FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916
IPS sensors
Adding an IPS sensor
An IPS sensor must be created before it can be configured by adding filters and overrides. To create an IPS sensor, go to Intrusion Protection > IPS Sensor and select Create New.
Figure 8: New IPS sensor
Configuring IPS sensors
Each IPS sensor consists of two parts: filters and overrides. Overrides are always checked before filters.
Each filter consists of a number of signature attributes. All of the signatures with those attributes, and only those attributes, are checked against traffic when the filter is run. If multiple filters are defined in an IPS sensor, they are checked against the traffic one at a time, from top to bottom. If a match is found, the FortiGate unit takes the appropriate action and stops further checking.
A signature override can modify the behavior of a signature specified in a filter. A signature override can also add a signature not specified in the sensor’s filters. Custom signatures are included in an IPS sensor using overrides.
The signatures in the overrides are first compared to network traffic. If the IPS sensor does not find any matches, it then compares the signatures in each filter to network traffic, one filter at a time, from top to bottom. If no signature matches are found, the IPS sensor allows the network traffic.
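
The evaluation order described above, modelled as an added example (this is not Fortinet code and not part of the original guide). The signature names, attribute labels, and the rule that a filter selects every signature carrying all of the filter's attributes are assumptions made for illustration; filters here use each signature's default action and enable status.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Signature:
    name: str
    attrs: frozenset        # constructed attribute labels
    action: str             # default action: "pass" or "block"
    enabled: bool = True    # default enable status

@dataclass(frozen=True)
class Override:
    signature: str          # signature name; may appear in no filter at all
    action: str             # action that replaces the signature default

@dataclass(frozen=True)
class Filter:
    name: str
    attrs: frozenset        # assumption: selects signatures carrying all of these

def evaluate(overrides, filters, catalog, hits):
    """Return (action, matched_by, signature) for one flow.

    hits is the set of signature names whose pattern matches the flow.
    """
    # Stage 1: overrides are always compared to the traffic first.
    for ov in overrides:
        if ov.signature in hits:
            return ov.action, "override", ov.signature
    # Stage 2: filters, top to bottom; the first match stops further checking.
    for flt in filters:
        for sig in catalog:
            if sig.enabled and flt.attrs <= sig.attrs and sig.name in hits:
                return sig.action, flt.name, sig.name
    # No signature matched: the sensor allows the traffic.
    return "allow", None, None

# Constructed sample data; none of these names come from a real signature set.
CATALOG = [
    Signature("Sample.HTTP.Overflow", frozenset({"server", "HTTP"}), "block"),
    Signature("Sample.SMTP.Probe", frozenset({"server", "SMTP"}), "pass"),
    Signature("Sample.Browser.Exploit", frozenset({"client", "HTTP"}), "block",
              enabled=False),
]
FILTERS = [Filter("web-servers", frozenset({"server", "HTTP"})),
           Filter("all-servers", frozenset({"server"}))]
OVERRIDES = [Override("Sample.HTTP.Overflow", "pass"),   # changes a filtered signature
             Override("Custom.Internal.App", "block")]   # custom signature, in no filter
```

Because overrides are checked first, the `pass` override on `Sample.HTTP.Overflow` takes effect even though the `web-servers` filter would have blocked the same traffic, which is why overrides deserve review whenever a sensor is audited.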
protect_client
Includes only the signatures designed to detect attacks against clients; uses the default enable status and action of each signature.
protect_email_server
Includes only the signatures designed to detect attacks against servers and the SMTP, POP3, or IMAP protocols; uses the default enable status and action of each signature.
protect_http_server
Includes only the signatures designed to detect attacks against servers and the HTTP protocol; uses the default enable status and action of each signature.
Name
Enter the name of the new IPS sensor.
Comment
Enter an optional comment to display in the IPS sensor list.