Description
This article describes how to verify that IPS is working and that detections are logged, using the EICAR test file.
Scope
FortiGate.
Solution
In this example, create a new IPS sensor and include a filter that detects the EICAR test file and saves a packet log when it is found. This is an ideal first experience with packet logging because the EICAR test file can cause no harm, and it is freely available for testing purposes.
Create an IPS sensor.
- Go to Security Profiles -> Intrusion Protection.
- Select Create New.
- Name the new IPS sensor EICAR_test.
- Under IPS Signatures, select 'Add Signatures'. A new window will appear.
- For Type, select 'Signature' (the default is 'Filter').
- Enter 'EICAR' in the Search field.
- Select the Eicar.Virus.Test.File signature to highlight it.
- Select 'Use Selected Signatures'. It will return to the IPS Sensor page.
- Select the 'Action' column for the signature and select 'Block'.
- Select the 'Packet Logging' column, scroll down to the bottom of the menu that appears and enable packet logging.
- Select 'OK' to save the IPS sensor.
Add the IPS sensor to the security policy allowing Internet access.
- Go to Policy & Objects -> IPv4 Policy.
- Select the security policy that allows access to the Internet.
- Select the 'Edit' icon.
- Enable the IPS option under Security Profiles and choose EICAR_test from the available IPS sensors.
- Enable 'SSL/SSH Inspection' and select 'deep-inspection'.
- Enable 'Log Allowed Traffic' under 'Logging Options' and select 'All Sessions'.
- Select 'OK'.
With the IPS sensor configured and selected in the security policy, the FortiGate blocks any attempt to download the EICAR test file.
Testing the IPS sensor.
- Using the web browser, go to https://www.eicar.org and select the 'Download Anti Malware Testfile' button.
- Scroll to the bottom of the page and select 'eicar.com' from the row labeled as using the secure, SSL-enabled HTTPS protocol.
- The browser attempts to download the requested file, and one of the following happens:
- If the file is successfully downloaded, the custom signature configuration fails at some point. Check the custom signature, the IPS sensor, and the firewall profile.
- If the download is blocked with a high-security alert message explaining that it is not permitted to download the file, the EICAR test file was blocked by the FortiGate antivirus scanner before the IPS sensor can examine it. Disable antivirus scanning and try to download the EICAR test file again.
- If no file is downloaded and the browser eventually times out, the custom signature successfully detects the EICAR test file and blocks the download.
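The three outcomes above can be checked from a client behind the FortiGate with the following script. It is an added example, not code from the article or from Fortinet: the download URL is an assumption (the article only says to pick the HTTPS 'eicar.com' link on eicar.org, and that path may change), and the EICAR string is the published test string, which is harmless by design.

```python
# Added example (not Fortinet's code): run the EICAR download test from a client
# behind the FortiGate and map the result to the three outcomes listed above.
import socket
import urllib.error
import urllib.request

# The EICAR test string is published by eicar.org and is harmless by design; it is
# split in two here so that this script itself is not quarantined by desktop antivirus.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"

# Assumed download URL; the article tells the reader to pick the HTTPS 'eicar.com'
# link on eicar.org, and the exact path is not given there.
EICAR_URL = "https://secure.eicar.org/eicar.com"

# Outcome labels, one per bullet in the article.
DOWNLOADED = "downloaded"    # file arrived: signature, sensor or policy is misconfigured
AV_BLOCKED = "av_blocked"    # FortiGate antivirus replaced the file with an alert page
IPS_BLOCKED = "ips_blocked"  # nothing returned and the connection timed out: IPS dropped it
UNKNOWN = "unknown"


def attempt_download(url=EICAR_URL, timeout=20):
    """Try the download and return (status, body, error) without raising."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.read(), None
    except urllib.error.HTTPError as e:
        # An HTTP error still carries a body (for example a replacement page).
        return e.code, e.read(), None
    except (socket.timeout, TimeoutError):
        return None, None, "timeout"
    except urllib.error.URLError as e:
        if isinstance(e.reason, (socket.timeout, TimeoutError)):
            return None, None, "timeout"
        return None, None, f"error: {e.reason}"


def classify(status, body, error):
    """Map an attempt result to one of the article's outcomes."""
    if error == "timeout":
        return IPS_BLOCKED
    if body is None:
        return UNKNOWN
    if body.strip() == EICAR.encode():
        return DOWNLOADED
    # The antivirus replacement page is an HTML alert; the article calls it a
    # 'high-security alert message'. Matching on that phrase is an assumption.
    lowered = body.lower()
    if b"<html" in lowered and b"security alert" in lowered:
        return AV_BLOCKED
    return UNKNOWN


ADVICE = {
    DOWNLOADED: "Check the signature, the IPS sensor and the firewall policy.",
    AV_BLOCKED: "Antivirus caught it first: disable AV on the policy and retry.",
    IPS_BLOCKED: "IPS detected and blocked the EICAR file; now check the packet log.",
    UNKNOWN: "Unexpected response; inspect the body and the FortiGate logs.",
}


def run_test(url=EICAR_URL):
    """Perform one download attempt and return (outcome, advice)."""
    outcome = classify(*attempt_download(url))
    return outcome, ADVICE[outcome]


if __name__ == "__main__":
    print(*run_test())
```

Run it once with antivirus enabled on the policy and once with it disabled: the first run normally reports av_blocked and the second ips_blocked, which is the sequence the bullets above describe.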
Viewing the packet log.
- Go to Log & Report -> Forward Traffic.
- Locate the log entry that recorded the block of the EICAR test file. The Message field will read: tools: EICAR.AV.Test.File.Download.
- Select the View Packet Log icon in the Packet Log column.
- The packet log viewer is displayed.
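When the forward-traffic log is large, the same entry can be picked out of exported log text instead of scrolling the GUI. The parser below is an added example, not Fortinet's code: it assumes the usual FortiGate export format of space-separated key=value pairs with double-quoted string values, and the sample lines are constructed (addresses, dates and the logid are placeholders, not data from any device).

```python
# Added example (not Fortinet's code): pick the EICAR block event out of FortiGate
# key=value log lines so the matching packet log can be located quickly.
import re

# FortiGate exports logs as space-separated key=value pairs; string values are
# double-quoted, numeric and address values are bare.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample lines for illustration only: dates, addresses and the logid
# are placeholders, not real log data.
SAMPLE_LOGS = """\
date=2024-01-01 time=10:00:01 logid="0000000000" type="traffic" subtype="forward" srcip=10.0.0.5 dstip=203.0.113.10 action="accept" utmaction="allow" msg="Connection Opened"
date=2024-01-01 time=10:00:07 logid="0000000000" type="utm" subtype="ips" severity="high" srcip=10.0.0.5 dstip=203.0.113.10 action="dropped" attack="Eicar.Virus.Test.File" profile="EICAR_test" msg="tools: EICAR.AV.Test.File.Download"
date=2024-01-01 time=10:00:09 logid="0000000000" type="utm" subtype="ips" severity="low" srcip=10.0.0.7 dstip=203.0.113.20 action="detected" attack="Some.Other.Signature" profile="EICAR_test" msg="other"
"""


def parse_line(line):
    """Turn one key=value log line into a dict (quoted and bare values alike)."""
    return {key: quoted or bare for key, quoted, bare in _KV.findall(line)}


def eicar_block_events(text):
    """Return the parsed entries where an EICAR signature matched and was blocked."""
    hits = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = parse_line(raw)
        # The signature name lands in 'attack'; the GUI's Message column shows 'msg'.
        haystack = (entry.get("attack", "") + " " + entry.get("msg", "")).lower()
        if "eicar" in haystack and entry.get("action") in ("dropped", "blocked"):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for e in eicar_block_events(SAMPLE_LOGS):
        print(e["date"], e["time"], e["srcip"], "->", e["dstip"],
              e["attack"], e["profile"], e["msg"])
```

The filter keys on both the 'attack' and 'msg' fields because the GUI's Message column (tools: EICAR.AV.Test.File.Download, as the step above says) and the signature name (Eicar.Virus.Test.File) spell EICAR differently; matching case-insensitively on either catches the event whichever field the export carries.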
Notes: