IPS Anomaly
FortiGate-3000 Administration Guide 01-28006-0010-20041105 307
Configuring an anomaly
Each anomaly is preset with a recommended configuration. By default all anomaly
signatures are enabled. You can use the recommended configurations or you can
modify the recommended configurations to meet the needs of your network.
For more information on minimum, maximum, and recommended thresholds for the
anomalies with configurable thresholds, see the FortiGate IPS Anomaly Thresholds
and Dissector Values Technical Bulletin.
Figure 149:Editing the portscan IPS anomaly
Figure 150:Editing the syn_fin IPS anomaly
Action The action set for each anomaly. Action can be Pass, Drop, Reset, Reset
Client, Reset Server, Drop Session, Clear Session, or Pass Session.
Modify The Edit and Reset icons. If you have changed the settings for an anomaly,
you can use the Reset icon to change the settings back to the
recommended settings.
Name The anomaly name.
Enable Select the Enable box to enable the anomaly or clear the Enable box to
disable the anomaly.
Logging Select the Logging box to enable logging for the anomaly or clear the
Logging box to disable logging for the anomaly.
Action Select an action for the FortiGate unit to take when traffic triggers this
anomaly.
Pass The FortiGate unit lets the packet that triggered the anomaly pass
through the firewall. If logging is disabled and action is set to Pass, the
anomaly is effectively disabled.
Drop The FortiGate unit drops the packet that triggered the anomaly. Fortinet
recommends using an action other than Drop for TCP connection based
attacks.
To Next Page
Loading...
Need help?
General