IPS on Fortigate

Posted on June 19, 2012




In this post I will show how to create a custom IPS signature, how to modify an IPS sensor with filters, and how to configure a DoS sensor on a FortiGate, using the CLI.

1. Custom signature configuration.

The IPS is configured in the following order:
1. Define a signature
2. Define your IPS sensor
3. Add IPS sensor to the firewall policy

Used Version: v4.0,build0521,120313 (MR3 Patch 6)

1. Custom IPS signature
———————–

1. Define a custom signature.

The custom signature fields are documented in the FortiGate IPS Guide. The link below is the FortiOS 2.8 MR11 edition; the configuration in this post was tested on 4.0 MR3, so check the IPS guide that matches your firmware for differences in the supported keywords:
http://docs.fortinet.com/fgt/archives/2.8MR11/01_28011_0080_20051117_FortiGate_IPS_Guide.pdf

In this example the FTP `RETR` (get) command is detected by the IPS. It should also be possible to convert Snort rules to FortiGate custom signatures; the keyword syntax is similar, so this may not be that difficult.

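# Custom signature: flag an FTP RETR (file download) command sent by the client.
config ips custom
    edit "ftp_get"
        # --no_case: FTP commands are case-insensitive (RFC 959), so "retr" must match as well as
        #   "RETR"; without it the signature is bypassed by simply lowercasing the command.
        # --flow from_client / --dst_port 21: only the client->server command channel is inspected.
        # --attack_id 7945 is the ID the IPS sensor references with "set rule 7945".
        # Only plaintext FTP is visible to the IPS; FTPS (TLS) and SFTP sessions cannot be matched.
        set signature "F-SBID( --name \"ftp_get\"; --attack_id 7945;  --protocol tcp; --dst_port 21; --flow from_client; --pattern RETR; --no_case;)"
    next
end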

2. Define your IPS Sensor with the custom signature:

# IPS sensor carrying the custom signature defined above.
config ips sensor
    edit "LINUX_SERVER"
        set comment "new1"
            config entries
                edit 1
                    # reset: tear the session down with a TCP RST (the signature is TCP-only).
                    set action reset
                    # keep the offending packet with the log entry for later analysis.
                    set log-packet enable
                        # attack_id of the custom signature "ftp_get".
                        set rule 7945
                    set status enable
                next
            end
    next
end

3. Edit the Firewall Policy with the IPS sensor.

# Firewall policy that applies the IPS sensor: the sensor only inspects traffic matching this policy.
config firewall policy
    edit 1
        set srcintf "internal"
        set dstintf "External"
            # NOTE(review): all/all/ANY permits every outbound connection. IPS inspection is a
            # detective layer on top of, not a substitute for, restricting addresses and services.
            set srcaddr "all"
            set dstaddr "all"
        set action accept
        set schedule "always"
            set service "ANY"
        # utm-status must be enabled, otherwise the ips-sensor below is not applied.
        set utm-status enable
        set logtraffic enable
        set ips-sensor "LINUX_SERVER"
        set profile-protocol-options "default"
        set nat enable
    next
end

2. Customizing IPS Sensor

1. Define the following filter on the IPS sensor.

Filter1:
OS=Linux
Proto=http

Action:
change to block

Filter2:
Ruleid=15229

Action:
Change to block

firewall (root) # show ips sensor LINUX_SERVER
# The same sensor after adding the two filter entries. Note that the custom-signature entry
# (rule 7945) from the previous section is no longer in this listing; add it back as a further
# entry if both are wanted.
config ips sensor
    edit "LINUX_SERVER"
        set comment "new1"
            config entries
                # Entry 1 is a filter: all predefined signatures tagged OS=Linux, protocol=HTTP,
                # target=server.
                edit 1
                    set action block
                    set location server
                    set log-packet enable
                    set os Linux
                    set protocol HTTP
                    # NOTE(review): unlike entry 2, no "set status enable" is shown here, so this entry
                    # is at the default status. Check "show full-configuration": if that default is
                    # "default", signatures that are disabled by default stay disabled even though
                    # they match the filter.
                next
                # Entry 2 pins one predefined signature by its rule ID.
                edit 2
                    set action block
                    set log-packet enable
                        set rule 15229
                    set status enable
                next
            end
    next
end

2. Edit the Firewall Policy with the IPS sensor.

See step 3 of the custom signature section above: the sensor is attached to the firewall policy with `set ips-sensor "LINUX_SERVER"`, which requires `set utm-status enable` on that policy.

3. DoS Sensor configuration.

1. Define your DoS sensor.

# DoS sensor: per-anomaly rate/session thresholds.
# NOTE(review): only "icmp_flood" shows "set status enable" and "set log enable"; the other
# anomalies only have a threshold. If, as in this release, anomaly entries default to status
# disabled and action pass, those thresholds have no effect until the entry is enabled, and even
# an enabled entry only logs unless "set action block" is added. Confirm the defaults with
# "show full-configuration" before relying on this sensor to block anything.
config ips DoS
    edit "DoS_Sensor"
            config anomaly
                edit "tcp_syn_flood"
                    set threshold 2000
                next
                edit "tcp_port_scan"
                    set threshold 1000
                next
                edit "tcp_src_session"
                    set threshold 5000
                next
                edit "tcp_dst_session"
                    set threshold 5000
                next
                edit "udp_flood"
                    set threshold 2000
                next
                edit "udp_scan"
                    set threshold 2000
                next
                edit "udp_src_session"
                    set threshold 5000
                next
                edit "udp_dst_session"
                    set threshold 5000
                next
                # The only anomaly that is explicitly enabled and logged in this listing.
                edit "icmp_flood"
                    set status enable
                    set log enable
                    set threshold 200
                next
                edit "icmp_sweep"
                    set threshold 100
                next
                edit "icmp_src_session"
                    set threshold 300
                next
                edit "icmp_dst_session"
                    set threshold 1000
                next
                edit "ip_src_session"
                    set threshold 5000
                next
                edit "ip_dst_session"
                    set threshold 5000
                next
            end
    next
end

2. Attach the DoS sensor to an interface policy. DoS sensors are applied with `config firewall interface-policy` on the ingress interface, not in a regular firewall policy.

# Interface policies apply the DoS sensor to traffic arriving on the named interface.
# NOTE(review): both entries are on "internal" with identical all/all/ANY matches. Interface
# policies are evaluated in the order listed, so the first match ("DoS_Sensor", entry 2) is the
# one applied and "block_flood" (entry 1) is presumably never reached; merge the two sensors or
# narrow one of the matches. Also note "internal" inspects traffic coming from the LAN; to rate
# limit floods from the Internet the sensor must be bound to the external interface as well.
config firewall interface-policy
    edit 2
        set interface "internal"
            set srcaddr "all"
            set dstaddr "all"
            set service "ANY"
        set ips-DoS-status enable
        set ips-DoS "DoS_Sensor"
    next
    edit 1
        set interface "internal"
            set srcaddr "all"
            set dstaddr "all"
            set service "ANY"
        set ips-DoS-status enable
        set ips-DoS "block_flood"
    next
end