- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- Re: IPS signatures categories confusion
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPS signatures categories confusion
Dear All,
I would like to make different ips security policies for different services (accepted by the appropriate firewall policies), however I have a confusion with signature categories. First I thought that for the https web services it is enough to make an ips sensor that includes the https from the protocol entries when editing the signatures filter, but I found something strange.
Before when I used an ips policy including every signatures I found a line in my fortianalyzer, that shows "action:dropped, service:HTTPS, attack name: Bladabindi.Botnet". Then I checked this attack name in fortigate ips signatures and in the protocol section it only shows TCP, but not HTTPS. I think this means if I only add the HTTPS protocols to my custom ips filter, this attack is not checked.
My question how should I make custom ips sensors for different protocols (an ips for http, an other to all email protocols) in order to not leave out any relevant signatures?
thank you
chr
Solved! Go to Solution.
Labels:
- Labels:
-
FortiGate
1 Solution
Created on 04-06-2023 05:16 AM Edited on 04-06-2023 05:19 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You define the sensor based on the flow of traffic you are trying to protect, so for example (and this is purely all example based), if this is a email server you are trying to protect, then that sensor would be filtered accordingly with whatever target (Server or Client), Severity (information, low, medium, high, critical), Protocol (SMTP, POP3, IMAP, etc...), OS (Linux, Windows, etc...), Application (Ipswitch, MS Exchange, SendMail, etc...)...don't know what email server you have, or what OS it's on, or totality of protocols it's providing (maybe this is also serving users email via a web interface, so HTTP and HTTPS might also need to be added for this sensor), etc...
So after creating this custom sensor, you would place that sensor on the flow of traffic incoming to that server, so typically this is a WAN to LAN (or DMZ if your server resides in that zone) and I normally will do a proxy based policy as I want the utmost accuracy in inspection on that traffic (you sacrifice some speed for more accuracy with proxy). If you are concerned about protection for your client, that would be a different traffic policy incoming to your clients and thus a different custom sensor (i.e... client instead of server, maybe you only care about high and medium severity issues, maybe you clients only make secure SMTP requests, maybe these are macOS clients, etc...) you get my point. But on this traffic flow, maybe you want speed over more accurate inspection, so that policy would be flow based.
5 REPLIES 5
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Have a look at this best practice link for IPS (https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPs-best-practices/ta-p/198360), it will give you some examples for https and email, but the gist is, you can filter based on your environment, so if you have a windows web server that listens only on port 443 (HTTPS) for example and you don't care about the low severity ones, then your filter would look something like this:
Same type of filtering can be applied for an internal email server sensor making sure your include whatever protocols you are serving (i.e... SMTP, POP3, IMAP)
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for reply.
It is strange: the default ips filter includes three severity levels from the middle orange category. This includes 9451 signatures from all (9861). If I add more filters to these that will not narrow the signature numbers. So it seems that those three severities includes most signatures, so maybe it should leave out in your example (your suggested best practices doesn't include severities if I see well).
Now the picture is a little cleaner, however the TCP categories confuses me. In your link in the "Protect-VOIP-IPS"
there are four main sections: protocols, os and on top of these two rules. It is ok.
The rule id 47088 is the SIP.Register.Brute.Force which protocol category is UDP and SIP, while the SIP is already in the bottom protocol filter section, this separate one has a specific rate settings, so it is to add it again.
But rule id 46575 (Linux.Kernel.TCP.Segment.Out.Of.Order.Processing.DoS) has only the TCP protocol category, and it is not included other sections.
The TCP protocols category itself includes 9364 signatures, so it is include the most of signatures (like severities from the orange category up), and it seems to add TCP protocol category to a filter bad idea if you want to narrow the number of signatures. (in the link includes only one sig. from these tcp category, which seems reasonable)
But TCP has some signatures which can be worth to add a filter, because no other protocol category includes that.
How can know which ones not included in my filters, but should be added to? I don't want to leave out any signatures, (even if that has high severity), but want to narrow the signature list.
So it is unclear how to make a filter, which includes the most relevant and only those signatures.
Thank you
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
OK, it is clear now, that not only the protocol category exists, but there are os, target categories also, which includes the appropriate TCP only signatures....
A new question:
I would like to protect an email server. Should the filter include the client target as well (because of the vulnerabilities transfer via email) or it is already includes the smtp,pop,imap protocol filters?
If I choose the server, smtp, pop, imap categories those are protect only the server as an attack target, or it is also includes protection for client that maybe attacked in the email transit traffic?
thank you
Created on 04-06-2023 05:16 AM Edited on 04-06-2023 05:19 AM
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
You define the sensor based on the flow of traffic you are trying to protect, so for example (and this is purely all example based), if this is a email server you are trying to protect, then that sensor would be filtered accordingly with whatever target (Server or Client), Severity (information, low, medium, high, critical), Protocol (SMTP, POP3, IMAP, etc...), OS (Linux, Windows, etc...), Application (Ipswitch, MS Exchange, SendMail, etc...)...don't know what email server you have, or what OS it's on, or totality of protocols it's providing (maybe this is also serving users email via a web interface, so HTTP and HTTPS might also need to be added for this sensor), etc...
So after creating this custom sensor, you would place that sensor on the flow of traffic incoming to that server, so typically this is a WAN to LAN (or DMZ if your server resides in that zone) and I normally will do a proxy based policy as I want the utmost accuracy in inspection on that traffic (you sacrifice some speed for more accuracy with proxy). If you are concerned about protection for your client, that would be a different traffic policy incoming to your clients and thus a different custom sensor (i.e... client instead of server, maybe you only care about high and medium severity issues, maybe you clients only make secure SMTP requests, maybe these are macOS clients, etc...) you get my point. But on this traffic flow, maybe you want speed over more accurate inspection, so that policy would be flow based.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for helping me!
Related Posts
- IPS signatures categories confusion 1269 Views
- Block One drive client 2488 Views
- The Botnet category is no longer... 4630 Views
- Application control categories via API 1743 Views
- To upgrade or not upgrade? 262 Views
Labels
-
FortiGate
6,457 -
FortiClient
1,290 -
5.2
801 -
5.4
639 -
FortiManager
562 -
6.0
416 -
FortiAnalyzer
411 -
5.6
362 -
FortiSwitch
331 -
FortiAP
327 -
FortiClient EMS
259 -
6.2
251 -
FortiMail
239 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
148 -
6.4
128 -
FortiNAC
103 -
FortiGuard
102 -
FortiGateCloud
86 -
FortiSIEM
85 -
FortiCloud Products
82 -
FortiToken
69 -
Customer Service
69 -
IPsec
68 -
4.0MR3
64 -
Wireless Controller
58 -
SSL-VPN
54 -
FortiProxy
44 -
FortiADC
42 -
Fortivoice
41 -
FortiEDR
38 -
FortiGate v5.4
34 -
FortiDNS
34 -
FortiExtender
31 -
FortiSandbox
30 -
FortiSwitch v6.4
28 -
FortiConnect
23 -
SD-WAN
23 -
FortiWAN
22 -
FortiConverter
21 -
High Availability
20 -
Firewall policy
20 -
VLAN
18 -
FortiPortal
17 -
ZTNA
16 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
FortiMonitor
14 -
Certificate
14 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
SAML
11 -
BGP
11 -
DNS
11 -
Interface
11 -
FortiGate v5.0
10 -
FortiRecorder
10 -
VDOM
10 -
FortiWeb v5.0
9 -
LDAP
9 -
FortiManager v5.0
9 -
4.0MR2
9 -
Logging
9 -
RADIUS
8 -
Traffic shaping
8 -
Virtual IP
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
fortilink
7 -
FortiAnalyzer v5.0
7 -
NAT
7 -
FortiAuthenticator
7 -
Admin
7 -
FortiGate v4.0 MR3
7 -
4.0
7 -
Fortigate Cloud
6 -
IP address management - IPAM
6 -
SSID
5 -
Security profile
5 -
Traffic shaping policy
5 -
Authentication
5 -
FortiBridge
5 -
SNMP
5 -
SSO
5 -
Application control
5 -
Static route
5 -
FortiManager v4.0
5 -
FortiDirector
4 -
SSL SSH inspection
4 -
WAN optimization
4 -
Web application firewall profile
4 -
DNS Filter
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Proxy policy
4 -
packet capture
3 -
FortiToken Cloud
3 -
Automation
3 -
Intrusion prevention
3 -
DoS policy
3 -
FortiTester
3 -
Port policy
3 -
FortiDB
3 -
IPS signature
3 -
FortiDeceptor
2 -
FortiInsight
2 -
Antivirus profile
2 -
VoIP profile
2 -
Traffic shaping profile
2 -
Web profile
2 -
FortiAP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
trunk
2 -
NAC policy
1 -
SDN connector
1 -
4.0MR1
1 -
Users
1 -
Subscription Renewal Policy
1 -
FortiCWP
1 -
FortiNDR
1 -
Web rating
1 -
Application signature
1 -
Authentication rule and scheme
1 -
Multicast routing
1 -
Zone
1 -
FortiManager-VM
1 -
Fabric connector
1 -
Internet Service Database
1 -
Fortinet Engage Partner Program
1 -
System settings
1 -
Explicit proxy
1 -
TACACS
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.