IPS sensors
Intrusion Protection
FortiGate Version 4.0 Administration Guide
01-400-89802-20090424
Adding an IPS sensor
An IPS sensor must be created before it can be configured by adding filters and overrides.
To create an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor and select Create New.
Figure 296: New IPS sensor
Configuring IPS sensors
Each IPS sensor consists of two parts: filters and overrides. Overrides are always
checked before filters.
Each filter consists of a number of signature attributes. All of the signatures with those
attributes, and only those attributes, are checked against traffic when the filter is run. If
multiple filters are defined in an IPS Sensor, they are checked against the traffic one at a
time, from top to bottom. If a match is found, the FortiGate unit takes the appropriate
action and stops further checking.
A signature override can modify the behavior of a signature specified in a filter. A signature
override can also add a signature not specified in the sensor’s filters. Custom signatures
are included in an IPS sensor using overrides.
The signatures in the overrides are first compared to network traffic. If the IPS sensor
does not find any matches, it then compares the signatures in each filter to network traffic,
one filter at a time, from top to bottom. If no signature matches are found, the IPS sensor
allows the network traffic.
To view an IPS sensor, go to UTM > Intrusion Protection > IPS Sensor and select the Edit icon of any IPS sensor. The Edit IPS Sensor window is divided into three parts: the sensor attributes, Filters, and Overrides.
all_default
    Includes all signatures. The sensor is set to use the default enable status and action of each signature.
all_default_pass
    Includes all signatures. The sensor is set to use the default enable status of each signature, but the action is set to pass.
protect_client
    Includes only the signatures designed to detect attacks against clients; uses the default enable status and action of each signature.
protect_email_server
    Includes only the signatures designed to detect attacks against servers and the SMTP, POP3, or IMAP protocols; uses the default enable status and action of each signature.
protect_http_server
    Includes only the signatures designed to detect attacks against servers and the HTTP protocol; uses the default enable status and action of each signature.
Name
    Enter the name of the new IPS sensor.
Comment
    Enter an optional comment to display in the IPS sensor list.