Fortinet Network Device IPS Manuel d'utilisateur

www.fortinet.comFortiGateIPS User GuideVersion 3.0 MR7USER GUIDE

FortiGate IPS User Guide Version 3.0 MR710 01-30007-0080-20080916Network performance IPS overview and general configurationTo create an IPS sensor, go

IPS overview and general configuration Monitoring the network and dealing with attacksFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916

FortiGate IPS User Guide Version 3.0 MR712 01-30007-0080-20080916Monitoring the network and dealing with attacks IPS overview and general configuratio

IPS overview and general configuration Monitoring the network and dealing with attacksFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916

FortiGate IPS User Guide Version 3.0 MR714 01-30007-0080-20080916Using IPS sensors in a protection profile IPS overview and general configurationUsing

IPS overview and general configuration Using IPS sensors in a protection profileFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 15Addi

FortiGate IPS User Guide Version 3.0 MR716 01-30007-0080-20080916Using IPS sensors in a protection profile IPS overview and general configuration

Predefined signatures IPS predefined signaturesFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 17Predefined signaturesThis section des

FortiGate IPS User Guide Version 3.0 MR718 01-30007-0080-20080916Viewing the predefined signature list Predefined signaturesBy default, the signatures

Predefined signatures Viewing the predefined signature listFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 19You should also review ex

FortiGate IPS User GuideVersion 3.0 MR7September 16, 200801-30007-0080-20080916© Copyright 2008 Fortinet, Inc. All rights reserved. No part of this pu

FortiGate IPS User Guide Version 3.0 MR720 01-30007-0080-20080916Viewing the predefined signature list Predefined signatures

Custom signatures IPS custom signaturesFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 21Custom signaturesCustom signatures provide th

FortiGate IPS User Guide Version 3.0 MR722 01-30007-0080-20080916Custom signature configuration Custom signaturesCustom signature configurationAdd cus

Custom signatures Creating custom signaturesFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 23Creating custom signaturesCustom signatu

FortiGate IPS User Guide Version 3.0 MR724 01-30007-0080-20080916Creating custom signatures Custom signaturesCustom signature syntaxTable 2: Informati

Custom signatures Creating custom signaturesFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 25Table 4: Content keywordsKeyword and val

FortiGate IPS User Guide Version 3.0 MR726 01-30007-0080-20080916Creating custom signatures Custom signatures--byte_test <bytes_to_convert>, <

Custom signatures Creating custom signaturesFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 27--context {uri | header | body | host};S

FortiGate IPS User Guide Version 3.0 MR728 01-30007-0080-20080916Creating custom signatures Custom signatures--pcre [!]"(/<regex>/|m<del

Custom signatures Creating custom signaturesFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 29Table 5: IP header keywordsKeyword and V

Contents FortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 3ContentsIntroduction ...

FortiGate IPS User Guide Version 3.0 MR730 01-30007-0080-20080916Creating custom signatures Custom signaturesTable 6: TCP header keywordsKeyword and V

Custom signatures Creating custom signaturesFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 31--tcp_flags <FSRPAU120>[!|*|+] [,&

FortiGate IPS User Guide Version 3.0 MR732 01-30007-0080-20080916Creating custom signatures Custom signaturesTable 7: UDP header keywordsKeyword and V

Custom signatures Creating custom signaturesFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 33Example custom signaturesCustom signatur

FortiGate IPS User Guide Version 3.0 MR734 01-30007-0080-20080916Creating custom signatures Custom signaturesThe FortiGate unit will limit its search

Custom signatures Creating custom signaturesFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 35Example 2: signature to block the SMTP ‘

FortiGate IPS User Guide Version 3.0 MR736 01-30007-0080-20080916Creating custom signatures Custom signaturesUse the --protocol tcp keyword to limit t

Protocol decoders Protocol decodersFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 37Protocol decodersThis section describes:• Protoco

FortiGate IPS User Guide Version 3.0 MR738 01-30007-0080-20080916Viewing the protocol decoder list Protocol decodersViewing the protocol decoder listT

IPS sensors Viewing the IPS sensor listFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 39IPS sensorsYou can group signatures into IPS

FortiGate IPS User Guide Version 3.0 MR74 01-30007-0080-20080916Creating custom signatures...

FortiGate IPS User Guide Version 3.0 MR740 01-30007-0080-20080916Configuring IPS sensors IPS sensorsAdding an IPS sensorAn IPS sensor must be created

IPS sensors Configuring IPS sensorsFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 41To view an IPS sensor, go to Intrusion Protection

FortiGate IPS User Guide Version 3.0 MR742 01-30007-0080-20080916Configuring IPS sensors IPS sensorsIPS sensor overrides:Configuring filtersTo configu

IPS sensors Configuring IPS sensorsFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 43The signatures included in the filter are only th

FortiGate IPS User Guide Version 3.0 MR744 01-30007-0080-20080916Configuring IPS sensors IPS sensorsTo edit a pre-defined or custom override, go to In

DoS sensors FortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 45DoS sensorsThe FortiGate IPS uses a traffic anomaly detection feature to

FortiGate IPS User Guide Version 3.0 MR746 01-30007-0080-20080916Viewing the DoS sensor list DoS sensorsViewing the DoS sensor listTo view the anomaly

DoS sensors Configuring DoS sensorsFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 47Figure 13: Edit DoS SensorDoS sensor attributes:A

FortiGate IPS User Guide Version 3.0 MR748 01-30007-0080-20080916Understanding the anomalies DoS sensorsProtected addresses:Each entry in the protecte

DoS sensors Understanding the anomaliesFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 49tcp_dst_session If the number of concurrent T

Introduction The FortiGate IPSFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 5IntroductionThis section introduces you to the FortiGat

FortiGate IPS User Guide Version 3.0 MR750 01-30007-0080-20080916Understanding the anomalies DoS sensors

SYN flood attacks What is a SYN flood attack?FortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 51SYN flood attacksThis section describes

FortiGate IPS User Guide Version 3.0 MR752 01-30007-0080-20080916The FortiGate IPS Response to SYN flood attacks SYN flood attacksAfter the handshakin

SYN flood attacks The FortiGate IPS Response to SYN flood attacksFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 53A true SYN proxy ap

FortiGate IPS User Guide Version 3.0 MR754 01-30007-0080-20080916Configuring SYN flood protection SYN flood attacksConfiguring SYN flood protectionTo

ICMP sweep attacks What is an ICMP sweep?FortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 55ICMP sweep attacksThis section describes:•

FortiGate IPS User Guide Version 3.0 MR756 01-30007-0080-20080916The FortiGate IPS response to ICMP sweep attacks ICMP sweep attacksPredefined ICMP si

ICMP sweep attacks The FortiGate IPS response to ICMP sweep attacksFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 57ICMP sweep anomal

FortiGate IPS User Guide Version 3.0 MR758 01-30007-0080-20080916Configuring ICMP sweep protection ICMP sweep attacksConfiguring ICMP sweep protection

Index FortiGate Version 3.0 MR7 IPS User Guide01-30007-0080-20080916 59IndexAalert emailconfiguring 11anomalieslog messages 13anomalydestination sessi

FortiGate IPS User Guide Version 3.0 MR76 01-30007-0080-20080916About this document IntroductionAbout this documentDocument conventionsThe following d

FortiGate Version 3.0 MR7 IPS User Guide60 01-30007-0080-20080916IndexTtechnical support 8

www.fortinet.com

www.fortinet.com

Introduction Fortinet documentationFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 7• FortiGate Installation GuideDescribes how to ins

FortiGate IPS User Guide Version 3.0 MR78 01-30007-0080-20080916Customer service and technical support IntroductionFortinet Knowledge Center Additiona

IPS overview and general configuration The FortiGate IPSFortiGate IPS User Guide Version 3.0 MR701-30007-0080-20080916 9IPS overview and general conf