Solved

Fortinet firewall

Posted on 2013-05-10
1,697 Views
Last Modified: 2013-11-29
We are using Fortinet firewalls and have enabled the IPS service.  We are trying to set up rules that drop all traffic from certain IP addresses, to keep them from alerting in IPS.  We also want a whitelist of known good IP addresses, so the IPS doesn't stop them.  We have tried creating a policy for a blacklist and whitelist and doing a deny or allow for the IP we want.  It is still alerting us on IP addresses we know are bad, and it still blocks the IP addresses that we know are good.  Is there any way to do this with Fortinets?
Question by:bnussbaum
5 Comments
 
LVL 61

Expert Comment

by:btan
ID: 39158102
This may be a useful doc:
http://docs.fortinet.com/fgt/techdocs/fortigate-utm.pdf

When IPS is enabled, an IPS sensor is selected in a protection profile, the protection
profile is selected in the firewall policy, and all network traffic matching the policy will be
checked for the signatures in the IPS sensor.

For best results in configuring IPS scanning, follow the procedures in the order given.
Also, note that if you perform any additional actions between procedures, your
configuration may have different results.
1 Create an IPS sensor.
2 Create filters and/or overrides in the IPS sensor. The filters and overrides specify which
signatures the IPS engine will look for in the network traffic.
3 Select a protection profile or create a new one.
4 In the protection profile, enable IPS Sensor and select the IPS sensor.
5 Select a firewall policy or create a new one.
6 In the firewall policy, select the Protection Profile check box and select the protection
profile.

 Before an override can affect network traffic, you must add it to a filter, and you must
select the filter in a protection profile applied to a policy. An override does not have the
ability to affect network traffic until these steps are taken

To create an IPS signature override
1 Go to UTM > Intrusion Protection > IPS Sensor.
2 Select the Edit icon of the IPS sensor to which you want to add the override.
3 Select either Add Pre-defined Override or Add Custom Override, depending on the
type of IPS signature override you require.
4 For the Action, select Pass, Block, or Reset. When the override is enabled, the action
determines what the FortiGate will do with traffic containing the specified signature.

Custom signature keywords: All custom signatures follow a particular syntax. Each begins with a header and is followed by one or more keywords. One I was thinking of is the IP header keywords, such as:

--dst_addr [!]<ipv4>; --src_addr [!]<ipv4>;
0
 
LVL 61

Assisted Solution

by:btan
btan earned 500 total points
ID: 39158106
Other useful links to explore with support:

http://kb.fortinet.com/kb/microsites/msbrowse.do
http://www.mynetworkgear.com/Home/fortinet-knowledge_center-tips_howto

 How do I block an IP address?
Description  How to block an IP address.
Components  All FortiGate units running FortiOS 2.8 or 3.0.
Steps or Commands  
To block an IP address, create an address entry and create a firewall policy to block the address.
Add an Address

To add an address entry
Go to Firewall > Address.
Select Create New.
Enter a name for the address.
Enter the IP address and subnet.

Note that if you are blocking an internal IP address, set the netmask to 255.255.255.255, or /32. Otherwise you could block the entire subnet.
Add a Firewall Policy

To add a firewall policy
Go to Firewall > Policy.
Select Create new.
Configure the firewall policy as required. For the Source and/or Destination address, select the address name added above.
Set the Action to Deny.
Move the firewall policy to the top of the policy list.
0
 
LVL 8

Expert Comment

by:myramu
ID: 39159209
Make sure that deny and allow firewall policies (without IPS) are moved to top of all policies.

Good Luck!
0
 
LVL 61

Expert Comment

by:btan
ID: 39159220
Yap - FW "whitelist" traffic followed by an eventual deny ALL
0
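The two pieces of advice above (a deny policy for the blacklist, an accept policy without IPS for the whitelist, both placed above the general policy that carries the IPS sensor) as one complete CLI configuration. This is an added example, not configuration from anyone in this thread: it assumes FortiOS 5.x CLI syntax (FortiOS 4.x attaches a protection profile to the policy instead of `utm-status`/`ips-sensor`, as the UTM guide quoted earlier describes), interface names `wan1` and `internal`, and the RFC 5737 documentation addresses 203.0.113.10 and 198.51.100.0/24 standing in for the real bad and good hosts. The security-relevant point is that FortiGate evaluates policies top-down and stops at the first match, and IPS only inspects traffic that an accept policy passes, so a denied flow never reaches the sensor and never raises an IPS event.

```fortios
# Added example, not from the original thread. Assumed: FortiOS 5.x,
# interfaces wan1 (outside) and internal (inside), RFC 5737 sample addresses.

# Address objects. Use a /32 mask for a single host; a wider mask on the
# blacklist entry would silently block the whole subnet.
config firewall address
    edit "blocked-host-203.0.113.10"
        set subnet 203.0.113.10 255.255.255.255
    next
    edit "trusted-partner-198.51.100.0"
        set subnet 198.51.100.0 255.255.255.0
    next
end

config firewall policy
    # Blacklist: dropped before any inspection, so the IPS never sees it and
    # cannot alert on it. Traffic logging still records the drop.
    edit 10
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "blocked-host-203.0.113.10"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
    # Whitelist: accepted with UTM disabled, so no IPS sensor is applied and
    # no signature can block the known-good source.
    edit 20
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "trusted-partner-198.51.100.0"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status disable
    next
    # Everything else: this is the only policy that carries the IPS sensor.
    edit 30
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set profile-protocol-options "default"
        set ips-sensor "default"
    next
    # Policy ID does not decide matching order; position in the list does.
    # Make sure 10 and 20 sit above 30 regardless of creation order.
    move 10 before 30
    move 20 before 30
end
```

Two checks worth doing after applying this: `show firewall policy` lists the policies in evaluation order, so confirm 10 and 20 print before 30; and the deny/accept policies only cover the `wan1` to `internal` interface pair, so a bad host reaching you through another interface pair (or in the reverse direction) would still hit whichever policy matches there, IPS included, and needs its own entry. The custom-signature `--src_addr` keyword mentioned earlier is an alternative for suppressing or forcing a single signature per source, but for plain "never inspect this host" or "always drop this host" the policy ordering above is simpler and leaves nothing for the sensor to evaluate.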
 
LVL 61

Accepted Solution

by:
btan earned 500 total points
ID: 39255004
hope the above helped, good to hear from you :)
0
