IPS On FortiGate Firewall
An exploit is a program, or piece of code, designed to find and take advantage of a
security flaw or vulnerability in an application or computer system, typically for
malicious purposes such as installing malware.
An exploit is not malware itself; it is a method used by cybercriminals to deliver
malware.
Vulnerabilities VS Anomalies
Vulnerabilities are known attacks with known patterns that can be matched by IPS, web
application firewall (WAF) or antivirus signatures.
Anomalies, by contrast, are deviations in traffic volume or behaviour (such as a flood)
that have no fixed pattern to match; they are handled by threshold-based defenses.
IPS concepts
✓ Anomaly–based defense
Anomaly-based defense is used when network traffic itself is used as a weapon. A
host can be flooded with far more traffic than it can handle, making the host
inaccessible.
The most common example is the denial of service (DoS) attack.
___________________________________________________________________________
How to Configure IPS on FortiGate Firewall | By: Emad Hegazi
Page 1 of 11 #support_team247 #FortiGate | https://www.linkedin.com/in/emadhegazi/
The FortiGate DoS feature will block traffic above a certain threshold from the
attacker and allow connections from other legitimate users.
✓ Signature-based defense
Signature-based defense is used against known attacks or vulnerability exploits.
These often involve an attacker attempting to gain access to your network. The
attacker must communicate with the host in an attempt to gain access and this
communication will include particular commands or sequences of commands and
variables.
The IPS signatures include these command sequences, allowing the FortiGate unit to
detect and stop the attack.
IPS components
✓ Signatures
Every attack can be reduced to a particular string of commands or a sequence
of commands and variables.
Signatures also include characteristics about the attack like the network protocol
in which the attack will appear, the vulnerable operating system, and the
vulnerable application.
To view the complete list of signatures, go to Security Profiles > IPS Signatures.
✓ Protocol decoders
Before examining network traffic for attacks, the IPS engine uses protocol
decoders to identify each protocol appearing in the traffic.
Attacks are protocol-specific, so your FortiGate unit conserves resources by
looking for attacks only in the protocols used to transmit them.
For example, the FortiGate unit will only examine HTTP traffic for the presence of a
signature describing an HTTP attack.
Protocol decoders parse each packet according to the protocol specification.
Usually, the protocol is detected automatically from the traffic itself.
✓ IPS Engine
Once the protocol decoders separate the network traffic by protocol, the IPS
engine examines the network traffic for the attack signatures.
IPS Engine is the software that applies IPS and application control scanning
techniques to content passing through FortiOS.
IPS engine updates include detection and performance improvements and bug
fixes.
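The pipeline described in the last two sections (decode the protocol first, then run only the signatures written for that protocol) is modelled below in Python. This is an added example to illustrate the text, not FortiOS, FortiGuard or IPS-engine code; the decoders, the signature names, the fields a signature inspects and the sample packets are all constructed for the example.

```python
"""Toy IPS pipeline: protocol decoders run first, then only the signatures
written for the decoded protocol are evaluated.  Added example, not FortiOS
code; decoders, signature names and sample packets are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Signature:
    name: str          # constructed name, not a FortiGuard signature ID
    protocol: str      # protocol the attack is carried over
    pattern: str       # regex evaluated against the decoded fields
    fields: tuple      # which decoded fields the pattern applies to
    action: str = "block"


def decode_http(payload: bytes):
    """Parse an HTTP/1.x request into request line, headers and body."""
    text = payload.decode("latin-1")
    head, _, body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None                       # not HTTP: let the next decoder try
    return {"protocol": "http", "method": m.group(1), "uri": m.group(2),
            "headers": "\n".join(lines[1:]), "body": body}


SMTP_VERBS = ("EHLO", "HELO", "MAIL FROM", "RCPT TO", "DATA")


def decode_smtp(payload: bytes):
    """Split one SMTP client command into verb and argument."""
    try:
        first = payload.decode("ascii").split("\r\n", 1)[0]
    except UnicodeDecodeError:
        return None
    verb = next((v for v in SMTP_VERBS if first.upper().startswith(v)), None)
    if verb is None:
        return None
    return {"protocol": "smtp", "command": verb,
            "argument": first[len(verb):].strip()}


DECODERS = (decode_http, decode_smtp)


def decode(payload: bytes) -> dict:
    """Identify the protocol automatically by trying each decoder in turn."""
    for decoder in DECODERS:
        fields = decoder(payload)
        if fields is not None:
            return fields
    return {"protocol": "unknown"}


def inspect(payload: bytes, signatures):
    """Return (protocol, matched signatures).  Signatures for other
    protocols are skipped entirely; that skip is the resource saving."""
    fields = decode(payload)
    hits = []
    for sig in signatures:
        if sig.protocol != fields["protocol"]:
            continue
        haystack = "\n".join(str(fields.get(f, "")) for f in sig.fields)
        if re.search(sig.pattern, haystack, re.IGNORECASE | re.MULTILINE):
            hits.append(sig)
    return fields["protocol"], hits


# Constructed signatures (illustrative names, not FortiGuard entries).
SIGNATURES = [
    Signature("HTTP.Path.Traversal", "http", r"\.\./", ("uri",)),
    Signature("HTTP.Shell.Command.Injection", "http",
              r"[;|&]\s*(cat|wget|curl|nc)\b", ("uri", "body")),
    Signature("SMTP.Command.Overflow", "smtp", r"^\S{200,}$", ("argument",)),
]

# Constructed sample packets.
HTTP_TRAVERSAL = (b"GET /cgi-bin/../../etc/passwd HTTP/1.1\r\n"
                  b"Host: www.example.com\r\n\r\n")
SMTP_OVERFLOW = b"EHLO " + b"A" * 300 + b"\r\n"
# Contains '../' but is SMTP, so the HTTP traversal signature is never run.
SMTP_WITH_DOTS = b"MAIL FROM:<../../x@example.com>\r\n"

if __name__ == "__main__":
    for pkt in (HTTP_TRAVERSAL, SMTP_OVERFLOW, SMTP_WITH_DOTS, b"\x00\x01garbage"):
        proto, hits = inspect(pkt, SIGNATURES)
        print(proto, [(s.name, s.action) for s in hits])
```

The SMTP packet carrying `../` is the point of the example: the traversal signature is an HTTP signature, so it is never consulted for SMTP traffic, exactly as the text says the FortiGate unit only examines HTTP traffic for HTTP attacks.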
• The IPS engine itself is updated occasionally, far less often than the signature
packages.
• The default automatic update schedule for FortiGuard packages has changed.
Previously, updates ran at a recurring random interval within two hours.
Starting with FortiOS 7.0, the schedule is automatic and the update interval is
calculated from the model and the percentage of active subscriptions; updates
occur within 1 hour.
• The FortiGuard research team identifies and builds new IPS signatures, just as it
builds antivirus signatures. If your FortiGuard service contract expires, you can still
use IPS with the signatures already on the unit, but you no longer receive new ones.
However, just like antivirus scanning, the effectiveness of IPS scanning declines as
the signature set ages: old signatures cannot defend against new attacks.
✓ The extended signature database:
• contains additional signatures for attacks that have a high-performance impact,
or that by their nature do not support blocking.
• Because of its size, the extended database is not suitable for FortiGate models with
smaller disks or memory. However, for high-security networks, you may need to
enable the extended signature database.
• the extended database package may be disabled by default on some models,
such as desktop models.
You can only enable the extended IPS database by using the CLI.
--------------------------------------------------------
To enable the extended IPS database:
config ips global
    set database extended
end
--------------------------------------------------------
• FortiGate models with the CP9 SPU receive the IPS full extended database, and
the other physical FortiGate models receive a slim version of the extended
database.
The slim-extended DB is a smaller version of the full extended DB that contains top
active IPS signatures. It is designed for customers who prefer performance.
From the Security Profiles > Intrusion Prevention pane, you can create new IPS sensors
✓ IPS Signature and Filters
Rate-based signatures
You can also add rate-based signatures to block specific traffic when it exceeds
a threshold for a configured period of time.
Rate-based signatures are a subset of the signatures found in the database; their
default action is monitor.
This group of signatures covers vulnerabilities that are normally only considered a
serious threat when the targeted connections come in multiples, a little like DoS
attacks.
Once a source exceeds the threshold within the configured duration, FortiGate blocks
that client for the configured block duration and stops tracking statistics for it.
This saves system resources and prevents repeated attacks.
2- By Filters:
Add signatures to sensors by using filters. FortiGate adds all signatures that match
the filter.
✓ Exempt IPs
Sometimes it is desirable to exempt specific source or destination IP addresses
from specific signatures.
This feature is very useful during a false-positive outbreak. You can temporarily
bypass the affected endpoints until you investigate and correct the false-positive
issue.
IP exemptions are configured on an individual signature, not on a sensor as a whole.
Each signature can have multiple IP exemptions.
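The two behaviours described above, a rate-based signature that blocks a client once it exceeds a threshold within a time window, and per-signature exempt IPs that bypass the check for listed sources or destinations, are modelled together below in Python. This is an added example, not FortiOS code; the signature name, the threshold and duration values, the addresses and the event streams are constructed, and the "greater than threshold inside the window" rule is the example's own simplification of the feature.

```python
"""Rate-based signature with per-signature IP exemptions, modelled on the
behaviour described above.  Added example, not FortiOS code: signature name,
thresholds, addresses and event streams are constructed."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class RateSignature:
    name: str
    threshold: int          # matches tolerated inside one window
    duration: float         # length of the counting window, seconds
    block_duration: float   # how long a tripping source stays blocked, seconds
    exempt: tuple = ()      # networks exempt from this signature only


class RateSensor:
    def __init__(self, signatures):
        self.sigs = {s.name: s for s in signatures}
        self.hits = defaultdict(deque)   # (signature, src) -> match times in window
        self.blocked = {}                # (signature, src) -> block expiry time

    @staticmethod
    def is_exempt(sig, src, dst):
        """Exempt when the source or the destination is in an exempt network."""
        return any(ip_address(src) in net or ip_address(dst) in net
                   for net in map(ip_network, sig.exempt))

    def observe(self, sig_name, src, dst, now):
        """Process one signature match; return 'exempt', 'monitor' or 'block'."""
        sig = self.sigs[sig_name]
        if self.is_exempt(sig, src, dst):
            return "exempt"
        key = (sig_name, src)
        expiry = self.blocked.get(key)
        if expiry is not None:
            if now < expiry:
                return "block"           # still quarantined; no statistics kept
            del self.blocked[key]        # block elapsed; start counting afresh
        window = self.hits[key]
        window.append(now)
        while now - window[0] > sig.duration:
            window.popleft()             # forget matches outside the window
        if len(window) > sig.threshold:
            self.blocked[key] = now + sig.block_duration
            window.clear()               # stop tracking this client while blocked
            return "block"
        return "monitor"                 # below threshold: log only


def run(events, signatures):
    """Feed (signature, src, dst, time) events through a fresh sensor."""
    sensor = RateSensor(signatures)
    return [sensor.observe(*ev) for ev in events]


# Constructed signature: 5 matches per 60 s, then a 300 s block,
# with the 10.0.0.0/24 vulnerability-scanner network exempted.
SIG = "SSH.Login.Brute.Force"
SIGS = [RateSignature(SIG, threshold=5, duration=60.0,
                      block_duration=300.0, exempt=("10.0.0.0/24",))]

# Constructed event streams (documentation address ranges only).
FAST_ATTACKER = ([(SIG, "203.0.113.7", "192.0.2.10", t) for t in range(0, 70, 10)]
                 + [(SIG, "203.0.113.7", "192.0.2.10", 400.0)])
SLOW_CLIENT = [(SIG, "198.51.100.4", "192.0.2.10", t) for t in range(0, 180, 30)]
EXEMPT_SCANNER = [(SIG, "10.0.0.5", "192.0.2.10", t) for t in range(0, 70, 10)]

if __name__ == "__main__":
    for label, events in (("fast", FAST_ATTACKER), ("slow", SLOW_CLIENT),
                          ("exempt", EXEMPT_SCANNER)):
        print(label, run(events, SIGS))
```

The fast attacker is monitored for the first five matches, blocked on the sixth, stays blocked while quarantined (no counters are kept for it), and is counted afresh once the block expires; the slow client never accumulates more than three matches in any 60 s window and is only ever monitored; the exempt scanner is never evaluated at all.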
✓ IPS Actions
✓ Packet logging:
If enabled, FortiGate saves a copy of packets that match the signature.
Since the botnet database is part of the FortiGuard IPS contract, administrators
can enable scanning for botnet connections to strengthen internal security.
{A botnet is a group of computers that have been infected by malware and have
come under the control of a malicious actor. The term botnet comes from the words
robot and network, and each infected device is called a bot.}
Best Practices
✓ Usually, traffic that needs content inspection, such as antivirus and IPS scanning,
is processed by the CPU on the FortiGate. However, certain FortiGate models have
dedicated chips (such as the CP9 content processor) that offload these inspection
tasks. This frees up CPU cycles for other work and also speeds up sessions that
require security checks.
Troubleshooting
• If there are any indications that the IPS signatures have not been updated,
investigate {always make sure that the FortiGate has working DNS resolution for
update.fortiguard.net}.
✓ Sustained high CPU usage by the IPS engine is abnormal and should be investigated.
You can troubleshoot these issues from the CLI with the {diagnose test application
ipsmonitor} command.
✓ When there is not enough memory in the IPS socket buffer to accommodate new
packets, IPS enters fail-open mode.
What happens in this state depends on the IPS configuration: the fail-open setting
under config ips global decides whether new traffic is passed without inspection
(enable) or dropped (disable).
Frequent IPS fail-open events usually indicate that the IPS cannot keep up with the
traffic. So, try to recognize patterns {Has traffic increased recently? Has throughput
demand increased? Are fail-opens triggered at specific times of the day?}, then
adjust and optimize your IPS configuration.