Today's ever-changing threat landscape requires security services to stay ahead of the latest threats. In practice, security teams must continually update the IPS signatures that cover the threats relevant to their organization. With new vulnerabilities and new malware discovered every day, security vendors create new signatures every day to mitigate them. Every network is unique, with its own traffic patterns and requirements, so most security teams test new signatures on their Intrusion Prevention Systems (or on their Network Firewalls, if they use the consolidated IPS capability) to ensure the signatures have no adverse impact on existing traffic; in other words, they try to catch or minimize false positives.
Let's take a look at the features released in FortiOS 6.4.2 that deliver significant enhancements to the IPS workflows for monitoring signatures and reducing false positives.
The FortiOS 6.4.2 release includes two new IPS signature filter options:
Hold Time
The hold-time option sets the amount of time that signatures are held after a FortiGuard IPS signature update, per VDOM. During the holding period the signature's mode is monitor; the new signatures are enabled only after the hold-time expires, to avoid false positives. The hold-time can be from 0 days and 0 hours (default) up to 7 days, in the format ##d##h.
How to enable Hold Time:
To configure the amount of time to hold and monitor IPS signatures:
config system ips
    set signature-hold-time 3d12h
    set override-signature-hold-by-id enable
end
Customer Benefit:
This feature allows security teams to optimize their workflows for new signatures as they are released and to minimize the chance that a new signature triggers a false positive, thereby avoiding the negative impact on the network of blocking legitimate traffic and applications.
------------------------------------
CVE Pattern
The CVE pattern option allows you to filter IPS signatures based on CVE IDs or with a CVE wildcard, ensuring that any signatures tagged with that CVE are automatically included.
Customer Benefit
This feature shortens the time security teams need to respond to threats: they can quickly search by CVE ID to find which IPS signatures to turn on for a specific vulnerability.
How to Implement CVE Pattern
To configure CVE patterns for CVE-2010-0177 and all CVE-2017 CVEs:
config ips sensor
    edit "cve"
        set comment "cve"
        config entries
            edit 1
                set cve "cve-2010-0177"
                set status enable
                set log-packet enable
                set action block
            next
            edit 2
                set cve "cve-2017"
                set action reset
            next
        end
    next
end
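To make the two options concrete, here is an added Python model (not Fortinet code) of how the hold-time and CVE pattern options above interact: it validates the ##d##h format and 7-day limit, treats a signature as monitor-only while its hold window is open, and applies the CVE entries from the sensor to a constructed signature list. The prefix semantics of the "cve-2017" wildcard and the sample signature names and CVE tags are assumptions made for this example.

```python
"""Model of the FortiOS 6.4.2 IPS hold-time and CVE pattern options.
Constructed example; matching rules are an assumption, not the FortiGate code."""
import re
from datetime import datetime, timedelta

HOLD_RE = re.compile(r"^(?P<d>\d{1,2})d(?P<h>\d{1,2})h$")


def parse_hold_time(value: str) -> timedelta:
    """Parse a ##d##h hold-time string and reject anything over 7 days."""
    m = HOLD_RE.match(value)
    if not m:
        raise ValueError(f"hold-time must look like 3d12h, got {value!r}")
    hold = timedelta(days=int(m["d"]), hours=int(m["h"]))
    if hold > timedelta(days=7):
        raise ValueError("hold-time cannot exceed 7 days")
    return hold


def effective_action(released: datetime, now: datetime, hold: str, configured: str) -> str:
    """A newly released signature stays in monitor mode until the hold window elapses."""
    return "monitor" if now - released < parse_hold_time(hold) else configured


def cve_matches(pattern: str, cve_ids) -> bool:
    """Exact CVE id, or a wildcard prefix such as 'cve-2017' (assumed prefix match)."""
    p = pattern.lower()
    return any(c.lower() == p or c.lower().startswith(p + "-") for c in cve_ids)


def plan_sensor(entries, signatures, now: datetime, hold: str) -> dict:
    """Return {signature name: effective action} for signatures the sensor entries select."""
    result = {}
    for sig in signatures:
        for entry in entries:  # first matching entry wins, as entries are ordered
            if cve_matches(entry["cve"], sig["cves"]):
                result[sig["name"]] = effective_action(sig["released"], now, hold, entry["action"])
                break
    return result


# Constructed sample data: signature names and the 2017/2018 CVE tags are placeholders.
SIGNATURES = [
    {"name": "Sample.Sig.A", "cves": ["CVE-2010-0177"], "released": datetime(2024, 1, 1)},
    {"name": "Sample.Sig.B", "cves": ["CVE-2017-0000"], "released": datetime(2023, 12, 1)},
    {"name": "Sample.Sig.C", "cves": ["CVE-2018-0000"], "released": datetime(2023, 12, 1)},
]
# Mirrors the sensor entries from the CLI example above.
ENTRIES = [{"cve": "cve-2010-0177", "action": "block"}, {"cve": "cve-2017", "action": "reset"}]

if __name__ == "__main__":
    print(plan_sensor(ENTRIES, SIGNATURES, datetime(2024, 1, 2), "3d12h"))
```

Sample.Sig.A is selected but still reports monitor because it was released within the 3d12h window; Sample.Sig.C is not selected by either entry.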