Fortinet Network Device IPS operating manual


A good operating manual

The law obliges the seller to hand the buyer, together with the product, the operating manual for the Fortinet Network Device IPS. The absence of the manual, or incorrect information passed on to the consumer, constitutes grounds for a complaint on the basis that the device does not conform to the contract. The law allows the manual to be provided in a form other than paper, which has recently become common practice: a graphical or electronic form of the Fortinet Network Device IPS manual, or a training video for users. The requirement remains that the form be clear and understandable.

What is a manual?

The word comes from the Latin "instructio", meaning to put in order. Accordingly, the Fortinet Network Device IPS manual contains a description of the steps to follow. The purpose of a manual is to make it easier to start up and use the equipment, or to carry out a specific activity. A manual is a set of information about an item or service, a guide.

Unfortunately, few users find the time to read the Fortinet Network Device IPS manual, yet a good manual not only lets you learn about a number of additional functions of the purchased device, but also helps avoid most breakdowns.

What should an ideal operating manual contain?

Above all, the Fortinet Network Device IPS manual should contain:
- information on the technical data of the Fortinet Network Device IPS device
- the name of the manufacturer and the year of manufacture of the Fortinet Network Device IPS equipment
- rules for operating, configuring and maintaining the Fortinet Network Device IPS equipment
- safety marks and certificates confirming compliance with standards

Why don't we read manuals?

Usually because of a lack of time and confidence in particular functions of the purchased devices. Unfortunately, merely connecting and starting the Fortinet Network Device IPS is not enough. The manual contains a number of specific instructions concerning functionality, safety principles, methods of maintenance (even which products should be used), possible faults of the Fortinet Network Device IPS, and ways of solving problems that arise during use. Finally, the manual contains the contact details of the Fortinet website, in case the suggested solutions prove ineffective. Manuals in the form of engaging animations or video materials are now very popular, as users find them easier to take in than a brochure. This kind of manual lets the user watch the whole film without skipping the specifications and complex technical descriptions of the Fortinet Network Device IPS, as often happens with the paper version.

Why is it worth reading manuals?

Above all, here we find answers about the design and capabilities of the Fortinet Network Device IPS, the use of individual accessories, and a range of information that allows all the functions and conveniences to be used in full.

After a successful purchase of equipment or a device, it is worth spending a few minutes getting acquainted with every part of the Fortinet Network Device IPS manual. These days they are carefully prepared or translated so that they are not only understandable to the user but also fulfil their basic informational and supporting function.

Contents of the manual

  • Page 1

    www.fortinet.com FortiGate IPS User Guide Version 3.0 MR7 USER GUIDE[...]

  • Page 2

    FortiGate IPS User Guide Version 3.0 MR7 September 16, 2008 01-30007-0080-20080916 © Copyright 2008 Fortinet, Inc. All rights reserved. No part of this publication including text, examples, diagrams or illustrations may be reproduced, transmitted, or translated in any form or by any means, electronic, mechanical, manual, optical or otherwi[...]

  • Page 3

    Contents Introduction .......... 5 The FortiGate IPS .......... 5 About this document ......[...]

  • Page 4

    Creating custom signatures .......... 23 Custom signature fields .......... 23 Custom signature syntax .......... [...]

  • Page 5

    Introduction This section introduces you to the FortiGate Intrusion Prevention System (IPS) and the following topics: • The FortiGate IPS • About this document • Fortinet documentation • Customer service and technical support The FortiGate[...]

  • Page 6

    About this document Document conventions The following document conventions are used in this guide: • In the examples, private IP addresses are used for both private and public IP addresses. • Notes and Cautions are used to provide importa[...]

  • Page 7

    Fortinet documentation • FortiGate Installation Guide Describes how to install a FortiGate unit. Includes a hardware reference, default configuration information, installation procedures, connection procedures, and basic configuration procedures. Choose the guide[...]

  • Page 8

    Customer service and technical support Fortinet Knowledge Center Additional Fortinet technical documentation is available from the Fortinet Knowledge Center. The knowledge center contains troubleshooting and how-to articles, FAQs, technical notes, and more. Visit th[...]

  • Page 9

    IPS overview and general configuration This section contains the following topics: • The FortiGate IPS • Network performance • Monitoring the network and dealing with attacks • Using IPS sensors in a protection pro[...]

  • Page 10

    Network performance To create an IPS sensor, go to Intrusion Protection > IPS Sensor. See “IPS sensors” on page 39 for details. To access the protection profile IPS sensor selection, go to Firewall > Protection Profile, select [...]

  • Page 11

    Monitoring the network and dealing with attacks Controlling sessions Use this command to ignore sessions after a set amount of traffic has passed. The default is 204800 bytes. config ips global set ignore-session-bytes <byte_integer>[...]

  • Page 12

    5 Select and configure authentication if required and enter the email addresses that will receive the alert email. 6 Enter the time interval to wait before sending log messages for each logging[...]

  • Page 13

    Anomaly The following log message is generated when an attack anomaly is detected: The FortiGuard Center The FortiGuard Center combines the knowledge base of the Fortinet technical team in[...]

  • Page 14

    Using IPS sensors in a protection profile IPS can be combined with other FortiGate features – antivirus, spam filtering, web filtering, and web category filtering – to create protection prof[...]

  • Page 15

    Adding protection profiles to user groups When creating a user group, select a protection profile that applies to that group. Then, when configuring a firewall policy that includes user authenti[...]

  • Page 16

    Using IPS sensors in a protection profile IPS overview and general configuration[...]

  • Page 17

    Predefined signatures This section describes: • IPS predefined signatures • Viewing the predefined signature list IPS predefined signatures Predefined signatures are arranged in alphabetical order. By default, some signatures[...]

  • Page 18

    Viewing the predefined signature list By default, the signatures are sorted by name. To sort the table by another column, select the required column header name. Fine tuning IPS predefined signatures for enhanced system performance In FortiOS the FortiGa[...]

  • Page 19

    You should also review exactly how you use the information provided by the logging feature. If you find that you do not review the information, it is best to turn off IPS logging. Logging is best used to provide acti[...]

  • Page 20

    Viewing the predefined signature list Predefined signatures[...]

  • Page 21

    Custom signatures Custom signatures provide the power and flexibility to customize the FortiGate Intrusion Protection system for diverse network environments. The FortiGate predefined signatures represent common attacks. If you use an un[...]

  • Page 22

    Custom signature configuration Add custom signatures using the web-based manager or the CLI. For more information about custom signature syntax, see “Creating custom signatures” on page 23 and “Custom signature syntax” o[...]

  • Page 23

    Creating custom signatures Custom signatures are added separately to each VDOM. In each VDOM, there can be a maximum of 255 custom signatures. A custom signature definition is limited to a maximum length of 512 characters. A definit[...]

  • Page 24

    Custom signature syntax Table 2: Information keywords Keyword and value Description --attack_id <id_int>; This optional value is used to identify the signature. It cannot be the same value as any other custom rules within the sam[...]

  • Page 25

    Table 4: Content keywords Keyword and value Description --byte_jump <bytes_to_convert>, <offset>[, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct] [, align]; Use the byte_jump option to extract a number o[...]

  • Page 26

    --byte_test <bytes_to_convert>, <operator>, <value>, <offset>[, relative] [, big] [, little] [, string] [, hex] [, dec] [, oct]; The FortiGate unit compares a byte field against a specific value (with operator).[...]

  • Page 27

    --context {uri | header | body | host}; Specify the protocol field that the pattern should be looked for. If context is not specified for a pattern, the FortiGate unit searches for the pattern anywhere in the packet buffer. The av[...]

  • Page 28

    --pcre [!]"(/<regex>/|m<delim><regex><delim>)[ismxAEGRUB]"; Similar to the pattern keyword, pcre is used to specify a pattern using Perl-compatible regular expressions (PCRE). A pcre keyword can be fol[...]

  • Page 29

    Table 5: IP header keywords Keyword and Value Description --dst_addr [!]<ipv4>; The destination IP address. To have the FortiGate search for a packet that does not contain the specified address, add an exclamation mark (!) be[...]

  • Page 30

    Table 6: TCP header keywords Keyword and Value Description --ack <ack_int>; Check for the specified TCP acknowledge number. --dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int[...]

  • Page 31

    --tcp_flags <FSRPAU120>[!|*|+] [,<FSRPAU120>]; Specify the TCP flags to match in a packet. • S : Match the SYN flag. • A : Match the ACK flag. • F : Match the FIN flag. • R : Match the RST flag. • U : Match the U[...]

  • Page 32

    Table 7: UDP header keywords Keyword and Value Description --dst_port [!]{<port_int> | :<port_int> | <port_int>: | <port_int>:<port_int>}; The destination port number. You can specify a single port or[...]

  • Page 33

    Example custom signatures Custom signature fields and syntax are fully described in this chapter, though using them to build a custom signature can be complex. It’s best to start with a simpler signature. Example 1: signature to b[...]

  • Page 34

    The FortiGate unit will limit its search for the pattern to the HTTP protocol. Even though the HTTP protocol uses only TCP traffic, the FortiGate will search for HTTP protocol communication in TCP, UDP, and ICMP traffic. This is a[...]

  • Page 35

    Example 2: signature to block the SMTP ‘vrfy’ command The SMTP vrfy command can be used to verify the existence of a single email address, or it can be used to list all of the valid email accounts on an email server. A spammer c[...]

  • Page 36

    Use the --protocol tcp keyword to limit the effect of the custom signature to only TCP traffic. This will save system resources by not unnecessarily scanning UDP and ICMP traffic. F-SBID( --name "Block.SMTP.VRFY.CMD"; --patter[...]

  • Page 37

    Protocol decoders This section describes: • Protocol decoders • Upgrading the IPS protocol decoder list • Viewing the protocol decoder list Protocol decoders The FortiGate IPS uses protocol decoders to identify the abnormal traffic patt[...]

  • Page 38

    Viewing the protocol decoder list To view the decoder list, go to Intrusion Protection > Signature > Protocol Decoder. Figure 6: The protocol decoder list Protocols The protocol decoder names. Port The port number or nu[...]

  • Page 39

    IPS sensors You can group signatures into IPS sensors for easy selection in protection profiles. You can define signatures for specific types of traffic in separate IPS sensors, and then select those sensors in profiles designed to han[...]

  • Page 40

    Configuring IPS sensors Adding an IPS sensor An IPS sensor must be created before it can be configured by adding filters and overrides. To create an IPS sensor, go to Intrusion Protection > IPS Sensor and select Create New. Figure 8: New IPS sensor Configuring[...]

  • Page 41

    To view an IPS sensor, go to Intrusion Protection > IPS Sensor and select the Edit icon of any IPS sensor. The Edit IPS Sensor window is divided into three parts: the sensor attributes, the filters, and the overrides. Figure 9: Edit IPS[...]

  • Page 42

    IPS sensor overrides: Configuring filters To configure a filter, go to Intrusion Protection > IPS Sensor. Select the Edit icon of the IPS sensor containing the filter you want to edit. When the sensor window opens, select the Edit icon of[...]

  • Page 43

    The signatures included in the filter are only those matching every attribute specified. When created, a new filter has every attribute set to “all” which causes every signature to be included in the filter. If the severity is changed [...]

  • Page 44

    To edit a pre-defined or custom override, go to Intrusion Protection > IPS Sensor and select the Edit icon of the IPS sensor containing the override you want to edit. When the sensor window opens, select the Edit icon of the override you[...]

  • Page 45

    DoS sensors The FortiGate IPS uses a traffic anomaly detection feature to identify network traffic that does not fit known or common traffic patterns and behavior. For example, one type of flooding is the denial of service (DoS) attack that occurs when an att[...]

  • Page 46

    Viewing the DoS sensor list To view the anomaly list, go to Intrusion Protection > DoS Sensor. Figure 12: The DoS sensor list Configuring DoS sensors Because an improperly configured DoS sensor can interfere with network traffic, no DoS[...]

  • Page 47

    Figure 13: Edit DoS Sensor DoS sensor attributes: Anomaly configuration: Name Enter or change the DoS sensor name. Comments Enter or change an optional description of the DoS sensor. This description will appear in the DoS sensor list. Name [...]

  • Page 48

    Understanding the anomalies Protected addresses: Each entry in the protected address table includes a source and destination IP address as well as a destination port. The DoS sensor will be applied to traffic matching the three attributes in any table entry. Und[...]

  • Page 49

    tcp_dst_session If the number of concurrent TCP connections to one destination IP address exceeds the configured threshold value, the action is executed. udp_flood If the UDP traffic to one destination IP address exceeds the configured [...]

  • Page 50

    Understanding the anomalies DoS sensors[...]

  • Page 51

    SYN flood attacks This section describes: • What is a SYN flood attack? • How SYN floods work • The FortiGate IPS Response to SYN flood attacks • Configuring SYN flood protection • Suggested settings for different network [...]

  • Page 52

    The FortiGate IPS Response to SYN flood attacks After the handshaking process is complete the connection is open and data exchange can begin between the originator and the receiver, in this case the web browser and the web server. Between steps 2 and 3 how[...]

  • Page 53

    A true SYN proxy approach requires that all three packets (SYN, SYN/ACK, and ACK) are cached and replayed even before it is known if a TCP connection request is legitimate. The FortiGate IPS pseudo SYN prox[...]

  • Page 54

    Configuring SYN flood protection To configure the SYN flood protection 1 Go to Intrusion Protection > DoS Sensor. 2 Select Create New. 3 Configure the options for tcp_syn_flood. 4 Select OK. Figure 18: Configuring the syn_[...]

  • Page 55

    ICMP sweep attacks This section describes: • What is an ICMP sweep? • How ICMP sweep attacks work • The FortiGate IPS response to ICMP sweep attacks • Configuring ICMP sweep protection • Suggested settings for different networ[...]

  • Page 56

    The FortiGate IPS response to ICMP sweep attacks Predefined ICMP signatures Table 11 describes all the ICMP-related predefined signatures and the default settings for each. Note: The predefined signature descriptions in Table 11 are accurate as of the I[...]

  • Page 57

    ICMP sweep anomalies The FortiGate unit also detects ICMP sweeps that do not have a predefined signature to block them. The FortiGate IPS monitors traffic to ensure that ICMP messages do not exceed the defa[...]

  • Page 58

    Configuring ICMP sweep protection To configure the ICMP sweep anomaly protection settings 1 Go to Intrusion Protection > DoS Sensor. 2 Select Create New. 3 Configure the options for icmp_sweep, icmp_src_session, and icmp_[...]

  • Page 59

    Index A alert email configuring 11 anomalies log messages 13 anomaly destination session limit 48 flooding 48 scan 48 source session limit 48 attack log messages 12 anomalies 13 signature 12 C comments, documentation 8 Create New firewall policy 39 custom signature adding 2[...]

  • Page 60

    Index T technical support 8[...]

  • Page 61

    www.fortinet.com[...]

  • Page 62

    www.fortinet.com[...]