Description
This article describes IPS best practices for applying traffic-specific IPS signatures.
Doing so can also conserve FortiGate resources (memory and CPU).
Solution
FortiGate's IPS can detect traffic attempting to exploit known vulnerabilities.
IPS also detects when infected systems communicate with command-and-control servers to receive instructions.
Refer to the following list of best practices regarding IPS.
- Enable IPS scanning at the network edge for all services.
- Use FortiClient endpoint IPS scanning for protection against threats that get into the network.
- Subscribe to FortiGuard IPS updates and configure the FortiGate to receive push updates. This ensures that IPS signature updates are received as soon as they are available.
- Because it is critical to guard against attacks on services that are made available to the public, configure IPS signatures to block matching traffic. For example, if a web server is published, set the action of the web server signatures to Block.
- Create and use security profiles with only the specific signatures and anomalies needed, per interface and per rule.
- Do not use the predefined or generic profiles. While these profiles are convenient for supplying immediate protection, creating profiles that suit the network environment is necessary.
- If the default profiles are used, reduce the number of IPS signatures/anomalies enabled in the profile to conserve processing time and memory.
- If anomalies are enabled, make sure to tune the thresholds according to the environment.
- If protection is needed but not audit information, disable the logging option.
- Tune the IP-protocol parameter accordingly.
Special Notes
The attached IPS sensors are generic and need to be tweaked further, if required, to best suit the network/traffic environment.
Apply them to the policies that identify the traffic passing through.
config ips sensor
    edit "protect_http_server"
        set comment "Protect against HTTP server-side vulnerabilities."
        config entries
            edit 7
                set rule 43814
                set status enable
                set action block
            next
            edit 8
                set rule 47583
                set status enable
                set action pass
                set rate-count 200
                set rate-duration 5
            next
            edit 1
                set location server
                set protocol HTTP
            next
            edit 4
                set application IIS
            next
            edit 5
                set os Windows
            next
            edit 6
                set protocol HTTPS
            next
            edit 9
                set protocol HTTP
            next
        end
    next
    edit "protect_email_server"
        set comment "Protect against email server-side vulnerabilities."
        config entries
            edit 1
                set location server
                set protocol SMTP POP3 IMAP
            next
        end
    next
    edit "protect_client"
        set comment "Protect against client-side vulnerabilities."
        config entries
            edit 1
                set location client
            next
        end
    next
    edit "high_security"
        set comment "Blocks all Critical/High/Medium and some Low severity vulnerabilities"
        set block-malicious-url enable
        config entries
            edit 1
                set severity medium high critical
                set status enable
                set action block
            next
            edit 2
                set severity low
            next
        end
    next
    edit "IPS_NTP"
        set comment "NTP"
        config entries
            edit 1
                set rule 10094 11853 12072 15051 17557 18046 25572 27915 37285 37576 37578 38074 39859 40201 41642 41679 43446 43523 43859 45736 45946 46254
            next
        end
    next
    edit "REMOTE_DESKTOP"
        set comment "Remote Desktop TCP_3389"
        config entries
            edit 1
                set rule 33106
                set status enable
                set action block
                set rate-count 200
                set rate-duration 10
                set quarantine attacker
                set quarantine-expiry 1h30m
            next
            edit 2
                set rule 11242 17666 17669 28662 29592 32860 35094
            next
        end
    next
    edit "Protect-VOIP-IPS"
        config entries
            edit 5
                set rule 46575
                set status enable
                set action block
                set rate-count 1000
                set rate-duration 10
            next
            edit 6
                set rule 47088
                set status enable
                set action pass
                set rate-count 500
                set rate-duration 1
            next
            edit 3
                set os Linux
                set status enable
                set action pass
            next
            edit 4
                set protocol SIP RTSP RTP RTCP
                set status enable
                set action pass
            next
        end
    next
end
Refer below for the GUI steps of the same.
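The sensors above only take effect once a firewall policy references them. The following is an added example, not part of the original article: it attaches "protect_http_server" to an inbound policy for a published web server and "protect_client" to an outbound client policy. The interface names (wan1, dmz, lan), the VIP object "VIP-web-server" and the policy IDs are assumptions; "deep-inspection" and "certificate-inspection" are the default SSL/SSH inspection profiles.

```fortios
config firewall policy
    # Inbound policy for the published web server (interface and VIP names are assumed).
    # Deep inspection is required for the HTTPS server-side signatures in the sensor to match.
    edit 10
        set name "inbound-web-server"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "VIP-web-server"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "protect_http_server"
    next
    # Outbound policy for internal clients; client-side signatures only, to save resources.
    edit 11
        set name "outbound-clients"
        set srcintf "lan"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "protect_client"
    next
end
```

Use one sensor per policy that matches only the traffic the policy carries, rather than attaching "high_security" to every policy.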
Copyright 2023 Fortinet, Inc. All Rights Reserved.