Solved

Fortinet firewall

Posted on 2013-05-10
1,751 Views
Last Modified: 2013-11-29
We are using Fortinet firewalls and have enabled the IPS service. We are trying to set up rules that drop all traffic from certain IP addresses, to keep them from alerting in IPS. We also want a whitelist of known good IP addresses, so the IPS doesn't stop them. We have tried creating a policy for a blacklist and whitelist and doing a deny or allow for the IP we want. It is still alerting us on IP addresses we know are bad, and it still blocks the IP addresses that we know are good. Is there any way to do this with Fortinets?
Question by:bnussbaum
5 Comments
LVL 62

Expert Comment

by:btan
ID: 39158102
This may be a useful doc:
http://docs.fortinet.com/fgt/techdocs/fortigate-utm.pdf

When IPS is enabled, an IPS sensor is selected in a protection profile, the protection
profile is selected in the firewall policy, and all network traffic matching the policy will be
checked for the signatures in the IPS sensor.

For best results in configuring IPS scanning, follow the procedures in the order given.
Also, note that if you perform any additional actions between procedures, your
configuration may have different results.
1. Create an IPS sensor.
2. Create filters and/or overrides in the IPS sensor. The filters and overrides specify which signatures the IPS engine will look for in the network traffic.
3. Select a protection profile or create a new one.
4. In the protection profile, enable IPS Sensor and select the IPS sensor.
5. Select a firewall policy or create a new one.
6. In the firewall policy, select the Protection Profile check box and select the protection profile.

Before an override can affect network traffic, you must add it to a filter, and you must select the filter in a protection profile applied to a policy. An override does not have the ability to affect network traffic until these steps are taken.

To create an IPS signature override:
1. Go to UTM > Intrusion Protection > IPS Sensor.
2. Select the Edit icon of the IPS sensor to which you want to add the override.
3. Select either Add Pre-defined Override or Add Custom Override, depending on the type of IPS signature override you require.
4. For the Action, select Pass, Block, or Reset. When the override is enabled, the action determines what the FortiGate will do with traffic containing the specified signature.

Custom signature keywords: all custom signatures follow a particular syntax. Each begins with a header and is followed by one or more keywords. One of them I was thinking of is the IP header keywords, such as --dst_addr [!]<ipv4>; and --src_addr [!]<ipv4>;
LVL 62

Assisted Solution

by:btan
btan earned 500 total points
ID: 39158106
Other useful links to explore with support:

http://kb.fortinet.com/kb/microsites/msbrowse.do
http://www.mynetworkgear.com/Home/fortinet-knowledge_center-tips_howto

How do I block an IP address?
Description: How to block an IP address.
Components: All FortiGate units running FortiOS 2.8 or 3.0.
Steps or Commands:
To block an IP address, create an address entry and create a firewall policy to block the address.

Add an Address

To add an address entry:
1. Go to Firewall > Address.
2. Select Create New.
3. Enter a name for the address.
4. Enter the IP address and subnet.

Note that if you are blocking an internal IP address, set the netmask to 255.255.255.255, or /32. Otherwise you could block the entire subnet.

Add a Firewall Policy

To add a firewall policy:
1. Go to Firewall > Policy.
2. Select Create New.
3. Configure the firewall policy as required. For the Source and/or Destination address, select the address name added above.
4. Set the Action to Deny.
5. Move the firewall policy to the top of the policy list.
LVL 8

Expert Comment

by:myramu
ID: 39159209
Make sure that the deny and allow firewall policies (without IPS) are moved to the top of all policies.

Good Luck!
LVL 62

Expert Comment

by:btan
ID: 39159220
Yep - FW "whitelist" traffic followed by an eventual deny ALL
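Putting the KB steps from btan's second comment (address object, deny policy, move it to the top) together with the ordering advice from myramu and btan, here is an added FortiOS CLI example. It is not code from this thread or from Fortinet's documentation. It assumes FortiOS 5.0-era syntax (utm-status and ips-sensor on the policy, rather than the older protection profiles quoted above), interface names wan1 and internal, an existing IPS sensor named "default", and constructed sample addresses 198.51.100.7 (known bad) and 203.0.113.20 (known good); the address names and policy IDs 100 to 102 are placeholders as well.

```fortios
# Added example, not from the thread or Fortinet's docs. Assumes FortiOS 5.0-era
# syntax, interfaces "wan1" (outside) and "internal" (inside), an IPS sensor named
# "default", and constructed sample hosts 198.51.100.7 (bad) and 203.0.113.20 (good).

# Address objects: /32 masks so only the single host is matched, not its subnet.
config firewall address
    edit "known-good-host"
        set subnet 203.0.113.20 255.255.255.255
    next
    edit "known-bad-host"
        set subnet 198.51.100.7 255.255.255.255
    next
end

# Groups make it easy to add more hosts later without touching the policies.
config firewall addrgrp
    edit "whitelist"
        set member "known-good-host"
    next
    edit "blacklist"
        set member "known-bad-host"
    next
end

config firewall policy
    # 1. Whitelist: accept with no UTM profile, so the IPS sensor never sees it.
    edit 100
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "whitelist"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # 2. Blacklist: plain deny with no IPS sensor, so no IPS alert is raised.
    edit 101
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "blacklist"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # 3. Everyone else: accept and inspect with the IPS sensor.
    edit 102
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "default"
        set logtraffic utm
    next
end

# Policies are evaluated top-down and the first match wins, so the two specific
# policies must sit above the general IPS policy (or any older catch-all policy).
config firewall policy
    move 100 before 102
    move 101 before 102
end
```

Policies 100 and 101 carry no IPS sensor, so the whitelisted host is never inspected (and so never wrongly blocked) and the blacklisted host is dropped before any signature can fire; only policy 102 invokes the sensor. The trade-off to keep in mind is that whitelisted traffic is not inspected at all. If the real problem is a single known-good host tripping a single signature, the override with action Pass described in the first comment keeps inspection on for everything else. After the move, confirm the effective order with "show firewall policy"; anything matched by no policy falls through to the FortiGate's implicit deny at the bottom of the list.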
LVL 62

Accepted Solution

by:btan
btan earned 500 total points
ID: 39255004
hope the above helped, good to hear from you :)