
Custom signatures 

Creating custom signatures

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916

35

Example 2: signature to block the SMTP ‘vrfy’ command

The SMTP vrfy command can be used to verify the existence of a single email 
address, or it can be used to list all of the valid email accounts on an email server. 
A spammer could potentially use this command to obtain a list of all valid email 
users and direct spam to their inboxes.

In this example, we will create a custom signature to block the use of the vrfy 
command. Because the custom signature blocks the vrfy command only as it passes 
through the FortiGate unit, the administrator can still use the command on the 
internal network.

1. Custom signature basic format

All custom signatures have a header, and at least one keyword/value pair. The 
header is always the same:

F-SBID( )

The keyword/value pairs appear within the parentheses and each pair is followed 
by a semicolon.

2. Choosing a name for the custom signature

Every custom signature requires a name, so it is good practice to assign a name 
before any other keywords are added.

Use the --name keyword to assign the custom signature a name. The name value 
follows the keyword after a space. Enclose the name value in double quotes:

F-SBID( --name "Block.SMTP.VRFY.CMD"; )

The signature, as it appears here, will not do anything if used. It has a name, but 
doesn’t look for any patterns in network traffic. You must specify a pattern for the 
FortiGate unit to search for.

3. Adding a signature pattern

Use the --pattern keyword to specify what the FortiGate unit will search for:

F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; )

The signature will now detect the vrfy command appearing in network traffic. 
However, the custom signature should only detect the command in SMTP traffic. Any 
other traffic containing the pattern should be allowed to pass. For example, an 
email message discussing the vrfy command should not be stopped.

4. Specifying the service

Use the --service keyword to limit the effect of the custom signature to only the 
SMTP protocol.

F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; )

The FortiGate unit will limit its search for the pattern to the SMTP protocol.

Even though the SMTP protocol uses only TCP traffic, the FortiGate will search 
for SMTP protocol communication in TCP, UDP, and ICMP traffic. This is a 
needless waste of system resources.
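As an added illustration (not code from the FortiGate guide), the following Python model applies the rules stated in steps 1 to 4: it parses an F-SBID signature into its keyword/value pairs, checking the header, the semicolon after each pair and the required --name, and then applies the pattern only to payloads carried by the named service. The service argument is an assumption for the model (the FortiGate unit identifies the protocol itself); the valueless no_case keyword from the guide's Example 1 is handled as well.

```python
import re

# Constructed example: the signature as built up in steps 2 to 4.
SIGNATURE = 'F-SBID( --name "Block.SMTP.VRFY.CMD"; --pattern "vrfy"; --service SMTP; )'

# Step 1: the header is always F-SBID( ... ); the body holds the keyword/value pairs.
_HEADER = re.compile(r'^\s*F-SBID\(\s*(.*?)\s*\)\s*$', re.S)
# One pair: --keyword, an optional value (quoted or bare), and the mandatory ';'.
_PAIR = re.compile(r'--(\w+)(?:\s+("[^"]*"|[^;\s]+))?\s*;')


def parse_signature(sig):
    """Split an F-SBID signature into {keyword: value}; valueless keywords map to None."""
    m = _HEADER.match(sig)
    if not m:
        raise ValueError("missing F-SBID( ... ) header")
    body = m.group(1)
    pairs = {}
    pos = 0
    for pm in _PAIR.finditer(body):
        if body[pos:pm.start()].strip():
            raise ValueError("keyword/value pair not terminated by ';'")
        val = pm.group(2)
        # Quoted values (such as the name) lose their surrounding double quotes.
        pairs[pm.group(1)] = val[1:-1] if val and val.startswith('"') else val
        pos = pm.end()
    if body[pos:].strip():
        raise ValueError("keyword/value pair not terminated by ';'")
    if "name" not in pairs:
        raise ValueError("--name is required")  # step 2
    return pairs


def matches(pairs, service, payload):
    """Apply a parsed signature to one payload; 'service' is the protocol the traffic belongs to."""
    pattern = pairs.get("pattern")
    if pattern is None:
        return False  # a name-only signature looks for nothing (step 2)
    if "service" in pairs and pairs["service"].upper() != service.upper():
        return False  # --service limits the search to that protocol (step 4)
    if "no_case" in pairs:  # keyword without a value (guide's Example 1)
        return pattern.lower() in payload.lower()
    return pattern in payload  # patterns are case sensitive by default
```

Note that with the pattern "vrfy" as written, a client sending the command in upper case is not matched unless --no_case is added.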

5. Specifying the traffic type
