Signatures Intrusion Protection
FortiGate Version 4.0 MR1 Administration Guide
532 01-410-89802-20090903
http://docs.fortinet.com/ • Feedback
Using Intrusion Protection, you can configure the FortiGate unit to check for and
automatically download updated attack definition files containing the latest signatures, or
download the updated attack definition file manually. Alternately, you can configure the
FortiGate unit to allow push updates of the latest attack definition files as soon as they are
available from the FortiGuard Distribution Network.
You can also create custom attack signatures for the FortiGate unit to use in addition to an
extensive list of predefined attack signatures.
Whenever the Intrusion Protection system detects or prevents an attack, it generates an
attack log message. You can configure the FortiGate unit to add the message to the attack
log and send an alert email to administrators, as well as schedule how often it should send
this alert email. You can also reduce the number of log messages and alerts by disabling
signatures for attacks that will not affect your network. For example, you do not need to
enable signatures to detect web attacks when there is no web server to protect.
You can also use the packet logging feature to analyze packets for false positive
detection.
For more information about FortiGate logging and alert email, see “Log&Report” on
page 709.
Intrusion Protection settings and controls
You can configure the Intrusion Protection system and then select IPS sensors in
individual firewall protection profiles.
For information about creating IPS sensors, see “Configuring IPS sensors” on page 538.
For information about accessing and modifying the protection profile IPS sensor selection,
see “IPS options” on page 492. For information about creating DoS Sensors, see “DoS
sensors” on page 545.
When to use Intrusion Protection
Intrusion Protection is best for large networks or for networks protecting highly sensitive
information. Using IPS effectively requires monitoring and analysis of the attack logs to
determine the nature and threat level of an attack. An administrator can adjust the
threshold levels to ensure a balance between performance and intrusion prevention.
Small businesses and home offices without network administrators may be overrun with
attack log messages and not have the networking background required to configure the
thresholds and other IPS settings.
However, the other protection features in the FortiGate unit, such as antivirus (including
grayware), spam filters, and web filters offer excellent protection for all networks.
Signatures
The FortiGate Intrusion Protection system can use signatures once you have grouped the
required signatures in an IPS sensor, and then selected the IPS sensor in the protection
profile. If required, you can override the default settings of the signatures specified in an
IPS sensor. The FortiGate unit provides a number of pre-built IPS sensors, but you should
check their settings before using them, to ensure they meet your network requirements.
Note: If virtual domains are enabled on the FortiGate unit, the Intrusion Protection settings
are configured separately in each VDOM. All sensors and custom signatures will appear
only in the VDOM in which they were created.
To Next Page
Loading...
Need help?
General
