bnussbaum asked:
Fortinet firewall

We are using Fortinet firewalls and have enabled the IPS service. We are trying to set up rules that drop all traffic from certain IP addresses, to keep them from alerting in IPS. We also want a whitelist of known good IP addresses, so the IPS doesn't stop them. We have tried creating a policy for a blacklist and whitelist and doing a deny or allow for the IP we want. It is still alerting us on IP addresses we know are bad, and it still blocks the IP addresses that we know are good. Is there any way to do this with Fortinets?
btan:

This may be a useful doc:
http://docs.fortinet.com/fgt/techdocs/fortigate-utm.pdf

When IPS is enabled, an IPS sensor is selected in a protection profile, the protection
profile is selected in the firewall policy, and all network traffic matching the policy will be
checked for the signatures in the IPS sensor.

For best results in configuring IPS scanning, follow the procedures in the order given.
Also, note that if you perform any additional actions between procedures, your
configuration may have different results.
1 Create an IPS sensor.
2 Create filters and/or overrides in the IPS sensor. The filters and overrides specify which
signatures the IPS engine will look for in the network traffic.
3 Select a protection profile or create a new one.
4 In the protection profile, enable IPS Sensor and select the IPS sensor.
5 Select a firewall policy or create a new one.
6 In the firewall policy, select the Protection Profile check box and select the protection
profile.

Before an override can affect network traffic, you must add it to a filter, and you must
select the filter in a protection profile applied to a policy. An override does not have the
ability to affect network traffic until these steps are taken.

To create an IPS signature override
1 Go to UTM > Intrusion Protection > IPS Sensor.
2 Select the Edit icon of the IPS sensor to which you want to add the override.
3 Select either Add Pre-defined Override or Add Custom Override, depending on the
type of IPS signature override you require.
4 For the Action, select Pass, Block, or Reset. When the override is enabled, the action
determines what the FortiGate will do with traffic containing the specified signature.

Custom signature keywords: All custom signatures follow a particular syntax. Each begins with a header and is followed by one or more keywords. One of them I was thinking of is the

IP header keywords such as --dst_addr [!]<ipv4>; --src_addr [!]<ipv4>;
SOLUTION
btan:
Make sure that deny and allow firewall policies (without IPS) are moved to top of all policies.

Good Luck!
Yap - FW "whitelist" traffic followed by an eventual deny ALL
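The two answers above both come down to policy ordering: a FortiGate evaluates firewall policies top to bottom and the first match wins, so a plain allow or deny policy placed below a catch-all policy that carries the IPS sensor never gets a chance to match. The following Python model is an added example (not code from the thread, from Fortinet, or from any FortiOS release) that shows the misordered list the question describes next to the corrected order, plus a small shadowing check. Policy names, the sensor name and the address ranges are constructed for illustration, and the `Policy` class is a hypothetical simplification of a real policy object.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Policy:
    """One firewall policy reduced to the fields that matter here.

    srcaddr:    source networks in CIDR form, or ["all"] for any source
    action:     "accept" or "deny"
    ips_sensor: IPS sensor applied through the protection profile, or None
                when the policy does no IPS inspection at all
    (Hypothetical model for illustration, not FortiOS's own data structure.)
    """
    name: str
    srcaddr: List[str]
    action: str
    ips_sensor: Optional[str] = None

    def covers(self, src_ip: str) -> bool:
        ip = ipaddress.ip_address(src_ip)
        return any(net == "all" or ip in ipaddress.ip_network(net)
                   for net in self.srcaddr)


def evaluate(policies: List[Policy], src_ip: str) -> Tuple[str, str, Optional[str]]:
    """First-match lookup: the first policy whose source matches decides the
    action and whether an IPS sensor inspects the flow. No match -> implicit deny."""
    for p in policies:
        if p.covers(src_ip):
            return p.name, p.action, p.ips_sensor
    return "implicit-deny", "deny", None


def _net_covered(net: str, by: List[str]) -> bool:
    """True if every address in `net` is already matched by one of `by`."""
    if "all" in by:
        return True
    if net == "all":
        return False
    n = ipaddress.ip_network(net)
    return any(n.subnet_of(ipaddress.ip_network(b)) for b in by)


def shadowed(policies: List[Policy]) -> List[str]:
    """Names of policies that can never match because an earlier policy in the
    list already covers every source network they list. This is the check to
    run when a deny or allow policy 'does nothing'."""
    hidden = []
    for i, p in enumerate(policies):
        for earlier in policies[:i]:
            if all(_net_covered(net, earlier.srcaddr) for net in p.srcaddr):
                hidden.append(p.name)
                break
    return hidden


# Constructed sample address objects (documentation ranges, not real hosts).
KNOWN_GOOD = ["198.51.100.0/24"]
KNOWN_BAD = ["203.0.113.10/32", "203.0.113.128/25"]

PERMIT_WHITELIST = Policy("permit-known-good", KNOWN_GOOD, "accept")   # no IPS
DENY_BLACKLIST = Policy("deny-known-bad", KNOWN_BAD, "deny")           # no IPS
GENERAL_IPS = Policy("general-with-ips", ["all"], "accept", "ips-sensor-1")

# The situation the question describes: the whitelist/blacklist policies exist
# but sit below the catch-all policy carrying the IPS sensor, so they never match.
BROKEN_ORDER = [GENERAL_IPS, PERMIT_WHITELIST, DENY_BLACKLIST]

# The ordering the answers recommend: plain allow/deny policies at the top,
# the IPS-inspected catch-all below them, implicit deny behind everything.
FIXED_ORDER = [PERMIT_WHITELIST, DENY_BLACKLIST, GENERAL_IPS]


if __name__ == "__main__":
    for label, order in (("broken", BROKEN_ORDER), ("fixed", FIXED_ORDER)):
        print(f"{label}: shadowed policies = {shadowed(order)}")
        for ip in ("203.0.113.10", "198.51.100.5", "192.0.2.7"):
            print(f"  {ip:>14} -> {evaluate(order, ip)}")
```

With the broken order, both the known-bad and the known-good source are handled by the catch-all policy, so the bad one still reaches the IPS sensor (and alerts) and the good one is still subject to the sensor's blocks; `shadowed()` reports both list policies as unreachable. With the fixed order each list policy matches first, and a source on neither list falls through to the IPS-inspected policy. Dropping the catch-all entirely leaves only the implicit deny, which is the "whitelist followed by deny ALL" shape from the last reply.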
ASKER CERTIFIED SOLUTION