting and fingerprints can be saved for each revision of your files as they are updated.

To use fingerprinting you select the documents to be fingerprinted and then add fingerprinting filters to DLP sensors and add the sensors to firewall policies that accept the traffic to which to apply fingerprinting.

 

Fingerprinting

Fingerprint scanning allows you to create a library of files for the FortiGate unit to examine. It will create checksum fingerprints so each file can be easily identified. Then, when files appear in network traffic, the FortiGate will generate a checksum fingerprint and compare it to those in the fingerprint database. A match triggers the configured action.

You must configure a document source or upload documents to the FortiGate unit for fingerprint scanning to work.

 

Fingerprinted Documents

The FortiGate unit must have access to the documents for which it generates fingerprints. One method is to manually upload documents to be fingerprinted directly to the FortiGate unit. The other is to allow the FortiGate unit to access a network share that contains the documents to be fingerprinted.

If only a few documents are to be fingerprinted, a manual upload may be the easiest solution. If many documents require fingerprinting, or if the fingerprinted documents are frequently revised, using a network share makes user access easier to manage.

 

Fingerprinting by document source

To configure a fingerprint document source

1. Go to Security Profiles > DLP Fingerprint.

2. In the Document Sources section, select Create New.

3. Configure the settings:

Name                                           Enter a descriptive name for the document source.

Server Type                               This refers to the type of server share that is being accessed. The default is Windows Share but this will also work on Samba shares.

Server Address                         Enter the IP address of the server.

User Name                                 Enter the user name of the account the FortiGate unit uses to access the server network share.

Password                                   Enter the password for the account being used to access the network share.

Path                                             Enter the path to the document folder.

Filename Pattern                       You may enter a filename pattern to restrict fingerprinting to only those files that match the pattern. To fingerprint all files, enter an asterisk (“*”).

Sensitivity Level                        Select a sensitivity level. The sensitivity is a tag for your reference that is included in the log files. It does not change how fingerprinting works.

Scan Periodically                      To have the files on the document source scanned on a regular basis, select this option. This is useful if files are added or changed regularly. Once selected, you can choose a Daily, Weekly, or Monthly update option. The Hour and Min fields determine, on a 24 hour clock, the time at which the source share will be scanned.

Advanced                                   Expand the Advanced heading for additional options.

Fingerprint files in sub-directories

By default, only the files in the specified path are fingerprinted. Files in sub-directories are ignored. Select this option to fingerprint files in sub-directories of the specified path.

Remove fingerprints for deleted files

Select this option to remove the fingerprints of files that have been deleted from the document source when the source is rescanned. If this option is disabled, fingerprints for deleted files are retained, and the deleted content is still detected if it appears in traffic.

Keep previous fingerprints for modified files

Select this option to retain the fingerprints of previous revisions of updated files. If this option is disabled, fingerprints for previous versions of a file are deleted when a new fingerprint is generated.

4. Select OK.
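The document-source options above, and the fingerprint matching described under DLP document fingerprinting, are easier to reason about with a concrete model. The following Python is an added example and not Fortinet's implementation: it builds a fingerprint database from a directory using SHA-256 as the whole-file checksum (the page says only that a checksum fingerprint is generated; the hash choice is an assumption, and a whole-file checksum will not match a partially copied document), honours a filename pattern, the sub-directory option, Remove fingerprints for deleted files and Keep previous fingerprints for modified files, and then matches file content as it would appear in traffic. The share is a temporary directory holding constructed files.

```python
import hashlib
import os
import tempfile
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Fingerprint:
    path: str
    sensitivity: str
    on_share: bool = True   # False once the file has been deleted from the source


@dataclass
class FingerprintDB:
    entries: Dict[str, Fingerprint] = field(default_factory=dict)   # digest -> fingerprint

    @staticmethod
    def digest(data: bytes) -> str:
        return hashlib.sha256(data).hexdigest()   # assumption: any collision-resistant checksum will do

    def scan(self, root: str, sensitivity: str, suffix: str = "", subdirs: bool = True,
             remove_deleted: bool = False, keep_modified: bool = True) -> "FingerprintDB":
        """One (re)scan of a document source, mirroring the GUI options of the same names."""
        seen = set()
        for dirpath, dirnames, filenames in os.walk(root):
            if not subdirs:
                dirnames[:] = []                  # do not descend: fingerprint only the given path
            for name in filenames:
                if not name.endswith(suffix):     # Filename Pattern, e.g. ".pdf" for *.pdf
                    continue
                path = os.path.join(dirpath, name)
                seen.add(path)
                with open(path, "rb") as fh:
                    d = self.digest(fh.read())
                if d in self.entries:
                    self.entries[d].on_share = True
                    continue
                if not keep_modified:             # drop fingerprints of earlier revisions of this file
                    for old in [k for k, fp in self.entries.items() if fp.path == path]:
                        del self.entries[old]
                self.entries[d] = Fingerprint(path, sensitivity)
        for d, fp in list(self.entries.items()):  # files that disappeared since the last scan
            if fp.path.startswith(root) and fp.path not in seen:
                if remove_deleted:
                    del self.entries[d]
                else:
                    fp.on_share = False
        return self

    def match(self, data: bytes) -> Optional[str]:
        """Sensitivity of a fingerprinted document seen in traffic, or None if it is unknown."""
        fp = self.entries.get(self.digest(data))
        return fp.sensitivity if fp else None


def write(path: str, data: bytes) -> None:
    with open(path, "wb") as fh:
        fh.write(data)


def demo() -> dict:
    """Walk through the copyrighted-share scenario on constructed files and return what happened."""
    with tempfile.TemporaryDirectory() as share:
        os.makedirs(os.path.join(share, "2024"))
        novel = os.path.join(share, "novel.pdf")
        essay = os.path.join(share, "2024", "essay.pdf")
        write(novel, b"novel, first edition")
        write(essay, b"essay, first edition")
        write(os.path.join(share, "notes.txt"), b"not in scope")   # excluded by the *.pdf pattern

        db = FingerprintDB().scan(share, "copyrighted", suffix=".pdf")
        initial = len(db.entries)

        write(novel, b"novel, second edition")   # revised for legal reasons
        os.remove(essay)                          # withdrawn from the share
        db.scan(share, "copyrighted", suffix=".pdf", remove_deleted=False, keep_modified=True)
        retained = len(db.entries)
        essay_retained = db.match(b"essay, first edition")

        db.scan(share, "copyrighted", suffix=".pdf", remove_deleted=True, keep_modified=True)
        return {
            "initial": initial, "retained": retained, "pruned": len(db.entries),
            "old_novel": db.match(b"novel, first edition"),
            "new_novel": db.match(b"novel, second edition"),
            "essay_retained": essay_retained,
            "essay_after_prune": db.match(b"essay, first edition"),
            "notes": db.match(b"not in scope"),
        }


if __name__ == "__main__":
    print(demo())
```

The scenario in the selective-blocking example keeps Remove fingerprints for deleted files off and Keep previous fingerprints for modified files on; as the model shows, that is what makes the first edition of a revised book still match after the share holds only the second.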

 

Fingerprinting manually by document

To configure manual document fingerprints

1. Go to Security Profiles > DLP Fingerprint.

2. In the Manual Document Fingerprints section, select Create New.

3. Use the Browse feature of the File field to select the file to be fingerprinted. The selection will be limited to network resources.

4. Choose a Sensitivity level. The default choices are Critical, Private and Warning, but more can be added in the CLI.

5. If the file is an archive containing other files, select Process files inside archive if you also want the individual files inside the archive to have fingerprints generated in addition to the archive itself.

6. Select OK.

The file is uploaded and a fingerprint generated.

 

File size

This filter-type checks for files exceeding a configured size. All files larger than the specified size are subject to the configured action. The value of the field is measured in Kilobytes.

 

DLP filtering by specific file types

File filters use file filter lists to examine network traffic for files that match either file names or file types. For example, you can create a file filter list that will find files called secret.* and also all JPEG graphic files. You can create multiple file filter lists and use them in filters in multiple DLP sensors as required.

 

Specify File Types is a DLP option that allows you to block files based on their file name or their type.

  • File types are a means of filtering based on an examination of the file contents, regardless of the file name. If you block the file type Archive (zip), all zip archives are blocked even if they are renamed with a different file extension. The FortiGate examines the file contents to determine what type of file it is and then acts accordingly.
  • File Name patterns are a means of filtering based purely on the names of files. They may include wildcards (*).

For example, blocking *.scr will stop all files with an scr file extension, which is commonly used for Windows screen saver files. Files trying to pass themselves off as Windows screen saver files by adopting the file-naming convention will also be stopped.

  • Files can specify the full or partial file name, the full or partial file extension, or any combination. File pattern entries are not case sensitive. For example, adding *.exe to the file pattern list also blocks any files ending with .EXE.
  • Files are compared to the enabled file patterns from top to bottom, in list order.

File filter does not detect files within archives. You can use file filter to block or allow the archives themselves, but not the contents of the archives.

 

Watermarking

Watermarking is essentially marking files with a digital pattern that identifies the file as proprietary to a specific company. Fortinet has a utility that applies a digital watermark to files. The utility adds a small (approx. 100 byte) pattern to the file that is recognised by the DLP Watermark filter; the pattern is invisible to the end user.

When watermarking a file it should be verified that the pattern matches up to a category found on the FortiGate firewall. For example, if you are going to watermark a file with the sensitivity level of “Secret” you should verify that “Secret” is a sensitivity level that has been assigned in the FortiGate unit.

 

Watermark Sensitivity

If you are using watermarking on your files you can use this filter to check for watermarks that correspond to sensitivity categories that you have set up.

The Corporate Identifier makes sure that you only block watermarks that your company has placed on the files, not watermarks with the same sensitivity name applied by other companies.

 

Software Versions

Before planning to use watermarking software it is always best to verify that the software will work with your OS. Currently, the only utility available to watermark files is part of the FortiExplorer software, which is only available for the Windows operating system. There was an older, command-line only version for Linux, but it has been discontinued.

 

File types

The Watermark tool does not work with every file type. The following file types are supported by the watermark tool:

  • .txt
  • .pdf
  • .doc
  • .xls
  • .ppt
  • .docx
  • .pptx
  • .xlsx

Currently the DLP only works with Fortinet’s watermarking software.

 

Using the FortiExplorer Watermark tool

The FortiExplorer software can be downloaded from the Fortinet Support Site.

1. Choose whether to “Apply Watermark To:”

  • Select File
  • Entire Directory

2. Fill in the fields:

a. Select File

This Field has a browse icon next to it which will allow the user to browse to and select a single file or directory to apply the water mark to.

b. Sensitivity Level

This field is a drop down menu that lists the available sensitivity levels that the FortiGate can scan for

c. Identifier

This is a unique identifier string of characters to identify the company that the document belongs to.

d. Output Directory

This Field has a browse icon next to it which will allow the user to browse to a directory where the altered file will be placed. If the output directory is the same as the source directory the original file will be overwritten. If the output directory is different than the source directory then the watermarked version of the file will be place there and the unaltered original will be left in the source directory.

3. Select Apply Watermark to start the process.

 

Regular expression

The FortiGate unit checks network traffic for the regular expression specified in a regular expression filter. The regular expression library used by Fortinet is a variation of a library called PCRE (Perl Compatible Regular Expressions). A number of these filters can be added to a sensor making a sort of ‘dictionary’ subset within the sensor.

Some other, more limited DLP implementations, use a list of words in a text file to define what words are searched for. While the format used here is slightly different than what some people are used to, the resulting effect is similar. Each Regular Expression filter can be thought of as a more versatile word to be searched against. In this dictionary (or sensor), the list of words is not limited to just predefined words. It can include expressions that can accommodate complex variations on those words and even target phrases. Another advantage of the individual filter model of this dictionary over the list is that each word can be assigned its own action, making this implementation much more granular.

 

Encrypted

This filter is a binary one. If the file going through the policy is encrypted the action is triggered.

 

Examining specific services

To assist in optimizing the performance of the firewall, you can select which services/protocols will be checked for the targeted content. This setting saves FortiGate resources by spending processing cycles only on the relevant traffic. Check the boxes for each service/protocol that you want checked for filter triggers.


Data leak prevention

The FortiGate data leak prevention (DLP) system allows you to prevent sensitive data from leaving your network. When you define sensitive data patterns, data matching these patterns will be blocked, or logged and allowed, when passing through the FortiGate unit. You configure the DLP system by creating individual filters based on file type, file size, a regular expression, an advanced rule, or a compound rule, in a DLP sensor and assign the sensor to a security policy.

Although the primary use of the DLP feature is to stop sensitive data from leaving your network, it can also be used to prevent unwanted data from entering your network and to archive some or all of the content passing through the FortiGate unit.

 

This section describes how to configure the DLP settings. The following topics are included:

  • Data leak prevention concepts
  • Enable data leak prevention
  • Fingerprint
  • File filter
  • DLP archiving
  • DLP examples

Log Only is enabled by default.



Custom Application & IPS Signatures

 

Creating a custom IPS signature

The FortiGate predefined signatures cover common attacks. If you use an unusual or specialized application or an uncommon platform, add custom signatures based on the security alerts released by the application and platform vendors.

You can add or edit custom signatures using the web-based manager or the CLI.

 

To create a custom signature

1. Go to Security Profiles > Intrusion Protection.

2. Select [View IPS Signatures]

3. Select Create New to add a new custom signature.

4. Enter a Name for the custom signature.

5. Enter the Signature. For information about completing this field, see “Custom signature syntax and keywords”.

6. Select OK.

 

Custom signature syntax and keywords

All custom signatures follow a particular syntax. Each begins with a header and is followed by one or more keywords. The syntax and keywords are detailed in the next two topics.

 

Custom signature syntax

A custom signature definition is limited to a maximum length of 512 characters. A definition can be a single line or span multiple lines connected by a backslash (\) at the end of each line.

A custom signature definition begins with a header, followed by a set of keyword/value pairs enclosed in parentheses ( ). The keyword/value pairs are separated by a semicolon (;), and each consists of a keyword and a value separated by a space. The basic format of a definition is HEADER (KEYWORD VALUE;)

You can use as many keyword/value pairs as required within the 512 character limit. To configure a custom signature, go to Security Profiles > Intrusion Protection, select View IPS Signatures, select Create New, and enter the data directly into the Signature field, following the guidance in the next topics.

The table below shows the valid characters and basic structure. For details about each keyword and its associated values, see “Custom signature keywords”.

 

Valid syntax for custom signature fields

Field: HEADER
Valid Characters: F-SBID
Usage: The header for an attack definition signature. Each custom signature must begin with this header.

Field: KEYWORD
Valid Characters: Each keyword must start with a pair of dashes (--), and consist of a string of 1 to 19 characters. Normally, keywords are an English word or English words connected by an underscore (_). Keywords are case insensitive.
Usage: The keyword is used to identify a parameter.

Field: VALUE
Valid Characters: Double quotes (") must be used around the value if it contains a space and/or a semicolon (;). If the value is NULL, the space between the KEYWORD and VALUE can be omitted. Values are case sensitive. Note: If double quotes are used for quoting the value, the double quotes are not considered as part of the value string.
Usage: The value is set specifically for a parameter identified by a keyword.
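The HEADER (KEYWORD VALUE;) structure and the field rules above are simple enough to check mechanically before a signature is pasted into the Signature field. The following Python is an added example written for this page, not FortiGate code: it joins backslash-continued lines, enforces the 512-character limit, the F-SBID header, the double-dash keyword form (1 to 19 characters), semicolon termination and the quoting rule under which a quoted ';' does not split a pair and the surrounding quotes are not part of the value. The SAMPLE signature is constructed for the demonstration and is not one from the page.

```python
import re

MAX_SIGNATURE_LEN = 512
HEADER = "F-SBID"

# Keyword rule from the syntax table: two leading dashes, then 1-19 characters
# made of words joined by underscores (case insensitive, so normalised to lower).
KEYWORD_RE = re.compile(r"^--([A-Za-z0-9_]{1,19})$")


def join_continuation_lines(text):
    """Join lines that end with a backslash into one logical definition."""
    return re.sub(r"\\\r?\n\s*", " ", text).strip()


def split_pairs(body):
    """Split the text inside the parentheses on semicolons, honouring double
    quotes so that a ';' inside a quoted value does not end the pair."""
    pairs, buf, in_quotes = [], [], False
    for ch in body:
        if ch == '"':
            in_quotes = not in_quotes
            buf.append(ch)
        elif ch == ";" and not in_quotes:
            pairs.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    if in_quotes:
        raise ValueError("unterminated double quote in signature")
    tail = "".join(buf).strip()
    if tail:
        raise ValueError("keyword/value pair not terminated by ';': %r" % tail)
    return [p for p in pairs if p]


def parse_signature(text):
    """Return {"header": ..., "keywords": [(keyword, value), ...]} for a custom
    signature, or raise ValueError describing the first syntax problem found."""
    definition = join_continuation_lines(text)
    if len(definition) > MAX_SIGNATURE_LEN:
        raise ValueError("definition exceeds %d characters" % MAX_SIGNATURE_LEN)
    m = re.match(r"^(\S+)\s*\((.*)\)\s*$", definition, re.S)
    if not m:
        raise ValueError("expected HEADER ( KEYWORD VALUE; ... )")
    header, body = m.group(1), m.group(2)
    if header != HEADER:
        raise ValueError("header must be %s, got %r" % (HEADER, header))
    keywords = []
    for pair in split_pairs(body):
        # Keyword and value are separated by a space; a NULL value may omit it.
        kw, _, value = pair.partition(" ")
        km = KEYWORD_RE.match(kw)
        if not km:
            raise ValueError("bad keyword %r (expected --word of 1-19 chars)" % kw)
        value = value.strip()
        # Quotes used to delimit a value are not part of the value string.
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        keywords.append((km.group(1).lower(), value))
    return {"header": header, "keywords": keywords}


def check_signature(text):
    """Convenience wrapper: (True, parsed) on success, (False, reason) otherwise."""
    try:
        return True, parse_signature(text)
    except ValueError as exc:
        return False, str(exc)


# Constructed sample spanning two lines joined by a trailing backslash.
SAMPLE = (
    'F-SBID( --name "Buffer_Overflow"; --protocol tcp; --service HTTP; \\\n'
    '        --flow from_client; --pattern "/level/"; --no_case; )'
)
```

`check_signature(SAMPLE)` returns the six keyword/value pairs with `no_case` carrying an empty (NULL) value; a single-dash keyword, a missing trailing semicolon or an over-long definition come back as `(False, reason)`.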

 

Custom signature keywords

 

Information keywords

attack_id

Syntax: --attack_id <id_int>;

Description:

Use this optional value to identify the signature. It cannot be the same value as any other custom rules. If an attack ID is not specified, the FortiGate automatically assigns an attack ID to the signature. If you are using VDOMs, custom signatures appear only in the VDOM in which you create them. You can use the same attack ID for signatures in different VDOMs.

An attack ID you assign must be between 1000 and 9999.

Example: --attack_id 1234;

name

Syntax: --name <name_str>;

Description:

Enter the name of the rule. A rule name must be unique. If you are using VDOMs, custom signatures appear only in the VDOM in which you create them. You can use the same rule name for signatures in different VDOMs. The name you assign must be a string greater than 0 and less than 64 characters in length.

Example: --name "Buffer_Overflow";

Session keywords

flow

Syntax: --flow {from_client[,reversed] | from_server[,reversed] | bi_direction};

Description:

Specify the traffic direction and state to be inspected. They can be used for all IP traffic.

Example: --src_port 41523; --flow bi_direction;

The signature checks traffic to and from port 41523.

If you enable "quarantine attacker", the optional reversed keyword allows you to change the side of the connection to be quarantined when the signature is detected.

For example, a custom signature written to detect a brute-force login attack is triggered when "Login Failed" is detected from_server more than 10 times in 5 seconds. If the attacker is quarantined, it is the server that is quarantined in this instance. Adding reversed corrects this problem and quarantines the actual attacker.

Previous FortiOS versions used to_client and to_server values. These are now deprecated, but still function for backwards compatibility.

service

Syntax: --service {HTTP | TELNET | FTP | DNS | SMTP | POP3 | IMAP | SNMP | RADIUS | LDAP | MSSQL | RPC | SIP | H323 | NBSS | DCERPC | SSH | SSL};

Description:

Specify the protocol type to be inspected. This keyword allows you to specify the traffic type by protocol rather than by port. If the decoder has the capability to identify the protocol on any port, the signature can be used to detect the attack no matter what port the service is running on. Currently, HTTP, SIP, SSL, and SSH protocols can be identified on any port based on the content.

Content keywords

byte_extract

Syntax: byte_extract:<bytes_to_extract>, <offset>, <name> \ [, relative][, multiplier <multiplier value>][, <endian>]\ [, string][, hex][, dec][, oct][, align <align value>][, dce];

 

Description:

Use the byte_extract option to write rules against length-encoded protocols. This reads some of the bytes from the packet payload and saves it to a variable.

 

byte_jump

Syntax: --byte_jump <bytes_to_convert>, <offset>[, multiplier][, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct] [, align];

 

Description:

Use the byte_jump option to extract a number of bytes from a packet, convert them to their numeric representation, and jump the match reference up that many bytes (for further pattern matching or byte testing). This keyword allows relative pattern matches to take into account numerical values found in network data. The available keyword options include:

  • <bytes_to_convert>: The number of bytes to examine from the packet.
  • <offset>: The number of bytes into the payload to start processing.
  • [multiplier]: multiplier is optional. It must be a numerical value when present. The converted value multiplied by the number is the result to be skipped.
  • relative: Use an offset relative to last pattern match.
  • big: Process the data as big endian (default).
  • little: Process the data as little endian.
  • string: The data is a string in the packet.
  • hex: The converted string data is represented in hexadecimal notation.
  • dec: The converted string data is represented in decimal notation.
  • oct: The converted string data is represented in octal notation.
  • align: Round up the number of converted bytes to the next 32-bit boundary.

 

byte_test

Syntax: --byte_test <bytes_to_convert>, <operator>, <value>, <offset> [multiplier][, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct];

 

Description:

Use the byte_test keyword to compare a byte field against a specific value (with operator). This keyword is capable of testing binary values or converting representative byte strings to their binary equivalent and testing them. The available keyword options include:

  • <bytes_to_convert>: The number of bytes to compare.
  • <operator>: The operation to perform when comparing the value (<,>,=,!,&).
  • <value>: The value to compare the converted value against.
  • <offset>: The number of bytes into the payload to start processing.
  • [multiplier]: multiplier is optional. It must be a numerical value when present. The converted value multiplied by the number is the result to be skipped.
  • relative: Use an offset relative to last pattern match.
  • big: Process the data as big endian (default).
  • little: Process the data as little endian.
  • string: The data is a string in the packet.
  • hex: The converted string data is represented in hexadecimal notation.
  • dec: The converted string data is represented in decimal notation.
  • oct: The converted string data is represented in octal notation.
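byte_jump and byte_test are easiest to understand by running them over a length-encoded message. The Python below is an added example, not FortiGate code: it implements the conversion options listed above (big/little endian, string with dec/hex/oct base, multiplier, relative, align) and the five byte_test operators, then uses them the way a signature would to skip a variable-length field and test the value behind it. The toy protocol layout, the build_message helper and the detect_large_command signature logic are constructed for this illustration; treating the jump as counted from the end of the converted field is an assumption (Snort-style), since the page does not state where the cursor lands.

```python
import struct


def _convert(payload, nbytes, start, big=True, string=False, base=10):
    """Read nbytes of payload at start and return them as an integer: raw
    big/little-endian bytes, or, with string set, ASCII digits in the given base
    (10 for dec, 16 for hex, 8 for oct)."""
    chunk = payload[start:start + nbytes]
    if len(chunk) < nbytes:
        raise ValueError("payload shorter than field at offset %d" % start)
    if string:
        return int(chunk.decode("ascii"), base)
    return int.from_bytes(chunk, "big" if big else "little")


def byte_test(payload, nbytes, op, value, offset, *, cursor=0, relative=False,
              big=True, string=False, base=10):
    """--byte_test semantics: compare the converted field with value using one
    of <, >, =, !, &. With relative, offset counts from cursor (the end of the
    previous match) instead of from the start of the payload."""
    start = (cursor if relative else 0) + offset
    field = _convert(payload, nbytes, start, big, string, base)
    return {
        "<": field < value,
        ">": field > value,
        "=": field == value,
        "!": field != value,
        "&": (field & value) != 0,   # bitwise test: any of the bits in value set
    }[op]


def byte_jump(payload, nbytes, offset, *, cursor=0, relative=False, multiplier=1,
              big=True, string=False, base=10, align=False):
    """--byte_jump semantics: convert the field, apply the multiplier, optionally
    round up to the next 32-bit boundary, and return the new match position.
    Assumption: the jump starts at the end of the converted field."""
    start = (cursor if relative else 0) + offset
    distance = _convert(payload, nbytes, start, big, string, base) * multiplier
    if align:
        distance = (distance + 3) & ~3
    new_cursor = start + nbytes + distance
    if new_cursor > len(payload):
        raise ValueError("jump lands beyond the payload")
    return new_cursor


# Constructed toy protocol for the demonstration:
#   type (1 byte) | option length (2 bytes, big endian) | options | command (4 bytes, big endian)
def build_message(options, command):
    return b"\x01" + struct.pack(">H", len(options)) + options + struct.pack(">I", command)


def detect_large_command(payload):
    """Equivalent of the hypothetical signature body
        --byte_jump 2, 1; --byte_test 4, >, 1000, 0, relative;
    that is, skip the variable-length options and test the command that follows."""
    cursor = byte_jump(payload, 2, 1)
    return byte_test(payload, 4, ">", 1000, 0, cursor=cursor, relative=True)
```

Because the jump distance is read from the packet itself, the same two keywords match a message whether its options field is empty or fifty bytes long, which is what "relative pattern matches that take numerical values in the data into account" buys you.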

 

depth

Syntax: --depth <depth_int>;

 

Description:

Use the depth keyword to search for the contents within the specified number of bytes after the starting point defined by the offset keyword. If no offset is specified, the offset is assumed to be equal to 0.

If the value of the depth keyword is smaller than the length of the value of the content keyword, this signature will never be matched.

The depth must be between 0 and 65535.

 

distance

Syntax: --distance <dist_int>;

Description:

Use the distance keyword to search for the contents within the specified number of bytes relative to the end of the previously matched contents. If the within keyword is not specified, continue looking for a match until the end of the payload.

The distance must be between 0 and 65535.

content

Syntax: --content [!]"<content_str>";

Description:

Deprecated, see pattern and context keywords. Use the content keyword to search for the content string in the packet payload. The content string must be enclosed in double quotes.

To have the FortiGate search for a packet that does not contain the specified content string, add an exclamation mark (!) before the content string.

Multiple content items can be specified in one rule. The value can contain mixed text and binary data. The binary data is generally enclosed within the pipe (|) character.

The double quote ("), pipe sign (|) and colon (:) characters must be escaped using a back slash (\) if specified in a content string.

If the length of the content string is greater than the value of the depth keyword, this signature will never be matched.

 

context

Syntax: --context {uri | header | body | host};

 

Description:

Specify the protocol field to look for the pattern. If context is not specified for a pattern, the FortiGate unit searches for the pattern anywhere in the packet buffer. The available context variables are:

  • uri: Search for the pattern in the HTTP URI line.
  • header: Search for the pattern in HTTP header lines or SMTP/POP3/SMTP control messages.
  • body: Search for the pattern in HTTP body or SMTP/POP3/SMTP email body.
  • host: Search for the pattern in HTTP HOST line.

 

no_case

Syntax: --no_case;

Description:

Use the no_case keyword to force the FortiGate unit to perform a case-insensitive pattern match.

 

offset

Syntax: --offset <offset_int>;

Description:

Use the offset keyword to look for the contents after the specified number of bytes into the payload. The specified number of bytes is an absolute value in the payload. Follow the offset keyword with the depth keyword to stop looking for a match after a specified number of bytes. If no depth is specified, the FortiGate unit continues looking for a match until the end of the payload.

 

The offset must be between 0 and 65535.

pattern

Syntax: --pattern [!]"<pattern_str>";

Description:

The FortiGate unit will search for the specified pattern. A pattern keyword normally is followed by a context keyword to define where to look for the pattern in the packet. If a context keyword is not present, the FortiGate unit looks for the pattern anywhere in the packet buffer. To have the FortiGate search for a packet that does not contain the specified pattern, add an exclamation mark (!) before the pattern.

Example: --pattern "/level/"; --pattern "|E8 D9FF FFFF|/bin/sh"; --pattern !"|20|RTSP/";

 

pcre

Syntax: --pcre [!]"/<regex>/[ismxAEGRUB]";

 

Description:

Similarly to the pattern keyword, use the pcre keyword to specify a pattern using Perl-compatible regular expressions (PCRE). A pcre keyword can be followed by a context keyword to define where to look for the pattern in the packet. If no context keyword is present, the FortiGate unit looks for the pattern anywhere in the packet buffer.

For more information about PCRE syntax, go to http://www.pcre.org. The switches include:

  • i: Case insensitive.
  • s: Include newlines in the dot metacharacter.
  • m: By default, the string is treated as one big line of characters. ^ and $ match at the beginning and ending of the string. When m is set, ^ and $ match immediately following or immediately before any newline in the buffer, as well as the very start and very end of the buffer.
  • x: White space data characters in the pattern are ignored except when escaped or inside a character class.
  • A: The pattern must match only at the start of the buffer (same as ^ ).
  • E: Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline (but not before any other newlines).
  • G: Invert the “greediness” of the quantifiers so that they are not greedy by default, but become greedy if followed by ?.
  • R: Match relative to the end of the last pattern match. (Similar to distance:0;).
  • U: Deprecated, see the context keyword. Match the decoded URI buffers.

uri

Syntax: --uri [!]"<uri_str>";

Description:

Deprecated, see pattern and context keywords. Use the uri keyword to search for the URI in the packet payload. The URI must be enclosed in double quotes ("). To have the FortiGate unit search for a packet that does not contain the specified URI, add an exclamation mark (!) before the URI. Multiple content items can be specified in one rule. The value can contain mixed text and binary data. The binary data is generally enclosed within the pipe (|) character. The double quote ("), pipe sign (|) and colon (:) characters must be escaped using a back slash (\) if specified in a URI string.

 

within

Syntax: --within <within_int>;

Description:

Use this together with the distance keyword to search for the contents within the specified number of bytes of the payload.

The within value must be between 0 and 65535.

 

IP header keywords

dst_addr

Syntax: --dst_addr [!]<ipv4>;

Description:

Use the dst_addr keyword to search for the destination IP address. To have the FortiGate search for a packet that does not contain the specified address, add an exclamation mark (!) before the IP address. You can define up to 28 IP addresses or CIDR blocks. Enclose the comma separated list in square brackets.

Example: --dst_addr [172.20.0.0/16, 10.1.0.0/16, 192.168.0.0/16];

 

ip_dscp

Syntax: --ip_dscp

Description:

Use the ip_dscp keyword to check the IP DSCP field for the specified value.

ip_id

Syntax: --ip_id <field_int>;

Description:

Check the IP ID field for the specified value.

ip_option

Syntax: --ip_option {rr | eol | nop | ts | sec | lsrr | ssrr | satid | any};

 

Description:

Use the ip_option keyword to check various IP option settings. The available options include:

  • rr: Check if IP RR (record route) option is present.
  • eol: Check if IP EOL (end of list) option is present.
  • nop: Check if IP NOP (no op) option is present.
  • ts: Check if IP TS (time stamp) option is present.
  • sec: Check if IP SEC (IP security) option is present.
  • lsrr: Check if IP LSRR (loose source routing) option is present.
  • ssrr: Check if IP SSRR (strict source routing) option is present.
  • satid: Check if IP SATID (stream identifier) option is present.
  • any: Check if any IP option is present.

 

ip_tos

Syntax: --ip_tos <field_int>;

Description:

Check the IP TOS field for the specified value.

ip_ttl

Syntax: --ip_ttl [< | >] <ttl_int>;

Description:

Check the IP time-to-live value against the specified value. Optionally, you can check for an IP time-to-live greater-than (>) or less-than (<) the specified value with the appropriate symbol.

protocol

Syntax: --protocol {<protocol_int> | tcp | udp | icmp};

Description:

Check the IP protocol header.

Example: --protocol tcp;

src_addr

Syntax: --src_addr [!]<ipv4>;

Description:

Use the src_addr keyword to search for the source IP address. To have the FortiGate unit search for a packet that does not contain the specified address, add an exclamation mark (!) before the IP address. You can define up to 28 IP addresses or CIDR blocks. Enclose the comma separated list in square brackets.

Example: --src_addr 192.168.13.0/24;

TCP header keywords

ack

Syntax: --ack <ack_int>;

 

Description:

Check for the specified TCP acknowledge number.

 

dst_port

Syntax: --dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};

 

Description:

Use the dst_port keyword to specify the destination port number. You can specify a single port or port range:

  • <port_int> is a single port.
  • :<port_int> includes the specified port and all lower numbered ports.
  • <port_int>: includes the specified port and all higher numbered ports.
  • <port_int>:<port_int> includes the two specified ports and all ports in between.

 

seq

Syntax: --seq [operator,]<number>[,relative];

 

Description:

Check for the specified TCP sequence number.

  • operator includes =,<,>,!.
  • relative indicates it’s relative to the initial sequence number of the TCP session.

 

src_port

Syntax: --src_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};

 

Description:

Use the src_port keyword to specify the source port number. You can specify a single port or port range:

  • <port_int> is a single port.
  • :<port_int> includes the specified port and all lower numbered ports.
  • <port_int>: includes the specified port and all higher numbered ports.
  • <port_int>:<port_int> includes the two specified ports and all ports in between.

 

tcp_flags

Syntax: --tcp_flags <SAFRUP120>[!|*|+] [,<SAFRUP120>];

 

Description:

Specify the TCP flags to match in a packet.

  • S: Match the SYN flag. l  A: Match the ACK flag. l  F: Match the FIN flag.
  • R: Match the RST flag.
  • U: Match the URG flag.
  • P: Match the PSH flag.
  • 1: Match Reserved bit 1.
  • 2: Match Reserved bit 2.
  • 0: Match No TCP flags set.
  • !: Match if the specified bits are not set.
  • *: Match if any of the specified bits are set.
  • +: Match on the specified bits, plus any others.

 

The first part of the value (<SAFRUP120>) defines the bits that must be present for a successful match.

Example: --tcp_flags AP; only matches the case where both the A and P bits are set.

The second part ([,<SAFRUP120>]) is optional, and defines the additional bits that can be present for a match.

For example, --tcp_flags S,12; matches the following combinations of flags: S, S and 1, S and 2, S and 1 and 2. The modifiers !, * and + cannot be used in the second part.
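The port-range forms under dst_port and src_port (the same four forms appear again under the UDP header keywords) and the tcp_flags rules just described can both be implemented exactly, which is a useful way to check what a given value will and will not match before it goes into a signature. The Python below is an added example for this page, not FortiGate code. The bit values assigned to the letters, with 1 and 2 standing for the two reserved bits, are the conventional TCP flag positions; reading the ! modifier as "none of the specified bits set" is an interpretation of the one-line description above, and is marked as such in the code.

```python
# TCP flag letters from the tcp_flags syntax (<SAFRUP120>) mapped to header bits.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "1": 0x40, "2": 0x80}
MODIFIERS = "!*+"
ALL_BITS = 0xFF


def _port(text):
    port = int(text)
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    return port


def parse_port_spec(spec):
    """Return (negate, low, high) for a dst_port/src_port value written as
    <p>, :<p>, <p>:, or <p>:<p>, each optionally prefixed with !."""
    negate = spec.startswith("!")
    if negate:
        spec = spec[1:]
    if ":" not in spec:
        low = high = _port(spec)
    else:
        lo_text, hi_text = spec.split(":", 1)
        low = _port(lo_text) if lo_text else 0          # :<p>  -> 0 .. p
        high = _port(hi_text) if hi_text else 65535     # <p>:  -> p .. 65535
    if low > high:
        raise ValueError("inverted port range: %s" % spec)
    return negate, low, high


def port_matches(spec, port):
    """Apply a port keyword value to one packet's port number."""
    negate, low, high = parse_port_spec(spec)
    inside = low <= port <= high
    return not inside if negate else inside


def _bits(letters):
    """Turn a run of flag letters into a mask; the single letter 0 means 'no
    flags set' and yields an empty mask."""
    if letters == "0":
        return 0
    mask = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError("unknown flag letter %r" % ch)
        mask |= FLAG_BITS[ch]
    return mask


def parse_tcp_flags(spec):
    """Return (required_mask, modifier, optional_mask) for a tcp_flags value."""
    first, _, second = spec.partition(",")
    modifier = ""
    if first and first[-1] in MODIFIERS:
        first, modifier = first[:-1], first[-1]
    if not first:
        raise ValueError("tcp_flags needs at least one flag letter")
    if any(ch in MODIFIERS for ch in second):
        raise ValueError("modifiers are not allowed in the second part")
    return _bits(first), modifier, _bits(second)


def tcp_flags_match(spec, packet_flags):
    """Apply the tcp_flags rules to the flag byte of one packet."""
    required, modifier, optional = parse_tcp_flags(spec)
    if modifier == "+":      # the specified bits, plus any others
        return packet_flags & required == required
    if modifier == "*":      # any of the specified bits
        return packet_flags & required != 0
    if modifier == "!":      # interpretation: none of the specified bits set
        return packet_flags & required == 0
    # No modifier: every required bit set, and nothing outside required|optional.
    allowed = required | optional
    return (packet_flags & required) == required and (packet_flags & ~allowed & ALL_BITS) == 0


def rejects(fn, *args):
    """True if fn(*args) raises ValueError; shows that invalid values are refused."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False
```

With this in hand, `tcp_flags_match("S,12", 0x42)` confirms that S plus reserved bit 1 matches while `tcp_flags_match("S,12", 0x12)` shows that S plus A does not, and `parse_tcp_flags("S,1!")` is refused because a modifier appears in the second part.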

window_size

Syntax: --window_size [!]<window_int>;

 

Description:

Check for the specified TCP window size. You can specify the window size as a hexadecimal or decimal integer. A hexadecimal value must be preceded by 0x. To have the FortiGate search for the absence of the specified window size, add an exclamation mark (!) before the window size.

 

UDP header keywords

dst_port

Syntax: --dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};

 

Description:

Specify the destination port number. You can specify a single port or port range:

  • <port_int> is a single port.
  • :<port_int> includes the specified port and all lower numbered ports.
  • <port_int>: includes the specified port and all higher numbered ports.
  • <port_int>:<port_int> includes the two specified ports and all ports in between.

 

src_port

Syntax: --src_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>};

Description:

Specify the source port number. You can specify a single port or port range:

  • <port_int> is a single port.
  • :<port_int> includes the specified port and all lower numbered ports.
  • <port_int>: includes the specified port and all higher numbered ports.
  • <port_int>:<port_int> includes the two specified ports and all ports in between.

 

ICMP keywords

icmp_code

Syntax: --icmp_code <code_int>;

Description:

Specify the ICMP code to match.

icmp_id

Syntax: --icmp_id <id_int>;

Description:

Check for the specified ICMP ID value.

icmp_seq

Syntax: --icmp_seq <seq_int>;

Description:

Check for the specified ICMP sequence value.

icmp_type

Syntax: --icmp_type <type_int>;

 

Description:

Specify the ICMP type to match.

 

Other keywords

data_size

Syntax: --data_size {<size_int> | <<size_int> | ><size_int>};

Description:

Test the packet payload size. With data_size specified, packet reassembly is turned off automatically, so a signature that sets both data_size and only_stream is invalid.

  • <size_int> is a particular packet size.
  • <<size_int> is a packet smaller than the specified size.
  • ><size_int> is a packet larger than the specified size.

Examples:

  • --data_size 300;
  • --data_size <300;
  • --data_size >300;

data_at

Syntax: --data_at <offset_int>[, relative];

Description:

Verify that the payload has data at a specified offset, optionally looking for data relative to the end of the previous content match.

dumpallhtml

Syntax: --dump-all-html

Description:

Dump all HTML files for benchmarking via iSniff. When there is no file type specified, all HTML files are dumped.

rate

Syntax: --rate <matches_int>,<time_int>;

 

Description:

Instead of generating log entries every time the signature is detected, use this keyword to generate a log entry only if the signature is detected a specified number of times within a specified time period.

  • <matches_int> is the number of times a signature must be detected.
  • <time_int> is the length of time in which the signature must be detected, in seconds.

For example, if a custom signature detects a pattern, a log entry will be created every time the signature is detected. If --rate 100,10; is added to the signature, a log entry will be created if the signature is detected 100 times in the previous 10 seconds. Use this command with --track to further limit log entries to when the specified number of detections occur within a certain time period involving the same source or destination address rather than all addresses.

 

rpc_num

Syntax: --rpc_num <app_int>[, <ver_int> | *][, <proc_int> | *];

 

Description:

Check for RPC application, version, and procedure numbers in SUNRPC CALL requests. The * wild card can be used for version and procedure numbers.

 

same_ip

Syntax: --same_ip;

 

Description:

Check that the source and the destination have the same IP addresses.

 

track

Syntax: --track {SRC_IP | DST_IP | DHCP_CLIENT | DNS_DOMAIN}[,block_int];

Description:

When used with --rate, this keyword narrows the custom signature rate totals to individual addresses.

  • SRC_IP: tracks the packet's source IP.
  • DST_IP: tracks the packet's destination IP.
  • DHCP_CLIENT: tracks the DHCP client's MAC address.
  • DNS_DOMAIN: counts the number of any specific domain name.
  • block_int has the FortiGate unit block connections for the specified number of seconds, from the client or to the server, depending on which is specified.

For example, if --rate 100,10 is added to the signature, a log entry will be created if the signature is detected 100 times in the previous 10 seconds. The FortiGate unit maintains a single total, regardless of source and destination address.

If the same custom signature also includes --track client; matches are totaled separately for each source address. A log entry is added when the signature is detected 100 times in 10 seconds within traffic from the same source address.

The --track keyword can also be used without --rate. If an integer is specified, the client or server will be blocked for the specified number of seconds every time the signature is detected.
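The difference between a single rate total and a per-address total is the whole point of combining rate with track, and it is easy to see by replaying a handful of detections through both. The Python below is an added example for this page, not FortiGate code: a sliding-window counter that models --rate <matches>,<seconds>, optionally narrowed by --track SRC_IP or DST_IP, with the optional block_int recorded per tracked address and the no-rate case (trigger on every detection) covered too. The event list is constructed, clearing the window after a log entry is a design choice of this model, and DHCP_CLIENT/DNS_DOMAIN tracking is left out because those keys come from protocol decoders the example does not have.

```python
from collections import defaultdict, deque


class RateTracker:
    """Models --rate <matches>,<seconds> with an optional --track.

    matches/seconds: log only when the signature is seen `matches` times within
    the last `seconds` seconds (sliding window). matches=None means every
    detection triggers, as --track without --rate does.
    track: None (one total for all addresses), "SRC_IP" or "DST_IP".
    block_seconds: the optional block_int, recorded per tracked key.
    """

    def __init__(self, matches=None, seconds=None, track=None, block_seconds=None):
        if track not in (None, "SRC_IP", "DST_IP"):
            raise ValueError("unsupported track value %r" % track)
        self.matches, self.seconds, self.track = matches, seconds, track
        self.block_seconds = block_seconds
        self.windows = defaultdict(deque)   # key -> timestamps of recent hits
        self.blocked_until = {}             # key -> time at which the block expires

    def key_for(self, event):
        if self.track == "SRC_IP":
            return event["src"]
        if self.track == "DST_IP":
            return event["dst"]
        return None                         # single total regardless of address

    def observe(self, event):
        """Record one detection; return True when a log entry (and block) is due."""
        key, now = self.key_for(event), event["ts"]
        if self.matches is None:
            triggered = True
        else:
            window = self.windows[key]
            window.append(now)
            while window and now - window[0] > self.seconds:
                window.popleft()            # forget hits that fell out of the window
            triggered = len(window) >= self.matches
            if triggered:
                window.clear()              # design choice: restart the count after logging
        if triggered and self.block_seconds:
            self.blocked_until[key] = now + self.block_seconds
        return triggered

    def is_blocked(self, key, now):
        return self.blocked_until.get(key, 0) > now


# Constructed detections of a hypothetical "Login Failed" signature: (timestamp, src, dst)
EVENTS = [
    (0.0, "10.0.0.5", "192.0.2.10"),
    (0.5, "10.0.0.9", "192.0.2.10"),
    (1.0, "10.0.0.5", "192.0.2.10"),
    (1.5, "10.0.0.9", "192.0.2.10"),
    (2.0, "10.0.0.5", "192.0.2.10"),
    (2.5, "10.0.0.5", "192.0.2.10"),
    (3.0, "10.0.0.5", "192.0.2.10"),
    (30.0, "10.0.0.5", "192.0.2.10"),
]


def replay(events, tracker):
    """Feed events through the tracker; return [(timestamp, key)] for each log entry."""
    logged = []
    for ts, src, dst in events:
        event = {"ts": ts, "src": src, "dst": dst}
        if tracker.observe(event):
            logged.append((ts, tracker.key_for(event)))
    return logged
```

With --rate 5,10 alone, the fifth detection overall (at t=2.0, contributed by two different sources) produces the log entry; with --track SRC_IP added, nothing is logged until one source, 10.0.0.5, reaches five detections on its own at t=3.0, and only that address is marked blocked.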



Enable IPS packet logging

Packet logging saves the network packets containing the traffic matching an IPS signature to the attack log. The FortiGate unit will save the logged packets to wherever the logs are configured to be stored, whether memory, internal hard drive, a FortiAnalyzer unit, or the FortiGuard Analysis and Management Service.

You can enable packet logging in the filters. Use caution in enabling packet logging in a filter. Filters configured with few restrictions can contain thousands of signatures, potentially resulting in a flood of saved packets. This would take up a great deal of space, require time to sort through, and consume considerable system resources to process. Packet logging is designed as a focused diagnostic tool and is best used with a narrow scope.

Although logging to multiple FortiAnalyzer units is supported, packet logs are not sent to the secondary and tertiary FortiAnalyzer units. Only the primary unit receives packet logs.

 

To enable packet logging for a filter

1. Create a filter in an IPS sensor.

2. After creating the filter, right-click the filter, and select Enable under Packet Logging.

3. Select the IPS sensor in the security policy that allows the network traffic the FortiGate unit will examine for the signature.

For information on viewing and saving logged packets, see “Configuring packet logging options”.

 

IPS logging changes

IPS operations severely affected by disk logging are moved out of the quick scanning path, including logging, SNMP trap generation, quarantine, etc.

Scanning processes are dedicated to nothing but scanning, which results in more evenly distributed CPU usage. Slow (IPS) operations are taken care of in a dedicated process, which usually stays idle.

 

IPS examples

 

Configuring basic IPS protection

Small offices, whether they are small companies, home offices, or satellite offices, often have very simple needs. This example details how to enable IPS protection on a FortiGate unit located in a satellite office. The satellite office contains only Windows clients.

 

Creating an IPS sensor

Most IPS settings are configured in an IPS sensor. IPS sensors are selected in firewall policies. This way, you can create multiple IPS sensors, and tailor them to the traffic controlled by the security policy in which they are selected. In this example, you will create one IPS sensor.

 

To create an IPS sensor— web-based manager

1. Go to Security Profiles > Intrusion Protection.

2. Select the Create New icon in the top of the Edit IPS Sensor window.

3. In the Name field, enter basic_ips.

4. In the Comments field, enter IPS protection for Windows clients.

5. Select OK.

6. Select the Create New drop-down to add a new component to the sensor and for the Sensor Type choose Filter Based.

7. In the Filter Options choose the following:

a. For Severity: select all of the options.

b. For Target: select Client only.

c. For OS: select Windows only.

8. For the Action leave as the default.

9. Select OK to save the filter.

10. Select OK to save the IPS sensor.

 

To create an IPS sensor — CLI

config ips sensor
    edit basic_ips
        set comment "IPS protection for Windows clients"
        config entries
            edit 1
                set location client
                set os windows
            next
        end
    next
end

 

Selecting the IPS sensor in a security policy

An IPS sensor directs the FortiGate unit to scan network traffic only when it is selected in a security policy. When an IPS sensor is selected in a security policy, its settings are applied to all the traffic the security policy handles.

 

To select the IPS sensor in a security policy — web-based manager

1. Go to Policy > Policy > Policy.

2. Select a policy.

3. Select the Edit icon.

4. Enable the IPS option.

5. Select the basic_ips profile from the list.

6. Select OK to save the security policy.

 

To select the IPS sensor in a security policy — CLI

config firewall policy
    edit 1
        set utm-status enable
        set ips-sensor basic_ips
    next
end

All traffic handled by the security policy you modified will be scanned for attacks against Windows clients. A small office may have only one security policy configured. If you have multiple policies, consider enabling IPS scanning for all of them.

 

Using IPS to protect your web server

Many companies have web servers and they must be protected from attack. Since web servers must be accessible, protection is not as simple as blocking access. IPS is one tool your FortiGate unit has to allow you to protect your network.

In this example, we will configure IPS to protect a web server. As shown below, a FortiGate unit protects a web server and an internal network. The internal network will have its own policies and configuration but we will concentrate on the web server in this example.

 

A simple network configuration

The FortiGate unit is configured with:

  • a virtual IP to give the web server a unique address accessible from the Internet.
  • a security policy to allow access to the web server from the Internet using the virtual IP.

To protect the web server using intrusion protection, you need to create an IPS sensor, populate it with filters, then enable IPS scanning in the security policy.

 

To create an IPS sensor

1. Go to Security Profiles > Intrusion Protection.

2. Select Create New.

3. Enter web_server as the name of the new IPS sensor.

4. Select OK.

The new IPS sensor is created but it has no filters, and therefore no signatures are included.

The web server operating system is Linux, so you need to create a filter for all Linux server signatures.

 

To create the Linux server filter

1. Go to Security Profiles > Intrusion Protection.

2. Select the web_server IPS sensor and select the Edit icon.

3. In the Pattern Based Signatures and Filters section, select Create New.

4. For Sensor Type, select Filter Based.

5. For Filter Options.

6. In the Filter Options choose the following:

a. For Severity: select all of the options.

b. For Target: select Server only.

c. For OS: select Linux only.

7. Select OK.

The filter is saved and the IPS sensor page reappears. In the filter list, find the Linux Server filter and look at the value in the Count column. This shows how many signatures match the current filter settings. You can select the View Rules icon to see a listing of the included signatures.

 

To edit the security policy

1. Go to Policy & Objects > IPv4 Policy, select the security policy that allows access to the web server, and select the Edit icon.

2. Enable IPS option and choose the web_server IPS sensor from the list.

3. Select OK.

Since IPS is enabled and the web_server IPS sensor is specified in the security policy controlling the web server traffic, the IPS sensor examines the web server traffic for matches to the signatures it contains.

 

Create and test a packet logging IPS sensor

In this example, you create a new IPS sensor and include a filter that detects the EICAR test file and saves a packet log when it is found. This is an ideal first experience with packet logging because the EICAR test file can cause no harm, and it is freely available for testing purposes.

 

Create an IPS sensor

1. Go to Security Profiles > Intrusion Protection.

2. Select Create New.

3. Name the new IPS sensor EICAR_test.

4. Select OK.

 

Create an entry

1. Select Create New.

2. For Sensor Type choose Specify Signatures.

3. Rather than search through the signature list, use the name filter by selecting the search icon over the header of the Signature column.

4. Enter EICAR in the Search field.

5. Highlight the Virus.Test.File signature by clicking on it.

6. Select Block All as the Action.

7. Enable Packet Logging.

8. Select OK to save the IPS sensor.

You are returned to the IPS sensor list. The EICAR test sensor appears in the list.

 

Add the IPS sensor to the security policy allowing Internet access

1. Go to Policy & Objects > IPv4 Policy.

2. Select the security policy that allows you to access the Internet.

3. Select the Edit icon.

4. Turn ON Log Allowed Traffic.

a. Select All Sessions

5. Enable the IPS option.

6. Choose EICAR test from the available IPS sensors.

7. Select OK.

With the IPS sensor configured and selected in the security policy, the FortiGate unit blocks any attempt to download the EICAR test file.

 

Test the IPS sensor

1. Using your web browser, go to http://www.eicar.org/anti_virus_test_file.htm.

2. Scroll to the bottom of the page and select eicar.com from the row labeled as using the standard HTTP protocol.

3. The browser attempts to download the requested file and,

  • If the file is successfully downloaded, the custom signature configuration failed at some point. Check the custom signature, the IPS sensor, and the firewall profile.
  • If the download is blocked with a high security alert message explaining that you’re not permitted to download the file, the EICAR test file was blocked by the FortiGate unit antivirus scanner before the IPS sensor could examine it. Disable antivirus scanning and try to download the EICAR test file again.
  • If no file is downloaded and the browser eventually times out, the custom signature successfully detected the EICAR test file and blocked the download.

 

Viewing the packet log

1. Go to Log&Report > Security Log > AntiVirus.

2. Locate the log entry that recorded the blocking of the EICAR test file. The Message field data will be tools: EICAR.AV.Test.File.Download.

3. Select the View Packet Log icon in the Packet Log column.

4. The packet log viewer is displayed.

 

Configuring a Fortinet Security Processing module

The Example Corporation has a web site that is the target of SYN floods. While they investigate the source of the attacks, it’s very important that the web site remain accessible. To enhance the ability of the company’s FortiGate-100D to deal with SYN floods, the administrator will install an ASM-CE4 Fortinet Security Processing module and have all external access to the web server come through it.

The security processing modules not only accelerate and offload network traffic from the FortiGate unit’s processor, but they also accelerate and offload security and content scanning. The ability of the security module to accelerate IPS scanning and DoS protection greatly enhances the defense capabilities of the FortiGate-100D.

 

Assumptions

As shown in other examples and network diagrams throughout this document, the Example Corporation has a pair of FortiGate-100D units in an HA cluster. To simplify this example, the cluster is replaced with a single FortiGate-100D.

An ASM-CE4 is installed in the FortiGate-100D. The network is configured as shown below.

Network configuration

The Example Corporation network needs minimal changes to incorporate the ASM-CE4. Interface amc-sw1/1 of the ASM-CE4 is connected to the Internet and interface amc-sw1/1 is connected to the web server.

Since the main office network is connected to port2 and the Internet is connected to port1, a switch is installed to allow both port1 and amc-sw1/1 to be connected to the Internet.

 

The FortiGate-100D network configuration

The switch used to connect port1 and amc-sw1/1 to the Internet must be able to handle any SYN flood, all of the legitimate traffic to the web site, and all of the traffic to and from the Example Corporation internal network. If the switch cannot handle the bandwidth, or if the connection to the service provider cannot provide the required bandwidth, traffic will be lost.

 

Security module configuration

The Fortinet security modules come configured to give equal priority to content inspection and firewall processing. The Example Corporation is using an ASM-CE4 module to defend its web server against SYN flood attacks, so firewall processing is a secondary consideration.

Use these CLI commands to configure the security module in ASM slot 1 to devote more resources to content processing, including DoS and IPS, than to firewall processing.

config system amc-slot
    edit sw1
        set optimization-mode fw-ips
        set ips-weight balanced
        set ips-p2p disable
        set ips-fail-open enable
        set fp-disable none
        set ipsec-inb-optimization enable
        set syn-proxy-client-timer 3
        set syn-proxy-server-timer 3
end

These settings do not disable firewall processing. Rather, when the security module nears its processing capacity, it will choose to service content inspection over firewall processing.

 

IPS Sensor

You can group signatures into IPS sensors for easy selection when applying to firewall policies. You can define signatures for specific types of traffic in separate IPS sensors, and then select those sensors in profiles designed to handle that type of traffic. For example, you can specify all of the web-server related signatures in an IPS sensor, and that sensor can then be applied to a firewall policy that controls all of the traffic to and from a web server protected by the unit.

The FortiGuard Service periodically updates the pre-defined signatures, with signatures added to counter new threats. Since the signatures included in filters are defined by specifying signature attributes, new signatures matching existing filter specifications will automatically be included in those filters. For example, if you have a filter that includes all signatures for the Windows operating system, your filter will automatically incorporate new Windows signatures as they are added.

Each IPS sensor consists of two parts: filters and overrides. Overrides are always checked before filters.

Each filter consists of a number of signature attributes. All of the signatures with those attributes, and only those attributes, are checked against traffic when the filter is run. If multiple filters are defined in an IPS Sensor, they are checked against the traffic one at a time, from top to bottom. If a match is found, the unit takes the appropriate action and stops further checking.

A signature override can modify the behavior of a signature specified in a filter. A signature override can also add a signature not specified in the sensor’s filters. Custom signatures are included in an IPS sensor using overrides.

The signatures in the overrides are first compared to network traffic. If the IPS sensor does not find any matches, it then compares the signatures in each filter to network traffic, one filter at a time, from top to bottom. If no signature matches are found, the IPS sensor allows the network traffic.

The signatures included in the filter are only those matching every attribute specified. When created, a new filter has every attribute set to all which causes every signature to be included in the filter. If the severity is changed to high, and the target is changed to server, the filter includes only signatures checking for high priority attacks targeted at servers.
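The selection and evaluation order described above, as an added Python model that is not FortiOS code: the signature records, attribute names and the per-session "hits" are constructed, and the Linux Server filter is the one built in the web_server procedure earlier on this page.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Signature:
    name: str
    severity: str  # "high", "medium", "low"
    target: str    # "server" or "client"
    os: str        # "linux", "windows", ...

@dataclass
class Filter:
    # Includes every signature matching ALL its attributes; "all" (the new-filter default) matches any value.
    name: str
    action: str
    severity: str = "all"
    target: str = "all"
    os: str = "all"

    def selects(self, sig):
        pairs = ((self.severity, sig.severity), (self.target, sig.target), (self.os, sig.os))
        return all(want in ("all", have) for want, have in pairs)

@dataclass
class Override:
    signature: str  # by name, so it can add a (custom) signature no filter includes
    action: str

@dataclass
class Sensor:
    overrides: list = field(default_factory=list)  # always checked first
    filters: list = field(default_factory=list)    # then top to bottom

# Constructed stand-in for the FortiGuard signature database.
SIGNATURES = [
    Signature("Linux.Web.RCE", "high", "server", "linux"),
    Signature("Linux.Web.Probe", "low", "server", "linux"),
    Signature("Windows.SMB.Exploit", "high", "server", "windows"),
    Signature("Browser.Drive.By", "high", "client", "windows"),
]

def filter_count(flt, database=SIGNATURES):
    """The Count column: signatures the filter currently includes. A new
    signature with matching attributes would be picked up automatically."""
    return sum(1 for sig in database if flt.selects(sig))

def evaluate(sensor, hits, database=SIGNATURES):
    """hits: names of the signatures a session matched (constructed input).
    Overrides first, then filters top to bottom; the first match decides."""
    for ov in sensor.overrides:
        if ov.signature in hits:
            return ov.action, "override:" + ov.signature
    by_name = {sig.name: sig for sig in database}
    for flt in sensor.filters:
        if any(n in by_name and flt.selects(by_name[n]) for n in hits):
            return flt.action, "filter:" + flt.name
    return "pass", "no match"  # nothing in the sensor matched: traffic allowed

# The web_server sensor from the procedure above: all severities, server, Linux.
LINUX_SERVER = Filter("Linux Server", "block", target="server", os="linux")
WEB_SERVER = Sensor(filters=[LINUX_SERVER])
```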


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Configure IPS options

The following IPS configuration options are available:

  • Malicious URL database for drive-by exploits detection
  • Customizable replacement message when IPS blocks traffic
  • Hardware Acceleration
  • Extended IPS Database
  • Configuring the IPS engine algorithm
  • Configuring the IPS engine-count
  • Configuring fail-open
  • Configuring the session count accuracy
  • Configuring IPS intelligence
  • Configuring the IPS buffer size
  • Configuring protocol decoders
  • Configuring security processing modules
  • IPS signature rate count threshold

 

Malicious URL database for drive-by exploits detection

This feature uses a local malicious URL database on the FortiGate to assist in drive-by exploit detection. The database contains all malicious URLs active in the last one month, and all drive-by exploit URLs active in the last three months. The number of URLs is kept in the one million range.

 

CLI Syntax

config ips sensor
    edit <profile>
        set block-malicious-url [enable | disable]
    next
end

 

Customizable replacement message when IPS blocks traffic

You can edit a replacement message that appears specifically when an IPS sensor blocks Internet access. Go to System > Replacement Messages, and find IPS Sensor Block Page under the Security heading.

 

Hardware Acceleration for flow-based security profiles (NTurbo and IPSA)

Some FortiGate models support a feature called NTurbo that can offload flow-based firewall sessions to NP4 or NP6 network processors. Some FortiGate models also support offloading enhanced pattern matching for flow-based security profiles to CP8 or CP9 content processors. You can use the following command to configure NTurbo and IPSA:

 

config ips global

set np-accel-mode {none | basic}

set cp-accel-mode {none | basic | advanced}

end

If the np-accel-mode option is available, your FortiGate supports NTurbo: none disables NTurbo and basic (the default) enables NTurbo. If the cp-accel-mode option is available your FortiGate supports IPSA: none disables IPSA, basic enables basic IPSA and advanced enables enhanced IPSA which can offload more types of pattern matching than basic IPSA. advanced is only available on FortiGate models with two or more CP8 processors or one or more CP9 processors.

See the Hardware Acceleration handbook chapter for more information about NTurbo and IPSA.

 

Extended IPS Database

Some models have access to an extended IPS Database. The extended database may affect the performance of the FortiGate unit, so depending on the model of the FortiGate unit the extended database package may not be enabled by default. For example, the D-series Desktop models have this option disabled by default.

This feature can only be enabled through the CLI.

config ips global

set database extended

end

 

Configuring the IPS engine algorithm

The IPS engine is able to search for signature matches in two ways. One method is faster but uses more memory, the other uses less memory but is slower. Use the algorithm CLI command to select one method:

config ips global

set algorithm {super | high | low | engine-pick}

end

 

Specify high to use the faster, more memory-intensive method or low for the slower, memory-efficient method. The setting super improves the performance for FortiGate units with more than 4GB of memory. The default setting is engine-pick, which allows the IPS engine to choose the best method on the fly.

 

Configuring the IPS engine-count

FortiGate units with multiple processors can run more than one IPS engine concurrently. The engine-count CLI command allows you to specify how many IPS engines are used at the same time:

config ips global

set engine-count <int>

end

 

The recommended and default setting is 0, which allows the FortiGate unit to determine the optimum number of IPS engines.

 

Configuring fail-open

IPS protection is likely more important to your network than uninterrupted flow of network traffic, so the fail-open behaviour of the IPS engine is disabled by default. If you would like to enable the fail-open option, use the following syntax. When enabled, if the IPS engine fails for any reason, it will fail open. This applies for inspection of all the protocols inspected by FortiOS IPS protocol decoders, including but not limited to HTTP, HTTPS, FTP, SMTP, POP3, IMAP, etc. This means that traffic continues to flow without IPS scanning. To enable:

config ips global

set fail-open {enable | disable}

end

 

The default setting is disable.

 

Configuring the session count accuracy

The IPS engine can keep track of the number of open sessions in two ways. An accurate count uses more resources than a less accurate heuristic count.

config ips global

set session-limit-mode {accurate | heuristic}

end

 

The default is heuristic.

 

Configuring IPS intelligence

If intelligent-mode is enabled (the default), in most cases the IPS engine will scan the first 200 kilobytes of a session (this value is hard coded).

In some cases, however, the IPS engine will still scan all traffic in a session. If intelligent-mode is disabled, the IPS engine scans all traffic.

config ips global

set intelligent-mode [enable|disable]

end

 

Configuring the IPS buffer size

Set the size of the IPS buffer.

config ips global

set socket-size <int>

end

 

The acceptable range is from 1 to 64 megabytes. The default size varies by model. In short, socket-size determines how much data the kernel passes to the IPS engine each time the engine samples packets.

 

Configuring protocol decoders

The FortiGate Intrusion Protection system uses protocol decoders to identify the abnormal traffic patterns that do not meet the protocol requirements and standards. For example, the HTTP decoder monitors traffic to identify any HTTP packets that do not meet the HTTP protocol standards.

To change the ports a decoder examines, you must use the CLI. In this example, the ports examined by the DNS decoder are changed from the default 53 to 100, 200, and 300.

config ips decoder dns_decoder

set port_list "100,200,300"

end

 

You cannot assign specific ports to decoders that are set to auto by default. These decoders can detect their traffic on any port. Specifying individual ports is not necessary.

 

Configuring security processing modules

FortiGate Security Processing Modules, such as the CE4, XE2, and FE8, can increase overall system performance by accelerating some security and networking processing on the interfaces they provide. They also allow the FortiGate unit to offload the processing to the security module, thereby freeing up its own processor for other tasks. The security module performs its own IPS and firewall processing, but you can configure it to favor IPS in hostile high-traffic environments.

If you have a security processing module, use the following CLI commands to configure it to devote more resources to IPS than to firewall processing. This example shows the CLI commands required to configure a security module in slot 1 for increased IPS performance.

 

config system amc-slot
    edit sw1
        set optimization-mode fw-ips
        set ips-weight balanced
        set ips-p2p disable
        set ips-fail-open enable
        set fp-disable none
        set ipsec-inb-optimization enable
        set syn-proxy-client-timer 3
        set syn-proxy-server-timer 3
end

In addition to offloading IPS processing, security processing modules provide a hardware accelerated SYN proxy to defend against SYN flood denial of service attacks. When using a security module, configure your DoS anomaly check for tcp_syn_flood with the Proxy action. The Proxy action activates the hardware accelerated SYN proxy.

 

IPS signature rate count threshold

The IPS signature rate threshold lets you configure a signature so that its action is not triggered until a rate count threshold is met. This provides a more controlled recording of attack activity. For example, if multiple login attempts fail over a short period of time, an alert would be sent and perhaps the traffic blocked. This is a more rational response than sending an alert every time a single login fails.

 

The syntax for this configuration is as follows:

config ips sensor
    edit default
        config entries
            edit <Filter ID number>
                set rule <*id>
                set rate-count <integer between 1 – 65535>
                set rate-duration <integer between 1 – 65535>

 

The value of the rate-duration is an integer for the time in seconds.

                set rate-mode <continuous | periodical>

 

The rate-mode refers to how the count threshold is met.

If the setting is “continuous”, and the action is set to block, as soon as the rate-count is reached the action is engaged. For example, if the count is 10, as soon as the signature is triggered 10 times the traffic would be blocked.

If the setting is “periodical”, the FortiGate allows up to the value of the rate-count incidents where the signature is triggered during the rate-duration. For example, if the rate count is 100 and the duration is 60, the signature would need to be triggered 100 times in 60 seconds for the action to be engaged.

                set rate-track <dest-ip | dhcp-client-mac | dns-domain | none | src-ip>

 

This setting keeps the rate count separately per value of one protocol field within the packet (for example, per source address with src-ip); none keeps a single count for the signature.
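The rate-mode and rate-track behaviour described above, as an added Python simulation that is not FortiOS code: the failed-login events, the addresses and the exact boundary of the rate-duration window are constructed assumptions, while the two scenarios use the numbers from the text (count 10 in continuous mode; 100 firings within 60 seconds in periodical mode).

```python
from collections import defaultdict, deque


class RateThreshold:
    """Decides when a rate-limited signature's action engages."""

    def __init__(self, rate_count, rate_duration=0, rate_mode="continuous",
                 rate_track="none"):
        self.rate_count = rate_count        # firings needed (1-65535)
        self.rate_duration = rate_duration  # seconds; used by periodical mode only
        self.rate_mode = rate_mode          # "continuous" | "periodical"
        self.rate_track = rate_track        # "none" | "src-ip" | "dest-ip" | ...
        self.firings = defaultdict(deque)   # track key -> timestamps of firings

    def _key(self, event):
        # rate-track keeps a separate count per value of one packet field;
        # "none" keeps a single count for the signature.
        return None if self.rate_track == "none" else event[self.rate_track]

    def observe(self, ts, event):
        """Record one firing of the signature at time ts (seconds).
        Returns True when the configured action should engage."""
        window = self.firings[self._key(event)]
        window.append(ts)
        if self.rate_mode == "periodical":
            # Only firings inside the last rate-duration seconds count
            # (assumed window boundary: strictly older firings are dropped).
            while window and ts - window[0] > self.rate_duration:
                window.popleft()
        return len(window) >= self.rate_count


def first_engagement(threshold, events):
    """Index of the first event at which the action engages, or None."""
    for i, (ts, event) in enumerate(events):
        if threshold.observe(ts, event):
            return i
    return None


def failed_logins(src_ip, count, interval, start=0.0):
    """Constructed signature firings: `count` failed logins from src_ip,
    one every `interval` seconds, all against the same server."""
    return [(start + i * interval, {"src-ip": src_ip, "dest-ip": "192.0.2.10"})
            for i in range(count)]


if __name__ == "__main__":
    # Continuous, count 10: engages on the 10th firing regardless of timing.
    print(first_engagement(RateThreshold(10), failed_logins("198.51.100.7", 20, 5.0)))
    # Periodical, 100 in 60 s: one failure per second never reaches 100 in a
    # minute, two per second does.
    slow = failed_logins("198.51.100.7", 200, 1.0)
    fast = failed_logins("198.51.100.7", 200, 0.5)
    print(first_engagement(RateThreshold(100, 60, "periodical"), slow))
    print(first_engagement(RateThreshold(100, 60, "periodical"), fast))
```

With rate-track set to src-ip, two sources interleaving their attempts are counted independently, so neither reaches the threshold as early as a single global count would.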

