Firewall Policy Using one-arm sniffer policies to detect network attacks
FortiGate Version 4.0 MR1 Administration Guide
01-410-89802-20090903 407
http://docs.fortinet.com/
To configure one-arm IDS, you need to configure one or more FortiGate interfaces to
operate in one-arm sniffer mode. To do this, go to System > Network > Interface, edit an
interface and select Enable one-arm sniffer mode. An interface configured for one-arm
sniffer mode is dedicated to that role and cannot be used for any other purpose. For
example, you cannot add firewall policies for the interface and you cannot add the
interface to a zone.
After you have configured the interface for one-arm sniffer mode, connect the interface to
a hub or to the SPAN port of a switch that is processing network traffic.
Figure 218: One-arm IDS topology
Then you can go to Firewall > Policy > Sniffer Policy and add sniffer policies for that
FortiGate interface that include a DoS sensor, an IPS sensor, and an application
black/white list to detect attacks and other activity in the traffic that the FortiGate
interface receives from the hub or switch SPAN port.
In one-arm sniffer mode, the interface accepts only packets that match a sniffer mode
policy; all packets that match no sniffer mode policy are dropped without inspection. All
packets accepted by sniffer mode policies go through IPS inspection and are dropped after
IPS has analyzed them, so nothing is ever forwarded out of a sniffer mode interface.
Because the interface only receives a copy of the traffic from the hub or SPAN port,
one-arm IDS can detect attacks but cannot block them. Detection is therefore only useful
if it is logged: enable logging in the DoS and IPS sensors and in the application
black/white lists, and the FortiGate unit records log messages for all detected attacks
and applications.
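Since a one-arm IDS can only log what it sees, the practical follow-up is consuming those logs. The following is an added example, not code from the FortiGate guide or from Fortinet: a small parser for key=value log lines that aggregates IPS detections by attack name and source address at or above a chosen severity. The field names used (type, subtype, severity, src, dst, attack_name) approximate FortiGate's key=value log format and are assumptions, and the sample lines are constructed for this example, not captured from a device.

```python
"""Aggregate IPS detections from FortiGate-style key=value log lines.

Added example; not from the FortiGate Administration Guide. Field names
approximate FortiGate's log format and are assumptions. Sample lines are
constructed, not real device output.
"""
import re
from collections import Counter

# key=value tokenizer: values may be double-quoted (attack names often
# contain dots or spaces) or bare tokens without whitespace.
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_log_line(line: str) -> dict:
    """Return a dict of fields from one key=value log line."""
    return {
        m.group(1): (m.group(3) if m.group(3) is not None else m.group(4))
        for m in _KV.finditer(line)
    }


def attack_summary(lines, min_severity: str = "medium") -> Counter:
    """Count IPS records per (attack_name, src) at or above min_severity.

    Only records with type=ips are attack detections; traffic and
    application-control records are skipped. Because one-arm IDS cannot
    block, this is the kind of aggregation an analyst runs to decide where
    to respond manually.
    """
    threshold = SEVERITY_RANK[min_severity]
    hits = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec.get("type") != "ips":
            continue
        if SEVERITY_RANK.get(rec.get("severity", "info"), 0) < threshold:
            continue
        hits[(rec.get("attack_name", "?"), rec.get("src", "?"))] += 1
    return hits


# Constructed sample log lines (assumed field layout, not real output).
SAMPLE_LOGS = [
    'date=2009-09-03 time=10:01:02 devname=FGT-IDS type=ips subtype=signature '
    'severity=high src=10.0.0.5 dst=192.0.2.10 src_port=51022 dst_port=80 '
    'attack_name="HTTP.URI.SQL.Injection" action=detected',
    'date=2009-09-03 time=10:01:05 devname=FGT-IDS type=ips subtype=signature '
    'severity=high src=10.0.0.5 dst=192.0.2.10 src_port=51023 dst_port=80 '
    'attack_name="HTTP.URI.SQL.Injection" action=detected',
    # DoS sensor hit (anomaly), assumed to be logged as type=ips subtype=anomaly
    'date=2009-09-03 time=10:02:10 devname=FGT-IDS type=ips subtype=anomaly '
    'severity=medium src=10.0.0.9 dst=192.0.2.10 dst_port=443 '
    'attack_name="tcp_syn_flood" action=detected',
    # Low severity: dropped by the default "medium" threshold
    'date=2009-09-03 time=10:03:00 devname=FGT-IDS type=ips subtype=signature '
    'severity=low src=10.0.0.5 dst=192.0.2.0 attack_name="ICMP.Ping.Sweep" '
    'action=detected',
    # Not an IPS record: application control and plain traffic logs are skipped
    'date=2009-09-03 time=10:03:30 devname=FGT-IDS type=app-ctrl subtype=app-ctrl '
    'severity=info src=10.0.0.7 dst=198.51.100.4 app="BitTorrent" action=pass',
    'date=2009-09-03 time=10:04:00 devname=FGT-IDS type=traffic subtype=allowed '
    'src=10.0.0.7 dst=198.51.100.4 dst_port=80',
]


if __name__ == "__main__":
    for (name, src), count in attack_summary(SAMPLE_LOGS).most_common():
        print(f"{count:4d}  {name:30s}  from {src}")
```

Lower `min_severity` to "low" to include the ping sweep; the app-ctrl and traffic records are never counted because they are not IPS detections, even though a sniffer policy with an application black/white list would also produce them.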
This section provides an introduction to configuring sniffer policies. For more information
see the FortiGate UTM User Guide.
Viewing the sniffer policy list
The sniffer policy list displays sniffer policies in their order of matching precedence for
each interface, source/destination address pair, and service.
Note: If you add VLAN interfaces to an interface configured for one-arm sniffer operation
this VLAN interface also operates in one-arm sniffer mode and you can add sniffer policies
for this VLAN interface.
(Figure 218 labels: Internet; hub or switch SPAN port; internal network)