Hi,
I would need to include only F5 signatures in an IPS policy.
Of course, I know that they can be added individually, but then if new ones come out they won't be added automatically, or am I wrong?
Is there a simple and effective way to include only F5 signatures and all new ones in case they come out?
Thank you
Hello Daniele,
Did you try to have a look in our Knowledge Base? You may find an article which could provide a solution.
Just select Knowledge Base, the concerned product and you can easily make a search in our search bar.
Do not hesitate to come back to us if you do not find the solution.
Regards,
Hi Anthony,
I tried to search for a similar article in the Knowledge Base but I didn't find anything.
I hope to find something in a short time because this feature could be important for the building process of Intrusion Prevention Sensor.
Thanks
Hello Daniele,
Sorry to hear that.
I will try to find somebody who can provide you a solution quickly.
Regards,
Hey Daniele,
I ran a quick test, and there are currently no name-based filters available in IPS sensors as far as I could determine.
-> you can't create an IPS sensor with a filter for "F5*"
-> you could create an automation stitch on the FortiGate for IPS signature update (trigger Event Log, Log ID 32110, https://docs.fortinet.com/document/fortigate/6.4.5/fortios-log-message-reference/32110/32110-log-id-...) to send out an alert if IPS signatures were updated, and check if there are new F5 signatures and then add them manually
-> you could create a broader sensor (for target 'server', OS 'Linux', for example) that all F5 signatures should match into
Other than that, the only option would be a feature request to allow IPS sensor filters based on signature name, not just specific characteristics; you can submit a feature request via your local Sales representative.
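The manual check suggested in the reply above (after an IPS update, see whether new F5 signatures exist and which ones the sensor still lacks) can be scripted. This is an added example, not part of the original posts and not Fortinet code; it assumes signature names have been exported one per line and that F5-related names start with "F5.", and every name in the sample data is constructed.

```python
"""Find F5 IPS signatures that appeared in an update or are missing from a sensor."""

PREFIX = "f5."  # assumption: F5-related signature names start with "F5."


def parse_names(text):
    """Return the set of names in a one-name-per-line export (blank/# lines skipped)."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line)
    return names


def is_f5(name):
    """Case-insensitive prefix match, since sensors cannot filter on name."""
    return name.lower().startswith(PREFIX)


def f5_delta(previous, current, sensor):
    """Compare the signature list before/after an update with the sensor's entries."""
    prev_f5 = {n for n in previous if is_f5(n)}
    curr_f5 = {n for n in current if is_f5(n)}
    sensor_f5 = {n for n in sensor if is_f5(n)}
    return {
        "new_in_update": sorted(curr_f5 - prev_f5),        # arrived with this update
        "missing_from_sensor": sorted(curr_f5 - sensor_f5),  # still to be added by hand
        "stale_in_sensor": sorted(sensor_f5 - curr_f5),      # no longer in the database
    }


# Constructed sample exports (names are illustrative, not real signatures).
BEFORE = """# snapshot before update
F5.Example.Auth.Bypass
F5.Example.Path.Traversal
F5.Example.Legacy.Overflow
Apache.Example.Request.Smuggling
"""
AFTER = """F5.Example.Auth.Bypass
F5.Example.Path.Traversal
F5.Example.Command.Injection
Apache.Example.Request.Smuggling
Nginx.Example.Header.Overflow
"""
SENSOR = "F5.Example.Auth.Bypass\nF5.Example.Legacy.Overflow\n"

if __name__ == "__main__":
    report = f5_delta(parse_names(BEFORE), parse_names(AFTER), parse_names(SENSOR))
    for key, names in report.items():
        print(f"{key}: {', '.join(names) or '-'}")
```

Comparing against the sensor as well as the previous snapshot means a missed update notification does not hide signatures that were never added.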
Hi Debbie,
Thanks for the exhaustive answer.
Hi Debbie,
Sorry for the further question.
I tried to create an automation stitch when the event log 32110 is triggered, but when the IPS DB was updated (yesterday at 9.50 at version 19.263) the FortiGate didn't report any logs and the stitch did not go...
I have the severity logging set to Informational, so I would expect to see something. What do you think I am doing wrong?
Thanks for the support
Hey Daniele,
Can you check under Log & Report if you have System Event logging enabled?
Some event logging categories may be turned off.
This is my configuration.
In that case, I don't think there's a misconfiguration on your end; to my understanding the FortiGate *should* have logged the IPS signature update and I'm not sure why it didn't. Do you have any update-related logs around the time of the IPS update? You could maybe use one of them in the automation stitch instead.
The only other thing I can suggest is a ticket to figure out why FortiGate is not writing an IPS update log when the IPS update happens.