USER GUIDE
FortiGate
IPS User Guide
Version 3.0 MR5
www.fortinet.com
FortiGate IPS User Guide
Version 3.0 MR5
July 24, 2007
01-30005-0080-20070724
© Copyright 2007 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwise, for any purpose, without prior written permission of Fortinet, Inc.
Trademarks
Dynamic Threat Prevention System (DTPS), APSecure, FortiASIC, FortiBIOS, FortiBridge, FortiClient, FortiGate, FortiGate Unified Threat Management System, FortiGuard, FortiGuard-Antispam, FortiGuard-Antivirus, FortiGuard-Intrusion, FortiGuard-Web, FortiLog, FortiAnalyzer, FortiManager, Fortinet, FortiOS, FortiPartner, FortiProtect, FortiReporter, FortiResponse, FortiShield, FortiVoIP, and FortiWiFi are trademarks of Fortinet, Inc. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
Contents
Introduction ........................................................................................ 5
Comments on Fortinet technical documentation .......................................... 7
Customer service and technical support ........................................................ 8
IPS Overview and General Configuration ........................................ 9
Default signature and anomaly settings ...................................................... 11
Monitoring the network and dealing with attacks ........................................ 12
Configuring logging and alert email............................................................. 12
Creating a protection profile that uses IPS.................................................. 15
Adding protection profiles to firewall policies .............................................. 16
Adding protection profiles to user groups.................................................... 16
Predefined Signatures ..................................................................... 17
Configuring signatures using the web-based manager............................... 20
Fine tuning IPS predefined signatures for enhanced system performance 21
Configuring predefined signatures using the CLI ........................................ 21
Custom Signatures .......................................................................... 27
Adding custom signatures using the web-based manager ......................... 28
Adding custom signatures using the CLI .................................................... 29
Decoders........................................................................................... 39
Upgrading IPS protocol decoder list ............................................................. 39
Configuring protocol decoder parameters using the web-based manager 40
Configuring parameters for protocol decoders............................................ 41
Traffic anomalies ............................................................................. 43
Configuring a traffic anomaly using the web-based manager .................... 44
Configuring an anomaly using the CLI.......................................................... 46
SYN Flood Attacks........................................................................... 51
The FortiGate IPS Response to SYN Flood Attacks..................................... 52
How IPS works to prevent SYN floods........................................................ 52
Suggested settings for different network conditions .................................. 54
ICMP Sweep Attacks........................................................................ 55
The FortiGate IPS response to ICMP sweep attacks.................................... 55
Configuring ICMP sweep protection.............................................................. 58
Suggested settings for different network conditions .................................. 58
Index.................................................................................................. 59
Introduction
This section introduces you to the FortiGate IPS and the following topics:
• The FortiGate IPS
• About this document
• Fortinet documentation
• Customer service and technical support
The FortiGate IPS
Spam and viruses are not the only threats facing enterprises and small businesses. Sophisticated, automated attack tools are prevalent on the Internet today, making intrusion detection and prevention vital to securing corporate networks. An attack or intrusion can be launched to steal confidential information, force a costly web site crash, or use network resources to launch other attacks.
The FortiGate Intrusion Prevention System (IPS) detects intrusions using attack signatures for known intrusion methods, and detects anomalies in network traffic to identify new or unknown intrusions. Not only can the IPS detect and log attacks, but users can choose one of eight actions to take on the session when an attack is detected. This Guide describes how to configure and use the IPS and the IPS response to some common attacks.
This Guide describes:
• IPS Overview and General Configuration
• Predefined Signatures
• Custom Signatures
• Decoders
• Traffic anomalies
• SYN Flood Attacks
• ICMP Sweep Attacks
About this document
Document conventions
The following document conventions are used in this guide:
• In the examples, private IP addresses are used for both private and public IP addresses.
• Notes and Cautions are used to provide important information:
Note: Highlights useful additional information.
Caution: Warns you about commands or procedures that could have unexpected or undesirable results including loss of data or damage to equipment.
Typographic conventions
FortiGate documentation uses the following typographical conventions:
Convention            Example
Keyboard input        In the Gateway Name field, type a name for the remote VPN peer or client (for example, Central_Office_1).
Code examples         F-SBID (--protocol tcp; --flow established; --content "content here"; --no_case)
CLI command syntax    config firewall policy
                          edit id_integer
                              set http_retry_count <retry_integer>
                              set natip <address_ipv4mask>
                      end
Document names        FortiGate Administration Guide
File content          <HTML><HEAD><TITLE>Firewall Authentication</TITLE></HEAD>
                      <BODY><H4>You must authenticate to use this service.</H4>
Menu commands         Go to VPN > IPSEC > Phase 1 and select Create New.
Program output        Welcome!
Variables             <address_ipv4>
Fortinet documentation
The most up-to-date publications and previous releases of Fortinet™ product documentation are available from the Fortinet Technical Documentation web site at http://docs.forticare.com.
The following FortiGate product documentation is available:
• FortiGate QuickStart Guide
Provides basic information about connecting and installing a FortiGate unit.
• FortiGate Installation Guide
Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide for your product model number.
• FortiGate Administration Guide
Provides basic information about how to configure a FortiGate unit, including how to define FortiGate protection profiles and firewall policies; how to apply intrusion prevention, antivirus protection, web content filtering, and spam filtering; and how to configure a VPN.
• FortiGate online help
Provides a context-sensitive and searchable version of the Administration Guide in HTML format. You can access online help from the web-based manager as you work.
• FortiGate CLI Reference
Describes how to use the FortiGate CLI and contains a reference to all FortiGate CLI commands.
• FortiGate Log Message Reference
Describes the structure of FortiGate log messages and provides information about the log messages that are generated by FortiGate units.
• FortiGate High Availability User Guide
Contains in-depth information about the FortiGate high availability feature and the FortiGate clustering protocol.
• FortiGate IPS User Guide
Describes how to configure the FortiGate Intrusion Prevention System settings and how the FortiGate IPS deals with some common attacks.
• FortiGate IPSec VPN User Guide
Provides step-by-step instructions for configuring IPSec VPNs using the web-based manager.
• FortiGate SSL VPN User Guide
Compares FortiGate IPSec VPN and FortiGate SSL VPN technology, and describes how to configure web-only mode and tunnel-mode SSL VPN access for remote users through the web-based manager.
• FortiGate PPTP VPN User Guide
Explains how to configure a PPTP VPN using the web-based manager.
• FortiGate Certificate Management Guide
Contains procedures for managing digital certificates including generating certificate requests, installing signed certificates, importing CA root certificates and certificate revocation lists, and backing up and restoring installed certificates and private keys.
• FortiGate VLANs and VDOMs User Guide
Describes how to configure VLANs and VDOMs in both NAT/Route and Transparent mode. Includes detailed examples.
Fortinet Knowledge Center
Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit the Fortinet Knowledge Center at http://kc.forticare.com.
Comments on Fortinet technical documentation
Please send information about any errors or omissions in this document, or any Fortinet technical documentation, to [email protected].
Customer service and technical support
Fortinet Technical Support provides services designed to make sure that your Fortinet systems install quickly, configure easily, and operate reliably in your network.
Please visit the Fortinet Technical Support web site at http://support.fortinet.com to learn about the technical support services that Fortinet provides.
IPS Overview and General Configuration
This section contains the following topics:
• The FortiGate IPS
• Network performance
• Monitoring the network and dealing with attacks
• Using IPS in a protection profile
The FortiGate IPS
An IPS is an Intrusion Prevention System for networks. While early systems focused on intrusion detection, the continuing rapid growth of the Internet, and the potential for the theft of sensitive data, has resulted in the need for not only detection, but prevention.
The FortiGate IPS combines detection using signatures, prevention by recognizing network anomalies, and the ability to block attacks by selecting the action to take when an attack or anomaly is detected. The attack can pass through or the session can be ended in a variety of ways, including sending TCP resets to the client, server, or both. All attacks can be logged regardless of the action applied.
Both the IPS predefined signatures and the IPS engine are upgraded through the FortiGuard Distribution Network (FDN). These upgrades provide the latest protection against IM/P2P and other threats. Anomalies are updated with firmware upgrades. The FortiGate IPS default settings implement the recommended settings for all signatures and anomalies. Signature settings and some anomaly thresholds are adjusted to work best with the normal traffic on the protected networks. Custom signatures can be created for the FortiGate IPS in diverse network environments.
Administrators are notified of intrusions and possible intrusions using log messages and alert email.
Packet logging provides administrators with the ability to analyze packets for forensics and false positive detection.
IPS settings and controls
Configure the IPS using either the web-based manager or the CLI, then enable or disable all signatures or all anomalies in individual firewall protection profiles. If virtual domains are enabled on the FortiGate unit, the IPS is configured globally for all virtual domains. To access the IPS, select Global Configuration on the main menu.
Table 1 describes the IPS settings and where to configure and access them in the web-based manager.
Table 1: IPS and Protection Profile IPS configuration

Protection Profile IPS options
  IPS Signature     Enable or disable IPS signatures by severity level.
  IPS Anomaly       Enable or disable IPS anomalies by severity level.
  Log Intrusions    Enable logging of all signature and anomaly intrusions.

IPS setting
  Intrusion Protection > Signature
      View and configure a list of predefined signatures.
      Create custom signatures based on the network requirements.
      View and configure protocol decoders.
  Intrusion Protection > Anomaly
      View and configure a list of predefined anomalies.
  Intrusion Protection > Signature > [individual signature]
  Intrusion Protection > Anomaly > [individual anomaly]
      Enable packet logging for each signature or anomaly.
See “Using IPS in a protection profile” on page 15 or see the Firewall section in the FortiGate Administration Guide for complete protection profile and firewall policy procedures.
To access protection profile IPS options, go to Firewall > Protection Profile, select Edit or Create New, and select IPS.
For detailed information on individual signatures and anomalies, see the Attack Encyclopedia in the FortiGuard Center available on the Fortinet web site at http://www.fortinet.com/FortiGuardCenter/.
When to use IPS
IPS is best for large networks or for networks protecting highly sensitive information. Using IPS effectively requires monitoring and analysis of the attack logs to determine the nature and threat level of an attack. An administrator can adjust the threshold levels to ensure a balance between performance and intrusion prevention. Small businesses and home offices without network administrators may be overrun with attack log messages and not have the networking background required to configure the thresholds and other IPS settings. In addition, the other protection features in the FortiGate unit, such as antivirus (including grayware), spam filters, and web filters offer excellent protection for all networks.
Network performance
The FortiGate IPS is extremely accurate and reliable as an in-line network device.
Independent testing shows that the FortiGate IPS successfully detects and blocks attacks even under high traffic loads, while keeping latency within expected limits.
This section describes:
• Default signature and anomaly settings
• Default fail open setting
• Controlling sessions
• Setting autoupdate
• Restricting IPS processing
• Setting the buffer size
Default signature and anomaly settings
The FortiGate IPS default settings implement the recommended settings for all signatures and anomalies. Most signatures are enabled, although some are set to pass but log detected sessions to avoid blocking legitimate traffic on most networks.
Adjust the IPS settings according to the traffic and applications on your network.
For instance, if POP3 is not in use, disable the pop3 signature group.
Default fail open setting
If for any reason the IPS should cease to function, it will fail open by default. This means that crucial network traffic will not be blocked and the Firewall will continue to operate while the problem is resolved.
Change the default fail open setting using the CLI:
config ips global
    set fail-open [enable | disable]
end
Controlling sessions
Use this command to ignore sessions after a set amount of traffic has passed.
The default is 204800 bytes.
config ips global
    set ignore-session-bytes <byte_integer>
end
Setting autoupdate
When the IPS is updated, user-modified settings are retained. If recommended IPS signature settings have not been modified, and the updated settings are different, signature settings will be set according to accept-recommended-settings. The default is disable.
config system autoupdate ips
    set accept-recommended-settings {enable | disable}
end
Restricting IPS processing
Save system resources by restricting IPS processing to only those services allowed by firewall policies. The default is disable.
config ips global
    set ip-protocol {enable | disable}
end
Setting the buffer size
Set the size of the IPS buffer. The size of the buffer is model-dependent.
config ips global
    set socket-size <ips_buffer_size>
end
Monitoring the network and dealing with attacks
After configuring IPS and enabling it in protection profiles, it is time to set up tracking and notification of attacks. Enable logging and alert email to maintain awareness of attacks on the network.
The next step is dealing with attacks if and when they occur. The FortiGuard Center at http://www.fortinet.com/FortiGuardCenter/ provides a comprehensive Attack Encyclopedia to help decide what actions to take to further protect the network.
This section describes:
• Configuring logging and alert email
• Attack log messages
• The FortiGuard Center
Configuring logging and alert email
Whenever the IPS detects or prevents an attack, it generates an attack log message that can be recorded or sent as an alert email.
The FortiGate unit categorizes attack log messages by signature or anomaly and includes the attack name in the log message. Enable logging and alert email for attack signatures and attack anomalies.
Note: Attack and intrusion attempts occur frequently on networks connected to the Internet. Reduce the number of log messages and alert email by disabling signatures for attacks that the system is not vulnerable to (for example, web attacks when not running a web server).
To configure logging and alert email for IPS events using the web-based manager
1 Go to Log&Report > Log Config > Log Setting.
2 Select and configure the settings for any logging locations to use.
3 Select Apply.
4 Go to Log&Report > Log Config > Alert Email.
5 Select and configure authentication if required and enter the email addresses that will receive the alert email.
6 Enter the time interval to wait before sending log messages for each logging severity level.
Note: If more than one log message is collected before an interval is reached, the messages are combined and sent out as one alert email.
7 Select Apply.
To access log messages from memory or on the local disk
View and download log messages stored in memory or on the FortiGate local disk from the web-based manager. Go to Log&Report > Log Access and select the log type to view.
See the FortiGate Administration Guide and the FortiGate Log Message Reference Guide for more logging procedures.
Attack log messages
Signature
The following log message is generated when an attack signature is found:
Message ID: 70000
Severity: Alert
Message: attack_id=<value_attack_id> src=<ip_address> dst=<ip_address> src_port=<port_num> dst_port=<port_num> interface=<interface_name> src_int=<interface_name> dst_int=<interface_name> status={clear_session | detected | dropped | reset} proto=<protocol_num> service=<network_service> msg="<string><[url]>"
Example: 2004-07-07 16:21:18 log_id=0420073000 type=ips subtype=signature pri=alert attack_id=101318674 src=8.8.120.254 dst=11.1.1.254 src_port=2217 dst_port=25 interface=internal src_int=n/a dst_int=n/a status=reset proto=6 service=smtp msg="signature: Dagger.1.4.0.Drives [Reference: http://www.fortinet.com/ids/ID101318674 ]"
Meaning: Attack signature message providing the source and destination addressing information and the attack name.
Action: Get more information about the attack and the steps to take from the Fortinet Attack Encyclopedia in the FortiGuard Center. Copy and paste the URL from the log message into your browser to go directly to the signature description in the Attack Encyclopedia.
Anomaly
The following log message is generated when an attack anomaly is detected:
Message ID: 73001
Severity: Alert
Message: attack_id=<value_attack_id> src=<ip_address> dst=<ip_address> src_port=<port_num> dst_port=<port_num> interface=<interface_name> src_int=<interface_name> dst_int=<interface_name> status={clear_session | detected | dropped | reset} proto=<protocol_num> service=<network_service> msg="<string><[url]>"
Example: 2004-04-07 13:58:53 log_id=0420073001 type=ips subtype=anomaly pri=alert attack_id=100663396 src=8.8.120.254 dst=11.1.1.254 src_port=2217 dst_port=25 interface=internal src_int=n/a dst_int=n/a status=reset proto=6 service=smtp msg="anomaly: syn_flood, 100 > threshold 10.[Reference: http://www.fortinet.com/ids/ID100663396]"
Meaning: Attack anomaly message providing the source and destination addressing information and the attack name.
Action: Get more information about the attack and the steps to take from the Fortinet Attack Encyclopedia in the FortiGuard Center. Copy and paste the URL from the log message into your browser to go directly to the anomaly description in the Attack Encyclopedia.
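Both the signature and the anomaly message use the same key=value layout, so a log export can be turned into a triage list with a short script. The Python parser below is an added example and is not part of this guide or of FortiOS. It runs on constructed sample lines in the format shown above (the two examples from this section, re-joined onto single lines), extracts the attack name, the status and the Attack Encyclopedia reference URL from the msg field, checks that the ID in the reference URL agrees with attack_id before the link is followed, and pulls the observed rate and the threshold out of anomaly messages. The field names are the ones from the message format above; IpsEvent, parse_ips_log, reference_matches_attack_id and summarize are names chosen for this example.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample lines (not captured from a real unit) in the FortiGate 3.0
# IPS attack log format shown in this guide: one signature event, one anomaly event.
SAMPLE_LOGS = [
    '2004-07-07 16:21:18 log_id=0420073000 type=ips subtype=signature pri=alert '
    'attack_id=101318674 src=8.8.120.254 dst=11.1.1.254 src_port=2217 dst_port=25 '
    'interface=internal src_int=n/a dst_int=n/a status=reset proto=6 service=smtp '
    'msg="signature: Dagger.1.4.0.Drives [Reference: http://www.fortinet.com/ids/ID101318674 ]"',
    '2004-04-07 13:58:53 log_id=0420073001 type=ips subtype=anomaly pri=alert '
    'attack_id=100663396 src=8.8.120.254 dst=11.1.1.254 src_port=2217 dst_port=25 '
    'interface=internal src_int=n/a dst_int=n/a status=reset proto=6 service=smtp '
    'msg="anomaly: syn_flood, 100 > threshold 10.[Reference: http://www.fortinet.com/ids/ID100663396]"',
]

# key=value pairs; only the msg value is double-quoted and may contain spaces.
_KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
_TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})')
# "[Reference: <url>]" with or without a space before the closing bracket.
_REF_RE = re.compile(r'\[Reference:\s*(\S+?)\s*\]')
# "signature: <name> [..." or "anomaly: <name>, ..."
_NAME_RE = re.compile(r'^(signature|anomaly):\s*([^,\[]+)')
# anomaly messages report "<observed> > threshold <configured>"
_THRESH_RE = re.compile(r'(\d+)\s*>\s*threshold\s*(\d+)')


@dataclass
class IpsEvent:
    timestamp: str
    subtype: str            # "signature" or "anomaly"
    attack_id: str
    attack_name: str
    src: str
    dst: str
    dst_port: int
    service: str
    status: str             # clear_session | detected | dropped | reset
    reference_url: Optional[str]
    observed: Optional[int] = None    # anomaly only: measured rate
    threshold: Optional[int] = None   # anomaly only: configured threshold


def parse_ips_log(line: str) -> IpsEvent:
    """Parse one FortiGate IPS attack log line into an IpsEvent."""
    fields = {k: v.strip('"') for k, v in _KV_RE.findall(line)}
    if fields.get("type") != "ips":
        raise ValueError("not an IPS log line")
    ts = _TS_RE.match(line)
    msg = fields.get("msg", "")
    name = _NAME_RE.match(msg)
    ref = _REF_RE.search(msg)
    thresh = _THRESH_RE.search(msg)
    return IpsEvent(
        timestamp=ts.group(1) if ts else "",
        subtype=fields.get("subtype", ""),
        attack_id=fields.get("attack_id", ""),
        attack_name=name.group(2).strip() if name else msg,
        src=fields.get("src", ""),
        dst=fields.get("dst", ""),
        dst_port=int(fields.get("dst_port", 0)),
        service=fields.get("service", ""),
        status=fields.get("status", ""),
        reference_url=ref.group(1) if ref else None,
        observed=int(thresh.group(1)) if thresh else None,
        threshold=int(thresh.group(2)) if thresh else None,
    )


def reference_matches_attack_id(event: IpsEvent) -> bool:
    """The Attack Encyclopedia URL ends in ID<attack_id>; confirm the two agree before following it."""
    if not event.reference_url:
        return False
    return event.reference_url.rsplit("/ID", 1)[-1] == event.attack_id


def summarize(lines) -> Counter:
    """Count events by (subtype, attack name, status) for triage of a log export."""
    return Counter((e.subtype, e.attack_name, e.status) for e in map(parse_ips_log, lines))


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        ev = parse_ips_log(raw)
        print(f"{ev.timestamp} {ev.subtype:<9} {ev.attack_name:<22} {ev.src} -> {ev.dst}:{ev.dst_port} "
              f"status={ev.status} ref_ok={reference_matches_attack_id(ev)}")
    print(summarize(SAMPLE_LOGS))
```

Run it directly to print one line per event; in practice, feed it the lines downloaded from Log&Report > Log Access. The status field reflects the action configured for the signature or anomaly, so counting by status shows at a glance which attacks were only detected and which were dropped or reset, and the threshold fields of anomaly events show how far above the configured threshold the traffic was when the anomaly fired.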
The FortiGuard Center
The FortiGuard Center combines the knowledge base of the Fortinet technical team into an easily searchable database. FortiGuard Center includes both virus and attack information. Go to http://www.fortinet.com/FortiGuardCenter/ .
Search for attacks in the FortiGuard Attack Encyclopedia by any of the criteria shown in Figure 1.
Figure 1: Searching the FortiGuard Attack Encyclopedia
Type in the name or ID of the attack, or copy and paste the URL from the log message or alert email into a browser.
The Attack Encyclopedia lists the following information for each signature:
Using IPS in a protection profile
IPS can be combined with other FortiGate features – antivirus, spam filtering, web filtering, and web category filtering – to create protection profiles. Protection profiles are then added to individual user groups and then to firewall policies, or added directly to firewall policies.
This section describes:
• Creating a protection profile that uses IPS
• Adding protection profiles to firewall policies
• Adding protection profiles to user groups
Creating a protection profile that uses IPS
To create a protection profile using the web-based manager
1 Go to Firewall > Protection Profile.
2 Select Create New.
Figure 2: New Protection Profile
3 Enter a name for the protection profile.
4 Expand the IPS option list.
Figure 3: IPS protection profile options
5 The following options are available for IPS through the protection profile:
  IPS Signature    Enable or disable signature based intrusion detection and prevention for all protocols.
  IPS Anomaly      Enable or disable traffic anomaly based intrusion detection and prevention for all protocols.
6 Configure any other required protection profile options.
7 Select OK.
The protection profile can now be added to any firewall policies that require it. The protection profile can also be added to user groups and these user groups can be used to apply authentication to firewall policies.
To create a protection profile using the CLI
This example creates a protection profile called IPS_Special with critical and medium severity level signatures and anomalies enabled.
config firewall profile
    edit IPS_Special
        set ips-anomaly critical medium
        set ips-signature critical medium
    end
Adding protection profiles to firewall policies
Adding a protection profile to a firewall policy applies the profile settings, including
IPS, to traffic matching that policy.
Adding protection profiles to user groups
When creating a user group, select a protection profile that applies to that group.
Then, when configuring a firewall policy that includes user authentication, select one or more user groups to authenticate. Each user group selected for authentication in the firewall policy can have a different protection profile, and therefore different IPS settings, applied to it.
Predefined Signatures
This section describes:
• IPS predefined signatures
• Viewing the predefined signature list
• Predefined signature configuration
IPS predefined signatures
Predefined signatures are arranged in alphabetical order. By default, some signatures are disabled to prevent interference with common traffic, but logging is enabled for all signatures. Check the default settings to ensure they meet the requirements of the network traffic.
Disabling unneeded signatures can improve system performance and reduce the number of log messages and alert emails the IPS generates. For example, the IPS detects a large number of web server attacks. If there is no web server behind the FortiGate unit, disable all web server attack signatures.
For each signature, configure the action the FortiGate IPS takes when it detects an attack. The FortiGate IPS can pass, drop, reset or clear packets or sessions.
Enable or disable packet logging. Select a severity level to be applied to the signature.
Note: By allowing your IPS signature settings to run on default, you may be slowing down the overall performance of the FortiGate unit. By fine tuning the predefined signature and logging settings, you can ensure maximum performance as well as maximum protection. See “Fine tuning IPS predefined signatures for enhanced system performance” on page 21.
Viewing the predefined signature list
Enable or disable predefined signatures and configure the settings for individual predefined signatures from the predefined signature list. The list can be viewed by signature severity level.
To view the predefined signature list, go to Intrusion Protection > Signature > Predefined.
Figure 4: A portion of the predefined signature list
Configure icon    Configure settings for the signature.
Reset icon        Reset only appears when the default settings for a signature have been modified. Selecting Reset for an individual signature restores the default settings for that signature.
Column Settings   Select to customize the signature information to display in the table. You can also readjust the column order. By default, the signature ID, group name, and revision number are not displayed.

The column types are described below.

Name          The signature name.
Enable        The status of the signature. A check mark means the signature is enabled. An empty box means the signature is disabled.
Logging       The logging status of the signature. If logging is enabled, the action appears in the status field of the log message generated by the signature. By default, logging is enabled for all signatures.
Action        The action set for individual signatures. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Clear Session, or Pass Session. See Table 2 for descriptions of the actions.
Severity      The severity level for each signature. Severity level can be Information, Low, Medium, High, or Critical.
Revision      The revision number for individual signatures.
ID            The signature's unique ID.
OS            The operating system the signature applies to.
Group         The group that the signature belongs to, such as IM or Backdoor.
Protocols     The protocol the signature applies to.
Location      The location that is protected by the signature: Client, Server, or both.
Application   The applications the signature applies to.
Table 2 describes the actions available for each predefined signature.
Table 2: Actions to select for each predefined signature

Action          Description
Pass            When a packet triggers a signature, the FortiGate unit generates an alert and allows the packet through the firewall without further action.
                If logging is disabled and action is set to Pass, the signature is effectively disabled.
Drop            When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The firewall session is not touched.
                Fortinet recommends using an action other than Drop for TCP connection based attacks.
Reset           When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to both the client and the server and drops the firewall session from the firewall session table.
                This is used for TCP connections only. If set for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset action is triggered before the TCP connection is fully established, it acts as Clear Session.
Reset Client    When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to the client and drops the firewall session from the firewall session table.
                This is used for TCP connections only. If set for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset Client action is triggered before the TCP connection is fully established, it acts as Clear Session.
Reset Server    When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. The FortiGate unit sends a reset to the server and drops the firewall session from the firewall session table.
                This is used for TCP connections only. If set for non-TCP connection based attacks, the action will behave as Clear Session. If the Reset Server action is triggered before the TCP connection is fully established, it acts as Clear Session.
Drop Session    When a packet triggers a signature, the FortiGate unit generates an alert and drops the packet. For the remainder of this packet’s firewall session, all follow-up packets are dropped.
Pass Session    When a packet triggers a signature, the FortiGate unit generates an alert and allows the packet through the firewall. For the remainder of this packet’s session, the IPS is bypassed by all follow-up packets.
Clear Session   When a packet triggers a signature, the FortiGate unit generates an alert and the session to which the packet belongs is removed from the session table immediately. No reset is sent.
                For TCP, all follow-up packets could be dropped.
                For UDP, all follow-up packets could trigger the firewall to create a new session.
Predefined signature configuration
This section describes:
• Configuring signatures using the web-based manager
• Fine tuning IPS predefined signatures for enhanced system performance
• Configuring predefined signatures using the CLI
Configuring signatures using the web-based manager
Figure 5: Edit IPS Configuration
To configure predefined signature settings
1 Go to Intrusion Protection > Signature > Predefined.
2 Select the Configure icon for the signature to configure.
Figure 6: Configure Predefined IPS Signature
3 Select the Action for the FortiGate unit to take when traffic matches this signature. (See Table 2.)
4 If required, enable Packet Log.
5 Select a Severity level for the signature: Information, Low, Medium, High, or Critical.
6 If required, create an IP exemption for the signature.
7 Select OK.
To restore the recommended settings of a signature
1  Go to Intrusion Protection > Signature > Predefined.
2  Select the Reset icon for the signature to restore to recommended settings.
   The Reset icon is displayed only if the settings for the signature have been changed from recommended settings.
3  Select OK.
Fine tuning IPS predefined signatures for enhanced system performance
By default, the FortiGate unit has most of the predefined signatures enabled and logs all of them. Left on the default settings, the FortiGate unit provides your system with the best protection available. By fine tuning the signatures and log settings you can still provide the best protection available while also freeing up valuable FortiGate resources. Fine tuning allows you to turn off features that you are not using. By turning off signatures and logs that you do not use, you allow the FortiGate unit to perform tasks faster, improving overall system performance.
Not all systems require you to scan for all signatures of the IPS suite all the time. For example, if you have a FortiGate unit that is controlling computers that only have access to an internal database and do not have access to the internet or email, there is no point having the FortiGate unit scan for certain types of signatures such as email, IM, and P2P. By telling the FortiGate unit not to look for these signatures, you maintain a high level of security and increase overall performance.
You should also review exactly how you use the information provided by the logging feature. If you find that you do not review the information, it is best to turn off the logging feature. Logging is best used to provide actionable intelligence.
To disable individual signatures
1  Go to Intrusion Protection > Signatures > Predefined.
2  Clear the Enable box for the signatures you want to disable.

To turn off logging for a signature
1  Go to Intrusion Protection > Signatures > Predefined.
2  Select the Configure icon on the right hand side of the signature you want to change.
3  Clear the Logging check box.
4  Select OK.
Configuring predefined signatures using the CLI
Note: In the web-based interface, the IPS settings are divided between signatures, protocol anomalies, and traffic anomalies. In the command line interface, protocol anomalies are included with signatures leaving two categories named anomalies and signatures.
Signature group parameters:

idle_timeout
    If a session is idle for longer than this number of seconds, the session will not be maintained by tcp_reassembler.
min_ttl
    A packet with a higher ttl number in its IP header than the number specified here is not processed by tcp_reassembler.
port_list
    A comma separated list of ports. The dissector can decode these TCP ports.
bad_flag_list
    A comma separated list of bad TCP flags.
reassembly_direction
    Valid settings are from-server, from-client, or both.
codepoint
    A number from 0 to 63. Used for differentiated services tagging. When the action for P2P and IM signatures is set to Pass, the FortiGate unit checks the codepoint. If the codepoint is set to a number from 1 to 63, the codepoint for the session is changed to the specified value. If the codepoint is set to -1 (the default) no change is made to the codepoint in the IP header.
Signatures are arranged into groups based on the type of attack. By default, all signature groups are enabled.
Enable or disable signature groups or individual signatures. Disabling unneeded signatures can improve system performance and reduce the number of log messages and alert emails that the IPS generates. For example, the IPS detects a large number of web server attacks. If there is no web server behind the FortiGate unit, disable all web server attack signatures.
Some signature groups include configurable parameters. The parameters that are available depend on the type of signatures in the signature group. When configured for a signature group, the parameters apply to all of the signatures in the group.
For each signature, configure the action the FortiGate IPS takes when it detects an attack. The FortiGate IPS can pass, drop, reset or clear packets or sessions.
Also enable or disable logging of the attack.
The config ips group command has 1 subcommand.
config rule <rule-name_str>
Access the rule subcommand using the ips group command. Use the config rule subcommand to configure the settings for individual signatures in a signature group.
Command syntax pattern
config ips group <group_name_str>
    set bad_flag_list <flag_str>
    set codepoint <codepoint_integer>
    set idle_timeout <timeout_integer>
    set min_ttl <ttl_integer>
    set port_list <port_integer>
    set direction <direction_str>
    set status {enable | disable}
    config rule <rule_name_str>
        set action {clear_session | drop | drop_session | pass | pass_session | reset | reset_client | reset_server}
        set log {enable | disable}
        set log_packet {enable | disable}
        set severity {info | low | medium | high | critical}
        set status {enable | disable}
    end
end
Keywords and variables, with description and default:

group_name_str
    The name of the signature group.

bad_flag_list <flag_str>
    A comma separated list of bad TCP flags. This applies to tcp_reassembler.
    Default: NULL, F, U, P, SF, PF, UP, UPF, UAPSF, UAPRSF

codepoint <codepoint_integer>
    A number from 0 to 63. Used for differentiated services tagging. When the action for P2P and IM signatures is set to pass, the FortiGate unit checks the codepoint. If the codepoint is set to a number from 1 to 63, the codepoint for the session is changed to the specified value. If the codepoint is set to -1 (the default) no change is made to the codepoint in the IP header. This applies to IM and P2P.
    Default: -1

idle_timeout <timeout_integer>
    If a session is idle for longer than this number of seconds, the session is not maintained by tcp reassembly. This applies to tcp_reassembler.
    Default: 30

min_ttl <ttl_integer>
    A packet with a higher TTL number in its IP header than the number specified here is not processed by tcp reassembly. This applies to tcp_reassembler.
    Default: 1

port_list <port_integer>
    A comma separated list of ports. The dissector can decode these TCP ports.
    Default port lists:
    • tcp_reassembler - 21, 23, 25, 53, 80, 110, 111, 143, 513, 1837, 1863, 5050, 5190
    • dns_decoder - 53
    • ftp_decoder - 21
    • http_decoder - 80
    • imap_decoder - 143
    • pop_decoder - 110
    • rpc_decoder - 111, 32771
    • smtp_decoder - 25
    • snmp_decoder - 161-162
    This applies to tcp_reassembler, dns_decoder, ftp_decoder, http_decoder, imap_decoder, pop_decoder, rpc_decoder, smtp_decoder, and snmp_decoder.
    Default: Varies.

direction <direction_str>
    Valid settings are from-server, from-client, or both. This applies to tcp_reassembler.
    Default: from-client

status {enable | disable}
    Enable or disable this signature group.
    Default: enable
The following keywords are specific to the config rule command.

rule_name_str
    The name of the rule.

action {clear_session | drop | drop_session | pass | pass_session | reset | reset_client | reset_server}
    Select an action for the FortiGate unit to take when traffic triggers this signature. If logging is enabled, the action appears in the status field of the log message generated by the signature.
    • clear_session: The FortiGate unit drops the packet that triggered the signature, removes the session from the FortiGate session table, and does not send a reset.
    • drop: The FortiGate unit drops the packet that triggered the signature. Fortinet recommends using an action other than drop for TCP connection based attacks.
    • drop_session: The FortiGate unit drops the packet that triggered the signature and drops any other packets in the same session.
    • pass: The FortiGate unit lets the packet that triggered the signature pass through the firewall. If logging is disabled and action is set to pass, the signature is effectively disabled.
    • pass_session: The FortiGate unit lets the packet that triggered the signature and all other packets in the session pass through the firewall.
    • reset: The FortiGate unit drops the packet that triggered the signature, sends a reset to both the client and the server, and removes the session from the FortiGate session table. Used for TCP connections only. If this action is set for non-TCP connection based attacks, the action behaves as clear_session. If the reset action is triggered before the TCP connection is fully established it acts as clear_session.
    • reset_client: The FortiGate unit drops the packet that triggered the signature, sends a reset to the client, and removes the session from the FortiGate session table. Used for TCP connections only. If this action is set for non-TCP connection based attacks, the action behaves as clear_session. If the reset_client action is triggered before the TCP connection is fully established it acts as clear_session.
    • reset_server: The FortiGate unit drops the packet that triggered the signature, sends a reset to the server, and removes the session from the FortiGate session table. Used for TCP connections only. If this action is set for non-TCP connection based attacks, the action behaves as clear_session. If the reset_server action is triggered before the TCP connection is fully established it acts as clear_session.
    Default: Varies.
default_action {clear_session | drop | drop_session | pass | pass_session | reset | reset_client | reset_server}
    The default action for the rule. This option is get only.

default_severity {info | low | medium | high | critical}
    The default severity level for the rule. This option is get only.
    Default: critical

log {enable | disable}
    Enable or disable logging for the signature. If logging is enabled, the action appears in the status field of the log message generated by the signature.
    Default: enable

log_packet {enable | disable}
    Enable or disable packet logging.
    Default: disable

rev <rev_integer>
    The revision number of the rule. This option is get only.
    Default: 0

severity {info | low | medium | high | critical}
    Set the severity level for the rule.
    Default: critical

status {enable | disable}
    Enable or disable this signature.
    Default: enable
Examples
This example shows how to change the action for the NAPTHA signature in the dos signature group to drop.

config ips group DOS
    config rule Newtear
        set action drop
    end
end

Use the following command to get information about the rule Echo.Reply.

config ips group icmp
(icmp)# config rule Echo.Reply
(Echo.Reply)# get
name               : Echo.Reply
action             : pass
action (default)   : pass
log                : enable
log_packet         : disable
rev                : 2.136
severity           : critical
severity (default) : critical
status             : disable
status (default)   : disable
Custom Signatures
Custom signatures provide the power and flexibility to customize the FortiGate IPS for diverse network environments. This section describes:
• IPS custom signatures
• Viewing the custom signature list
• Custom signature configuration
IPS custom signatures
The FortiGate predefined signatures cover common attacks. If an unusual or specialized application or an uncommon platform is being used, add custom signatures based on the security alerts released by the application and platform vendors.
Use custom signatures to block or allow specific traffic. For example, to block traffic containing pornography, add custom signatures similar to the following:
F-SBID (--protocol tcp; --flow established; --content "nude cheerleader"; --no_case)
Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To access the IPS, select Global Configuration on the main menu.
Viewing the custom signature list
To view the custom signature list, go to Intrusion Protection > Signature > Custom.
Figure 7: The custom signature list

View custom signatures with severity
    Select filters then select Go to view only those custom signatures that match the filter criteria. Sort criteria can be <=, =, >= to All, Information, Low, Medium, High, or Critical.
Enable custom signature
    Select to enable the custom signature group, or clear to disable the custom signature group.
Create New
    Select to create a new custom signature.
Clear all custom signatures
    Remove all the custom signatures from the custom signature group.
Reset to recommended settings
    Reset all the custom signatures to the recommended settings.
Name
    The custom signature name.
Enable
    The status of each custom signature. A check mark in the box indicates the signature is enabled.
Logging
    The logging status of each custom signature. A check mark in the box indicates logging is enabled for the custom signature.
Action
    The action set for each custom signature. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Clear Session, or Pass Session.
Severity
    The severity level set for each custom signature. Severity level can be Information, Low, Medium, High, or Critical. Severity level is set for individual signatures.
Delete icon
    Select to delete the custom signature.
Edit icon
    Select to edit the following information: Name, Signature, Action, Packet Log, and Severity.
Custom signature configuration
Add custom signatures using the web-based manager or the CLI. For more information about custom signature syntax, see "Creating custom signatures" on page 29 and "Custom signature syntax" on page 30.
Adding custom signatures using the web-based manager
To add a custom signature
1  Go to Intrusion Protection > Signature > Custom.
2  Select Create New to add a new custom signature, or select the Edit icon to edit a custom signature.
Figure 8: Edit Custom Signature
3  Enter a name for the custom signature.
4  Enter the Signature.
5  Set the action to Drop Session.
6  If required, enable Packet Log.
7  Select a Severity level for the signature: Information, Low, Medium, High, or Critical.
8  Select OK.
Adding custom signatures using the CLI
After adding the custom signature, configure the settings for it under the signature group named custom. For more information about configuring signature groups, see "Configuring predefined signatures using the CLI" on page 21.

Command syntax pattern
config ips custom
    edit <name_str>
        set signature <'signature_str'>
    end

Keywords and variables, with description and default:

name_str
    The name of the custom signature.

signature <'signature_str'>
    Enter the custom signature. The signature must be enclosed in single quotes.
    Default: No default.

Example
This example shows how to add a custom signature for ICMP packets set to type 10.

config ips custom
    edit ICMP10
        set signature 'F-SBID(--protocol icmp; --icmp_type 10; --revision 2; )'
    end
Creating custom signatures
A custom signature definition should be less than 1000 characters. A definition can be a single line or span multiple lines connected by a backslash (\) at the end of each line.
A custom signature definition begins with a header, followed by a set of keyword and value pairs enclosed by parentheses ( ). The keyword and value pairs are separated by a semicolon (;) and each consists of a keyword and a value separated by a space. The basic format of a definition is HEADER (KEYWORD VALUE;)
KEYWORD VALUE; can be repeated up to 64 times until all the parameters needed for the signature are included.
Custom signature fields
Table 3 shows the valid characters for custom signature fields.

Table 3: Valid characters for custom signature fields

HEADER
    Valid characters: F-SBID
    Usage: The header for an attack definition signature. Each custom signature must begin with this header.

KEYWORD
    Valid characters: A keyword must start with "--", and be a string of 1 to 19 characters. Normally, keywords are an English word or English words connected by "_". Letters are usually lower case; however, keywords are case insensitive.
    Usage: The keyword is used to identify a parameter. See "Custom signature syntax" on page 30 for tables of supported keywords.

VALUE
    Valid characters: Double quotes must be used around the value if it contains a space and/or a semicolon. If the value is NULL, the space between the KEYWORD and VALUE can be omitted. Values are case sensitive.
    Note: if double quotes are used for quoting the value, the double quotes are not considered as part of the value string.
    Usage: Set the value for a parameter identified by a keyword.
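The format rules above (header, parenthesised keyword/value pairs, quoting, the 64-pair and 1000-character limits, backslash continuation) are enough to write a validating parser. The following is an added example, not code from the guide or from Fortinet; it assumes that the "1 to 19 characters" keyword length counts the part after "--", and that backslash escapes inside a quoted value are kept verbatim rather than decoded.

```python
"""Parser for F-SBID custom signature definitions (added example, not part of the guide).

Implements the rules stated in the text: a definition shorter than 1000 characters,
optional backslash line continuation, the F-SBID header, keyword/value pairs inside
parentheses separated by semicolons, keywords that start with "--" and are case
insensitive, values that must be double-quoted when they contain a space or a
semicolon, NULL values, and at most 64 pairs.
Assumption: the "1 to 19 characters" keyword length counts the part after "--".
"""
import re

MAX_LENGTH = 1000
MAX_PAIRS = 64
HEADER = "F-SBID"
KEYWORD_RE = re.compile(r"^--[A-Za-z0-9_]{1,19}$")


class SignatureError(ValueError):
    """Raised when a definition violates one of the documented rules."""


def join_continuation_lines(text):
    """Join lines that end with a backslash into one logical line."""
    return re.sub(r"\\\r?\n", "", text)


def _read_quoted_value(body, pos):
    """Return (value, position after the closing quote); backslash escapes are kept verbatim."""
    end = pos + 1
    while end < len(body) and body[end] != '"':
        end += 2 if body[end] == "\\" else 1   # skip an escaped character
    if end >= len(body):
        raise SignatureError("unterminated quoted value at offset %d" % pos)
    return body[pos + 1:end], end + 1


def parse_custom_signature(definition):
    """Return [(keyword, value), ...] for a definition, or raise SignatureError.

    Keywords are lower-cased (they are case insensitive); a keyword with no value
    gets None (NULL); surrounding double quotes are not part of a value.
    """
    if len(definition) >= MAX_LENGTH:
        raise SignatureError("definition must be less than %d characters" % MAX_LENGTH)
    text = join_continuation_lines(definition).strip()
    if not text.startswith(HEADER):
        raise SignatureError("definition must begin with the %s header" % HEADER)
    body = text[len(HEADER):].strip()
    if not (body.startswith("(") and body.endswith(")")):
        raise SignatureError("keyword/value pairs must be enclosed in parentheses")
    body, pos, pairs = body[1:-1], 0, []
    while True:
        while pos < len(body) and body[pos].isspace():
            pos += 1
        if pos >= len(body):
            break
        match = re.match(r"--[^\s;\"]*", body[pos:])
        if not match or not KEYWORD_RE.match(match.group(0)):
            raise SignatureError("invalid keyword at offset %d" % pos)
        keyword = match.group(0)
        pos += len(keyword)
        while pos < len(body) and body[pos] == " ":
            pos += 1
        if pos < len(body) and body[pos] == '"':
            value, pos = _read_quoted_value(body, pos)
        else:
            end = body.find(";", pos)             # bare value runs to the semicolon
            end = len(body) if end == -1 else end
            raw = body[pos:end].strip()
            if any(ch.isspace() for ch in raw):
                raise SignatureError("unquoted value with a space after %s" % keyword)
            value, pos = (raw or None), end       # empty value is NULL
        while pos < len(body) and body[pos].isspace():
            pos += 1
        if pos < len(body):                       # last pair may omit the ';'
            if body[pos] != ";":
                raise SignatureError("expected ';' after %s" % keyword)
            pos += 1
        pairs.append((keyword.lower(), value))
        if len(pairs) > MAX_PAIRS:
            raise SignatureError("more than %d keyword/value pairs" % MAX_PAIRS)
    return pairs


def is_valid_signature(definition):
    """True when the definition parses under the documented rules."""
    try:
        parse_custom_signature(definition)
        return True
    except SignatureError:
        return False


if __name__ == "__main__":
    # The ICMP example from the guide plus a constructed HTTP definition.
    for sig in ("F-SBID(--protocol icmp; --icmp_type 10; --revision 2; )",
                'F-SBID(--protocol tcp; --flow established; --content "GET /admin;"; --no_case)'):
        print(parse_custom_signature(sig))
```

The quoted-value branch is what lets a content string carry a space or a semicolon without ending the pair, which is the reason the text requires the quotes; an unquoted value containing whitespace is rejected rather than silently swallowing the next keyword.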
Custom signature syntax
Table 4: General keywords

name
    Value: A string of greater than 0 and less than 64 characters. Normally, the group name is an English word or English words connected by _. All letters are normally lower case. The name keyword can be different from the signature name.
    Usage: Because the name identifies the signature for the user, it should be easily readable and unique. The name keyword is optional for custom signatures.

default_action
    Value: [pass | pass_session | drop | drop_session | reset | reset_client | reset_server | clear_session]
    Usage: The recommended action for a signature. The default action is pass.

protocol
    Value: ip; tcp; icmp; udp;
    Usage: The protocol name.

revision
    Value: An integer.
    Usage: Optional. A revision number for this signature.
Table 5: Content specific keywords

content
    Value: [!]"<content string>"; A string quoted within double quotes. Optionally place an exclamation mark (!) before the first double quote to express "Not".
    Usage: The content contained in the packet payload. Multiple contents can be specified in one rule. The value can contain mixed text and binary data. The binary data is generally enclosed within the pipe (|) character. The following characters in the content string must be escaped using a back slash: double quote ("), pipe sign (|) and colon (:).

uri
    Value: Same as content.
    Usage: Search for the normalized request URI field. Binary data can be defined as the URI value.

offset
    Value: <number>; An integer (0-65535).
    Usage: Start looking for the contents after the specified number of bytes of the payload. This tag is an absolute value in the payload. Follow the offset tag with the depth tag to stop looking for a match after the value specified by the depth tag. If there is no depth specified, continue looking for a match until the end of the payload.

depth
    Value: <number>; An integer (1-65535).
    Usage: Look for the contents within the specified number of bytes of the payload. If the value of the depth keyword is smaller than the length of the value of the content keyword, this signature will never be matched. If depth is used without a preceding "offset", it is equal to a "-offset 0" there.

distance
    Value: <number>; An integer (0-65535).
    Usage: Search for the contents the specified number of bytes relative to the end of the previously matched contents. The distance tag could be followed with the within tag. If there is no value specified for the within tag, continue looking for a match until the end of the payload.

within
    Value: <number>; An integer (1-65535).
    Usage: Look for the contents within the specified number of bytes of the payload. Use with the distance tag.

no_case
    Value: NULL
    Usage: Ignore case in the content value.

raw
    Value: NULL
    Usage: Ignore any decoding. Look at the raw packet data.

regex
    Value: NULL
    Usage: Regular expressions are used in the contents. An asterisk (*) in the content string means any character, any number of times. A question mark (?) means any single character.
Table 5: Content specific keywords (Continued)

byte_test
    Value: <bytes_to_convert>, <operator>, <value>, <offset> [, [relative,] [big,] [little,] [string,] [hex,] [dec,] [oct]];
    Usage: Test a byte field against a specific value (with operator). Capable of testing binary values or converting representative byte strings to their binary equivalent and testing them.
    bytes_to_convert - The number of bytes to pick up from the packet.
    operator - The operation to perform to test the value (<, >, =, !, &).
    value - The value to test the converted value against.
    offset - The number of bytes into the payload to start processing.
    relative - Use an offset relative to last pattern match.
    big - Process the data as big endian (default).
    little - Process the data as little endian.
    string - The data is stored in string format in the packet.
    hex - The converted string data is represented in hexadecimal.
    dec - The converted string data is represented in decimal.
    oct - The converted string data is represented in octal.
Table 5: Content specific keywords (Continued)

byte_jump
    Value: <bytes_to_convert>, <offset> [, [relative,] [big,] [little,] [string,] [hex,] [dec,] [oct,] [align]];
    Usage: The byte_jump option is used to get a specified number of bytes, convert them to their numeric representation, and jump the doe_ptr up that many bytes for further pattern matching/byte_testing. This allows relative pattern matches to take into account numerical values found in network data.
    bytes_to_convert - The number of bytes to pick up from the packet.
    offset - The number of bytes into the payload to start processing.
    relative - Use an offset relative to the last pattern match.
    big - Process the data as big endian (default).
    little - Process data as little endian.
    string - The data is stored in string format in the packet.
    hex - The converted string data is represented in hexadecimal.
    dec - The converted string data is represented in decimal.
    oct - The converted string data is represented in octal.
    align - Round the number of converted bytes up to the next 32-bit boundary.
Table 5: Content specific keywords (Continued)

pcre
    Value: [!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUB]";
    Usage: The pcre keyword allows you to write rules using perl compatible regular expressions (PCRE). For more information on using PCRE, see the PCRE web site at http://www.pcre.org.
    The post-re modifiers set compile time flags for the regular expression.
    i - Case insensitive.
    s - Include newlines in the dot metacharacter.
    m - By default, the string is treated as one big line of characters. ^ and $ match at the start and end of the string. When m is set, ^ and $ match immediately following or immediately before any newline in the buffer, as well as the very start and very end of the buffer.
    x - Whitespace data characters in the pattern are ignored except when escaped or inside a character class.
    A - The pattern must match only at the start of the buffer (same as ^).
    E - Set $ to match only at the end of the subject string. Without E, $ also matches immediately before the final character if it is a newline (but not before any other newlines).
    G - Inverts the "greediness" of the quantifiers so that they are not greedy by default, but become greedy if followed by "?".
    R - Match relative to the end of the last pattern match (similar to distance:0;).
    U - Match the decoded URI buffers (similar to the uri keyword).
    B - Do not use the decoded buffers (similar to the raw keyword).

data_at
    Value: <value> [,relative];
    Usage: Verify that the payload has data at a specified location. Optionally look for data relative to the end of the previous content match.
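The offset/depth, distance/within, byte_test and byte_jump keywords in Table 5 all revolve around a pointer that sits just after the last match (the doe_ptr named in the byte_jump description). The following added example, not code from the guide or from Fortinet, implements those keyword semantics over a constructed length-prefixed message so the interaction can be traced step by step. It assumes that byte_jump moves the pointer to the end of the converted bytes plus the converted value, that "align" rounds that value up to a 32-bit boundary, and that "within" bounds the whole match to the given number of bytes after the distance point.

```python
"""Content matching with offset/depth, distance/within, byte_test and byte_jump.

Added example, not from the guide or from Fortinet. ctx["doe"] is the position just
after the previous match; distance/within, relative byte_test and relative byte_jump
are measured from it. Assumptions: byte_jump lands at (start of field + field size +
converted value), and align rounds the converted value up to a multiple of 4.
"""


def match_content(payload, pattern, ctx, offset=0, depth=None,
                  distance=None, within=None, no_case=False):
    """Search for pattern; on success advance ctx["doe"] past the match."""
    if distance is not None or within is not None:
        start = ctx["doe"] + (distance or 0)            # relative to previous match
        end = len(payload) if within is None else start + within
    else:
        start = offset                                  # absolute in the payload
        end = len(payload) if depth is None else offset + depth
    haystack, needle = payload[start:end], pattern
    if no_case:
        haystack, needle = haystack.lower(), needle.lower()
    index = haystack.find(needle)
    if index == -1:                                     # also covers depth < len(pattern)
        return False
    ctx["doe"] = start + index + len(pattern)
    return True


def _convert(payload, start, count, string, base, little):
    """Read count bytes at start as a number, or None if the field is not there."""
    if start < 0:
        return None
    chunk = payload[start:start + count]
    if len(chunk) < count:
        return None
    if string:                                          # e.g. b"0042" with base 10
        return int(chunk.decode("ascii"), base)
    return int.from_bytes(chunk, "little" if little else "big")


def byte_test(payload, ctx, bytes_to_convert, operator, value, offset,
              relative=False, little=False, string=False, base=10):
    """Compare a field in the payload with value using <, >, =, ! or &."""
    start = (ctx["doe"] if relative else 0) + offset
    number = _convert(payload, start, bytes_to_convert, string, base, little)
    if number is None:
        return False
    return {"<": number < value, ">": number > value, "=": number == value,
            "!": number != value, "&": (number & value) != 0}[operator]


def byte_jump(payload, ctx, bytes_to_convert, offset, relative=False,
              little=False, string=False, base=10, align=False):
    """Read a length field and move ctx["doe"] past that many following bytes."""
    start = (ctx["doe"] if relative else 0) + offset
    number = _convert(payload, start, bytes_to_convert, string, base, little)
    if number is None:
        return False
    if align:
        number = (number + 3) & ~3
    target = start + bytes_to_convert + number
    if target > len(payload):                           # length field points past the data
        return False
    ctx["doe"] = target
    return True


def length_prefixed_rule(payload):
    """Constructed rule: 'MSG', a 2-byte big-endian length, the body, then 'END'.

    Rendered in the keyword syntax of the guide this would be (assumed rendering):
    --content "MSG"; --offset 0; --depth 3; --byte_test 2,>,3,0,relative;
    --byte_jump 2,0,relative; --content "END"; --distance 0; --within 3;
    """
    ctx = {"doe": 0}
    return (match_content(payload, b"MSG", ctx, offset=0, depth=3)
            and byte_test(payload, ctx, 2, ">", 3, 0, relative=True)
            and byte_jump(payload, ctx, 2, 0, relative=True)
            and match_content(payload, b"END", ctx, distance=0, within=3))


# Constructed sample payloads: the first is well formed, the second lies about its length.
GOOD_PAYLOAD = b"MSG" + (5).to_bytes(2, "big") + b"hello" + b"END"
BAD_PAYLOAD = b"MSG" + (4).to_bytes(2, "big") + b"hello" + b"END"

if __name__ == "__main__":
    print(length_prefixed_rule(GOOD_PAYLOAD), length_prefixed_rule(BAD_PAYLOAD))
```

With the good payload the jump lands exactly on "END"; with the bad one the declared length is short by one byte, so the relative content search starts inside the body and the rule does not match, which is the behaviour a length-validating signature relies on.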
Table 6: IP header keywords

ip_version
    Value: <number>;
    Usage: The IP version number.

ihl
    Value: <number>; An integer (5-15).
    Usage: The IP header length.

tos
    Value: <number>;
    Usage: Check the IP TOS field for the specified value.

ip_id
    Value: <number>;
    Usage: Check the IP ID field for the specified value.
Table 6: IP header keywords (Continued)

ip_option
    Value: {rr | eol | nop | ts | sec | lsrr | ssrr | satid | any}
    Usage:
    rr - Check if IP RR (record route) option is present.
    eol - Check if IP EOL (end of list) option is present.
    nop - Check if IP NOP (no op) option is present.
    ts - Check if IP TS (time stamp) option is present.
    sec - Check if IP SEC (IP security) option is present.
    lsrr - Check if IP LSRR (loose source routing) option is present.
    ssrr - Check if IP SSRR (strict source routing) option is present.
    satid - Check if IP SATID (stream identifier) option is present.
    any - Check if IP any option is present.

ip_flag
    Value: [!]<[MDR]>[+|*];
    Usage: Check if IP fragmentation and reserved bits are set in the IP header.
    M - The More Fragments bit.
    D - The Don't Fragment bit.
    R - The Reserved Bit.
    + - Match on the specified bits, plus any others.
    * - Match if any of the specified bits are set.
    ! - Match if the specified bits are not set.

ttl
    Value: <number>; ><number>; <<number>;
    Usage: Check the IP time-to-live value against the specified value.

src_addr
    Value: [!]<ip addresses or CIDR blocks> You can define up to 28 IP address or CIDR blocks. Enclose the comma separated list in square brackets.
    Usage: The source IP address.
Table 6: IP header keywords (Continued)

dst_addr
    Value: [!]<ip addresses or CIDR blocks> You can define up to 28 IP address or CIDR blocks. Enclose the comma separated list in square brackets.
    Usage: The destination IP address.

ip_proto
    Value: <number>; [!]<number>; ><number>; <<number>;
    Usage: Check the IP protocol header.
Table 7: TCP header keywords

src_port
    Value: [!]<number>; [!]:<number>; [!]<number>:; [!]<number>:<number>;
    Usage: The source port number.

dst_port
    Value: [!]<number> [!]:<number> [!]<number>: [!]<number>:<number>
    Usage: The destination port number.

tcp_flags
    Value: [!|*|+]<FSRPAU120>[,<FSRPAU120>];
    The first part (<FSRPAU120>) defines the bits that must be present for a successful match. For example: --tcp_flags AP only matches the case where both A and P bits are set.
    The second part ([,<FSRPAU120>]) is optional, and defines the additional bits that can be present for a match. For example: --tcp_flags S,12 matches the following combinations of flags: S, S and 1, S and 2, S and 1 and 2.
    The modifiers !, * and + can not be used in the second part.
    Usage: Specify the TCP flags to match in a packet.
    S - Match the SYN flag.
    A - Match the ACK flag.
    F - Match the FIN flag.
    R - Match the RST flag.
    U - Match the URG flag.
    P - Match the PSH flag.
    1 - Match Reserved bit 1.
    2 - Match Reserved bit 2.
    0 - Match No TCP flags set.
    + - Match on the specified bits, plus any others.
    * - Match if any of the specified bits are set.
    ! - Match if the specified bits are not set.

seq
    Value: <number>;
    Usage: Check for the specified TCP sequence number.
Table 7: TCP header keywords (Continued)

ack
    Value: <number>;
    Usage: Check for the specified TCP acknowledge number.

window_size
    Value: [!]<number>; An integer in either hexadecimal or decimal. A hexadecimal value must be preceded by 0x.
    Usage: Check for the specified TCP window size.
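The tcp_flags value in Table 7 combines an exact-match first part, an optional second part of bits that are ignored, and three modifiers that change the comparison. The following added example, not code from the guide or from Fortinet, implements that matching rule against a packet's flag byte and is useful for checking what a given value will and will not match before it goes into a signature. It assumes the standard bit positions for FIN, SYN, RST, PSH, ACK and URG and treats reserved bits 1 and 2 as the two high-order bits of the flag byte (0x80 and 0x40).

```python
"""Matcher for the --tcp_flags keyword semantics of Table 7 (added example, not from the guide).

A plain flag string is an exact match: the packet must have the listed bits and no
others, apart from bits named in the optional second part after the comma, which are
ignored. The modifiers change the test: + needs the listed bits plus any others,
* needs any of them, ! needs none of them; 0 matches a packet with no flags set.
Assumption: reserved bits 1 and 2 are the two high-order flag bits (0x80 and 0x40).
"""

FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "2": 0x40, "1": 0x80}


def flags_from_letters(letters):
    """Turn a string such as 'SA' or 'S12' into a bit mask; '0' contributes no bits."""
    mask = 0
    for ch in letters:
        if ch == "0":
            continue
        if ch not in FLAG_BITS:
            raise ValueError("unknown TCP flag letter %r" % ch)
        mask |= FLAG_BITS[ch]
    return mask


def parse_tcp_flags(spec):
    """Split a --tcp_flags value into (modifier, required mask, ignored mask)."""
    modifier = ""
    if spec and spec[0] in "!*+":
        modifier, spec = spec[0], spec[1:]
    required, _, optional = spec.partition(",")
    if not required:
        raise ValueError("tcp_flags needs at least one flag letter")
    if optional and optional[0] in "!*+":
        raise ValueError("modifiers are not allowed in the second part")
    return modifier, flags_from_letters(required), flags_from_letters(optional)


def tcp_flags_match(spec, packet_flags):
    """True when a packet's flag byte satisfies the --tcp_flags value spec."""
    modifier, required, optional = parse_tcp_flags(spec)
    observed = packet_flags & ~optional & 0xFF      # bits in the second part are ignored
    if modifier == "+":                             # listed bits, plus any others
        return observed & required == required
    if modifier == "*":                             # any of the listed bits
        return observed & required != 0
    if modifier == "!":                             # none of the listed bits
        return observed & required == 0
    return observed == required                     # exact match (covers "0")


def flags_to_letters(packet_flags):
    """Render a flag byte as letters in FSRPAU12 order, or '0' when no flag is set."""
    return "".join(ch for ch in "FSRPAU12" if packet_flags & FLAG_BITS[ch]) or "0"


if __name__ == "__main__":
    # Constructed flag bytes: SYN, SYN+ACK, ACK+PSH, and SYN with reserved bit 1.
    for spec in ("S", "S,12", "AP", "+A", "*SA", "!S", "0"):
        hits = [flags_to_letters(f) for f in (0x02, 0x12, 0x18, 0x82, 0x00) if tcp_flags_match(spec, f)]
        print("%-5s matches %s" % (spec, hits))
```

The exact-match default is the detail most often misread: "--tcp_flags S" matches a bare SYN but not a SYN+ACK, and the "S,12" form exists precisely so that the reserved bits used for ECN do not break that match.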
Table 8: UDP header keywords

src_port
    Value: [!]<number>; [!]:<number>; [!]<number>:; [!]<number>:<number>;
    Usage: The source port number.

dst_port
    Value: [!]<number>; [!]:<number>; [!]<number>:; [!]<number>:<number>;
    Usage: The destination port number.
Table 9: ICMP keywords

icmp_type
    Value: <number>;
    Usage: Specify the ICMP type to match.

icmp_code
    Value: <number>;
    Usage: Specify the ICMP code to match.

icmp_id
    Value: <number>;
    Usage: Check for the specified ICMP ID value.

icmp_seq
    Value: <number>;
    Usage: Check for the specified ICMP sequence value.
Table 10: Other keywords

same_ip
    Value: NULL
    Usage: The source and the destination have the same IP addresses.

rpc_num
    Value: <application number>, [<version number>|*], [<procedure number>|*];
    Usage: Check for RPC application, version, and procedure numbers in SUNRPC CALL requests. The * wildcard can be used for version and procedure numbers.

flow
    Value: [to_client|to_server|from_client|from_server]; established; bi_direction; [no_stream|only_stream];
    Usage: TCP only. The to_server value is equal to the from_client value. The to_client value is equal to the from_server value.
    The bi_direction tag makes the signature match traffic for both directions. For example, if you have a signature with "--dst_port 80", and with bi_direction set, the signature checks traffic from and to port 80.
Table 10: Other keywords (Continued)

data_size
    Value: < number; > number; < number; number <> number;
    Usage: Test the packet payload size. With data_size specified, packet reassembly is turned off automatically. So a signature with data_size and only_stream values set is wrong.

revision
    Value: <number>;
    Usage: The revision number of the attack signature.
Decoders
This section describes:
• Protocol decoders
• Upgrading IPS protocol decoder list
• Viewing the protocol decoder list
• Configuring protocol decoder parameters using the web-based manager
Protocol decoders
The FortiGate IPS uses protocol decoders to identify abnormal traffic patterns that do not meet the protocol requirements and standards. For example, the HTTP decoder monitors HTTP traffic to identify any HTTP packets that do not meet the HTTP protocol standards.
Go to Intrusion Protection > Signature > Protocol Decoder to set such parameters as port, min_flood_len, and max_callid_len. To set action, packet log, severity, and exempt IP see "Predefined signature configuration" on page 19.
Upgrading IPS protocol decoder list
IPS protocol decoders are included in the IPS upgrade package available through the FortiGuard Distribution Network (FDN). There is no need to wait for firmware upgrades. The IPS upgrade package will keep the IPS decoder list up to date with new threats such as the latest versions of existing IM/P2P as well as new applications.
Viewing the protocol decoder list
To view the decoder list, go to Intrusion Protection > Signature > Protocol Decoder.
Figure 9: The protocol decoder list

Name
    The protocol decoder name.
Port
    The port(s) the protocol decoder is using.
Edit icon
    Select to edit the port(s) used by the decoder.
Configuring protocol decoder parameters using the web-based manager
Each protocol decoder is configured with a preset configuration. Use the recommended configurations, or modify the port list to meet the needs of your network.
Figure 10: Edit IPS Protocol Decoder: DNS
To configure the parameters of a protocol decoder
1  Go to Intrusion Protection > Signature > Protocol Decoder.
2  Select the Edit icon for the protocol decoder to configure.
3  Configure available parameters.
4  Select OK.
Configuring parameters for protocol decoders
The following predefined protocol decoders have configurable parameters:
• DCE RPC_decoder
• dns_decoder
• ftp_decoder
• h323_decoder
• http_decoder
• imap_decoder
• ldap_decoder
• mssql_decoder
• NetBIOS_decoder
• pop3_decoder
• radius_decoder
• Sun rpc_decoder
• sip_decoder
• smtp_decoder
• snmp_decoder
Figure 11: Edit IPS Configuration: sip_decoder
Figure 12: Edit IPS Configuration: imap_decoder
Traffic anomalies
This section describes:
• IPS traffic anomalies
• Viewing the traffic anomaly list
• Configuring a traffic anomaly using the web-based manager
• Configuring an anomaly using the CLI
IPS traffic anomalies
The FortiGate IPS uses anomaly detection to identify network traffic that does not fit known or preset traffic patterns. For example, if one host keeps opening a large number of sessions within a second, the destination will experience traffic flooding. In this case, the FortiGate IPS uses session thresholds to prevent flooding.
The FortiGate IPS identifies four statistical anomaly types for each of the TCP, UDP, and ICMP protocols.
Flooding: If the number of sessions targeting a single destination in one second is over a specified threshold, the destination is experiencing flooding.
Scan: If the number of sessions from a single source in one second is over a specified threshold, the source is scanning.
Source session limit: If the number of concurrent sessions from a single source is over a specified threshold, the source session limit is reached.
Destination session limit: If the number of concurrent sessions to a single destination is over a specified threshold, the destination session limit is reached.
Enable or disable logging for each anomaly, and configure the IPS action in response to detecting an anomaly. In many cases, the thresholds the anomaly uses to detect traffic patterns that could represent an attack are configurable.
Note: It is important to know normal and expected network traffic before changing the default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high could miss some attacks.
Use the CLI to configure session control based on source and destination network address.
The anomaly detection list can be updated only when the FortiGate firmware image is upgraded.
Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To access the IPS, select Global Configuration on the main menu.
Viewing the traffic anomaly list
To view the anomaly list, go to Intrusion Protection > Anomaly.
Figure 13: A portion of the traffic anomaly list
View traffic anomalies with severity: Select filters, then select Go to view only those anomalies that match the filter criteria. The filter compares severity using <=, =, or >= against All, Information, Low, Medium, High, or Critical.
Name: The traffic anomaly name.
Enable: The status of the anomaly. A check mark in the check box indicates the anomaly is enabled. An empty check box indicates the anomaly is disabled.
Logging: The logging status for each anomaly. A check mark in the box indicates logging is enabled for the anomaly.
Action: The action set for each anomaly. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Clear Session, or Pass Session.
Severity: The severity level set for each anomaly. Severity level can be Information, Low, Medium, High, or Critical. Severity level is set for individual anomalies.
Edit icon: Select to edit the following information: Action, Severity, and Threshold.
Reset icon: The Reset icon is displayed only if an anomaly has been modified. Use the Reset icon to restore modified settings to the recommended values.
Configuring a traffic anomaly using the web-based manager
Each traffic anomaly is preset with a recommended configuration. Use the recommended configurations, or modify the recommended configurations to meet the needs of your network.
Figure 14: Edit IPS Traffic Anomaly: icmp_dst_session
Figure 15: Edit IPS Traffic Anomaly: syn_fin
To configure the settings of a traffic anomaly
1. Go to Intrusion Protection > Anomaly.
2. Select the Edit icon for the anomaly to configure.
3. Select an action for the FortiGate unit to take when traffic triggers this anomaly.
4. Select a Severity level for the anomaly: Information, Low, Medium, High, or Critical.
5. If required, enter a new threshold value.
6. Select OK.
To restore the default settings of a traffic anomaly
1. Go to Intrusion Protection > Anomaly.
2. Select the Reset icon for the anomaly to restore to defaults. The Reset icon is displayed only if the settings for the anomaly have been changed from the defaults.
3. Select OK.
Configuring an anomaly using the CLI
The list of anomalies can be updated only when the FortiGate firmware image is upgraded.
The config ips anomaly command has one subcommand.
config limit
Access the config limit subcommand using the config ips anomaly <name_str> command. Use this command for session control based on source and destination network address. This command is available for tcp_src_session, tcp_dst_session, icmp_src_session, icmp_dst_session, udp_src_session, and udp_dst_session.
The default entry cannot be edited. Addresses are matched from more specific to more general. For example, if thresholds are defined for 192.168.100.0/24 and 192.168.0.0/16, the entry with the 24-bit netmask is matched before the entry with the 16-bit netmask.
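The four anomaly types from “IPS traffic anomalies” and the most-specific-first matching of config limit entries, modelled in Python as an added example (not Fortinet code). The session records, the thresholds of 10, and the per-network limits are constructed for the sample; the page's rule that traffic over the threshold triggers the anomaly is kept.

```python
"""Model of the four statistical traffic anomalies and the config limit lookup.

Added illustration written for this guide, not Fortinet code. Session records
are constructed; the real unit counts from its session table. Per-network
limits are matched from the most specific netmask to the least specific before
the default entry, as the config limit subcommand describes.
"""
import ipaddress
from collections import defaultdict


def build_limits(default_threshold, networks=()):
    """Build a limit table shaped like 'config limit': a default entry plus
    optional (cidr, threshold) pairs, sorted longest prefix first so that a
    /24 entry is tried before an enclosing /16."""
    table = sorted(
        ((ipaddress.ip_network(cidr), thr) for cidr, thr in networks),
        key=lambda entry: entry[0].prefixlen,
        reverse=True,
    )
    return {"default": default_threshold, "networks": table}


def threshold_for(limits, addr):
    """Return the threshold for addr: most specific matching network, else default."""
    ip = ipaddress.ip_address(addr)
    for net, thr in limits["networks"]:
        if ip in net:
            return thr
    return limits["default"]


def detect_anomalies(sessions, proto, flood, scan, src_limit, dst_limit):
    """Score session records (start_sec, end_sec, proto, src, dst).

    A session counts as new in start_sec and as concurrent for every second in
    [start_sec, end_sec). Returns sorted (second, anomaly, address, count)
    tuples for <proto>_flood, <proto>_scan, <proto>_src_session and
    <proto>_dst_session hits.
    """
    new_per_dst = defaultdict(lambda: defaultdict(int))   # second -> dst -> new sessions
    new_per_src = defaultdict(lambda: defaultdict(int))   # second -> src -> new sessions
    open_per_src = defaultdict(lambda: defaultdict(int))  # second -> src -> concurrent
    open_per_dst = defaultdict(lambda: defaultdict(int))  # second -> dst -> concurrent
    for start, end, p, src, dst in sessions:
        if p != proto:
            continue
        new_per_dst[start][dst] += 1
        new_per_src[start][src] += 1
        for sec in range(start, end):
            open_per_src[sec][src] += 1
            open_per_dst[sec][dst] += 1

    events = []
    # Flooding: new sessions to one destination in one second.
    for sec, per_dst in new_per_dst.items():
        events += [(sec, f"{proto}_flood", dst, n) for dst, n in per_dst.items() if n > flood]
    # Scan: new sessions from one source in one second.
    for sec, per_src in new_per_src.items():
        events += [(sec, f"{proto}_scan", src, n) for src, n in per_src.items() if n > scan]
    # Source / destination session limit: concurrent sessions, per-network threshold.
    for sec, per_src in open_per_src.items():
        events += [(sec, f"{proto}_src_session", src, n) for src, n in per_src.items()
                   if n > threshold_for(src_limit, src)]
    for sec, per_dst in open_per_dst.items():
        events += [(sec, f"{proto}_dst_session", dst, n) for dst, n in per_dst.items()
                   if n > threshold_for(dst_limit, dst)]
    return sorted(events)


def example_src_limits():
    """Constructed limits: 5 concurrent sessions for 192.168.100.0/24, 50 for the
    enclosing 192.168.0.0/16, 100 for everything else."""
    return build_limits(100, [("192.168.0.0/16", 50), ("192.168.100.0/24", 5)])


def sample_sessions():
    """Constructed traffic: one scanner, one burst at a server, one chatty client."""
    sessions = []
    for i in range(12):   # second 0: one host opens 12 sessions to 12 different hosts
        sessions.append((0, 1, "tcp", "10.0.0.5", f"10.0.1.{i + 1}"))
    for i in range(15):   # second 3: 15 sources hit one server at once
        sessions.append((3, 4, "tcp", f"172.16.0.{i + 1}", "192.168.100.10"))
    for i in range(6):    # seconds 5-9: one client holds 6 sessions open
        sessions.append((5, 10, "tcp", "192.168.100.77", f"10.9.0.{i + 1}"))
    return sessions


def run_example():
    """Thresholds of 10 for tcp_flood and tcp_scan (constructed, far below
    production values) so the small sample trips them."""
    return detect_anomalies(sample_sessions(), "tcp", flood=10, scan=10,
                            src_limit=example_src_limits(), dst_limit=build_limits(100))


if __name__ == "__main__":
    for event in run_example():
        print(event)
```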
Command syntax pattern
config ips anomaly <name_str>
    set action {clear-session | drop | drop-session | pass | pass-session | reset | reset-client | reset-server}
    set log {enable | disable}
    set severity {info | low | medium | high | critical}
    set status {enable | disable}
    set threshold <threshold_integer>
    config limit
        edit <limit_str>
            set ipaddress <address_ipv4mask>
            set threshold <threshold_integer>
        end
    end
end
get ips anomaly <name_str>
Keywords and variables
name_str
    The name of the anomaly.
action {clear-session | drop | drop-session | pass | pass-session | reset | reset-client | reset-server}
    Select an action for the FortiGate unit to take when traffic triggers this anomaly. If logging is enabled, the action appears in the status field of the log message generated by the anomaly.
    • clear-session: The FortiGate unit drops the packet that triggered the anomaly, removes the session from the FortiGate session table, and does not send a reset.
    • drop: The FortiGate unit drops the packet that triggered the anomaly. Fortinet recommends using an action other than drop for TCP connection based attacks.
    • drop-session: The FortiGate unit drops the packet that triggered the anomaly and drops any other packets in the same session.
    • pass: The FortiGate unit lets the packet that triggered the anomaly pass through the firewall. If logging is disabled and action is set to Pass, the anomaly is effectively disabled.
    • pass-session: The FortiGate unit lets the packet that triggered the anomaly and all other packets in the session pass through the firewall.
    • reset: The FortiGate unit drops the packet that triggered the anomaly, sends a reset to both the client and the server, and removes the session from the FortiGate session table. Used for TCP connections only. If this action is set for non-TCP connection based attacks, the action behaves as clear-session. If the reset action is triggered before the TCP connection is fully established, it acts as clear-session.
    • reset-client: The FortiGate unit drops the packet that triggered the anomaly, sends a reset to the client, and removes the session from the FortiGate session table. Used for TCP connections only. If this action is set for non-TCP connection based attacks, the action behaves as clear-session. If the reset-client action is triggered before the TCP connection is fully established, it acts as clear-session.
    • reset-server: The FortiGate unit drops the packet that triggered the anomaly, sends a reset to the server, and removes the session from the FortiGate session table. Used for TCP connections only. If this action is set for non-TCP connection based attacks, the action behaves as clear-session. If the reset-server action is triggered before the TCP connection is fully established, it acts as clear-session.
    Default: Varies.
default-action {clear-session | drop | drop-session | pass | pass-session | reset | reset-client | reset-server}
    The default action for the anomaly. This option is get only.
default-severity {info | low | medium | high | critical}
    The default severity level for the anomaly. This option is get only.
    Default: critical
log {enable | disable}
    Enable or disable logging for the anomaly. If logging is enabled, the action appears in the status field of the log message generated by the anomaly.
    Default: enable
severity {info | low | medium | high | critical}
    Set the severity level for the anomaly.
    Default: critical
status {enable | disable}
    Enable or disable this anomaly.
    Default: enable
threshold <threshold_integer>
    For the anomalies that include the threshold setting, traffic over the specified threshold triggers the anomaly.
    Default: Varies.
The keywords below are specific to the config limit command.
limit_str
    The name of the limit.
ipaddress <address_ipv4mask>
    The IP address and netmask of the source or destination network.
    Default: No default.
threshold <threshold_integer>
    Set the threshold that triggers this anomaly.
    Default: No default.
Examples
This example shows how to change the tcp_land anomaly configuration.
config ips anomaly tcp_land
    set action pass
    set log enable
    set status enable
end
Use the following command to configure the limit for the tcp_src_session anomaly.
config ips anomaly tcp_src_session
    config limit
        edit subnet1
            set ipaddress 1.1.1.0 255.255.255.0
            set threshold 300
        end
    end
end
Use the following command to get information about the anomaly syn_flood.
get ips anomaly syn_flood
name                : syn_flood
status              : enable
status(default)     : enable
action              : clear-session
action(default)     : clear-session
severity            : critical
severity(default)   : critical
log                 : enable
limit:
== [ default ]
name: default
SYN Flood Attacks
This section describes:
• What is a SYN flood attack?
• How SYN floods work
• The FortiGate IPS Response to SYN Flood Attacks
• Configuring SYN flood protection
• Suggested settings for different network conditions
What is a SYN flood attack?
A SYN flood is a type of Denial of Service (DoS) attack. DoS is a class of attacks in which an attacker attempts to prevent legitimate users from accessing an internet service, for example, a web server. Using SYN floods, an attacker attempts to disable an Internet service by flooding a server with TCP/IP connection requests which consume all the available slots in the server’s TCP connection table. When the connection table is full, it is not possible to establish any new connections, and the web site on the server becomes inaccessible.
This section provides information about SYN flood attacks and the FortiGate IPS methods of preventing such attacks.
How SYN floods work
SYN floods work by exploiting the structure of the TCP/IP protocol. An attacker floods a server with connection attempts but never acknowledges the server’s replies to open the TCP/IP connection.
The TCP/IP protocol uses a three-step process to establish a network connection.
Figure 16: Establishing a TCP/IP connection
1. The originator of the connection sends a SYN packet (a packet with the SYN flag set in the TCP header) to initiate the connection.
2. The receiver sends a SYN/ACK packet (a packet with the SYN and ACK flags set in the TCP header) back to the originator to acknowledge the connection attempt.
3. The originator then sends an ACK packet (a packet with the ACK flag set in the TCP header) back to the receiver to open the connection.
After the handshaking process is complete the connection is open and data exchange can begin between the originator and the receiver, in this case the web browser and the web server.
Between steps 2 and 3, however, the web server keeps a record of any incomplete connections until it receives the ACK packet. A SYN flood attacker sends many SYN packets but never replies with the final ACK packet.
Since most systems have only a limited amount of space for TCP/IP connection records, a flood of incomplete connections will quickly block legitimate users from accessing the server. Most TCP/IP implementations use a fairly long timeout before incomplete connections are cleared from the connection table and traffic caused by a SYN flood is much higher than normal network traffic.
The FortiGate IPS Response to SYN Flood Attacks
The FortiGate unit uses a defense method that combines the SYN Threshold and SYN Proxy methods to prevent SYN flood attacks.
What is SYN threshold?
An IPS device establishes a limit on the number of incomplete TCP connections, and discards SYN packets if the number of incomplete connections reaches the limit.
What is SYN proxy?
An IPS proxy device synthesizes and sends the SYN/ACK packet back to the originator, and waits for the final ACK packet. After the proxy device receives the ACK packet from the originator, the IPS device then "replays" the three-step sequence of establishing a TCP connection (SYN, SYN/ACK and ACK) to the receiver.
How IPS works to prevent SYN floods
The FortiGate IPS uses a pseudo SYN proxy to prevent SYN flood attacks. The pseudo SYN proxy is an incomplete SYN proxy that reduces resource usage and provides better performance than a full SYN proxy approach.
The IPS allows users to set a limit or threshold on the number of incomplete TCP connections. The threshold can be set either from the CLI or the web-based manager.
When the IPS detects that the total number of incomplete TCP connections to a particular target exceeds the threshold, the pseudo SYN proxy is triggered to operate for all subsequent TCP connections. The pseudo SYN proxy determines whether a new TCP connection is a legitimate request or another SYN flood attack based on a “best-effort” algorithm. If a subsequent connection attempt is detected to be a normal TCP connection, the IPS allows a TCP connection from the source to the target. If a subsequent TCP connection is detected to be a new incomplete TCP connection request, one of the following actions is taken, depending on the user configuration for the SYN Flood anomaly in the IPS: Drop, Reset, Reset Client, Reset Server, Drop Session, Pass Session, or Clear Session.
A true SYN proxy approach requires that all three packets (SYN, SYN/ACK, and ACK) are cached and replayed even before it is known if a TCP connection request is legitimate. The FortiGate IPS pseudo SYN proxy retransmits every TCP packet immediately from the packet source to the packet destination as soon as it records the necessary information for SYN flood detection.
Since the pseudo SYN proxy in the IPS uses a “best-effort” algorithm to determine whether a TCP connection is legitimate or not, some legitimate connections may be falsely detected as incomplete TCP connection requests and dropped. However, the proportion of legitimate TCP connections dropped by the pseudo SYN proxy is quite small.
Figure 17 illustrates the operational behavior of the FortiGate IPS Engine before the SYN Flood threshold is reached.
Figure 18 illustrates the operational behavior of the FortiGate IPS Engine after the SYN Flood threshold is reached.
Figure 17: IPS operation before syn_flood threshold is reached
Figure 18: IPS operation after syn_flood threshold is reached
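The threshold plus pseudo SYN proxy behaviour described in this section, modelled in Python as an added example (not Fortinet code). The real “best-effort” legitimacy test is not documented here, so a handshake deadline (HANDSHAKE_DEADLINE, a constructed value, not a FortiOS setting) stands in for it; the threshold of 5 and the packet trace are constructed for the sample, the real default being 2000.

```python
"""Model of the syn_flood threshold and pseudo SYN proxy described above.

Added illustration, not Fortinet code. Every packet is forwarded at once, as
the text says; the guard only tracks half-open connections per target and
reports which ones it would act on. The stand-in for the undocumented
best-effort check is a handshake deadline (constructed). Reset variants
collapse to clear-session for half-open connections, following the action
table in "Configuring an anomaly using the CLI".
"""
HANDSHAKE_DEADLINE = 3  # constructed: seconds a SYN may wait for the client's ACK
RESET_ACTIONS = ("reset", "reset-client", "reset-server")


def effective_action(action, established=False):
    """A reset triggered before the TCP connection is fully established acts as clear-session."""
    if action in RESET_ACTIONS and not established:
        return "clear-session"
    return action


class SynFloodGuard:
    """Count half-open TCP connections per (dst, dport) target.

    Below the threshold this is bookkeeping only. Once a target's count
    exceeds the threshold it enters proxy mode: every later SYN to it that
    is not completed by the client's ACK within HANDSHAKE_DEADLINE gets the
    configured action; connections opened before proxy mode began are left
    to the host's normal connection timeout.
    """

    def __init__(self, threshold=2000, action="clear-session"):
        self.threshold = threshold
        self.action = action
        self.half_open = {}        # (src, sport, dst, dport) -> time of SYN
        self.established = set()   # 4-tuples that completed the handshake
        self.proxied_since = {}    # target -> time proxy mode was triggered
        self.events = []           # (time, effective action, target, src, sport)

    @staticmethod
    def _target(key):
        return key[2], key[3]

    def half_open_count(self, target):
        return sum(1 for key in self.half_open if self._target(key) == target)

    def _sweep(self, now):
        """Apply the action to overdue half-open connections of proxied targets."""
        for key, t_syn in list(self.half_open.items()):
            started = self.proxied_since.get(self._target(key))
            if started is None or t_syn < started or now - t_syn <= HANDSHAKE_DEADLINE:
                continue
            del self.half_open[key]
            self.events.append((now, effective_action(self.action), self._target(key), key[0], key[1]))

    def packet(self, now, src, sport, dst, dport, flag):
        """Record one packet; returns 'forward' because nothing is ever held back."""
        self._sweep(now)
        key = (src, sport, dst, dport)
        if flag == "SYN":
            self.half_open[key] = now
            target = (dst, dport)
            if target not in self.proxied_since and self.half_open_count(target) > self.threshold:
                self.proxied_since[target] = now
        elif flag == "ACK":
            if key in self.half_open:      # final ACK of the three-way handshake
                del self.half_open[key]
                self.established.add(key)
        elif flag != "SYN/ACK":            # a SYN/ACK leaves the connection half-open
            raise ValueError(f"unknown flag {flag!r}")
        return "forward"


def run_trace(action="clear-session"):
    """Feed a constructed trace through a guard with a deliberately low threshold."""
    guard = SynFloodGuard(threshold=5, action=action)
    server = ("192.168.1.10", 80)
    for i in range(5):          # t=0: five SYNs never answered; count reaches 5, not over
        guard.packet(0, f"10.9.9.{i + 1}", 40000 + i, *server, "SYN")
    for i in range(5, 8):       # t=1: three more push the target over the threshold
        guard.packet(1, f"10.9.9.{i + 1}", 40000 + i, *server, "SYN")
    guard.packet(2, "10.1.1.50", 51000, *server, "SYN")           # legitimate client
    guard.packet(2, server[0], server[1], "10.1.1.50", 51000, "SYN/ACK")
    guard.packet(3, "10.1.1.50", 51000, *server, "ACK")
    guard.packet(10, "10.1.1.51", 51001, *server, "SYN")          # later SYN triggers the sweep
    return guard


if __name__ == "__main__":
    for event in run_trace().events:
        print(event)
```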
Configuring SYN flood protection
To set the configuration for the SYN flood anomaly in the web-based manager, go to Intrusion Protection > Anomaly, find syn_flood in the anomaly list, and select Edit.
Figure 19: Configuring the syn_flood anomaly
See “Traffic anomalies” on page 43 for information about configuring anomalies.
Suggested settings for different network conditions
The main setting that impacts the efficiency of the pseudo SYN proxy in detecting SYN floods is the threshold value. The default threshold is 2000. Select an appropriate value based on network conditions. Normally, if the servers being protected by the FortiGate unit need to handle heavier requests, such as a busy web server, the threshold should be set to a higher value. If the network carries lighter traffic, the threshold should be set to a lower value.
ICMP Sweep Attacks
This section describes:
• What is an ICMP sweep?
• How ICMP sweep attacks work
• The FortiGate IPS response to ICMP sweep attacks
• Configuring ICMP sweep protection
• Suggested settings for different network conditions
What is an ICMP sweep?
ICMP (Internet Control Message Protocol) is a part of the IP protocol and is generally used to send error messages describing packet routing problems. ICMP sweeps are not really considered attacks but are used to scan a target network to discover vulnerable hosts for further probing and possible attacks.
Attackers use automated tools that scan all possible IP addresses in the range of the target network to create a map which they can use to plan an attack.
How ICMP sweep attacks work
An ICMP sweep is performed by sending ICMP echo requests, or other ICMP messages that require a reply, to multiple addresses on the target network. Live hosts reply with an ICMP echo reply or other reply message. An ICMP sweep basically works the same as sending multiple pings: live hosts accessible on the network must send a reply. This enables the attacker to determine which hosts are live and connected to the target network so further attacks and probing can be planned.
There are several ways of doing an ICMP sweep depending on the source operating system, and there are many automated tools for network scanning that attackers use to probe target networks.
The FortiGate IPS response to ICMP sweep attacks
The FortiGate IPS provides predefined signatures to detect a variety of ICMP sweep methods. Each signature can be configured to pass, drop, or clear the session. Each signature can be configured to log when the signature is triggered.
Create custom signatures to block attacks specific to the network that are not included in the predefined signature list.
The FortiGate IPS also has an ICMP sweep anomaly setting with a configurable threshold.
Predefined ICMP signatures
Table 11 describes all the ICMP-related predefined signatures and their default settings.
Note: The predefined signature descriptions in Table 11 are accurate as of the IPS Guide publication date. Predefined signatures may be added or changed with each Attack Definition update.
Table 11: Predefined ICMP sweep signatures
AddressMask.Request
    AddressMask detects broadcast address mask request messages from a host pretending to be part of the network. The default action is to pass but log this traffic because it could be legitimate network traffic on some networks.
    Default settings: Signature enabled, Logging enabled, Action: Pass
Broadscan.Smurf.Echo.Request
    Broadscan is a hacking tool used to generate and broadcast ICMP requests in a smurf attack. In a smurf attack, an attacker broadcasts ICMP requests on Network A using a spoofed source IP address belonging to Network B. All hosts on Network A send multiple replies to Network B, which becomes flooded.
    Default settings: Signature enabled, Logging enabled, Action: Drop
Communication.Administratively.Prohibited.Reply
    This signature detects network packets that have been blocked by some kind of filter. The host that blocked the packet sends an ICMP (code 13) Destination Unreachable message notifying the source or apparent source of the filtered packet. Since this signature may be triggered by legitimate traffic, the default action is to pass but log the traffic, so it can be monitored.
    Default settings: Signature enabled, Logging enabled, Action: Pass
CyberKit.2.2.Echo.Request
    CyberKit 2.2 is Windows-based software used to scan networks. ICMP echo request messages sent using this software contain special characters that identify CyberKit as the source.
    Default settings: Signature enabled, Logging enabled, Action: Pass
DigitalIsland.Bandwidth.Query
    Digital Island is a provider of content delivery networks. This company sends ICMP pings so they can better map routes for their customers. Use this signature to block their probes.
    Default settings: Signature enabled, Logging enabled, Action: Drop
Echo.Reply
    This signature detects ICMP echo reply messages responding to ICMP echo request messages.
    Default settings: Signature disabled
ISS.Pinger.Echo.Request
    ISS is Internet Security Scanner software that can be used to send ICMP echo request messages and other network probes. While this software can be legitimately used to scan for security holes, use the signature to block unwanted scans.
    Default settings: Signature enabled, Logging enabled, Action: Drop
Nemesis.V1.1.Echo.Request
    Nemesis v1.1 is a Windows- or Unix-based scanning tool. ICMP echo request messages sent using this software contain special characters that identify Nemesis as the source.
    Default settings: Signature enabled, Logging enabled, Action: Drop
Oversized.Echo.Request.Packet
    This signature detects ICMP packets larger than 32 000 bytes, which can crash a server or cause it to hang.
    Default settings: Signature enabled, Logging enabled, Action: Pass
NMAP.Echo.Request
    NMAP is a free open source network mapping/security tool that is available for most operating systems. NMAP could be used maliciously to perform an ICMP sweep. ICMP echo request messages sent using this software contain special characters that identify NMAP as the source.
    Default settings: Signature disabled
Redirect.Code4.Echo.Request
    This signature detects ICMP type 5 code 4 redirect messages. An ICMP redirect message describes an alternate route for traffic to take. An attacker may use ICMP redirect messages to alter the routing table or cause traffic to follow an unintended route.
    Default settings: Signature enabled, Logging enabled, Action: Pass
Sniffer.Pro.NetXRay.Echo.Request
    Sniffer Pro and NetXRay are scanning tools. ICMP echo request messages sent using this software contain special characters that identify them as the source.
    Default settings: Signature enabled, Logging enabled, Action: Drop
Superscan.Echo.Request
    Superscan is a free network scanning tool for Windows from Foundstone Inc. Superscan could be used maliciously to perform an ICMP sweep. ICMP echo request messages sent using this software contain special characters that identify Superscan as the source.
    Default settings: Signature enabled, Logging enabled, Action: Drop
TimeStamp.Request
    TimeStamp detects timestamp request messages from a host pretending to be part of the network.
    Default settings: Signature enabled, Logging enabled, Action: Pass
TJPingPro1.1.Echo.Request
    TJPingPro1.1 is a widely-used network tool for older versions of Windows. TJPingPro could be used maliciously to perform an ICMP sweep. ICMP echo request messages sent using this software contain special characters that identify TJPingPro as the source.
    Default settings: Signature enabled, Logging enabled, Action: Drop
Traceroute.Traffic
    Traceroute is a very common network tool available on almost any operating system. This tool could be used maliciously to perform an ICMP sweep. ICMP echo request messages sent using this software contain special characters that identify traceroute as the source.
    Default settings: Signature enabled, Logging enabled, Action: Pass
Whatsup.Echo.Request
    WhatsUp Gold is a network scanning tool for Windows from IPswitch. WhatsUp could be used maliciously to perform an ICMP sweep. ICMP echo request messages sent using this software contain special characters that identify WhatsUpGold as the source.
    Default settings: Signature enabled, Logging enabled, Action: Drop
ICMP sweep anomalies
The FortiGate unit also detects ICMP sweeps that do not have a predefined signature to block them. The FortiGate IPS monitors traffic to ensure that ICMP messages do not exceed the default or user-defined threshold.
Configuring ICMP sweep protection
To set the configuration for the various ICMP sweep attacks, go to Intrusion Protection > Signatures and expand the icmp list. Each signature can be configured individually.
Figure 20: Some of the ICMP signatures in the predefined signature list
See “Predefined Signatures” on page 17 for information about configuring predefined signatures.
To set the configuration for the ICMP sweep anomaly in the web-based manager, go to Intrusion Protection > Traffic Anomaly, find icmp_sweep in the anomaly list, and select Edit.
Figure 21: Edit IPS Anomaly: icmp_sweep
See “Traffic anomalies” on page 43 for information about configuring anomalies.
Suggested settings for different network conditions
Enable or disable the ICMP predefined signatures depending on current network traffic and the network scanning tools being used.
To use the icmp_sweep anomaly, monitor the network to find out the normal ICMP traffic patterns. Configure the icmp_sweep anomaly threshold to be triggered when an unusual volume of ICMP requests occurs.