Anomalies are usually zero-day or DoS attacks on a system or network.
Anomalies are detected by behavior-based analysis, using:
Rate-based IPS signatures
DoS policies
Protocol constraints inspection
Exploits are a known, confirmed attack.
Exploits can be identified when a file or network traffic matches a signature pattern.
Signature patterns are:
IPS signatures
WAF signatures
Antivirus signatures
The IPS uses a flow-based detection and blocking mechanism.
Uses signature databases to identify known attacks and threats.
FortiGuard provides updates to the IPS.
If the license is expired, the IPS will continue to work but will not receive the latest updates needed to identify and block newer threats.
Regular updates are required for the IPS.
The botnet signature subscription is part of the FortiGuard IPS license.
To check the IPS license, go to System > FortiGuard.
FortiGate uses protocol decoders to parse packets to identify potential threats.
If a network or application protocol contains malformed data, the IPS engine will detect the errors.
The IPS engine does not rely on standard port numbers; it automatically selects the decoder for each layer of the OSI or TCP/IP model.
Regular – The IPS engine uses this database to identify and block common attacks with fast identification. This is the smaller database.
Extended – This larger database contains additional signatures. It is not available on FortiGate models with smaller disks. However, in high-security environments, this database can be enabled.
To enable the Extended IPS database, go to System > FortiGuard > enable 'Use extended IPS signature package'.
IPS updates provide new signatures to detect new threats.
To view a list of IPS signatures, go to Security Profiles > Intrusion Prevention.
IPS profiles are applied to a Firewall Policy.
You can add individual signatures
You can add groups of signatures using filters
Go to Security Profiles > Intrusion Prevention > create a new IPS Sensor > click Create New (IPS Signatures and Filters) > Type can be Filter or Signature.
Rate-based signatures can be used to block traffic when a threshold is exceeded for a time.
When inserting additional signatures, new entries are placed at the bottom of the list.
IPS signatures are processed top-down.
You can configure IP exemptions on an IPS signature.
Allow – Allow the traffic and do not log
Monitor – Allow the traffic and generate logs
Block – Drop the packets and log
Quarantine – Block the traffic and log it until the expiration interval elapses
Reset – Reset the connection
Default – Perform the default action for the signature
This feature maximizes the protection of internal endpoints.
It can be enabled within an IPS security profile.
Actions:
Block
Monitor
Once enabled, IPS logs are generated.
When applying an IPS profile to a Firewall Policy, the following logging options are available:
Security Events – Logs are generated for security events only.
All Sessions – Logs every session inspected by the profile.
To view the security/IPS logs, go to Log & Report > Security Event.
To block a DoS attack, create a DoS Policy on the FortiGate.
Go to Policy & Objects > IPv4 DoS Policy.
DoS Protection can be applied to the following protocols:
TCP
UDP
ICMP
SCTP
Anomaly protection detects the following:
Flood – Detects large amounts of network traffic
Sweep/scan – Detects probes
Source – Detects large amounts of traffic from a source IP address
Destination – Detects large amounts of traffic going to a destination IP address
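As an added example (not part of the original notes), this is the FortiOS CLI form of the DoS policy described above, with one anomaly per category (flood, sweep/scan, source, destination) across the supported protocols. The interface name, address objects and threshold values are assumptions; thresholds should be tuned to the baseline traffic observed in the logs rather than copied as-is.

```fortios
# Constructed example: DoS policy on the WAN-facing interface "port1" (assumed name).
# Anomalies are counted per second; when the threshold is exceeded the action applies.
config firewall DoS-policy
    edit 1
        set name "wan-dos-protection"
        set interface "port1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            # Flood: too many TCP SYNs per second (assumed threshold)
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            # Sweep/scan: one source probing many TCP ports (assumed threshold)
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            # Source: too many concurrent sessions from one source IP (assumed threshold)
            edit "ip_src_session"
                set status enable
                set log enable
                set action block
                set threshold 5000
            next
            # Destination: too many concurrent sessions to one destination IP (assumed threshold)
            edit "ip_dst_session"
                set status enable
                set log enable
                set action block
                set threshold 5000
            next
            # Flood on the other protocols the policy covers (assumed thresholds)
            edit "udp_flood"
                set status enable
                set log enable
                set action block
                set threshold 2000
            next
            edit "icmp_flood"
                set status enable
                set log enable
                set action block
                set threshold 250
            next
        end
    next
end
```

Start with `set action pass` and `set log enable` to observe which thresholds trip under normal load, then switch to `block` once the values are tuned.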
Not all policies require an IPS profile.
Avoid enabling IPS on internal-to-internal traffic.
Monitor logs for anomalies.
Tune the IPS profiles based on observation.
Optionally, enable SSL/SSH Inspection to inspect encrypted traffic: go to Security Profiles > SSL/SSH Inspection.