Solved

Fortinet firewall

Posted on 2013-05-10
Medium Priority
2,010 Views
Last Modified: 2013-11-29
We are using Fortinet firewalls and have enabled the IPS service. We are trying to set up rules that drop all traffic from certain IP addresses, to keep them from alerting in IPS. We also want a whitelist of known good IP addresses, so the IPS doesn't stop them. We have tried creating a policy for a blacklist and whitelist and doing a deny or allow for the IP we want. It is still alerting us on IP addresses we know are bad, and it still blocks the IP addresses that we know are good. Is there any way to do this with Fortinets?
Question by:bnussbaum
5 Comments
 
LVL 65

Expert Comment

by:btan
ID: 39158102
This may be a useful doc:
http://docs.fortinet.com/fgt/techdocs/fortigate-utm.pdf

When IPS is enabled, an IPS sensor is selected in a protection profile, the protection
profile is selected in the firewall policy, and all network traffic matching the policy will be
checked for the signatures in the IPS sensor.

For best results in configuring IPS scanning, follow the procedures in the order given.
Also, note that if you perform any additional actions between procedures, your
configuration may have different results.
1 Create an IPS sensor.
2 Create filters and/or overrides in the IPS sensor. The filters and overrides specify which
signatures the IPS engine will look for in the network traffic.
3 Select a protection profile or create a new one.
4 In the protection profile, enable IPS Sensor and select the IPS sensor.
5 Select a firewall policy or create a new one.
6 In the firewall policy, select the Protection Profile check box and select the protection
profile.

Before an override can affect network traffic, you must add it to a filter, and you must
select the filter in a protection profile applied to a policy. An override does not have the
ability to affect network traffic until these steps are taken.

To create an IPS signature override
1 Go to UTM > Intrusion Protection > IPS Sensor.
2 Select the Edit icon of the IPS sensor to which you want to add the override.
3 Select either Add Pre-defined Override or Add Custom Override, depending on the
type of IPS signature override you require.
4 For the Action, select Pass, Block, or Reset. When the override is enabled, the action
determines what the FortiGate will do with traffic containing the specified signature.

Custom signature keywords: All custom signatures follow a particular syntax. Each begins with a header and is followed by one or more keywords. One of them I was thinking of is the IP header keywords, such as --dst_addr [!]<ipv4>; and --src_addr [!]<ipv4>;
LVL 65

Assisted Solution

by:btan
btan earned 2000 total points
ID: 39158106
Other useful links to explore with support:

http://kb.fortinet.com/kb/microsites/msbrowse.do
http://www.mynetworkgear.com/Home/fortinet-knowledge_center-tips_howto

How do I block an IP address?
Description: How to block an IP address.
Components: All FortiGate units running FortiOS 2.8 or 3.0.
Steps or Commands:
To block an IP address, create an address entry and create a firewall policy to block the address.
Add an Address

To add an address entry
Go to Firewall > Address.
Select Create New.
Enter a name for the address.
Enter the IP address and subnet.

Note that if you are blocking an internal IP address, set the netmask to 255.255.255.255, or /32. Otherwise you could block the entire subnet.
Add a Firewall Policy

To add a firewall policy
Go to Firewall > Policy.
Select Create new.
Configure the firewall policy as required. For the Source and/or Destination address, select the address name added above.
Set the Action to Deny.
Move the firewall policy to the top of the policy list.
LVL 8

Expert Comment

by:myramu
ID: 39159209
Make sure that deny and allow firewall policies (without IPS) are moved to top of all policies.

Good Luck!
LVL 65

Expert Comment

by:btan
ID: 39159220
Yap - FW "whitelist" traffic followed by an eventual deny ALL
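The two comments above boil down to policy ordering: a deny for the blacklist and an uninspected accept for the whitelist both have to sit above the general policy that carries the IPS sensor, because FortiGate evaluates policies top-down and the first match wins. The following CLI fragment is an added example written for this page; it is not from the thread, from Fortinet's documentation, or from the asker's configuration. It assumes FortiOS 5.0-style policy syntax (utm-status / ips-sensor on the policy rather than a protection profile), interfaces named wan1 and internal, an existing IPS sensor called "default", and the documentation addresses 203.0.113.10 and 198.51.100.0/24 as hypothetical blacklist and whitelist entries. Lines beginning with # are explanatory and are not part of the configuration.

```fortios
# Added example, not from the original thread. Assumes FortiOS 5.0 syntax,
# interfaces wan1/internal, an IPS sensor named "default", and hypothetical
# addresses 203.0.113.10 (bad) and 198.51.100.0/24 (good).

config firewall address
    edit "blk-203.0.113.10"
        # /32 so only this host is matched, not its whole subnet
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "wl-198.51.100.0_24"
        set subnet 198.51.100.0 255.255.255.0
    next
end

config firewall addrgrp
    # Groups let you grow the lists without touching the policies
    edit "ips-blacklist"
        set member "blk-203.0.113.10"
    next
    edit "ips-whitelist"
        set member "wl-198.51.100.0_24"
    next
end

config firewall policy
    # 1. Deny known-bad sources outright. No IPS sensor here: the session is
    #    dropped before inspection, so it never produces an IPS alert.
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "ips-blacklist"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # 2. Accept known-good sources with UTM off, so no signature can block them.
    edit 11
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "ips-whitelist"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status disable
    next
    # 3. Everything else is accepted and inspected by the IPS sensor.
    edit 12
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "default"
    next
    # Policies are evaluated top-down; the deny and the whitelist must sit
    # above the inspected catch-all or they never match.
    move 10 before 12
    move 11 before 12
end
```

On a real unit the catch-all policy usually already exists with some other ID, so the two move commands should reference that ID instead of 12. The whitelist policy is a deliberate inspection bypass; keep the group small and scoped to the services those hosts actually need rather than "ALL" if the inspected policy is otherwise doing useful work.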
LVL 65

Accepted Solution

by:btan
ID: 39255004
hope the above helped, good to hear from you :)