FortiGate Administration Guide - FirewallShop.com

Anomalies

Intrusion Protection

To configure the protocol decoder port settings

1 Go to Intrusion Protection > Signature > Protocol Decoder.

2 Select the Configure icon for the decoder.

3 Modify the port number or port numbers as required.

4 Select OK.

Upgrading the IPS protocol decoder list

IPS protocol decoders are included in the IPS upgrade package available through the FortiGuard Distribution Network (FDN). There is no need to wait for firmware upgrades. The IPS upgrade package keeps the IPS decoder list up to date with new threats such as the latest versions of existing IM/P2P applications as well as new applications.

Anomalies

The FortiGate IPS uses anomaly detection to identify network traffic that does not fit known or common traffic patterns and behavior. For example, if one host keeps opening a large number of sessions within a second, the destination experiences traffic flooding. In this case, the FortiGate IPS uses session thresholds to prevent flooding.

The FortiGate IPS identifies four statistical anomaly types for the TCP, UDP, and ICMP protocols:

Flooding
    If the number of sessions targeting a single destination in one second is over a specified threshold, the destination is experiencing flooding.

Scan
    If the number of sessions from a single source in one second is over a specified threshold, the source is scanning.

Source session limit
    If the number of concurrent sessions from a single source is over a specified threshold, the source session limit is reached.

Destination session limit
    If the number of concurrent sessions to a single destination is over a specified threshold, the destination session limit is reached.

Enable or disable logging for each traffic anomaly, and configure the IPS action in response to detecting an anomaly. In many cases, the thresholds the anomaly uses to detect traffic patterns that could represent an attack are configurable.

Note: It is important to know normal and expected network traffic before changing the default anomaly thresholds. Setting the thresholds too low could cause false positives, and setting the thresholds too high could miss some attacks.
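The four statistical checks in the table above, and the effect of choosing thresholds too low or too high that the note warns about, can be made concrete with a small detector. The following Python script is an added example written for this page; it is not FortiGate code and does not reproduce the FortiGate IPS implementation. The session records, the addresses and the threshold values (DEFAULT_THRESHOLDS) are all constructed for the illustration and are not the product's defaults. Per-second counts of new sessions are compared against the flooding and scan thresholds, and a sweep over session start and end times gives the peak number of concurrent sessions per source and per destination for the two session-limit checks.

```python
"""Worked example of the four IPS statistical anomaly checks (constructed data)."""
import math
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# A session is (start_time, end_time, source, destination); times are in seconds.
Session = Tuple[float, float, str, str]


@dataclass(frozen=True)
class Thresholds:
    flooding: int      # new sessions per second to one destination
    scan: int          # new sessions per second from one source
    source_limit: int  # concurrent sessions from one source
    dest_limit: int    # concurrent sessions to one destination


# Constructed example values; they are NOT the FortiGate default thresholds.
DEFAULT_THRESHOLDS = Thresholds(flooding=20, scan=20, source_limit=10, dest_limit=30)

# Constructed sample traffic (not captured data). Addresses are documentation ranges.
SAMPLE_SESSIONS: List[Session] = (
    # Normal: three clients each open a 20-second session every 12 seconds to a web server.
    [(t, t + 20, f"10.0.0.{i % 3 + 1}", "192.0.2.10") for i, t in enumerate(range(0, 60, 4))]
    # Flood: 30 sessions from 30 different sources hit the web server within one second.
    + [(20 + i / 100.0, 25, f"198.51.100.{i + 1}", "192.0.2.10") for i in range(30)]
    # Scan: one host opens 25 very short sessions to 25 different hosts within one second.
    + [(40 + i / 100.0, 40 + i / 100.0 + 0.005, "203.0.113.7", f"192.0.2.{i + 20}") for i in range(25)]
    # Long-lived: one source holds 12 sessions open at once to a second server.
    + [(50 + i, 300, "10.0.0.99", "192.0.2.11") for i in range(12)]
)


def sessions_per_second(sessions: List[Session], field: str) -> Dict[str, int]:
    """Peak number of sessions started within any one-second bucket, per source or destination."""
    counts: Dict[Tuple[str, int], int] = defaultdict(int)
    for start, _end, src, dst in sessions:
        key = src if field == "src" else dst
        counts[(key, math.floor(start))] += 1
    peak: Dict[str, int] = defaultdict(int)
    for (key, _sec), n in counts.items():
        peak[key] = max(peak[key], n)
    return dict(peak)


def peak_concurrent(sessions: List[Session], field: str) -> Dict[str, int]:
    """Peak number of simultaneously open sessions per source or destination (sweep line)."""
    events = []
    for start, end, src, dst in sessions:
        key = src if field == "src" else dst
        events.append((start, +1, key))
        events.append((end, -1, key))
    # Sorting on (time, delta) processes a session end (-1) before a start (+1) at equal times,
    # so a session that ends exactly when another begins is not counted as overlapping it.
    events.sort()
    open_now: Dict[str, int] = defaultdict(int)
    peak: Dict[str, int] = defaultdict(int)
    for _t, delta, key in events:
        open_now[key] += delta
        peak[key] = max(peak[key], open_now[key])
    return dict(peak)


def detect_anomalies(sessions: List[Session], th: Thresholds) -> Dict[str, Dict[str, int]]:
    """Return, per anomaly type, the hosts whose peak value is over the configured threshold."""
    checks = {
        "flooding": (sessions_per_second(sessions, "dst"), th.flooding),
        "scan": (sessions_per_second(sessions, "src"), th.scan),
        "source_session_limit": (peak_concurrent(sessions, "src"), th.source_limit),
        "destination_session_limit": (peak_concurrent(sessions, "dst"), th.dest_limit),
    }
    return {name: {host: v for host, v in peaks.items() if v > limit}
            for name, (peaks, limit) in checks.items()}


if __name__ == "__main__":
    for name, hits in detect_anomalies(SAMPLE_SESSIONS, DEFAULT_THRESHOLDS).items():
        print(f"{name}: {hits}")
    # A source session limit of 1 flags the three ordinary clients (each holds two
    # overlapping sessions) alongside 10.0.0.99: the false positives the note warns about.
    too_low = Thresholds(flooding=20, scan=20, source_limit=1, dest_limit=30)
    print("source_session_limit at threshold 1:",
          detect_anomalies(SAMPLE_SESSIONS, too_low)["source_session_limit"])
```

Running the script with the constructed thresholds flags 192.0.2.10 for flooding (31 new sessions in second 20) and for the destination session limit (35 concurrent sessions while the flood is in progress), 203.0.113.7 for scanning (25 new sessions in second 40) and 10.0.0.99 for the source session limit (12 concurrent sessions). Lowering the source session limit to 1 also flags the three ordinary clients, and raising it to 15 misses 10.0.0.99 entirely, which is why a baseline of normal traffic has to be known before the thresholds are changed.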

Use the CLI to configure session control based on source and destination network address.

The traffic anomaly detection list can be updated only when the FortiGate firmware image is upgraded.

Note: If virtual domains are enabled on the FortiGate unit, the IPS is configured globally. To access the IPS, select Global Configuration on the main menu.

FortiGate Version 3.0 MR5 Administration Guide

420 01-30005-0203-20070830
