FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
vprabhu_FTNT
Staff
Staff
Description
IPs best practices to apply traffic specific IPS signatures.

This can also save some FortiGate resources and save memory CPU.

This article describes this feature.

Solution
FortiGate’s IPs system can detect traffic attempting to exploit this vulnerability.

IPs also detects when infected systems communicate with servers to receive instructions.

Refer to the following list of best practices regarding IPs.

- Enable IPs scanning at the network edge for all services.

- Use FortiClient endpoint IPs scanning for protection against threats that get into the network.

- Subscribe to FortiGuard IPs updates and configure the FortiGate to receive push updates. This will ensure to receive IPs signature updates as soon as available.

- Because it is critical to guard against attacks on services that makes available to the public, configure IPs signatures to block matching signatures. For example, if a web server configures the action of web server signatures to Block.

- Create and use security profiles with specific signatures and anomalies you need per-interface and per-rule.

- Do not use predefined or generic profiles. While these profiles are convenient to supply immediate protection, create profiles to suit the network environment is necessary.

- If the default profiles are used, reduce the IPS signatures/anomalies enabled in the profile to conserve processing time and memory.

- If anomalies are enable, make sure the tune thresholds according to the environment.

- If protection is needed, but not audit information, disable the logging option.

- Tune the IP-protocol parameter accordingly.

Special Notes.

Attached IPs sensors are generic and need to be tweaked further if required to best suit network/traffic environment.
Apply to the policies identifying the traffic going through.
#config ips sensor  
    edit "protect_http_server"
        set comment "Protect against HTTP server-side vulnerabilities."
        # config entries
            edit 7
                set rule 43814
                set status enable
                set action block
            next
            edit 8
                set rule 47583
                set status enable
                set action pass
                set rate-count 200
                set rate-duration 5
            next
            edit 1
                set location server
                set protocol HTTP
            next
            edit 4
                set application IIS
            next
            edit 5
                set os Windows
            next
            edit 6
                set protocol HTTPS
            next
            edit 9
                set protocol HTTP
            next
        end
    next
    edit "protect_email_server"
        set comment "Protect against email server-side vulnerabilities."
        # config entries
            edit 1
                set location server
                set protocol SMTP POP3 IMAP
            next
        end
    next
    edit "protect_client"
        set comment "Protect against client-side vulnerabilities."
        # config entries
            edit 1
                set location client
            next
        end
    next
    edit "high_security"
        set comment "Blocks all Critical/High/Medium and some Low severity vulnerabilities"
        set block-malicious-url enable
        # config entries
            edit 1
                set severity medium high critical
                set status enable
                set action block
            next
            edit 2
                set severity low
            next
        end
    next
    edit "IPS_NTP"
        set comment "NTP"
        # config entries
            edit 1
                set rule 10094 11853 12072 15051 17557 18046 25572 27915 37285 37576 37578 38074 39859 40201 41642 41679 43446 43523 43859 45736 45946 46254
            next
        end
    next
    edit "REMOTE_DESKTOP"
        set comment "Remote Desktop TCP_3389"
        # config entries
            edit 1
                set rule 33106
                set status enable
                set action block
                set rate-count 200
                set rate-duration 10
                set quarantine attacker
                set quarantine-expiry 1h30m
            next
            edit 2
                set rule 11242 17666 17669 28662 29592 32860 35094
            next
        end
    next
    edit "Protect-VOIP-IPS"
        # config entries
            edit 5
                set rule 46575
                set status enable
                set action block
                set rate-count 1000
                set rate-duration 10
            next
            edit 6
                set rule 47088
                set status enable
                set action pass
                set rate-count 500
                set rate-duration 1
            next
            edit 3
                set os Linux
                set status enable
                set action pass
            next
            edit 4
                set protocol SIP RTSP RTP RTCP
                set status enable
                set action pass
            next
        end
    next
end

Contributors