Description | This article explains how to create custom rate-based settings for specific signatures. |
Scope | FortiGate IPS. |
Solution |
IPS signature patterns are created based on generic Threshold and duration values which can turn out to be false positive events in specific environments based on the traffic flow for which the signature rate values can be modified.
In the below example, SMB.login.Brute.Force is set with the default value of 500 failed attempts in one minute from the below article: https://www.fortiguard.com/encyclopedia/ips/12090
This can be a false positive event in an environment that is expecting more than 500 login failures in a minute for which the below modifications can be made under Security Profile -> Select the IPS profile, select the IPS entry -> Switch Type to Signature.
The threshold value of 500 is switched to 1000 for the selected signature
to make the changes over CLI:
config ips sensor
For more information about IPS sensor entries please review the below article : |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.