FortiGate 3000, document 01-28006-0010-20041105, Fortinet Inc., page 306
IPS: Anomaly
The FortiGate IPS uses anomaly detection to identify network traffic that does not fit known or preset traffic patterns. The FortiGate IPS identifies four statistical anomaly types for the TCP, UDP, and ICMP protocols.
You can enable or disable logging for each anomaly, and you can control the IPS
action in response to detecting an anomaly. In many cases you can also configure the
thresholds that the anomaly uses to detect traffic patterns that could represent an
attack.
You can also use the command line interface (CLI) to configure session control based on source and destination network address. See "Anomaly CLI configuration" on page 309.
The anomaly detection list can be updated only when the FortiGate firmware image is
upgraded.
Anomaly list
Figure 148: The Anomaly list
Caution: Restoring the custom signature list overwrites the existing file.
Flooding: If the number of sessions targeting a single destination in one second is over a threshold, the destination is experiencing flooding.
Scan: If the number of sessions from a single source in one second is over a threshold, the source is scanning.
Source session limit: If the number of concurrent sessions from a single source is over a threshold, the source session limit is reached.
Destination session limit: If the number of concurrent sessions to a single destination is over a threshold, the destination session limit is reached.
Note:
It is important to know the normal and expected traffic on your network before changing
the default anomaly thresholds. Setting the thresholds too low could cause false positives, and
setting the thresholds too high could miss some attacks.
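The following Python script is an added example, not Fortinet code and not the FortiGate IPS implementation. It applies the four statistical checks defined above (new sessions per second keyed by destination for flooding and by source for scan; concurrent sessions keyed by source and by destination for the two session limits) to a constructed set of session records. The thresholds, IP addresses and session layout are assumptions chosen for illustration, and lowering one threshold shows the false-positive effect the Note warns about.

```python
"""Toy implementation of the four FortiGate IPS statistical anomaly checks.

Added example, not Fortinet code. Thresholds and traffic are assumptions.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    start: int  # second in which the session was opened
    end: int    # last second in which the session was still open (inclusive)
    src: str
    dst: str


# Constructed session records (assumption: not captured from a real network).
SESSIONS = (
    # Normal background traffic to 10.0.0.9.
    [Session(0, 5, "10.3.3.3", "10.0.0.9"), Session(1, 1, "10.3.3.4", "10.0.0.9")]
    # Flooding: six sources open sessions to 10.0.0.5 within the same second.
    + [Session(0, 0, f"10.1.1.{i}", "10.0.0.5") for i in range(1, 7)]
    # Scan: one source opens sessions to six destinations within the same second.
    + [Session(1, 1, "192.168.1.9", f"10.0.2.{i}") for i in range(1, 7)]
    # Source session limit: one source ramps up to nine concurrent sessions.
    + [Session(2 + i, 12, "172.16.0.3", f"10.0.1.{i}") for i in range(9)]
    # Destination session limit: nine sources hold sessions open to 10.0.0.7.
    + [Session(20 + i, 30, f"10.2.2.{i + 1}", "10.0.0.7") for i in range(9)]
)

# Assumed thresholds for illustration only; they are not FortiGate defaults.
THRESHOLDS = {
    "flooding": 5,           # new sessions to one destination per second
    "scan": 5,               # new sessions from one source per second
    "src_session_limit": 8,  # concurrent sessions from one source
    "dst_session_limit": 8,  # concurrent sessions to one destination
}


def new_sessions_per_second(sessions, key):
    """Count sessions opened per (second, address): the rate behind the
    flooding check (key="dst") and the scan check (key="src")."""
    counts = Counter()
    for s in sessions:
        counts[(s.start, getattr(s, key))] += 1
    return counts


def concurrent_sessions(sessions, key):
    """Count sessions open per (second, address): the count behind the
    source (key="src") and destination (key="dst") session limit checks."""
    counts = Counter()
    for s in sessions:
        for t in range(s.start, s.end + 1):
            counts[(t, getattr(s, key))] += 1
    return counts


def first_exceed(counts, threshold):
    """Return {address: (second, count)} for each address whose count goes
    over the threshold, reported at the earliest second it does so."""
    hits = {}
    for (t, addr), n in sorted(counts.items()):
        if n > threshold and addr not in hits:
            hits[addr] = (t, n)
    return hits


def detect(sessions, thresholds):
    """Run all four anomaly checks and return the hits per anomaly type."""
    return {
        "flooding": first_exceed(new_sessions_per_second(sessions, "dst"), thresholds["flooding"]),
        "scan": first_exceed(new_sessions_per_second(sessions, "src"), thresholds["scan"]),
        "src_session_limit": first_exceed(concurrent_sessions(sessions, "src"), thresholds["src_session_limit"]),
        "dst_session_limit": first_exceed(concurrent_sessions(sessions, "dst"), thresholds["dst_session_limit"]),
    }


if __name__ == "__main__":
    for anomaly, hits in detect(SESSIONS, THRESHOLDS).items():
        for addr, (second, count) in hits.items():
            print(f"{anomaly}: {addr} reached {count} at second {second}")
    # Threshold set too low: the ordinary host 10.0.0.9 is now flagged too.
    too_low = dict(THRESHOLDS, dst_session_limit=1)
    print("false positive with dst_session_limit=1:",
          detect(SESSIONS, too_low)["dst_session_limit"].get("10.0.0.9"))
```

Each check reports an address only once, at the first second the threshold is crossed, which keeps a sustained flood from producing one alert per second; a real sensor would also need to expire state and treat TCP, UDP and ICMP separately, which this toy omits.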
Name: The anomaly names.
Enable: The status of the anomaly. A white check mark in a green circle indicates the anomaly is enabled. A white X in a grey circle indicates the anomaly is disabled.
Logging: The logging status for each anomaly. A white check mark in a green circle indicates logging is enabled for the anomaly. A white X in a grey circle indicates logging is disabled for the anomaly.