Fortigate IPS

Fortigate IPS – Intrusion Prevention System

An IPS inspects the traffic passing through the firewall and stops attackers from reaching your servers and PCs with exploits or other kinds of known attacks.

The FortiGate IPS uses the following two components to help you prevent attacks:

1. Protocol Decoders – parse the traffic of each supported protocol and detect traffic that does not conform to that protocol (anomalies).

2. Signatures – predefined signatures are matched against the traffic to catch known malicious traffic.


IPS Sensor

An IPS sensor groups signatures together so they can be applied to traffic as one unit. A sensor is made of two parts: filters, which select signatures by attributes such as severity, target operating system, protocol or application, and overrides, which set the behaviour for one specific signature.

DOS Sensor

The DoS sensor inspects incoming traffic for rate-based anomalies rather than signature matches. It tracks four anomaly types for each of the protocols TCP, UDP and ICMP:
1. Flooding – too many packets or new sessions per second towards one destination
2. Scanning – one source probing many ports or hosts
3. Source Session Limit – too many concurrent sessions from one source
4. Destination Session Limit – too many concurrent sessions to one destination

The FortiGate can also act as a SYN proxy, which is used to block SYN flood attacks: the firewall completes the TCP handshake on behalf of the server and only opens the connection to the server once the client has proven it is real.
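As an added example (not part of the original post), this is what a DoS sensor covering the four TCP anomaly types, with the SYN proxy action for the flood anomaly, looks like in the FortiOS 4.x CLI. The sensor name "dos_wan1", the interface "wan1", the policy ID and the thresholds are assumptions chosen for illustration; the SYN proxy action is only available on models that support it, and option names should be confirmed with `?` on your own firmware. Lines starting with `#` are explanatory comments and should be stripped before pasting if your CLI rejects them.

```text
# Added example, not from the original post. FortiOS 4.x CLI syntax;
# the sensor name, interface and thresholds are assumptions.
config ips DoS
    edit "dos_wan1"
        config anomaly
            # Flooding: SYN packets per second towards one destination.
            # "proxy" makes the FortiGate answer the handshake itself;
            # "pass" and "block" are the other actions.
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action proxy
                set threshold 2000
            next
            # Scanning: one source probing many ports.
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action block
                set threshold 1000
            next
            # Source session limit: concurrent sessions from one source.
            edit "tcp_src_session"
                set status enable
                set log enable
                set action block
                set threshold 5000
            next
            # Destination session limit: concurrent sessions to one destination.
            edit "tcp_dst_session"
                set status enable
                set log enable
                set action block
                set threshold 5000
            next
        end
    next
end

# Apply the sensor to traffic arriving on the untrusted interface.
config firewall interface-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set ips-DoS-status enable
        set ips-DoS "dos_wan1"
    next
end
```

The same four anomaly types exist for the other two protocols under the names udp_flood, udp_scan, udp_src_session, udp_dst_session and icmp_flood, icmp_sweep, icmp_src_session, icmp_dst_session, configured the same way inside `config anomaly`. Start with the action set to pass and log enabled, watch the anomaly log for a few days to see what your normal traffic peaks look like, and only then lower thresholds and switch to block or proxy; a threshold below legitimate peak load turns the DoS sensor into a self-inflicted outage.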


If the IPS engine fails (for example, it becomes corrupted), the FortiGate falls back to fail-open by default, meaning traffic is passed through without inspection. This can be changed only in the CLI. For more information about fail-open mode, see the article about FortiGate conserve mode.

General Hints about Fortinet Firewall IPS

1. The IPS predefined signatures and the IPS engine are upgraded through the FortiGuard Distribution Network.

2. The predefined signatures are periodically updated by the FortiGuard service, with new signatures added to counter new threats. This also applies to filters that are already defined: for example, if a filter includes all the signatures for the Windows operating system, the filter will automatically incorporate new Windows signatures as they are added.

3. Overrides are checked before the filters, so an override on a specific signature takes precedence over whatever the filters would do with that signature. Overrides can also be used to add custom signatures to a sensor.

4. The IPS can be configured to stop inspecting a session after a set amount of traffic has passed through the firewall; by default this is 204800 bytes (it can be modified only through the CLI).
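As an added example (not part of the original post), the following FortiOS 4.x CLI fragment ties together the IPS sensor description above and hints 3 and 4, plus the CLI-only fail-open setting: the global engine settings, a sensor with an attribute-based filter that will automatically pick up new Windows signatures, an override that is evaluated before the filter, and the firewall policy that applies the sensor. The sensor, filter and policy names and IDs are assumptions, `<rule-id>` is a placeholder for a real FortiGuard or custom signature ID (the post names none), and the fail-open default should be verified on your own firmware, since it has differed between FortiOS releases. Lines starting with `#` are explanatory comments to strip before pasting if your CLI rejects them.

```text
# Added example, not from the original post. FortiOS 4.x CLI syntax;
# names, IDs and <rule-id> are assumptions/placeholders.

# Global IPS engine behaviour; CLI only.
config ips global
    # "enable" passes traffic uninspected if the engine fails (the default
    # described in the article). "disable" fails closed: traffic is dropped
    # until the engine recovers. Pick based on whether availability or
    # inspection matters more on this unit.
    set fail-open enable
    # Stop inspecting a session after this many bytes (204800 is the default).
    # Raising it costs CPU; lowering it lets an attacker bury a payload
    # deeper in a long-lived session.
    set ignore-session-bytes 204800
end

config ips sensor
    edit "windows_servers"
        set comment "Block high/critical signatures against Windows servers"
        # Filter: selects signatures by attribute. Because it matches on
        # os/severity/location rather than on signature IDs, new FortiGuard
        # Windows signatures are included automatically (hint 2).
        config filter
            edit "win_high_crit"
                set os windows
                set severity high critical
                set location server
                set status enable
                set log enable
                set action block
            next
        end
        # Override: checked before the filter (hint 3). Here one signature
        # that the filter would otherwise block is disabled entirely, e.g.
        # a known false positive on an in-house application. Use
        # "set action" and "set log" instead of "set status disable" to keep
        # the signature enabled but change what it does.
        config override
            edit 1
                set rule <rule-id>
                set status disable
            next
        end
    next
end

# Apply the sensor on the policy that carries traffic to the servers
# (policy ID and UTM option names as in FortiOS 4.0 MR3 / 5.x).
config firewall policy
    edit 10
        set utm-status enable
        set ips-sensor "windows_servers"
    next
end
```

After pushing this, `diagnose autoupdate versions` shows the installed IPS engine and attack definition versions and when they were last updated from FortiGuard (hint 1), which is the quickest way to confirm the unit is actually receiving the signature updates the filter relies on.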


Hope this has been informative for you, and if you have any questions please let me know.

2 Responses to “Fortigate IPS”

  1. jblastman says:

    Hi, from time to time there is some weird thing with the new vulnerability coverage on FortiGuard's RSS:

    specifically, I see the release date doesn't match between the coverage page and the link specified in the coverage.

    for instance:
    on coverage http://www.fortiguard.com/advisory/nvc-2012-06-07.html

    check out the vulnerability under threat remediation under critical.

    the release date on the coverage is May 30 2012
    but if I check the referenced link:

    http://www.fortiguard.com/encyclopedia/vulnerability/symantec.client.firewall.dns.response.buffer.overflow.html

    I see it says 2006

    is this an error?

    TIA
