DanieleS99
Contributor

Fortigate F5 IPS signatures

Hi,

I would need to include only F5 signatures in an IPS policy.
Of course, I know that they can be added individually, but then if new ones come out they won't be added automatically, or am I wrong?
Is there a simple and effective way to include only F5 signatures and all new ones in case they come out?
Thank you


Anthony_E
Community Manager

Hello Daniele,

 

Did you try to have a look in our Knowledge Base? You may find an article which could provide a solution.

Just select Knowledge Base, the concerned product and you can easily make a search in our search bar.

 

Do not hesitate to come back to us if you do not find the solution.

 

Regards,

Anthony-Fortinet Community Team.
DanieleS99
Contributor

Hi Anthony,

I tried to search for a similar article in the Knowledge Base but I didn't find anything.

I hope to find something in a short time because this feature could be important for the building process of an Intrusion Prevention Sensor.

Thanks

Anthony_E

Hello Daniele,

 

Sorry to hear that.

I will try to find somebody who can provide you a solution quickly.

 

Regards,

Anthony-Fortinet Community Team.
Debbie_FTNT

Hey Daniele,

I ran a quick test, and there are currently no name-based filters available in IPS sensors as far as I could determine.

-> you can't create an IPS sensor with a filter for "F5*"

-> you could create an automation stitch on the FortiGate for IPS signature update (trigger Event Log, Log ID 32110, https://docs.fortinet.com/document/fortigate/6.4.5/fortios-log-message-reference/32110/32110-log-id-...) to send out an alert if IPS signatures were updated, and check if there are new F5 signatures and then add them manually

-> you could create a broader sensor (for target 'server', OS 'Linux', for example) that all F5 signatures should match into

 

Other than that, the only option would be a feature request to allow IPS sensor filters based on signature name, not just specific characteristics; you can submit a feature request via your local Sales representative.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
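
The manual check described in the reply above (after an IPS update alert, see whether new F5 signatures exist), sketched as an added example that is not part of the original post or Fortinet's tooling. It assumes you keep a "rule_id,name" CSV snapshot of the signature list before and after each update; that snapshot format, the sample rows and the function names are constructed for illustration.

```python
import csv
import io

# Constructed sample snapshots (NOT real FortiGuard data). Assumed format:
# one "rule_id,name" row per signature, saved before and after an update.
BEFORE = """rule_id,name
900001,F5.Example.Product.Sample.Overflow
900002,Apache.Example.Sample.Traversal
900003,F5.Example.Product.Sample.Bypass
"""
AFTER = """rule_id,name
900001,F5.Example.Product.Sample.Overflow
900002,Apache.Example.Sample.Traversal
900004,f5.Example.Product.Sample.Injection
900005,Nginx.Example.Sample.Overflow
"""

def load_snapshot(text):
    """Parse a snapshot into {rule_id: name}, skipping malformed rows."""
    sigs = {}
    for row in csv.DictReader(io.StringIO(text)):
        rule_id = (row.get("rule_id") or "").strip()
        name = (row.get("name") or "").strip()
        if rule_id.isdigit() and name:
            sigs[int(rule_id)] = name
    return sigs

def diff_vendor_signatures(before_text, after_text, prefix="F5."):
    """Return (added, removed) lists of (rule_id, name) whose name starts with prefix."""
    before = load_snapshot(before_text)
    after = load_snapshot(after_text)

    def match(name):
        # Case-insensitive so a differently cased vendor prefix is not missed.
        return name.lower().startswith(prefix.lower())

    added = sorted((i, n) for i, n in after.items() if i not in before and match(n))
    removed = sorted((i, n) for i, n in before.items() if i not in after and match(n))
    return added, removed

if __name__ == "__main__":
    added, removed = diff_vendor_signatures(BEFORE, AFTER)
    for rule_id, name in added:
        print(f"NEW      {rule_id}  {name}  -> add to the IPS sensor")
    for rule_id, name in removed:
        print(f"RETIRED  {rule_id}  {name}  -> remove from the IPS sensor")
```
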
DanieleS99

Hi Debbie, 

Thanks for the exhaustive answer.

DanieleS99

Hi Debbie,

Sorry for the further question.

I tried to create an automation stitch for when the event log 32110 is triggered, but when the IPS DB was updated (yesterday at 9.50 at version 19.263) the FortiGate didn't report any logs and the stitch did not go...

I have the severity logging set to Informational, so I would expect to see something. What do you think I am doing wrong?

 

Thanks for the support

Debbie_FTNT

Hey Daniele,

can you check under Log & Report if you have System Event logging enabled?

Some event logging categories may be turned off.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++
DanieleS99

Cattura3.JPG

This is my configuration.

Debbie_FTNT

In that case, I don't think there's a misconfiguration on your end; to my understanding the FortiGate *should* have logged the IPS signature update and I'm not sure why it didn't. Do you have any update-related logs around the time of the IPS update? You could maybe use one of them in the automation stitch instead.

The only other thing I can suggest is a ticket to figure out why FortiGate is not writing an IPS update log when the IPS update happens.

+++ Divide by Cucumber Error. Please Reinstall Universe and Reboot +++