Fortinet Fortigate-5000 series User Manual

458 pages
Intrusion Protection Anomalies
FortiGate Version 3.0 MR4 Administration Guide
01-30004-0203-20070102 357
Upgrading IPS protocol decoder list
IPS protocol decoders are included in the IPS upgrade package available through
the FortiGuard Distribution Network (FDN). There is no need to wait for firmware
upgrades. The IPS upgrade package will keep the IPS decoder list up to date with
new threats such as the latest versions of existing IM/P2P applications as well as
new applications.
Anomalies
The FortiGate IPS uses anomaly detection to identify network traffic that does not
fit known or preset traffic patterns.
The FortiGate IPS identifies the four statistical anomaly types for the TCP, UDP,
and ICMP protocols.
Enable or disable logging for each traffic anomaly, and configure the IPS action in
response to detecting an anomaly. In many cases, the thresholds the anomaly
uses to detect traffic patterns that could represent an attack are configurable.
Use the CLI to configure session control based on source and destination network
address.
The traffic anomaly detection list can be updated only when the FortiGate
firmware image is upgraded.
Flooding: If the number of sessions targeting a single destination in one second is
over a specified threshold, the destination is experiencing flooding.
Scan: If the number of sessions from a single source in one second is over a
specified threshold, the source is scanning.
Source session limit: If the number of concurrent sessions from a single source is
over a specified threshold, the source session limit is reached.
Destination session limit: If the number of concurrent sessions to a single
destination is over a specified threshold, the destination session limit is reached.
Note: It is important to know normal and expected network traffic before changing the
default anomaly thresholds. Setting the thresholds too low could cause false positives, and
setting the thresholds too high could miss some attacks.
Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To
access the IPS, select Global Configuration on the main menu.
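
The four anomaly definitions above can be modelled offline to see how a threshold choice plays out against known traffic before changing the defaults. This is an added example, not FortiGate code or part of the original guide; the session records, threshold values, and the function names (rate_anomalies, concurrency_anomalies, detect) are assumptions made for illustration.

```python
from collections import Counter

SRC, DST = 2, 3  # field positions in a session record

# Constructed sample sessions: (start_second, end_second, source, destination).
SESSIONS = (
    [(1, 20, "10.0.0.5", "192.0.2.80"), (1, 20, "10.0.0.5", "192.0.2.25")]  # normal client
    + [(3, 4, "10.0.0.66", f"192.0.2.{i}") for i in range(1, 7)]            # one source, many sessions
    + [(7, 60, f"10.0.1.{i}", "192.0.2.80") for i in range(1, 6)]           # many sources, one destination
)

# Hypothetical thresholds; an anomaly fires when a count is over the threshold.
THRESHOLDS = {"flooding": 4, "scan": 4,
              "source_session_limit": 5, "destination_session_limit": 5}

def rate_anomalies(sessions, field, threshold):
    """Hosts with more than `threshold` new sessions in any one second."""
    per_second = Counter((s[0], s[field]) for s in sessions)
    return {host for (_, host), n in per_second.items() if n > threshold}

def concurrency_anomalies(sessions, field, threshold):
    """Hosts whose number of simultaneously open sessions goes over `threshold`."""
    events = []
    for s in sessions:
        events += [(s[0], 1, s[field]), (s[1], -1, s[field])]
    open_now, flagged = Counter(), set()
    for _, delta, host in sorted(events):  # at equal times, closes (-1) sort before opens (+1)
        open_now[host] += delta
        if open_now[host] > threshold:
            flagged.add(host)
    return flagged

def detect(sessions, t):
    """Apply the four anomaly types: rate per second and concurrent count, by source and by destination."""
    return {
        "flooding": rate_anomalies(sessions, DST, t["flooding"]),
        "scan": rate_anomalies(sessions, SRC, t["scan"]),
        "source_session_limit": concurrency_anomalies(sessions, SRC, t["source_session_limit"]),
        "destination_session_limit": concurrency_anomalies(sessions, DST, t["destination_session_limit"]),
    }

if __name__ == "__main__":
    for name, hosts in detect(SESSIONS, THRESHOLDS).items():
        print(name, sorted(hosts))
```

Re-running detect with every threshold set to 1 flags the normal client 10.0.0.5 as scanning, and with every threshold set to 100 nothing is flagged, which is the false-positive and missed-attack trade-off the note describes.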
