Intrusion Protection
DoS sensors
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
469
Figure 301: IPS Packet Log Viewer
5 Select the packet to view the packet in binary and ASCII. Each table row represents a captured packet.
6 Select Save to save the packet data in a PCAP-formatted file.
PCAP files can be opened and examined in network analysis software such as Wireshark.
DoS sensors
The FortiGate IPS uses a traffic anomaly detection feature to identify network traffic that
does not fit known or common traffic patterns and behavior. For example, one type of
flooding is the denial of service (DoS) attack that occurs when an attacking system starts
an abnormally large number of sessions with a target system. The large number of
sessions slows down or disables the target system so legitimate users can no longer use
it. This type of attack gives the DoS sensor its name, although it is capable of detecting
and protecting against a number of anomaly attacks.
You can enable or disable logging for each traffic anomaly, and configure the detection
threshold and action to take when the detection threshold is exceeded.
You can create multiple DoS sensors. Each sensor consists of 12 anomaly types that you
can configure. Each sensor examines the network traffic in sequence, from top to bottom.
When a sensor detects an anomaly, it applies the configured action. Multiple sensors
allow great granularity in detecting anomalies because each sensor can be configured to
examine traffic from a specific address, to a specific address, on a specific port, in any
combination.
When arranging the DoS sensors, place the most specific sensors at the top and the most
general at the bottom. For example, a sensor with one protected address table entry that
includes all source addresses, all destination addresses, and all ports will match all traffic.
If this sensor is at the top of the list, no subsequent sensors will ever execute.
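The first-match ordering rule described above, as an added example that is not part of the FortiGate documentation: a small Python model of DoS sensors with source/destination/port filters, evaluated top to bottom, plus a check that reports sensors a more general earlier sensor shadows. The Sensor fields, the sensor names and the addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "0.0.0.0/0"  # wildcard for "all source/destination addresses"


@dataclass(frozen=True)
class Sensor:
    """Hypothetical DoS sensor: one protected-address entry plus an action."""
    name: str
    src: str           # CIDR of source addresses the sensor examines
    dst: str           # CIDR of destination addresses the sensor examines
    port: Optional[int]  # None means "any port"
    action: str

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (self.port is None or self.port == port))

    def covers(self, other: "Sensor") -> bool:
        """True if every packet matched by `other` is also matched by self."""
        return (ipaddress.ip_network(other.src).subnet_of(ipaddress.ip_network(self.src))
                and ipaddress.ip_network(other.dst).subnet_of(ipaddress.ip_network(self.dst))
                and (self.port is None or self.port == other.port))


def first_match(sensors: List[Sensor], src_ip: str, dst_ip: str, port: int) -> Optional[str]:
    """Sensors run in list order; the first one whose filter matches applies its action."""
    for sensor in sensors:
        if sensor.matches(src_ip, dst_ip, port):
            return sensor.name
    return None


def shadowed(sensors: List[Sensor]) -> List[str]:
    """Names of sensors that can never execute because an earlier sensor covers them."""
    return [s.name for i, s in enumerate(sensors)
            if any(earlier.covers(s) for earlier in sensors[:i])]


# Constructed sensors: a specific one for a web subnet and a match-everything one.
WEB = Sensor("web-servers", ANY, "10.0.1.0/24", 80, "block")
CATCH_ALL = Sensor("catch-all", ANY, ANY, None, "pass")
BAD_ORDER = [CATCH_ALL, WEB]   # general sensor on top: WEB never runs
GOOD_ORDER = [WEB, CATCH_ALL]  # most specific first, as the guide recommends

if __name__ == "__main__":
    print("bad order  ->", first_match(BAD_ORDER, "198.51.100.7", "10.0.1.10", 80),
          "shadowed:", shadowed(BAD_ORDER))
    print("good order ->", first_match(GOOD_ORDER, "198.51.100.7", "10.0.1.10", 80),
          "shadowed:", shadowed(GOOD_ORDER))
```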
The traffic anomaly detection list can be updated only when the FortiGate firmware image
is upgraded.