FortiGate IPS operation training

Presentation on theme: "FortiGate IPS operation training"— Presentation transcript:

1 FortiGate IPS operation training
5. 8 Alvin Lee from Korea

2 FortiGate reference site

3 FortiGate reference site
kc.fortinet.com
docs.fortinet.com
www.fortiguardcenter.com

4 IPS Signature

5 Predefined signatures: over 4300 signatures and 4500 patterns are provided.

6 IPS Performance Tune-up
Fine tuning the IPS predefined signatures for better system performance. By default the FortiGate unit has most of the predefined signatures enabled and logs all of them. Fine tuning means turning off the signatures and logs you do not use: not every system needs to scan for every signature in the IPS suite all the time. Note that in FortiOS v2.80 releases, enabling IM/P2P detection can improve IPS performance, because once the FortiGate unit has identified an IM/P2P session from its first few packets it stops scanning that session, which raises overall throughput. In FortiOS v3.0 releases the defaults are already set for the best performance.
Practical steps:
- disable the signatures and logging you do not use
- turn off features you are not using through the IPS Sensor
- restrict the sensor to the signatures that fit the protected hosts (severity, target, OS, protocol, application columns) through the IPS Sensor
- limit the protection target through the firewall policy's 5-tuple rule match, so that traffic which does not need inspection never reaches the IPS database scan

7 Protocol Decoder: the FortiGate IPS identifies abnormal traffic patterns (traffic that does not conform to the protocol standard and its requirements) through protocol decoders, and the decoders are kept up to date through the FortiGuard Distribution Network (FDN).

8 Custom IPS signature syntax
Form: HEADER KEYWORD VALUE, written as F-SBID( --KEYWORD VALUE; )
FortiOS 3.0 MR6 supports a maximum of 255 custom signatures per VDOM.
HEADER
- the whole signature is at most 1000 characters
- it must start with F-SBID
KEYWORD
- at most 64 keywords per signature
- keyword names are English words of 1-19 characters, with '_' between words
VALUE
- if the value is NULL, leave a space between the KEYWORD and the terminating ';'
- if the value contains a space, '/' or ';', enclose it in double quotes
- values are case sensitive (use --no_case for a case-insensitive pattern)

9 Custom IPS signature syntax
KEYWORD groups:
1. Informational keywords: attack_id, name
2. Session keywords: flow, service
3. Content keywords: content, uri, pattern, pcre, context, offset, depth, distance, within, no_case, byte_test, byte_jump
4. IP header keywords: ip_tos, ip_id, ip_option, ip_ttl, src_addr, dst_addr, protocol
5. TCP header keywords: src_port, dst_port, tcp_flags, seq, ack, window_size
6. UDP header keywords: src_port, dst_port (the same port keywords as TCP)
7. ICMP keywords: icmp_type, icmp_code, icmp_id, icmp_seq
8. Other keywords: same_ip, rpc_num, data_size, data_at
For more detail, see the FortiGate_IPS_Guide.

10 packet interception procedure
Blocking applications (IM, P2P, etc.): to block a specific application, first trace its packets and block the unwanted destination IP addresses and ports, because these programs first connect to a set of predefined servers. Alternatively, block the application with a custom IPS signature: sniff the packets and choose a suitable pattern from the stream contents.

11 Custom IPS signature example
Name / Signature
Another attack
F-SBID( --name "Another attack"; --attack_id 6149; --protocol tcp; --flow from_client; --content "the_attack"; --no_case)
Block.HTTP.POST
F-SBID( --attack_id 1509; --name "Block.HTTP.POST"; --protocol tcp; --service HTTP; --flow from_client; --pattern "POST";)
Block.SMTP.VRFY.CMD
F-SBID( --attack_id 6714; --name "Block.SMTP.VRFY.CMD"; --protocol tcp; --service SMTP; --pattern "vrfy"; --no_case; --context header; )
Block.Yahoo
F-SBID( --attack_id 9174; --name "Block.Yahoo"; --protocol tcp; --service HTTP; --flow from_client; --pattern "yahoo.com"; --no_case; --context host; )
Detect.Dst.IP
F-SBID( --attack_id 1949; --name "Detect.Dst.IP"; --protocol icmp; --dst_addr ; )
MSN.Image.SafeSearch.Off
F-SBID( --attack_id 6168; --name "MSN.Image.SafeSearch.Off"; --protocol tcp; --service HTTP; --flow from_client; --parsed_type HTTP_GET; --pattern "/images/"; --context uri; --no_case; --pattern "q="; --context uri; --no_case; --distance 0; --pattern "Referer:"; --no_case; --context header; --pattern ".live.com/"; --no_case; --context header; --distance 0; --within 30; --pattern "Cookie:"; --context header; --no_case; --pattern "ADLT=OFF"; --context header; --no_case; --distance 0; --within 700;)
Ping.Death
F-SBID( --attack_id 1842; --name "Ping.Death"; --protocol icmp; --data_size >32000; )
TeamViewer.DynGate.Connection.A
F-SBID( --attack_id 3073; --name "TeamViewer.DynGate.Connection.A"; --protocol tcp; --service HTTP; --flow from_client; --pattern "/din.aspx?"; --no_case; --context uri; --pattern "client=DynGate"; --no_case; --context uri; --distance 0; )
TeamViewer.DynGate.Connection.B
F-SBID( --attack_id 3074; --name "TeamViewer.DynGate.Connection.B"; --protocol tcp; --flow from_client; --seq 1,relative; --pattern "| f 00 a3|"; --within 6,packet; --data_size 164; )
nude
F-SBID( --name "nude"; --attack_id 3990; --protocol tcp; --pattern "nude cheerleader"; --no_case)

12 PCRE KEYWORD

13 PCRE KEYWORD
First version of the signature, as written on the slide (the "/s" inside the first group is a stray modifier and is not valid inside the pattern body; the simplified form below is the one to use):
F-SBID( --protocol tcp; --pcre "/(^PVER\b/s)(\b[0-9]+\.[0-9]+\b)(\b[0-9]+\.[0-9]+)/" --name "NateOn";)
You can test the expression on a PC with Perl (as printed, the echo string carries no version numbers after PVER, so the pattern will not match it; feed it a real PVER line):
echo "PVER " | perl -ane 'if (/PVER\s+[0-9\.]+\s+[0-9\.]+/) { print "Matched\n" }'
Simplified signature:
F-SBID( --protocol tcp; --pcre "/PVER\s+[0-9\.]+\s+[0-9\.]+/" --name "NateOn";)
--pcre (Perl-compatible regular expression) elements used above:
/ ... / : delimiters around the pattern; letters after the closing / are modifiers, not part of the pattern
\s : any whitespace character
^ : anchored at the start of the data
PVER : the literal word itself
\b : word boundary
/s : single-line modifier (. also matches a newline)
( ) : group (start and end of a sub-pattern)
[0-9] : character class matching the digits 0 to 9
+ : one or more of the preceding element
\. : a literal dot
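The syntax rules from slides 8 and 9, the signatures from slide 11 and the PCRE test from slide 13 can all be checked offline before a signature is pasted into a FortiGate. The following Python is an added example written for this page; it is not Fortinet code and not the FortiGate IPS engine. parse_signature() enforces the header, keyword and value rules quoted above, and matches_payload() applies the content-style keywords (--pattern/--content with --no_case, --pcre, --data_size) to a raw payload, using Python's re module as a stand-in for PCRE. Context keywords (uri, header, host), --flow, --service, --distance and --within are parsed but ignored by the matcher, so it only approximates what the appliance does; the payloads are constructed, not captured traffic.

```python
import re

MAX_LEN = 1000        # whole signature, from slide 8
MAX_KEYWORDS = 64     # keywords per signature, from slide 8
KEYWORD_RE = re.compile(r'[A-Za-z_]{1,19}')   # English words joined by '_', 1-19 chars


class SignatureError(ValueError):
    """Raised when a signature breaks one of the F-SBID syntax rules."""


def parse_signature(sig):
    """Split 'F-SBID( --kw value; --flag; ...)' into [(keyword, value or None), ...].
    Checks the F-SBID( ... ) wrapper, the 1000-character and 64-keyword limits, keyword
    names of 1-19 letters/underscores, and double quotes around any value containing
    a space, '/' or ';'. Values are returned exactly as written (case is kept)."""
    sig = sig.strip()
    if len(sig) > MAX_LEN:
        raise SignatureError('signature exceeds %d characters' % MAX_LEN)
    m = re.fullmatch(r'F-SBID\s*\((.*)\)', sig, re.S)
    if not m:
        raise SignatureError('signature must be wrapped as F-SBID( ... )')
    body, pos, pairs = m.group(1), 0, []
    while True:
        while pos < len(body) and body[pos] in ' \t\r\n;':   # option separators
            pos += 1
        if pos >= len(body):
            break
        if not body.startswith('--', pos):
            raise SignatureError('expected --keyword at %r' % body[pos:pos + 12])
        pos += 2
        km = KEYWORD_RE.match(body, pos)
        if not km or (km.end() < len(body) and body[km.end()] not in ' \t;'):
            raise SignatureError('bad keyword name at %r' % body[pos:pos + 20])
        kw, pos = km.group(0), km.end()
        while pos < len(body) and body[pos] in ' \t':
            pos += 1
        if pos >= len(body) or body[pos] == ';':
            pairs.append((kw, None))          # flag keyword, e.g. --no_case or "--dst_addr ;"
            continue
        if body[pos] == '"':
            end = body.find('"', pos + 1)
            if end < 0:
                raise SignatureError('unterminated quote in --%s' % kw)
            val, pos = body[pos + 1:end], end + 1
        else:                                 # bare value runs to the next ';'
            end = body.find(';', pos)
            end = len(body) if end < 0 else end
            val, pos = body[pos:end].strip(), end
            if ' ' in val or '/' in val:
                raise SignatureError('--%s value %r must be double-quoted' % (kw, val))
        pairs.append((kw, val))
    if len(pairs) > MAX_KEYWORDS:
        raise SignatureError('more than %d keywords' % MAX_KEYWORDS)
    return pairs


def is_valid(sig):
    try:
        parse_signature(sig)
        return True
    except SignatureError:
        return False


def decode_pattern(val):
    """--pattern/--content value to bytes; text between | | is hex, as in "| f 00 a3|"."""
    out = b''
    for i, seg in enumerate(val.split('|')):
        out += bytes(int(tok, 16) for tok in seg.split()) if i % 2 else seg.encode('latin-1')
    return out


def compile_pcre(val):
    """Map the /pattern/flags form of --pcre onto Python's re (i, s, m modifiers only)."""
    m = re.fullmatch(r'/(.*)/([ism]*)', val, re.S)
    if not m:
        raise SignatureError('--pcre value must look like /pattern/flags')
    flags = sum({'i': re.I, 's': re.S, 'm': re.M}[f] for f in m.group(2))
    return re.compile(m.group(1).encode('latin-1'), flags)


def matches_payload(sig, payload):
    """Toy matcher: apply --pattern/--content (+--no_case), --pcre and --data_size to a raw
    payload in signature order, each search starting where the previous match ended."""
    checks = []
    for kw, val in parse_signature(sig):
        if kw in ('pattern', 'content', 'pcre', 'data_size'):
            checks.append([kw, val, False])
        elif kw == 'no_case' and checks and checks[-1][0] in ('pattern', 'content'):
            checks[-1][2] = True              # --no_case modifies the preceding pattern
    pos = 0
    for kind, val, nocase in checks:
        if kind == 'data_size':               # forms: 164, >32000, <64
            op, num = (val[0], int(val[1:])) if val[0] in '<>' else ('=', int(val))
            if not {'>': len(payload) > num, '<': len(payload) < num, '=': len(payload) == num}[op]:
                return False
        elif kind == 'pcre':
            m = compile_pcre(val).search(payload, pos)
            if not m:
                return False
            pos = m.end()
        else:
            needle, hay = decode_pattern(val), payload
            if nocase:
                needle, hay = needle.lower(), hay.lower()
            idx = hay.find(needle, pos)
            if idx < 0:
                return False
            pos = idx + len(needle)
    return True


# Signatures copied from slides 11 and 13; the payloads they are tested against are constructed.
NATEON = r'F-SBID( --protocol tcp; --pcre "/PVER\s+[0-9\.]+\s+[0-9\.]+/" --name "NateOn";)'
PING_DEATH = 'F-SBID( --attack_id 1842; --name "Ping.Death"; --protocol icmp; --data_size >32000; )'
SMTP_VRFY = ('F-SBID( --attack_id 6714; --name "Block.SMTP.VRFY.CMD"; --protocol tcp; '
             '--service SMTP; --pattern "vrfy"; --no_case; --context header; )')
TEAMVIEWER_B = ('F-SBID( --attack_id 3074; --name "TeamViewer.DynGate.Connection.B"; --protocol tcp; '
                '--flow from_client; --seq 1,relative; --pattern "| f 00 a3|"; --within 6,packet; --data_size 164; )')
```

Calling matches_payload(NATEON, b'PVER 3.0 1.0\r\n') returns True and matches_payload(NATEON, b'PVER \r\n') returns False, which is the same check the slide's Perl one-liner performs; is_valid('F-SBID( --name x y;)') returns False because a bare value containing a space must be quoted. The matcher deliberately does not model --context, so a signature such as Block.Yahoo will match "yahoo.com" anywhere in the payload here, whereas the appliance only looks in the Host header.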

14 Custom Signature log

15 IPS Sensor

16 Default IPS Sensor

17 IPS Sensor edit

18 IPS Filter edit: apply the filter to the protected objects by severity, target, OS, protocol and application

19 Configure IPS Override
Use when changing the settings of a specific signature.

20 Custom IPS Override: use when applying a specific custom signature.

21 DoS Sensor

22 SYN flooding attack

23 SYN flooding attack: changing the default values
syn_flood: SYN packet rate (pps) of new TCP connections, including retransmissions, to one destination IP
portscan: SYN packet rate (pps) of new TCP connections, including retransmissions, from one source IP
tcp_dst_session: number of concurrent TCP connections to one destination IP
tcp_src_session: number of concurrent TCP connections from one source IP
udp_flood: UDP packet rate (pps) to one destination IP
udp_scan: UDP session creation rate (pps) from one source IP
udp_dst_session: number of concurrent UDP sessions to one destination IP
udp_src_session: number of concurrent UDP sessions from one source IP
icmp_flood: ICMP packet rate (pps) to one destination IP
icmp_sweep: ICMP session creation rate (pps) from one source IP
icmp_dst_session: number of concurrent ICMP sessions to one destination IP
icmp_src_session: number of concurrent ICMP sessions from one source IP
To change a default value: if a server receives a lot of legitimate traffic (a busy web server), raise its threshold so that normal load is not treated as an anomaly.
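To make the difference between the rate anomalies (packets per second to one destination or from one source) and the concurrent-session anomalies concrete, the following Python replays constructed traffic against the anomaly definitions above. It is an added example for this page, not Fortinet code and not how the FortiGate DoS sensor is implemented; the threshold values are illustrative and are not FortiOS defaults, and the addresses and packet events are constructed, not captured.

```python
from collections import defaultdict

# Illustrative thresholds for the anomalies listed on slide 23 (not FortiOS defaults).
# Rate anomalies are packets per second; *_session anomalies count sessions currently open.
THRESHOLDS = {
    'syn_flood': 100, 'portscan': 50, 'tcp_dst_session': 1000, 'tcp_src_session': 200,
    'udp_flood': 500, 'udp_scan': 50, 'udp_dst_session': 1000, 'udp_src_session': 200,
    'icmp_flood': 200, 'icmp_sweep': 50, 'icmp_dst_session': 500, 'icmp_src_session': 100,
}
# The slide's advice for a busy web server: raise the per-destination SYN rate threshold.
BUSY_SERVER = dict(THRESHOLDS, syn_flood=2000)


def evaluate(events, thresholds=THRESHOLDS):
    """Replay (second, proto, src, dst, flow_id, action) events, action being 'new'
    (SYN or first packet of a flow), 'data' (a later packet) or 'close'.
    Returns [(second, anomaly, offending_ip), ...] in the order thresholds are crossed."""
    rate = defaultdict(int)        # (anomaly, ip, second) -> packets in that second
    concurrent = defaultdict(int)  # (anomaly, ip) -> sessions open right now
    sessions = {}                  # flow_id -> (proto, src, dst)
    fired, alerts = set(), []

    def check(anomaly, ip, count, second, mark):
        if count > thresholds[anomaly] and mark not in fired:
            fired.add(mark)
            alerts.append((second, anomaly, ip))

    for second, proto, src, dst, flow, action in events:
        # Concurrent-session anomalies: each 5-tuple counts once while it is open.
        if action == 'new' and flow not in sessions:
            sessions[flow] = (proto, src, dst)
            for anomaly, ip in ((proto + '_dst_session', dst), (proto + '_src_session', src)):
                concurrent[(anomaly, ip)] += 1
                check(anomaly, ip, concurrent[(anomaly, ip)], second, (anomaly, ip))
        elif action == 'close':
            if flow in sessions:
                p, s, d = sessions.pop(flow)
                for anomaly, ip in ((p + '_dst_session', d), (p + '_src_session', s)):
                    concurrent[(anomaly, ip)] -= 1
                    fired.discard((anomaly, ip))   # may alert again if it climbs back
            continue
        # Rate anomalies, counted per second. A retransmitted SYN is another 'new' event
        # for the same flow: it adds to the rate but not to the session count.
        if proto == 'tcp':
            hits = [('syn_flood', dst), ('portscan', src)] if action == 'new' else []
        else:   # udp / icmp: every packet counts toward *_flood, new flows toward scan/sweep
            hits = [(proto + '_flood', dst)]
            if action == 'new':
                hits.append(('udp_scan' if proto == 'udp' else 'icmp_sweep', src))
        for anomaly, ip in hits:
            rate[(anomaly, ip, second)] += 1
            check(anomaly, ip, rate[(anomaly, ip, second)], second, (anomaly, ip, second))
    return alerts


def build_events():
    """Constructed traffic (not a capture) against one server, 10.0.0.5."""
    server, ev = '10.0.0.5', []
    for i in range(150):          # second 0: SYN flood from 150 spoofed sources
        ev.append((0, 'tcp', '198.51.100.%d' % (i + 1), server, 'flood-%d' % i, 'new'))
    for port in range(1, 61):     # second 1: one host probes 60 ports
        ev.append((1, 'tcp', '10.0.0.9', server, 'scan-%d' % port, 'new'))
    for i in range(120):          # second 2: 120 distinct clients each open one connection
        ev.append((2, 'tcp', '203.0.113.%d' % (i + 1), server, 'web-%d' % i, 'new'))
    for second in range(3, 8):    # seconds 3-7: one client opens 50 connections/s and holds them
        for i in range(50):
            ev.append((second, 'tcp', '10.0.0.7', server, 'hog-%d-%d' % (second, i), 'new'))
    for second in range(3, 8):    # second 8: it finally closes them all
        for i in range(50):
            ev.append((8, 'tcp', '10.0.0.7', server, 'hog-%d-%d' % (second, i), 'close'))
    return ev


if __name__ == '__main__':
    for alert in evaluate(build_events()):
        print('default thresholds:', alert)
    for alert in evaluate(build_events(), BUSY_SERVER):
        print('busy-server thresholds:', alert)
```

With the illustrative defaults the replay reports syn_flood at second 0 (the spoofed flood), portscan at second 1, syn_flood again at second 2 (120 legitimate clients arriving at once) and tcp_src_session at second 7 (the 201st held connection from 10.0.0.7). Raising syn_flood for the busy server removes the second-2 false positive but also silences the real 150 pps flood at second 0, while the per-source anomalies still fire because they key on the attacker: set the threshold from the server's measured peak rate rather than a guess, and keep the source-keyed anomalies tight.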

24 Reference Document FortiGate_IPS_Guide_01_30006_0080_

25 Q & A

