Tag Archives: unified threat management

FortiOS 6 – Inspection Modes

Inspection modes

You can select one of two inspection modes from the System > Settings page to control the security profile inspection mode for your FortiGate or VDOM.

Proxy-based inspection, that reconstructs content passing through the FortiGate unit and inspects the content for security threats, or
Flow-based inspection, that takes a snapshot of content packets and uses pattern matching to identify security threats in the content.

Each inspection component plays a role in the processing of traffic en route to its destination. Having control over flow and proxy mode is helpful if you want to be sure that only flow inspection mode is used (and that proxy inspection mode is not used). In most cases proxy mode is preferred because more security profile features are available and more configuration options for these individual features are available. Yet, some implementations may require all security profile scanning to only use flow mode. In this case, you can set your FortiGate to flow mode knowing that proxy mode inspection will not be used. While both modes offer significant security, proxybased provides more features and flow-based is designed to optimize performance.

This section addresses the following topics:

Proxy-based inspection

Flow-based inspection

Changing between proxy and flow mode

Comparison of inspection types

Proxy-based inspection

If a FortiGate or VDOM is configured for proxy-based inspection, then a mixture of flow-based and proxy-based inspection occurs. Traffic initially encounters the IPS engine, which applies single-pass IPS, Application Control, and CASI, if configured in the firewall policy accepting the traffic.

The traffic is then sent for proxy-based inspection. Proxy-based inspection extracts and caches content, such as files and web pages, from a content session and inspects the cached content for threats. Content inspection takes place in the following order: VoIP inspection, DLP, AntiSpam, Web Filtering, AntiVirus, and ICAP.

If no threat is found, the proxy relays the content to its destination. If a threat is found, the proxy can block the threat and send a replacement message in its stead. The proxy can also block VoIP traffic that contains threats.

Transparent web proxy mode

In proxy mode, FortiOS 5.6 functions just like FortiOS 5.4 with the addition of the new Transparent Web Proxy mode. See New Operating mode for Transparent web proxy in What’s New in FortiOS 5.6.

Flow-based inspection

Flow-based inspection identifies and blocks security threats in real time as they are identified using single-pass Direct Filter Approach (DFA) pattern matching to identify possible attacks or threats.

If a FortiGate or a VDOM is configured for flow-based inspection, depending on the options selected in the firewall policy that accepted the session, flow-based inspection can apply IPS, Application Control, Web Filtering, DLP, and AntiVirus. Flow-based inspection is all done by the IPS engine and, as you would expect, no proxying is involved.

All of the applicable flow-based security modules are applied simultaneously in one single pass, and pattern matching is offloaded and accelerated by CP8 or CP9 processors. IPS, Application Control, flow-based Web Filtering, and flow-based DLP filtering happen together. Flow-based AntiVirus scanning caches files during protocol decoding and submits cached files for virus scanning while the other matching is carried out.

Flow-based inspection typically requires fewer processing resources than proxy-based inspection and does not change packets, unless a threat is found and packets are blocked. Flow-based inspection cannot apply as many features as proxy inspection. For example, flow-based inspection does not support client comforting and some aspects of replacement messages.

In FortiOS 5.6, flow-based inspection requires the new NGFW mode.

Changing between proxy and flow mode

You can see which inspection mode your FortiGate is using by looking at the System Information widget on your Dashboard.

To change inspection modes, go to System > Settings and scroll down to Inspection Mode. You can select Flow-based to operate in Flow mode or Proxy to operate in Proxy mode.

When you select Flow-based, all proxy mode profiles are converted to flow mode, removing any proxy settings. As well proxy mode only features (for example, Web Application Profile) are removed from the GUI.

In addition, selecting Flow-based inspection will cause the Explicit Web Proxy and Explicit FTP Proxy features to be removed from the GUI and the CLI. This includes Explicit Proxy firewall policies.

W hen you select Flow-based you can only configure Virtual Servers (under Policy & Objects > Virtual Servers) with Type set to HTTP, TCP, UDP, or IP.

If required, you can change back to proxy mode through the System > Settings page.

If your FortiGate has multiple VDOMs, you can set the inspection mode independently for each VDOM. Use the top left drop-down menu to go to Global > System > VDOM. Click Editfor the VDOM you wish to change and select the Inspection Mode.

From the GUI, you can only configure antivirus and web filter security profiles in proxy mode. From the CLI you can configure flow-based antivirus profiles, web filter profiles and DLP profiles and they will appear on the GUI and include their inspection mode setting. Also, flow-based profiles created when in flow mode are still available when you switch to proxy mode.

NGFW profile-based and NGFW policy-based modes

When you select Flow-based as the Inspection Mode, you have the option in FortiOS 5.6 to select an NGFW Mode. NGFW Profile-based mode works the same as flow-based mode did in FortiOS 5.4

When selecting NGFW policy-based mode you can also select the SSL/SSH Inspection mode that is applied to all policies.

In the new NGFW Policy-based mode, you add applications and web filtering profiles directly to a policy without having to first create and configure Application Control or Web Filtering profiles. See NGFW Policy Mode on page

When you change to flow-based inspection, all proxy mode profiles are converted to flow mode, removing any proxy settings. And proxy-mode only features (for example, Web Application Profile) are removed from the GUI.

If your FortiGate has multiple VDOMs, you can set the inspection mode independently for each VDOM. Go to System > VDOM. Click Edit for the VDOM you wish to change and select the Inspection Mode. CLI syntax

The following CLI commands can be used to configure inspection and NGFW (called “policy” in the CLI) modes:

config system settings set inspection-mode {proxy | flow} set policy-mode {standard | ngfw}

end

Comparison of inspection types

The tables in this section show how different security features map to different inspection types and present the strengths and weaknesses of proxy- vs. flow-based inspection.

Security profile features mapped to inspection mode

The table below lists FortiOS security profile features and shows whether they are available in flow-based or proxy-based inspection modes.

Security Profile Feature	Flow-based inspection	Proxy-based inspection
AntiVirus	x	x
Web Filter	x	x

Security Profile Feature	Flow-based inspection	Proxy-based inspection
DNS Filter	x	x
Application Control	x	x
Intrusion Protection	x	x
Anti-Spam		x
Data Leak Protection		x
VoIP		x
ICAP		x
Web Application Firewall		x
FortiClient Profiles	x	x
Proxy Options	x	x
SSL Inspection	x	x
SSH Inspection		x
Web Rating Overrides	x	x
Web Profile Overrides		x

Individual security profile considerations

In flow mode, AntiVirus and Web Filter profiles only include flow-mode features. Web filtering and virus scanning are still done with the same engines and to the same accuracy, but some inspection options are limited or not available in flow mode. Application control, intrusion protection, and FortiClient profiles are not affected when switching between flow and proxy mode.

Application control uses flow-based inspection; if you apply an additional security profile to your traffic that is proxy-based, the connection will simply timeout rather than display the warning, or replacement, message. However, Application Control will still function.

Even though VoIP profiles are not available from the GUI in flow mode, the FortiGate can process VoIP traffic. In this case the appropriate session helper is used (for example, the SIP session helper).

Setting flow or proxy mode doesn’t change the settings available from the CLI. However, when in flow mode you can’t save security profiles that are set to proxy mode.

You can also add proxy-only security profiles to firewall policies from the CLI. So, for example, you can add a VoIP profile to a security policy that accepts VoIP traffic. This practice isn’t recommended because the setting will not be visible from the GUI.

If you set flow-based to use external servers for FortiWeb and FortiMail you must use the CLI to set a Web Application Firewall profile or Anti-Spam profile to external mode and add the Web Application Firewall profile or AntiSpam profile to a firewall policy.

Proxy mode and flow mode antivirus and web filter profile options

The following tables list the antivirus and web filter profile options available in proxy and flow modes.

Antivirus features in proxy and flow mode

Feature	Proxy	Flow
Scan Mode (Quick or Full)	no	yes
Detect viruses (Block or Monitor)	yes	yes
Inspected protocols	yes	no (all relevant protocols are inspected)
Inspection Options	yes	yes (not available for quick scan mode)
Treat Windows Executables in Email Attachments as Viruses	yes	yes
Send Files to FortiSandbox Appliance for Inspection	yes	yes
Use FortiSandbox Database	yes	yes
Include Mobile Malware Protection	yes	yes

Web filter features in proxy and flow mode

Feature	Proxy	Flow
FortiGuard category based filter	yes	yes (show, allow, monitor, block)
Category Usage Quota	yes	no
Allow users to override blocked categories (on some models)	yes	no
Search Engines	yes	no

Feature		Proxy Flow
	Enforce ‘Safe Search’ on Google, Yahoo!, Bing, Yandex	yes	no
	Restrict YouTube Access	yes	no
	Log all search keywords	yes	no
Static URL Filter		yes	yes
	Block invalid URLs	yes	no
	URL Filter	yes	yes
	Block malicious URLs discovered by FortiSandbox	yes	yes
	Web Content Filter	yes	yes
Rating Options		yes	yes
	Allow websites when a rating error occurs	yes	yes
	Rate URLs by domain and IP Address	yes	yes
	Block HTTP redirects by rating	yes	no
	Rate images by URL	yes	no
Proxy Options		yes	no
	Restrict Google account usage to specific domains	yes	no
	Provide details for blocked HTTP 4xx and 5xx errors	yes	no
	HTTP POST Action	yes	no
	Remove Java Applets	yes	no
	Remove ActiveX	yes	no
	Remove Cookies	yes	no
	Filter Per-User Black/White List	yes	no

AntiVirus scanning differences between versions of FortiOS 5.x

In FortiOS 5.0, 5.2, 5.4, 5.6 and 6.0, there are several AntiVirus (AV) scanning inspection modes available. FortiOS 5.0 includes proxy and flow-based virus scanning. FortiOS 5.2 also uses proxy-based and flowbased scanning, but the flow-based mode in FortiOS 5.2 uses a new approach to flow-based scanning (that is sometimes called deepflow or deep flow scanning). FortiOS 5.4 and onward offer another flow-based mode, quick mode, to inspect traffic efficiently.

The databases used for AV scanning does not change from proxy to flow mode unless quick mode is enabled. In flow-based quick mode, a compact antivirus database is used.

AntiVirus scanning examines files in HTTP, HTTPS, email, and FTP traffic for threats as they pass through your FortiGate. If the traffic contains compressed files, they are also examined. Go to the SysAdmin Note on the Fortinet Cookbook site for detailed information on supported compression formats in antivirus scanning.

If the AV scanner finds a threat such as a virus or some other malware, FortiOS protects your network by blocking the file.

FortiOS includes a number of AntiVirus features that make virus scanning more user-friendly. One of these features, called replacement messages, sends a customizable message to anyone whose file is blocked by AV scanning, to explain what happened and why. Other features make communication between the client and the server more seamless. The availability of these changes depending on the inspection mode.

Proxy-based AV scanning

Proxy-based AV scanning is the most feature-rich AV scanning mode. This mode uses a proxy to manage the communication between client and server. The proxy extracts content packets from the data stream as they arrive and buffers the content until the complete file is assembled. Once the file is whole, the AV scanner examines the file for threats. If no threats are found, the file is sent to its destination. If a threat is found, the file is blocked.

Because proxy-based scanning is applied to complete files, including compressed files, it provides very effective threat detection. Proxy-based scanning also supports a full range of features, including replacement messages and client comforting, making proxy-based scanning the most user friendly inspection mode. In addition the proxy manages the communication between the client and the server, improving the user experience. For example, in flow mode if a virus is found, the last part of the file is not downloaded and the connection just times out and the user cannot tell what is going on. In proxy mode, the users gets a message about the file being blocked.

Proxy-based scanning inspects all files under the oversized threshold. Since the FortiGate unit has a limited amount of memory, files larger than a certain size do not fit within the memory buffer. The default buffer size is 10 MB. You can use the uncompsizelimitCLI command to adjust the size of this memory buffer. Files larger than the threshold are passed to the destination without scanning. You can use the Oversized File/Email setting in Security Profiles > Proxy Options to block files larger than the antivirus buffer if allowing files that are too large to be scanned is an unacceptable security risk.

During the buffering and scanning procedure, the client must wait. With a default configuration, the file is released to the client only after it is scanned. You can enable client comforting in the Proxy Options security profile to feed the client a trickle of data to prevent them from possibly thinking the transfer is stalled and consequently canceling the download.

Flow-based AV scanning

Although the name “flow-based scanning” is used in FortiOS 5.0, 5.2, 5.4, and 5.6, the different versions handle this mode in very different ways.

Flow AV in FortiOS 5.4 and 5.6

In FortiOS 5.4 and 5.6, there are two modes available for flow-based virus scanning: Quick and Full scan mode. Full mode is the same as flow-based scanning in FortiOS 5.2 (see below). Quick mode uses a compact antivirus database and advanced techniques to improve performance. You can designate quick or full scan mode when configuring the antivirus profile in the GUI. Alternatively, use the following CLI command to enable quick or full mode:

config antivirus profile edit <profile> set scan-mode {quick | full}

end

Flow AV in FortiOS 5.2 (deepflow or deep flow)

FortiOS 5.2 introduced a new type of flow-based AV scanning, that is sometimes called deepflow or deep flow, and that takes a hybrid approach where content packets are buffered while simultaneously being sent to their destination. When all of the files packets have been collected and buffered, but before the final packet is delivered, the buffered file is scanned. If a threat is found, the last packet is blocked and the client application has to deal with not getting the completed file. If no threat is found the final packet is sent and the user gets their file.

Deepflow AV scanning is as good as proxy-based AV scanning at detecting threats. There may be a small performance advantage over proxy-based AV as files get larger based on the difference between sending the whole file after analysis and just sending the last packet. Deepflow’s most notable limitation is that, just like the flow-based AV in 5.0, it does not support many of the user-friendly features provided by proxy-based AV.

Flow AV in FortiOS 5.0

In FortiOS 5.0, flow-based AV scanning examines the content of individual data packets as they pass through the FortiGate. There is no proxy involved so packets are not changed by the proxy and files are not buffered for analysis. Potentially less memory and CPU resources are used, resulting in a potential performance increase compared to using proxy-based mode. FortiOS 5.0 flow-based AV scanning is also not limited by file size.

Flow AV uses the IPS engine and the AV database and is effective at many kinds of threat detection; however, because it can only analyze what is in an individual packet rather than a complete file, flow-based scanning cannot detect some types of malware, including polymorphic code. Malware in documents, compressed files, and some archives are also less likely to be detected.

Flow AV does not actually block files, it stops delivering a file’s packets once a threat has been detected. This means that parts of the file may already have been delivered when the threat has been detected and the recipient application is responsible for dealing with the partially complete content.

In addition flow AV can be less user friendly. Replacement messages are not supported and clients may have to wait for sessions to time out without knowing why content has been blocked.

Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

Inside FortiOS: AntiVirus

AntiVirus uses a suite of integrated security technologies to provide against a variety of threats, including both known and unknown malicious codes (Malware), plus Advanced Targeted Attacks (ATA), also known as Advanced Persistent Threats (APT).

Advanced protection against malware and APTs

Malware and Advanced Persistent Threats can cause significant damages to today’s organizations. These malicious codes are commonly designed to steal valuable data, gain unauthorized access, or cause products to degrade. FortiOS’s AntiVirus is an industry-proven anti-malware security solution with robust features and deployment options

FortiOS offers the unique ability to implement both Flow- and Proxy-based AV concurrently, depending on traffic type, users, and locations. Flow-based AV offers higher throughput performance while proxy-based solutions are useful in mitigating stealthy malicious codes. The AV detection capabilities are further enhanced with complementary security features and external sandbox integration.

By utilizing the unique Content Pattern Recognition Language (CPRL) built into the FortiASIC Content Processor, FortiOS is able to deliver high performance and low latency anti-malware capabilities. This real-time protection is backed by a team of worldwide researchers.

Highlights

Certification from multiple industries for best-in-class security and capacity with proven coverage and high performance.
Multi-layered protection with extended AV components and external file analysis integration. l Comprehensive remediation actions such as file quarantine and knowledge tools.

Key Features & Benefits

Robust feature set	Allows the flexibility to deploy appropriate protection according to security needs and infrastructure designs.
High performance utilizing FortiASIC and patented CPRL AV signatures	Low latency and high capacity ensures that business applications are not affected while security is enforced.
Backed by FortiGuard Labs that deliver real-time protection	Critical digital assets are covered by continuous protection against latest threats.

Features

Industry’s validated protection

FortiOS anti-malware components and FortiGuard AV signatures periodically undergo numerous authoritative certifications. These independent certifications demonstrate that the solution offered is of the highest standard in performance and accuracy, ensuring organizations are truly protected.

Fortinet has been consistently ranked among the top vendors for Virus Bulletin’s RAP (Reactive And Proactive) bimonthly tests. This test measures a product’s detection rates over the freshest samples available, as well as samples not seen until after product databases are frozen, thus reflecting both the vendor’s ability to handle the huge quantity of newly emerging malware and accurately detect previously unknown malware.

Real time protection

The FortiGuard AntiVirus Service provides fully automated updates to ensure protection against the latest content-level threats via the experienced FortiGuard global network is backed by over 200 researchers. With the release of FortiOS 5.6, botnet protection is part of the FortiGuard AntiVirus contract.

FortiGuard AV service quick facts

l 95,000 malware programs neutralized per minute l 1.8 Million new and updated AV definitions per week l Hourly updates of the AV signature database l 190 TB of threat samples till date

Organizations can also engage the FortiGuard Premier Signature Service, which provides enhanced virus detection and threat analysis support. This service offers submissions for custom AntiVirus signatures on a daily basis, offering prioritized support with guaranteed response times. With the release of FortiOS 5.6, botnet protection is part of the FortiGuard AntiVirus contract.

Unique proxy- and flow-based AV

FortiOS offers organizations the flexibility to select the most appropriate inspection method for different network sessions. This can be implemented by defining policies that match specific source objects (IP, IP ranges, users, and devices), destination objects, applications, and schedules with different AV profiles.

Flow-based AV relies on IPS technology where packets are inspected in real-time and matched against the AV signature database. It offers lower latency and higher throughput than Proxy-based AV. Flow-based AV is recommended for inspecting traffic that requires spontaneous user experience or when serving as an additional AV protection layer.

FortiOS’s Proxy-based AV offers the most secure AV protection as it’s able to inspect more protocols and provides replacement messages on wider range of applications.

AV acceleration with Content Processor

The FortiASICS Content Processor (CP) accelerates content processing traditionally performed completely by the CPU. The CP reduces the resources required by the CPU when matching an incoming file against the signature database, thus improving system performance and stability.

Proactive protection using patented CPRL

Compact Pattern Recognition Language (CPRL) is a patented and proprietary programming language that allows for further inspection of common patterns to not only protect against threats and their variants but also to predict tomorrow’s zero-day malware. It allows FortiGuard analysts to describe entire families of malware with a single program, instead of the traditional signature- based “one signature, one variant” model used by other vendors. With fewer signatures to match, throughput performance and latency naturally improve.

Intelligent behavioral evaluation

Signature-based security alone is no longer sufficient; it is now critical to understand how devices on your network are behaving. Threat Weight scoring provides a cumulative security ranking of each client device on your network based on a range of behaviors. It provides specific, actionable information that helps identify compromised systems and potential zero-day attacks in real-time.

This unique system attaches predefined scores to various malicious network activities discovered by IPS, application control, URL filtering, etc., to determine the top suspicious users. Administrator can then further inspect these users to undercover unknown threats or APTs via FortiView.

External file analysis integration

FortiOS offers organizations the ability to adopt robust ATP (Advanced Threat Protection) framework that reaches mobile users and branch offices, detecting and preventing advanced attacks that may bypass traditional defenses by examining files from various vectors, including encrypted files. To detect unknown threats, zero-day, and targeted attacks, the FortiGate can engage external resources to perform additional file analysis. Files can be submitted to an on- premise appliance (FortiSandbox) or cloud-based service (FortiSandbox Cloud) after both proxy-based and flow- based AV processing.

It is also possible to configure the FortiGate to automatically receive dynamic signature updates from FortiSandbox and add the originating URL of any malicious file to a blocked URL list. In addition, if the organization deploys integrated endpoint control with FortiClient, an administrator can instruct an infected terminal to self-quarantine.

File filtering

File filtering using data leak prevention (DLP) on the FortiGate offers an effective ways to stop unwanted file transmission instantly. Administrators may implement granular file controls by defining protection profiles using filenames or nearly 50 different file types over mail, web, and file download protocols.

File quarantine

FortiOS offers sophisticated file quarantine capabilities that allow organizations to archive suspicious or blocked files for further examination or to release false positives.

Anti-bot

Organizations may prevent, uncover, and block botnet activities using FortiOS Anti-Bot traffic pattern detection and domain and IP reputation services supplied in real-time by FortiGuard threat experts.

User notification

User notifications are helpful in reducing administration and support burdens, as well as providing user education. FortiOS is able to automatically replace blocked attachments and downloads with detailed information sent to Email, FTP, or web users.

Monitoring, logging, and reporting

FortiOS empowers organizations to implement security best practices that require continuous examination of their threat status and adaptation to new requirements. The FortiView widgets provide useful analysis data with detailed and contextual session information, which can be filtered, ranked, and further inspected. System events can also be archived via logs, which in turn can generate useful trending and overview reports.

FortiOS also offers robust in-built E-mail and SMS alert systems, as well as integration with external threat management systems using SNMP and standard-based Syslogs.

Inside FortiOS: Intrusion Prevention System (IPS)

Intrusion Prevention System (IPS) technology protects your network from cybercriminal attacks by actively seeking and blocking external threats before they can reach potentially vulnerable network devices.

World class next generation IPS capabilities

Today, sophisticated and high volume attacks are the challenges that every organization must recognize. These attacks are evolving, infiltrating ever-increasing vectors and complex network environments. The result is an urgent need for network protection while maintaining the ability to efficiently provide demanding services and applications.

FortiOS’s IPS functionality is an industry-proven network security solution that scales up to over 200 Gbps of inline protection. Powered by purpose-built hardware and FortiASICs, FortiOS is able to achieve attractive TCO while meeting performance requirements. IPS is easy to set up, yet offers feature-rich capabilities, with contextual visibility and coverage. It is kept up-to-date by research teams that work 24 hours a day worldwide, in order to detect and deter the latest known threats as well as zero-day attacks.

Highlights

Validated best-in-class security and capacity with proven coverage and high performance.
Comprehensive protection provided by a signatures-based IPS engine, protocol anomaly scanning, and DDOS mitigation. l Flexible deployment options and actionable implementations for a wide array of network integration and operation requirements.

Key features & benefits

High Performance IPS, powered by FortiASIC

Low latency and high capacity ensure business applications are not affected while security is enforced.

Best-in-class security with superior coverage

Protects critical digital resources from both internal exploits and external cybercriminals, even if sophisticated attacks are crafted.

Backed by FortiGuard Labs that deliver real-time

protection

Maintains up-to-date and proactive protection against latest known threats and newly discovered hacking techniques while allowing time for organizations to patch vulnerable systems.

Features Inside FortiOS: Intrusion Prevention System (IPS)

Features

Tested and proven protection

Not only have FortiGates been deployed in some of the largest enterprises in the world since 2002, FortiOS IPS components and FortiGuard IPS signatures are periodically tested and certified by well-known external labs. For example, Fortinet’s FortiGate 3000D earned the highest ratings for Security Effectiveness, blocking 99.9 percent of exploits in the recent NSS Labs DCIPS test. These independent certifications ensure that solutions delivered to

customers are of the highest standards in performance, coverage, and accuracy.

Real-time & zero-day protection

The FortiGuard Intrusion Prevention Service (IPS) provides customers with the latest defenses against stealthy network-level threats through a constantly updated database of known threats and behavior-based signatures.

FortiGuard IPS service quick facts

l Over 10,000 signatures consisting of 18,000 rules l Approximately 470,000 network intrusion attempts resisted per

minute

l About 1,000 rules are updated or added per week l Over 300 Zero-day vulnerabilities discovered to date

This update service is backed by a team of threat experts and a close relationship with major application vendors. The best-in-class team also uncovers significant zero-day vulnerabilities continuously, providing FortiGate units with advanced protection ahead of vendor patches.

Uncompromised performance

The FortiASICS Content Processor (CP) accelerates content processing, which is traditionally done completely by the CPU. The CP reduces the resources required by the CPU when matching an incoming file against the signature database, thus improving system performance and stability.

Protocol decoders and anomaly detection

Protocol decoders are required to assemble the packets and detect suspicious, nonconforming sessions that resemble known attacks or are non-compliant to RFC or standard implementation.

FortiOS offers one of the most comprehensive arrays of protocol decoders in the industry, providing customers with significantly wide coverage in all kinds of environments.

Pattern & rate-based signatures

The pattern signature matching technique is essential in IPS implementation due to its high level of precision and accuracy. FortiOS offers administrators robust pattern signature selection using filters based on severity, target, operating system, application, and protocol. Each of the 10,000+ signatures has a direct link to its detailed entry on the threat encyclopedia and CVE-ID references. After selection, administrators are able to assign associated actions such as monitoring, blocking, or resetting the session.

Rate-based IPS signatures protect networks against application based DoS and brute force attacks.

Administrators can configure nearly 30 rate-based IPS signatures and tune them to their needs. Threshold (incidents per minute) and an action to take when the threshold is reached can be assigned to each signature. If the action is set to block, then a timeout period can be set so that the block is removed after a specified duration.

DoS and DDoS mitigation

DoS policies can help protect against DDoS attacks that aim to overwhelm server resources. In FortiOS, the DoS scans precede the policy engine at the incoming interfaces, thus eliminating unnecessary sessions from the firewall process and state table entry during a surge of attack traffic. This helps to safeguard the firewall from overloading and allows it to perform optimally.

FortiOS DoS policies can be configured to detect and block floodings, port scans, and sweeps. Administrators can set baselines for the amount of concurrent sessions from sources or to destinations. The settings utilize thresholds and can be applied to UDP, TCP, ICMP, IP, and SCTP.

Network interfaces associated with a port attached to a Network Processor (NP) can be configured to offload anomaly checking, further offloading the CPU for greater performance. Some of the anomaly traffic dropped includes LAND attacks, IP protocol with malformed options, and WinNukes.

Quarantine attacks

FortiOS offers sophisticated automatic attack quarantine capabilities which allow organizations to proactively prevent further attacks from known attackers over a predefined duration. Quarantining by duration can be used to protect potentially vulnerable servers until more permanent defense.

Packet logging

Administrators may choose to automatically perform IPS packet logging, which saves packets for detailed analysis when an IPS signature is matched. Saved packets can be viewed and analyzed on the FortiGate unit or by using third-party analysis tools. Packet logging is also useful in determining false positives.

Custom signatures

Custom IPS signatures can be created to further extend protection. For example, you can use custom IPS signatures to protect unusual or specialized applications, or even custom platforms from known and unknown attacks.

Organizations may use FortiConverter to easily convert Snort signatures for FortiOS use.

Resistant against evasions

Evasion techniques attempt to fool the protocol decoders in IPS products by crafting exotic network streams that would not be handled or reconstructed by the decoders, yet still be valid enough for the target recipient to process. Robust IPS engine is capable of handling both common evasions and sophisticated AETs (Advanced Evasion Techniques) deployed by hackers such as IP Packet Fragmentation, TCP Stream Segmentation, RPC Fragmentation, URL & HTML Obfuscation, and other protocol specific evasion techniques.

Intrusion detection mode

In out-of-band sniffer mode (or one-arm IPS mode), IPS operates as an Intrusion Detection System (IDS), detecting attacks and reporting them but not taking any action against them. In sniffer mode, the FortiGate unit does not process network traffic and instead is connected to a spanning or mirrored switch port, or a network tap. If an attack is detected, log messages can be recorded and alerts sent to system administrators.

Traffic bypass

Since most IPS deployments are in transparent inline mode, active traffic bypass is often desired until normal operation of the device resumes. Some FortiGates offer inbuilt active bypass interfaces while others may use external bypass devices such as the FortiBridge. Administrators are also offered with software fail-open option to tackle instances where the IPS engine fails.

Monitoring, logging, and reporting

FortiOS empowers organizations to implement security best practices that require continuous examination of their threat status and adaptation to new requirements. The FortiView query widgets provide useful analysis data with detailed and contextual session information, which can be filtered, ranked, and further inspected. System events can also be archived via logs, which in turn can generate useful trending and overview reports.