Intrusion Protection
IPS sensors
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
Packet logging
Packet logging is a way to debug custom signatures, or to see how any signature is functioning in your network environment.
If a signature is selected in a custom override and packet logging is enabled, the FortiGate unit will save any network packet triggering the signature to memory, the internal hard drive (if so equipped), a FortiAnalyzer unit, or the FortiGuard Analysis and Management Service. These saved packets can later be viewed and saved in PCAP format for closer examination.
Configuring packet logging
Packet logging saves the network packets containing an IPS signature to the attack log. The FortiGate unit will save the logged packets to wherever the logs are configured to be stored, whether memory, the internal hard drive, a FortiAnalyzer unit, or the FortiGuard Analysis and Management Service.
You can enable packet logging only in signature overrides. It is not an available option in IPS sensors or filters because enabling packet logging on a large number of signatures could produce an unusably large amount of data. Packet logging is designed as a focused diagnostic tool.
There are a number of CLI commands available to further configure packet logging. When logging to memory, the packet-log-memory command defines the maximum amount of memory that is used to store logged packets. This command only takes effect when logging to memory.
Since the packet containing the signature is sometimes not sufficient on its own to troubleshoot a problem, the packet-log-history command allows you to specify how many packets are captured when an IPS signature is found in a packet. If the value is set to larger than 1, the packet containing the signature is saved in the packet log, as well as those preceding it, with the total number of logged packets equalling the value. For example, if packet-log-history is set to 7, the FortiGate unit will save the packet containing the IPS signature and the six before it.
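As an added illustration of the packet-log-history behaviour described above (example code written for this page, not FortiGate's or the guide's own): a hypothetical PacketLogger keeps a ring buffer of the most recent packets so that, when a constructed signature pattern matches, the triggering packet and the history-1 packets before it are retained and can be serialized to PCAP. The memory_limit parameter stands in for packet-log-memory, and signature matching is simplified to a byte substring.

```python
import struct
from collections import deque

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_USER0 = 147  # private link type: the constructed packets below are bare payloads

def pcap_bytes(packets):
    """Serialize (timestamp, payload) pairs as a libpcap file with microsecond timestamps."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_USER0)]
    for ts, data in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out.append(struct.pack("<IIII", sec, usec, len(data), len(data)) + data)
    return b"".join(out)

class PacketLogger:
    """Ring buffer of the last `history` packets. On a signature hit, the trigger packet and
    the history-1 packets before it are logged, subject to a byte cap. Hypothetical model of
    packet-log-history and packet-log-memory, not the FortiGate implementation."""
    def __init__(self, signatures, history=1, memory_limit=4096):
        if history < 1:
            raise ValueError("history must be at least 1")
        self.signatures = signatures       # {name: byte pattern}, constructed
        self.ring = deque(maxlen=history)  # oldest packets fall off automatically
        self.memory_limit = memory_limit   # bytes of packet data we may keep in memory
        self.used = 0
        self.captures = []                 # [(signature name, [(ts, data), ...])]

    def observe(self, ts, data):
        """Feed one packet; return the matching signature name, or None."""
        self.ring.append((ts, data))
        for name, pattern in self.signatures.items():
            if pattern in data:
                snapshot = list(self.ring)  # trigger plus up to history-1 predecessors
                size = sum(len(d) for _, d in snapshot)
                if self.used + size > self.memory_limit:
                    return None             # cap reached: match seen, nothing logged
                self.used += size
                self.captures.append((name, snapshot))
                return name
        return None

def demo(history=7):
    """Constructed flow: ten benign packets, then one carrying the signature pattern."""
    logger = PacketLogger({"constructed.sig": b"EVIL"}, history=history)
    flow = [(1.0 + i * 0.01, b"pkt%d" % i) for i in range(10)]
    flow.append((1.2, b"GET /EVIL HTTP/1.1"))
    for ts, data in flow:
        logger.observe(ts, data)
    return logger
```

With history=7 the capture holds the trigger packet and the six before it, which is the case the guide walks through; pcap_bytes(capture) produces a file that standard packet analysers can open.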
Method
Select Attacker’s IP address to block all traffic sent from the attacker’s IP address. The attacker’s IP address is also added to the banned user list. The target’s address is not affected.
Select Attacker and Victim IP Addresses to block all traffic sent from the attacker’s IP address to the target (victim’s) IP address. Traffic from the attacker’s IP address to addresses other than the victim’s IP address is allowed. The attacker’s and target’s IP addresses are added to the banned user list as one entry.
Select Attack’s Incoming Interface to block all traffic from connecting to the FortiGate interface that received the attack. The interface is added to the banned user list.
Expires
You can select whether the attacker is banned indefinitely or for a specified number of days, hours, or minutes.
Exempt IP
Enter IP addresses to exclude from the override. The override will then apply to all IP addresses except those defined as exempt. The exempt IP addresses are defined in pairs, with a source and destination, and traffic moving from the source to the destination is exempt from the override.
Source
The exempt source IP address. Enter 0.0.0.0/0 to include all source IP addresses.
Destination
The exempt destination IP address. Enter 0.0.0.0/0 to include all destination IP addresses.