A vulnerability

Is a weakness in an IT system (OS or Application) that can be exploited by an attacker

to deliver a successful attack.

An exploit
Is a program, or piece of code, designed to find and take advantage of a security flaw
or vulnerability in an application or computer system, typically for malicious purposes
such as installing malware.
An exploit is not malware itself, but rather it is a method used by cybercriminals to
deliver malware.

Vulnerabilities VS Anomalies
Vulnerabilities are known attacks with known patterns that can be matched by IPS, web
application firewall (WAF) or antivirus signatures.

Anomalies refer to unusual behavior in the network, such as higher-than-normal CPU

usage or network traffic.
Anomalies must be detected and monitored (and in some cases, blocked or mitigated)
because they may be symptoms of a new attack that has never been seen before
(Zero-day attack).
Anomalies are detected through behavioral analysis, such as DoS policies, and protocol
constraint checks.

IPS concepts

IPS protects your network from outside attacks.

IPS has two techniques to deal with these attacks: anomaly- and signature-based
defense.

✓ Anomaly–based defense
Anomaly-based defense is used when network traffic itself is used as a weapon. A
host can be flooded with far more traffic than it can handle, making the host
inaccessible.
The most common example is the denial of service (DoS) attack

___________________________________________________________________________
How to Configure IPS on FortiGate Firewall | By: Emad Hegazi
Page 1 of 11 #support_team247 #FortiGate | https://www.linkedin.com/in/emadhegazi/
 The FortiGate DoS feature will block traffic above a certain threshold from the
attacker and allow connections from other legitimate users.

✓ Signature-based defense
Signature-based defense is used against known attacks or vulnerability exploits.
These often involve an attacker attempting to gain access to your network. The
attacker must communicate with the host in an attempt to gain access and this
communication will include particular commands or sequences of commands and
variables.
The IPS signatures include these command sequences, allowing the FortiGate unit to
detect and stop the attack.

IPS components

✓ IPS Signatures databases

✓ Protocol Decoders
✓ IPS Engines
➢ Application Control
➢ Antivirus (flow-based)
➢ Web filter (flow-based)
➢ Email filter ((flow-based)

✓ Signatures
Every attack can be reduced to a particular string of commands or a sequence
of commands and variables.
Signatures also include characteristics about the attack like the network protocol
in which the attack will appear, the vulnerable operating system, and the
vulnerable application.
To view the complete list of signatures, go to Security Profiles > IPS Signatures.

___________________________________________________________________________
How to Configure IPS on FortiGate Firewall | By: Emad Hegazi
Page 2 of 11 #support_team247 #FortiGate | https://www.linkedin.com/in/emadhegazi/
 ✓ Protocol decoders
Before examining network traffic for attacks, the IPS engine uses protocol
decoders to identify each protocol appearing in the traffic.
Attacks are protocol-specific, so your FortiGate unit conserves resources by
looking for attacks only in the protocols used to transmit them.
For example, the FortiGate unit will only examine HTTP traffic for the presence of a
signature describing an HTTP attack.
Protocol decoder Parse each packet according to the protocol specification.
Usually, the protocol is detected automatically.

✓ IPS Engine
Once the protocol decoders separate the network traffic by protocol, the IPS
engine examines the network traffic for the attack signatures.
IPS Engine is the software that applies IPS and application control scanning
techniques to content passing through FortiOS.
IPS engine updates include detection and performance improvements and bug
fixes.

FortiGuard IPS updates

• IPS signatures updated most frequently.

By default, each FortiGate firmware release includes an initial set of IPS signatures.
Used to upgrade the IPS signature database. In this way, the IPS is still effective for
new vulnerabilities.
• Protocol decoders are rarely updated unless the protocol specification or RFC
changes (which doesn't happen often).

___________________________________________________________________________
How to Configure IPS on FortiGate Firewall | By: Emad Hegazi
Page 3 of 11 #support_team247 #FortiGate | https://www.linkedin.com/in/emadhegazi/
 • The IPS engine itself changes more frequently, but still infrequently.

• The default automatic update schedule for FortiGuard packages has been
updated. Previously, the frequency was a recurring random interval within two
hours.
Starting with FortiOS 7.0, the frequency is automatic and the update interval is
calculated based on the model and percentage of active subscriptions. The
update interval is within 1 hour.
• The FortiGuard research team identifies and builds new signatures, just like
antivirus signatures. So, if your FortiGuard service contract expires, you can still use
IPS.
However, just like anti-virus scanning, the efficiency of IPS scanning will increase
with the extension of signature time, and old signatures will not be able to defend
against new attacks.

Types of IPS signature Databases

✓ Regular signature database:

contains signatures of some common attacks that cause few or no false positives.
It is a smaller database and its default action is to block detected attacks.

___________________________________________________________________________
How to Configure IPS on FortiGate Firewall | By: Emad Hegazi
Page 4 of 11 #support_team247 #FortiGate | https://www.linkedin.com/in/emadhegazi/
 ✓ The extended signature database:
• contains additional signatures for attacks that have a high-performance impact,
or that by their nature do not support blocking.
• In fact, due to its big size, the extended database is not suitable for FortiGate
models with smaller disks or memory. However, for high security networks, you may
need to enable the extended signature database.
• the extended database package may be disabled by default on some models,
such as desktop models.

You can only enable the extended IPS database by using the CLI.
--------------------------------------------------------
To enable the extended IPS database:

config ips global

set database extended

end

--------------------------------------------------------
• FortiGate models with the CP9 SPU receive the IPS full extended database, and
the other physical FortiGate models receive a slim version of the extended
database.
The slim-extended DB is a smaller version of the full extended DB that contains top
active IPS signatures. It is designed for customers who prefer performance.

IPS Security Profile (IPS sensor)

From the Security Profiles > Intrusion Prevention pane, you can create new IPS sensors

___________________________________________________________________________
How to Configure IPS on FortiGate Firewall | By: Emad Hegazi
Page 5 of 11 #support_team247 #FortiGate | https://www.linkedin.com/in/emadhegazi/
 ✓ IPS Signature and Filters

There are two ways to add predefined signatures on IPS sensors.

1- By Signature:
Choose signatures individually. When a signature is selected in the list, that
signature is added to the sensor as a default action. You can then right click on
the signature and change the action.

Rate-based signatures
You can also add rate-based signatures to block specific traffic when it exceeds
a threshold for a configured period of time.

___________________________________________________________________________
How to Configure IPS on FortiGate Firewall | By: Emad Hegazi
Page 6 of 11 #support_team247 #FortiGate | https://www.linkedin.com/in/emadhegazi/
 Rate-based signatures are a subset of the signatures that are found in the
database that are normally set to monitor.
This group of signatures is for vulnerabilities that are normally only considered a
serious threat when the targeted connections come in multiples, a little like DoS
attacks.
This saves system resources and prevents repeated attacks. FortiGate does not
track statistics for this client, and it is temporarily blocked.

2- By Filters:
Add signatures to sensors by using filters. FortiGate adds all signatures that match
the filter.

✓ IPS Inspection Sequence

Rules are similar to firewall policy matches; the engine first evaluates the filters and
signatures at the top of the list and applies the first match. The engine skips
subsequent filters.
Avoid doing too many filters, as this increases computation and CPU usage.
Also, avoid making very large signature groups in each filter, which increases
memory usage.

✓ Exempt IPs
Sometimes it is desirable to exempt specific source or destination IP addresses
from specific signatures.
This feature is very useful during false positive virus outbreaks. You can temporarily
bypass affected endpoints until you investigate and correct the false positive
issue.

___________________________________________________________________________
How to Configure IPS on FortiGate Firewall | By: Emad Hegazi
Page 7 of 11 #support_team247 #FortiGate | https://www.linkedin.com/in/emadhegazi/
 IP exemptions can only be configured on a single signature. Each signature can
have multiple IP exemptions.

✓ IPS Actions

• Allow: to allow traffic to continue to the destination.

• Monitor: to allow traffic to continue to its destination and log the activity.
• Block: to silently drop traffic that matches any of the signatures contained
in the entry.
• Reset: if selected, a TCP RST message will be generated when the signature
is triggered.
• Default: to adopt the default action of the signature.
• Quarantine: allows you to isolate an attacker's IP address for a specified
period of time. You can set the quarantine duration to any number of days,
hours, or minutes.

✓ Packet logging:
If enabled, FortiGate saves a copy of packets that match the signature.

What is DDoS attack?

In DDoS attacks, an attacker directs a large number of computers to attempt
normal access of the target system. If enough access attempts are made, the
___________________________________________________________________________
How to Configure IPS on FortiGate Firewall | By: Emad Hegazi
Page 8 of 11 #support_team247 #FortiGate | https://www.linkedin.com/in/emadhegazi/
 target is overwhelmed and unable to service genuine users. The attacker does
not gain access to the target system, but it is not accessible to anyone else.

Besides protecting against threats and exploitation of vulnerabilities, the IPS

engine is also responsible for mitigating DDoS attacks using anomaly-based
defense,

Since the botnet database is part of the FortiGuard IPS contract, administrators
can enable scanning for botnet connections to maximize its internal security.
{A botnet refers to a group of computers which have been infected by malware
and have come under the control of a malicious actor. The term botnet is from
the word’s robot and network and each infected device is called a bot.}

Botnets and C&Cs Actions:

• Disabled: do not scan connections to botnet servers
• Block: Block the connection with the botnet server
• Monitoring: record the log of connecting to the botnet server

Best Practices

✓ Before implementing an IPS, you need to analyze your network needs.

• Enabling the default profile across all policies can quickly lead to problems,
the fewest of which are false positives.
• Performing unnecessary inspections on all network traffic can result in high
resource utilization, which can hinder FortiGate's ability to handle regular
traffic.
___________________________________________________________________________
How to Configure IPS on FortiGate Firewall | By: Emad Hegazi
Page 9 of 11 #support_team247 #FortiGate | https://www.linkedin.com/in/emadhegazi/
 ✓ You must assess the applicable threats. If your organization only runs Windows,
you don't need to scan for Mac OS vulnerabilities.
✓ It is also important to consider the direction of traffic. There are many IPS
signatures that only apply to clients, and many signatures that only apply to
servers.
✓ Create IPS sensors specific to the resources you wish to protect. This ensures that
FortiGate does not scan insignificantly signed traffic.
✓ IPS is not a fixed implementation. You need to monitor the logs regularly to find
unusual traffic patterns and adjust the configuration of the IPS profile according
to the actual situation. You should also regularly audit your internal resources to
determine if certain vulnerabilities still apply to your organization.
✓ Certain vulnerabilities apply only to encrypted connections. In some of these
cases, FortiGate cannot reliably identify threats without being able to parse the
payload. For this reason, if you want to get the most out of your IPS and WAF
capabilities, you must use SSL inspection profiles.

✓ Usually, the traffic that needs to be inspected, such as anti-virus and IPS, is
processed by the CPU on the FortiGate. However, there are dedicated chips on
certain FortiGate models that offload these inspection tasks. This frees up CPU
cycles to manage other tasks, and also speeds up sessions that require security
checks.

Troubleshooting

✓ IPS update requests Send to update.fortiguard.net on TCP port 443.

✓ You should periodically check for the most recent update timestamp.

• If there are any indications that the IPS definitions haven't been updated,
you should investigate {Always make sure that FortiGate has proper DNS
resolution for update.fortiguard.net}.

___________________________________________________________________________
How to Configure IPS on FortiGate Firewall | By: Emad Hegazi
Page 10 of 11 #support_team247 #FortiGate | https://www.linkedin.com/in/emadhegazi/
 ✓ The high CPU usage of the IPS engine is abnormal and needs to be checked. You
can troubleshoot these issues by using CLI, {diagnose test application ipsmonitor}
command

• Option 2: completely disable the IPS engine

• Option 5: enables IPS bypass mode. In this mode, the IPS engine is still
running, but no traffic inspection is performed.
If CPU usage drops after this, it usually indicates that the traffic being
inspected is too high for that FortiGate model.
If CPU usage remains high after enabling IPS bypass mode, it usually
indicates a problem with the IPS engine and needs to be reported to
Fortinet Support.
• Option 99: ensures that all IPS-related processes restart gracefully.

✓ When there is no enough memory in the IPS socket buffer to accommodate new
packets, IPS will enter fail open mode.
What happens in this state depends on the IPS configuration.

• If the fail-open setting is enabled, some new packets (depending on system

load) will pass through without being inspected.
• If this setting is disabled, new packets will be dropped.

Frequent IPS failures to open events usually indicate that the IPS cannot
meet the traffic requirements. So, try to recognize patterns {Has traffic
increased recently? Has throughput demand increased? Are fail-opens
triggered at specific times of the day?}.
Adjust and optimize your IPS configuration.

___________________________________________________________________________
How to Configure IPS on FortiGate Firewall | By: Emad Hegazi
Page 11 of 11 #support_team247 #FortiGate | https://www.linkedin.com/in/emadhegazi/