FortiGate
vprabhu_FTNT
Staff
Article Id 198360

Description


This article describes an IPS best practice: build IPS sensors that apply only the signatures relevant to a given traffic flow, and attach each sensor to the firewall policies carrying that flow. Scoping sensors this way keeps the IPS engine from evaluating signatures that can never match, which saves FortiGate memory and CPU.


Scope

 

FortiGate.

Solution


See the FortiOS documentation for general IPS best practices.

The IPS sensors below are generic starting points and need further tuning to suit the network and the traffic actually present: restrict the filter entries (location, protocol, application, os) to what the protected hosts really run, so that the engine loads only signatures that can match. An entry that sets only filters keeps each matched signature's default status and action. An entry with rate-count and rate-duration is rate-based: its action is applied only once the signature triggers rate-count times within rate-duration seconds. An entry with quarantine attacker additionally bans the attacking source IP for the quarantine-expiry period.

Apply the following sensors, as appropriate, to the firewall policies that identify the traffic passing through (for example, protect_http_server on the policy to the web servers, REMOTE_DESKTOP on the policy allowing TCP/3389):


config ips sensor
    edit "protect_http_server"
        set comment "Protect against HTTP server-side vulnerabilities."
        config entries
            edit 7
                set rule 43814
                set status enable
                set action block
            next
            edit 8
                set rule 47583
                set status enable
                set action pass
                set rate-count 200
                set rate-duration 5
            next
            edit 1
                set location server
                set protocol HTTP
            next
            edit 4
                set application IIS
            next
            edit 5
                set os Windows
            next
            edit 6
                set protocol HTTPS
            next
            edit 9
                set protocol HTTP
            next
        end
    next
    edit "protect_email_server"
        set comment "Protect against email server-side vulnerabilities."
        config entries
            edit 1
                set location server
                set protocol SMTP POP3 IMAP
            next
        end
    next
    edit "protect_client"
        set comment "Protect against client-side vulnerabilities."
        config entries
            edit 1
                set location client
            next
        end
    next
    edit "high_security"
        set comment "Blocks all Critical/High/Medium and some Low severity vulnerabilities"
        set block-malicious-url enable
        config entries
            edit 1
                set severity medium high critical
                set status enable
                set action block
            next
            edit 2
                set severity low
            next
        end
    next
    edit "IPS_NTP"
        set comment "NTP"
        config entries
            edit 1
                set rule 10094 11853 12072 15051 17557 18046 25572 27915 37285 37576 37578 38074 39859 40201 41642 41679 43446 43523 43859 45736 45946 46254
            next
        end
    next
    edit "REMOTE_DESKTOP"
        set comment "Remote Desktop TCP_3389"
        config entries
            edit 1
                set rule 33106
                set status enable
                set action block
                set rate-count 200
                set rate-duration 10
                set quarantine attacker
                set quarantine-expiry 1h30m
            next
            edit 2
                set rule 11242 17666 17669 28662 29592 32860 35094
            next
        end
    next
    edit "Protect-VOIP-IPS"
        config entries
            edit 5
                set rule 46575
                set status enable
                set action block
                set rate-count 1000
                set rate-duration 10
            next
            edit 6
                set rule 47088
                set status enable
                set action pass
                set rate-count 500
                set rate-duration 1
            next
            edit 3
                set os Linux
                set status enable
                set action pass
            next
            edit 4
                set protocol SIP RTSP RTP RTCP
                set status enable
                set action pass
            next
        end
    next
end
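The sensors above only take effect once they are referenced from a firewall policy. The following is an added example, not part of the original article, showing two of them bound to the policies that carry the matching traffic. The interface names, address objects, policy IDs and names are assumptions for illustration; "deep-inspection" and "RDP" are FortiOS default objects.

```fortios
config firewall policy
    edit 10
        set name "inbound-web-dmz"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-web-server"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "protect_http_server"
        set logtraffic all
    next
    edit 11
        set name "inbound-rdp-jump"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "admin-source-ips"
        set dstaddr "vip-jump-host"
        set action accept
        set schedule "always"
        set service "RDP"
        set utm-status enable
        set ips-sensor "REMOTE_DESKTOP"
        set logtraffic all
    next
end
```

Two checks worth making: utm-status must be enabled on the policy or the ips-sensor setting is ignored, and the HTTPS entries in protect_http_server can only match if the policy uses a deep-inspection (full SSL) profile. With certificate-inspection the payload stays encrypted and the IPS engine never sees it, so those entries consume no resources but also provide no protection.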


The corresponding GUI steps (Security Profiles > Intrusion Prevention) are shown in the screenshot 00ips.png, which is not reproduced here.