Configuring pre-defined and custom overrides – Fortinet Network Device IPS User Manual
Page 43
IPS sensors
Configuring IPS sensors
FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916
43
The signatures included in the filter are only those matching every attribute
specified. When created, a new filter has every attribute set to “all” which causes
every signature to be included in the filter. If the severity is changed to high, and
the target is changed to server, the filter includes only signatures checking for high
priority attacks targeted at servers.
Configuring pre-defined and custom overrides
Pre-defined and custom overrides are configured and work mainly in the same
way as filters. Unlike filters, each override defines the behavior of one signature.
Overrides can be used in two ways:
• To change the behavior of a signature already included in a filter. For example,
to protect a web server, you could create a filter that includes and enables all
signatures related to servers. If you wanted to disable one of those signatures,
the simplest way would be to create an override and mark the signature as
disabled.
• To add an individual signature, not included in any filters, to an IPS sensor.
This is the only way to add custom signatures to IPS sensors.
When a pre-defined signature is specified in an override, the default status and
action attributes have no effect. These settings must be explicitly set when
creating the override.
Name
Enter or change the name of the IPS filter.
Severity
Select All, or select Specify and then one or more severity ratings.
Severity defines the relative importance of each signature. Signatures
rated critical detect the most dangerous attacks while those rated as
info pose a much smaller threat.
Target
Select All, or select Specify and then the type of systems targeted by the
attack. The choices are server or client.
OS
Select All, or Select Specify and then select one or more operating
systems that are vulnerable to the attack.
Signatures with an OS attribute of All affect all operating systems.
These signatures will be automatically included in any filter regardless
of whether a single, multiple, or all operating systems are specified.
Protocol
Select All, or select Specify to list what network protocols are used by
the attack. Use the Right Arrow to move the ones you want to include in
the filter from the Available to the Selected list, or the Left Arrow to
remove previously selected protocols from the filter.
Application
Select All, or select Specify to list the applications or application suites
vulnerable to the attack. Use the Right Arrow to move the ones you
want to include in the filter from the Available to the Selected list, or the
Left Arrow to remove previously selected protocols from the filter.
Enable
Select from the options to specify what the FortiGate unit will do with the
signatures included in the filter: enable all, disable all, or enable or
disable each according to the individual default values shown in the
signature list.
Logging
Select from the options to specify whether the FortiGate unit will create
log entries for the signatures included in the filter: enable all, disable all,
or enable or disable logging for each according to the individual default
values shown in the signature list.
Action
Select from the options to specify what the FortiGate unit will do with
traffic containing a signature match: pass all, block all, reset all, or block
or pass traffic according to the individual default values shown in the
signature list.