Configure Ips Fortigate for Performance and Security

Author

Reads 155

A sleek home technology setup featuring a router, glass decoration, and television.
Credit: pexels.com, A sleek home technology setup featuring a router, glass decoration, and television.

Configuring your FortiGate for performance and security is crucial to ensure your network runs smoothly and securely. To start, you need to enable the FortiGuard service, which can be done by navigating to System > Feature Select, and checking the box next to FortiGuard.

The FortiGuard service provides threat intelligence and protection against various types of malware and viruses. You can also configure the FortiGate to scan incoming traffic for malware by going to Security Profiles > Virus Outbreak Prevention.

To optimize performance, you should also consider adjusting the CPU and memory settings on your FortiGate. This can be done by navigating to System > Advanced > System Resources.

By following these simple steps, you can significantly improve the performance and security of your FortiGate, ensuring your network runs smoothly and securely.

Configuring Firewall

You can create a set of IPS signatures or filters to block specific types of traffic. Click create new under IPS signatures and filters to start the process.

Worth a look: Fortinet Ips

Credit: youtube.com, FortiGate Firewall: Intrusion Prevention System (IPS) Tutorial

IPS sensors can be created for specific types of traffic. These sensors can be configured to use filters when new signatures match with filter specifications.

FortiGuard periodically adds predefined signatures to update and counter new threats. These signatures are included automatically in IPS sensors configured to use filters.

You should regularly update your IPS sensors to stay ahead of new threats and keep your network secure.

Additional reading: Fortigate Custom Ips Signature

Firewall Basics

FortiGate intrusion prevention is designed to provide real-time threat protection for networks.

There are three operational modes to choose from, each with its own benefits and limitations.

L3 (NAT/route mode) places an L3 network where traffic is routed, with IP addresses configured statically or dynamically on each interface.

MAC based policies are applicable for IPS policy source address in NAT route mode.

In Virtual wire mode, FortiGate operates like a virtual wire and does not perform routing or NAT.

It is deployed between two network segments.

In Transparent mode, FortiGate acts like a bridge, with all interfaces in the same VDOM in the same L2 forwarding domain.

Here's a quick rundown of the three modes:

  • L3 (NAT/route mode)
  • Virtual wire mode
  • Transparent mode

Performance Optimization

Credit: youtube.com, one IPS setting that you must know - firewall training

To optimize performance on your FortiGate, it's essential to configure your IP addresses correctly. This includes setting up static IP addresses for your network devices.

You should also prioritize traffic by configuring Quality of Service (QoS) settings, which can help ensure critical applications receive sufficient bandwidth.

For example, you can set up a policy to limit bandwidth for non-essential traffic during peak hours. This can be achieved by setting a limit on the bandwidth for certain traffic types, such as HTTP or FTP.

Hardware Acceleration for Flow-Based Security Profiles (NTurbo)

NTurbo is a feature that offloads flow-based firewall sessions to network processors, making it a valuable tool for performance optimization.

Some FortiGate models support NTurbo, and you can check if your model has this feature by looking for the np-accel-mode option.

The none option disables NTurbo, and the basic option (which is the default) enables NTurbo.

This means that if you're not using NTurbo, you're potentially losing out on some serious performance gains.

If your FortiGate model supports NTurbo, it's a good idea to enable it to get the most out of your device.

By doing so, you'll be offloading flow-based processing to network processors, which can help improve your overall security and performance.

Buffer Size

Credit: youtube.com, Will changing the logger buffer size improve my device's performance?

Increasing the IPS socket buffer size can reduce the chances of overloading the IPS engine, but be cautious not to set it too high, as this may cause the system to enter conserve mode more frequently.

The default socket size varies by model, so it's essential to check your specific setup to determine the optimal buffer size.

Setting the socket-size too low can cause the system to enter IPS fail-open mode too frequently, which is something you'll want to avoid.

If you do decide to modify the default value, make sure to weigh the potential benefits against the increased memory usage by the IPS engine.

Here are some key things to keep in mind when adjusting the buffer size:

Testing

Testing is an essential part of performance optimization, and it's often overlooked.

To test your FortiGate IPS, you can use a tool like KALI Linux with Armitage, which is a Metasploit tool.

Launch Armitage and connect using the default settings, then search for a known vulnerability like MS12_020.

Security Logo
Credit: pexels.com, Security Logo

This will allow you to launch an attack on a Windows server, which should be blocked by the IPS.

If the IPS is working correctly, you should see the attack blocked and logged in the FortiGate logs within a couple of minutes.

To verify this, go to Log and Report > Intrusion Prevention, where you should see the blocked attack listed.

Security Settings

To secure your FortiGate, you'll want to configure the security settings properly.

The default admin password for the FortiGate is 'password', which you should change immediately.

You can access the security settings by navigating to System > Admin > Users. From there, you can create new users, edit existing ones, and even set up two-factor authentication to add an extra layer of security.

Make sure to set up a strong password policy to prevent unauthorized access. A good password should be at least 12 characters long and contain a mix of uppercase and lowercase letters, numbers, and special characters.

OT Threat Definitions

A close-up image of an illuminated security keypad mounted on a wall.
Credit: pexels.com, A close-up image of an illuminated security keypad mounted on a wall.

OT Threat Definitions are used to protect Industrial Control Systems, Operational Technology, and SCADA systems, which are critical infrastructure used by manufacturing industries.

These definitions require an OT Security Service license to use the signature database, which is excluded by default but can be configured in the CLI.

Enabling OT threat definitions may impact IPS performance, as it increases the number of signatures to scan.

To optimize IPS performance, you should only enable the IPS signature packages that are needed.

Here's a list of key considerations for OT threat definitions:

  • Requires an OT Security Service license
  • Excluded by default, but can be configured in the CLI
  • May impact IPS performance
  • Only enable necessary IPS signature packages

Fail Open

Fail Open is a security setting that allows traffic to continue flowing without IPS scanning when the IPS engine is overwhelmed. This setting is useful for preventing network congestion.

By default, the IPS engine drops sessions when it's unable to keep up with the traffic. However, enabling Fail Open allows traffic to bypass the IPS engine, which can be beneficial in certain scenarios.

Credit: youtube.com, What is the difference between failing close and failing open?

Fail Open affects all protocols inspected by FortiOS IPS protocol decoders, including HTTP, HTTPS, FTP, and more. This means that even if the IPS engine is overwhelmed, traffic will still flow without being scanned.

Note that sessions offloaded to Nturbo do not support Fail Open. When the Nturbo data path is overloaded, traffic will be dropped regardless of the Fail Open setting.

Sensors on

Enabling sensors is an essential part of security settings. It allows your device to collect and analyze data from various sources, enhancing its overall security.

Having sensors on can help detect potential threats, such as unauthorized access or malicious activity, by monitoring system logs and network traffic.

For example, if you have a sensor that monitors system logs, it can alert you to suspicious login attempts or unusual system behavior.

Additional reading: Ip Telephone System

General Settings

To configure general settings on your FortiGate, you'll need to access the system settings. This can be done by navigating to System > Settings.

In the system settings, you can configure the time zone and date format. For example, if you're in the United States, you can set the time zone to Eastern Standard Time and the date format to MM/DD/YYYY.

Take a look at this: Setup Vpn in Azure

Engine Count

Smart home wireless network router device
Credit: pexels.com, Smart home wireless network router device

The engine count setting is a crucial aspect of configuring your FortiGate unit. The recommended and default setting is 0, which allows the FortiGate unit to determine the optimum number of IPS engines.

The engine-count CLI command allows you to specify how many IPS engines to use at the same time. This can be useful if you need to prioritize certain IPS engines over others.

The key thing to note is that you can run one or more IPS engines concurrently on FortiGate units with multiple processors.

Extended Database

The Extended Database is a powerful tool that can be enabled on some FortiGate models. You can only enable it through the CLI.

If you have a FortiGate model with a CP9 SPU, you'll receive the full extended database. However, if you have a non-CP9 SPU model, you'll need to upgrade to a CP9 SPU model to get full IPS signature coverage.

All FortiGate models 200 (E and F) and higher come with a CP9 SPU, so you're good to go if you have one of those. But if you're using a FortiGate VM, you'll need at least eight cores to run the full extended database.

Here's a quick rundown of what you need to know about the Extended Database:

Enable

Credit: youtube.com, How to Configure General Settings - V4Freedom

Enabling certain settings on your FortiGate is a straightforward process.

To enable FortiGate IPS, you simply need to go into your Firewall Policy or IPv4 Policy, depending on your code version.

Enabling IPS inside a normal Firewall Policy is a common practice.

You can enable the IPS Policy you require inside your Firewall Policy like so.

Readers also liked: Firewall Fortigate

Display and Navigation

To configure IPS on FortiGate, you'll need to navigate to the System > Feature Visibility page and enable the Intrusion Prevention System (IPS) feature.

The IPS feature is located under the Security Profiles section, which can be accessed by going to Policy & Objects > Security Profiles.

IPS profiles can be created and managed under the Policy & Objects section, where you can also assign them to specific policies.

To view and manage IPS settings, go to Policy & Objects > Security Profiles > IPS.

Frequently Asked Questions

How to update IPS in FortiGate?

To update IPS in FortiGate, navigate to System > FortiGuard > Intrusion Prevention > Actions > Upgrade Database and upload the new IPS Engine file. This process ensures your FortiGate device has the latest intrusion prevention capabilities.

How to enable IPS in firewall?

To enable IPS in your firewall, select "Detection" or "Protection" in the Intrusion System Mode menu and choose a signature list from the IPS Signature List menu. This will activate the Intrusion Prevention System to detect and block malicious traffic.

Patricia Dach

Junior Copy Editor

Patricia Dach is a meticulous and detail-oriented Copy Editor with a passion for refining written content. With a keen eye for grammar and syntax, she ensures that articles are polished and error-free. Her expertise spans a range of topics, from technology to lifestyle, and she is well-versed in various style guides.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.