FortiGate Custom IPS Signatures for Application and Traffic Protection

Author

Reads 353

A computer room with a monitor and computer
Credit: pexels.com, A computer room with a monitor and computer

Creating custom IPS signatures for FortiGate is a powerful way to protect your network from emerging threats. With the ability to define custom signatures, you can detect and block specific malicious traffic patterns that traditional signatures may miss.

FortiGate's custom IPS signature feature allows you to define signatures based on specific protocols, ports, and packet contents. This level of granular control gives you the flexibility to tailor your security posture to your organization's unique needs.

Custom IPS signatures can be used to protect specific applications, such as web servers or databases, by blocking traffic that doesn't match a specific pattern. This can help prevent attacks like SQL injection or cross-site scripting.

By creating custom IPS signatures, you can improve the effectiveness of your security posture and reduce the risk of successful attacks.

What is a Custom IPS Signature

A custom IPS signature is a specific rule that defines what constitutes malicious traffic on your network. It's essentially a customized filter that helps identify and block suspicious activity.

Credit: youtube.com, firewall training for beginners - custom IPS signature

To create a custom IPS signature, you need to specify the protocol, service, and pattern you're looking for. For example, if you want to match 'client' traffic only on the HTTP protocol, you would specify 'TCP' as the protocol and 'HTTP' as the service.

Here are some key components of a custom IPS signature:

  • Protocol: This can be TCP, ICMP, or other protocols.
  • Service: This is the specific service you're looking to match, such as HTTP or FTP.
  • Pattern: This is the specific pattern or string you're looking to match.
  • Context: This can include the destination IP address or other specific details.

For instance, if you want to match 'echo' traffic on the ICMP protocol, you would specify 'ICMP' as the protocol and 'type 8' as the echo traffic. You would also specify the destination IP address, such as '8.8.8.8'.

Custom IPS signatures can also include advanced features, such as the ability to match patterns within a specific context, such as the URI. This can be useful for identifying specific types of malicious activity.

Installing

Installing custom IPS signatures on your Fortigate firewall is a straightforward process.

First, browse to the 'Security Profiles' section on the Fortinet GUI.

Choose 'Custom Signatures' and select 'Create New'.

Credit: youtube.com, DHCP Flood Custom IPS Signature

In this case, choose 'IPS Signature' to create a new custom signature.

Drop in the signature you created and assign a name to it.

Click 'OK' to save the signature.

Next, go to 'Security Profiles', 'Intrusion Prevention', and select your profile on the top right corner.

Under 'IPS Signatures', click the 'Add Signatures' button.

Select the two signatures you created and choose 'Use Selected Signatures'.

Custom Application Signatures

Custom Application Signatures are a powerful tool in FortiGate's IPS (Intrusion Prevention System). They allow you to define custom signatures to detect and block specific threats.

A custom application signature can be defined with a specific protocol, such as TCP or ICMP. For example, you can define a signature that matches only 'client' traffic using TCP protocol.

The signature can also be defined to match a specific service, like HTTP. This can be useful for detecting and blocking malicious traffic on your network.

When defining a custom application signature, you can also specify a pattern to match. For instance, you can match traffic to a specific website, such as 'rottentomatoes.com'.

Credit: youtube.com, Build your first IPS Signature

Here's a breakdown of the key components of a custom application signature:

Custom application signatures can also be used to detect and block specific types of traffic, such as echo requests or replies. For example, you can define a signature that matches ICMP type 8 (echo request) or ICMP type 0 (echo reply).

It's worth noting that custom application signatures can be complex and require a good understanding of the protocol and services involved. However, with the right knowledge and expertise, they can be a powerful tool in your network security arsenal.

Supported Options and Parameters

The FortiGate custom IPS signature supports a range of options and parameters that can be used to fine-tune your security settings.

You can enable or disable logging for tasks using the `enable_log` parameter, which is a boolean value that defaults to False.

The `ips_custom` parameter is used to configure IPS custom signatures, and it's supported in version ranges from 6.0.0 to 7.6.2.

Credit: youtube.com, FortiGate Firewall: Intrusion Prevention System (IPS) Tutorial

Here's a list of options that can be used with the `ips_custom` parameter:

The `state` parameter is used to indicate whether to create or remove the object, and it's a required parameter.

Snort 2

Snort 2 has a range of options that can be converted for use with FortiGate IPS Custom Signatures.

The service option in Snort 2 can only handle one service and is used only in Snort 3. In Snort 2, service is in metadata.

The ip proto option in Snort 2 can be converted to either --protocol or --ip[offset] depending on whether operators are present.

Snort 2's ipopts option is converted to --ip_option, but IP option esec is not supported.

TOS is converted to --ip_tos, but the ! operator is not supported.

The ttl option in Snort 2 is converted to --ip.ttl.

Some other options in Snort 2 include icmp_seq, icmp_id, icode, itype, flow, seq, ack, flags, and window, which are all converted to their respective FortiGate options.

Here is a list of some of the Snort 2 options and their FortiGate conversions:

--ip_tosttl--ip.ttlicmp_seq--icmp_seqicmp_id--icmp_idicode--icmp.codeitype--icmp.typeflow--flowseq--seqack--ackflags--tcp_flagswindow--window_size

Supported Options

Person holding tablet with VPN connection screen for secure internet browsing.
Credit: pexels.com, Person holding tablet with VPN connection screen for secure internet browsing.

Supported Options and Parameters are crucial when working with various systems and devices. Let's take a closer look at some of the supported options.

In the context of Snort and FortiGate, supported options are essential for configuring and customizing their behavior. For instance, the Snort option "content" is converted to "--pattern" in FortiGate, and it accepts Snort3 content modifiers as suboptions.

When working with FortiGate, you'll often encounter parameters that need to be configured. For example, the "ips_custom" parameter is used to configure IPS custom signatures, and it's supported in version ranges v6.0.0 to 7.6.2.

To configure IPS custom signatures, you'll need to specify various parameters, such as the signature name, protocol, and operating system. For instance, the "protocol" parameter can be set to a specific protocol, such as "tcp" or "udp".

Here's a table summarizing some of the supported options and parameters:

In addition to these options and parameters, you'll also need to consider the "state" parameter, which indicates whether to create or remove an object. For example, in the context of FortiGate, you can use the "state" parameter to create or remove a custom signature.

Overall, understanding the supported options and parameters is essential for configuring and customizing various systems and devices. By taking the time to learn about these options and parameters, you'll be better equipped to tackle complex tasks and achieve your goals.

Explore further: Azure Create Custom Role

Synopsis and Overview

Credit: youtube.com, how to configure IPS in fortigate firewall intrusion prevention

The FortiGate custom IPS signature module is a powerful tool for configuring your FortiGate or FortiOS device. It allows users to set and modify the IPS feature and custom category.

This module has been tested with specific versions of FortiOS, including FOS v6.0.0 and FOS v6.0.5.

To use this module effectively, you'll need to adjust all parameters and values to match your datasources. This ensures that your configuration is tailored to your specific needs.

The module is designed to work with FortiGate or FortiOS devices, making it a versatile tool for network administrators.

Frequently Asked Questions

How to update IPS signatures on FortiGate?

To update IPS signatures on FortiGate, log in to the GUI and navigate to System > FortiGuard > IPS & Application Control > Upgrade Database > Upload. This process allows you to upload the latest version of the IPS database.

Tiffany Kozey

Junior Writer

Tiffany Kozey is a versatile writer with a passion for exploring the intersection of technology and everyday life. With a keen eye for detail and a knack for simplifying complex concepts, she has established herself as a go-to expert on topics like Microsoft Cloud Syncing. Her articles have been widely read and appreciated for their clarity, insight, and practical advice.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.