Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
andycollin
New Contributor

FortiGate IPS signature exemption

Hi All,

 

Apologies if this has been covered before, I feel like I've read every article I can find but I'm yet to have a clear understanding in my head.

 

I understand that best practice with an Intrusion profile would be to add specific signatures, rather than applying all signatures to a profile, however lets say we started with a base filter for all high / critical signatures and set the action to 'Default'.

 

Then if we started receiving logs for a specific signature triggering, lets say a Netgear one for example, but we had no Netgear devices in our network, or another example, the signature was incorrectly blocking legitimate traffic, what would be the best method to 'silence' those logs and allow the traffic through?

 

All of the articles I have read seem to suggest that you add the specific signature above the original high / critical filter in the rule and set the action to 'Allow' which will no longer log any hits on that signature and allow the traffic through.

 

The problem there is that you then need add another rule in the profile including ALL signatures apart from the signature in question with the action default, replacing all / part of the original high / critical filter, otherwise it would still 'fall down', hit the original high / critical filter and follow the Default action again.

 

I'm obviously not understanding something, as that doesn't seem very efficient? Especially as the new ALL signature rule would need constantly updating after new DB updates?

 

Wouldn't a better method be to add the signature and set it to disabled instead? After all, isn't that what the IP exemptions do for specific IPs /subnets, disable that signature just for those IPs / subnets?

 

Or following on with the IP exemptions, add the signature and set an IP exemption of 0.0.0.0/0, which in theory would exempt ALL IPs from that signature (if that is even possible)?

 

What am I mis-understanding?

 

Many thanks in advance.

Andy

5 REPLIES 5
Jean-Philippe_P
Moderator
Moderator

Hello andycollin, 

 

Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible. 

 

Thanks, 

Jean-Philippe - Fortinet Community Team
andycollin
New Contributor

Hi Jean-Philippe,

 

Thank you, appreciated.

 

Thanks,

Andy

Jean-Philippe_P
Moderator
Moderator

Hello,

 

We are still looking for an answer to your question.

 

We will come back to you ASAP.

 

 

Thanks,

Jean-Philippe - Fortinet Community Team
Markus_M
Staff
Staff

Hi Andy,

 

I am not fully understanding the question honestly. However, keep in mind that firewall policy match is not done with IPS or any security profile. First, the policy is matching based on criteria srcIP:srcport<>dstIP:dstport, schedule and group/authentication if present.

Then the security profile, IPS here, will be applied.

If you need to exempt IPs, go on and create IP address objects for the respective IPs, create a new policy with these address objects as a source and put this as granular matching policy above the regular IPS applying policy. No IPS needed and exempted by lower OSI level information, this means also that the IPS actions do not need to be executed, and the operation is cheaper on the CPU.

I think that covers part of your question at least. I will not be helpful on IPS signatures though.

 

Best regards,

 

Markus

Top Kudoed Authors