

Optimizing IPS Signature workflows to minimize False Positives with FortiOS 6.4.2

Today's ever-changing threat landscape drives the need for security services to constantly stay ahead of the latest threats. This means that security teams have to constantly update the IPS signatures that relate to the latest threats relevant to their specific organization. With new vulnerabilities and new malware being discovered every day, security vendors are creating new signatures every day to mitigate the new threats. Every network is unique, with its own traffic patterns and requirements, so most security teams test new signatures on their Intrusion Prevention Systems (or on their Network Firewalls, if they use the consolidated IPS capability) to ensure the new signatures have no adverse impact on existing traffic; in other words, to catch or minimize false positives.

Let's take a look at the features released in FortiOS 6.4.2 that deliver significant enhancements to the IPS workflows for monitoring signatures and reducing false positives.

The FortiOS 6.4.2 release includes two new IPS Signature filter options:

  • Hold Time
  • CVE Pattern

Hold Time

The hold-time option allows you to set, per VDOM, the amount of time that signatures are held after a FortiGuard IPS signature update. During the holding period, the signature's mode is monitor. The new signatures are enabled after the hold-time, to avoid false positives. The hold-time can be from 0 days and 0 hours (default) up to 7 days, in the format ##d##h.

How to enable Hold Time:

To configure the amount of time to hold and monitor IPS signatures:

config system ips
    set signature-hold-time 3d12h
    set override-signature-hold-by-id enable
end


Customer Benefit:

This feature allows security teams to optimize their workflows for new signatures as they are released and minimize the chances of a false positive trigger with a new signature, thereby eliminating the negative impact on the network of blocking legitimate traffic and applications.
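As an added example (not part of the original article and not Fortinet code), the following Python script parses a ##d##h hold-time value, enforces the 0 to 7 day range described above, and computes when signatures from a given update leave monitor mode, which is the deadline for reviewing monitor-mode hits. The function names, the accepted short forms ("7d", "12h") and the sample update time are assumptions of this example.

```python
import re
from datetime import datetime, timedelta, timezone

# Assumption of this example: days and/or hours may be given, e.g. "3d12h", "7d", "12h".
_HOLD_RE = re.compile(r"^(?:(\d{1,2})d)?(?:(\d{1,2})h)?$")
MAX_HOLD = timedelta(days=7)  # upper bound stated in the article


def parse_hold_time(value: str) -> timedelta:
    """Parse a ##d##h hold-time string and enforce the 0..7 day range."""
    m = _HOLD_RE.match(value.strip().lower())
    if not m or (m.group(1) is None and m.group(2) is None):
        raise ValueError(f"not in ##d##h format: {value!r}")
    hold = timedelta(days=int(m.group(1) or 0), hours=int(m.group(2) or 0))
    if hold > MAX_HOLD:
        raise ValueError(f"hold time {value!r} exceeds 7 days")
    return hold


def enforcement_time(updated_at: datetime, hold: str) -> datetime:
    """Time at which signatures received at updated_at leave monitor mode."""
    return updated_at + parse_hold_time(hold)


def signature_mode(updated_at: datetime, hold: str, now: datetime) -> str:
    """'monitor' while the hold window is open, 'enabled' afterwards."""
    return "monitor" if now < enforcement_time(updated_at, hold) else "enabled"


if __name__ == "__main__":
    # Constructed sample: time at which a signature update was received.
    update = datetime(2020, 8, 3, 9, 0, tzinfo=timezone.utc)
    deadline = enforcement_time(update, "3d12h")
    print("review monitor-mode hits before:", deadline.isoformat())
    for probe in (update + timedelta(days=1), deadline):
        print(probe.isoformat(), signature_mode(update, "3d12h", probe))
```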




CVE Pattern

The CVE pattern option allows you to filter IPS signatures based on CVE IDs or with a CVE wildcard, ensuring that any signatures tagged with that CVE are automatically included.

Customer Benefit

This feature improves the security team's response time to threats. With this capability, they can quickly search by CVE ID to find which IPS signatures to turn on for a specific vulnerability.

How to Implement CVE Pattern

To configure CVE patterns for CVE-2010-0177 and all CVE-2017 CVEs:

config ips sensor
    edit "cve"
        set comment "cve"
        config entries
            edit 1
                set cve "cve-2010-0177"
                set status enable
                set log-packet enable
                set action block
            next
            edit 2
                set cve "cve-2017"
                set action reset
            next
        end
    next
end