
Fortinet Gate 60D - Adding an IPS Sensor; Configuring IPS Sensors

IPS sensors Intrusion Protection
FortiGate Version 4.0 Administration Guide
462 01-400-89802-20090424
http://docs.fortinet.com/Feedback
Adding an IPS sensor
An IPS sensor must be created before it can be configured by adding filters and overrides.
To create an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor and select
Create New.
Figure 296: New IPS sensor
Configuring IPS sensors
Each IPS sensor consists of two parts: filters and overrides. Overrides are always
checked before filters.
Each filter consists of a number of signature attributes. All of the signatures with those
attributes, and only those attributes, are checked against traffic when the filter is run. If
multiple filters are defined in an IPS Sensor, they are checked against the traffic one at a
time, from top to bottom. If a match is found, the FortiGate unit takes the appropriate
action and stops further checking.
A signature override can modify the behavior of a signature specified in a filter. A signature
override can also add a signature not specified in the sensor’s filters. Custom signatures
are included in an IPS sensor using overrides.
The signatures in the overrides are first compared to network traffic. If the IPS sensor
does not find any matches, it then compares the signatures in each filter to network traffic,
one filter at a time, from top to bottom. If no signature matches are found, the IPS sensor
allows the network traffic.
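
The evaluation order described above, modeled in Python. This is an added example, not code from the FortiGate guide or from FortiOS; the signature names, attribute strings and actions are constructed sample values, and the model covers only the ordering logic (overrides first, then filters top to bottom, first match stops checking, no match allows).

```python
from dataclasses import dataclass

# All names, attributes and actions below are constructed sample values.
@dataclass(frozen=True)
class Signature:
    name: str
    attrs: frozenset      # e.g. {"severity:high", "protocol:HTTP"}

@dataclass(frozen=True)
class Filter:
    name: str
    attrs: frozenset      # selects every signature carrying all of these
    action: str

def evaluate(triggered, catalog, overrides, filters):
    """Return (matched_by, action) for traffic that triggers the named signatures.

    overrides: {signature name: action}, always checked before filters.
    filters:   list checked top to bottom; the first match stops checking.
    """
    for name, action in overrides.items():
        if name in triggered:
            return ("override:" + name, action)
    for flt in filters:
        for sig in catalog:
            if flt.attrs <= sig.attrs and sig.name in triggered:
                return ("filter:" + flt.name, flt.action)
    return ("none", "allow")   # no signature matched: traffic is allowed

CATALOG = [
    Signature("Sample.HTTP.Overflow", frozenset({"severity:high", "target:server", "protocol:HTTP"})),
    Signature("Sample.SMTP.Probe", frozenset({"severity:low", "target:server", "protocol:SMTP"})),
    Signature("Sample.Browser.Exploit", frozenset({"severity:high", "target:client", "protocol:HTTP"})),
]
FILTERS = [
    Filter("http-pass", frozenset({"protocol:HTTP"}), "pass"),
    Filter("high-block", frozenset({"severity:high"}), "block"),
]
OVERRIDES = {"Sample.Browser.Exploit": "block"}

if __name__ == "__main__":
    for sig in CATALOG:
        print(sig.name, evaluate({sig.name}, CATALOG, OVERRIDES, FILTERS))
    # Reordering the filters changes the verdict for the high-severity HTTP signature.
    print(evaluate({"Sample.HTTP.Overflow"}, CATALOG, OVERRIDES, FILTERS[::-1]))
```

With the sample data, the high-severity HTTP signature is passed because the broader HTTP filter sits above the blocking filter; reversing the filter order blocks it.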
To view an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor and select the Edit
icon of any IPS sensor. The Edit IPS Sensor window is divided into three parts: the sensor
attributes, Filters, and Overrides.
all_default: Includes all signatures. The sensor is set to use the default enable status and action of each signature.
all_default_pass: Includes all signatures. The sensor is set to use the default enable status of each signature, but the action is set to pass.
protect_client: Includes only the signatures designed to detect attacks against clients; uses the default enable status and action of each signature.
protect_email_server: Includes only the signatures designed to detect attacks against servers and the SMTP, POP3, or IMAP protocols; uses the default enable status and action of each signature.
protect_http_server: Includes only the signatures designed to detect attacks against servers and the HTTP protocol; uses the default enable status and action of each signature.

Name: Enter the name of the new IPS sensor.
Comment: Enter an optional comment to display in the IPS sensor list.
