Solved

Fortinet firewall

Posted on 2013-05-10
1,888 Views
Last Modified: 2013-11-29
We are using Fortinet firewalls and have enabled the IPS service.  We are trying to set up rules that drop all traffic from certain IP addresses, to keep them from alerting in IPS.  We also want a whitelist of known good IP addresses, so the IPS doesn't stop them.  We have tried creating a policy for a blacklist and whitelist and doing a deny or allow for the IP we want.  It is still alerting us on IP addresses we know are bad, and it still blocks the IP addresses that we know are good.  Is there any way to do this with Fortinets?
Question by:bnussbaum
5 Comments
 
LVL 64

Expert Comment

by:btan
ID: 39158102
This doc may be useful:
http://docs.fortinet.com/fgt/techdocs/fortigate-utm.pdf

When IPS is enabled, an IPS sensor is selected in a protection profile, the protection
profile is selected in the firewall policy, and all network traffic matching the policy will be
checked for the signatures in the IPS sensor.

For best results in configuring IPS scanning, follow the procedures in the order given.
Also, note that if you perform any additional actions between procedures, your
configuration may have different results.
1 Create an IPS sensor.
2 Create filters and/or overrides in the IPS sensor. The filters and overrides specify which
signatures the IPS engine will look for in the network traffic.
3 Select a protection profile or create a new one.
4 In the protection profile, enable IPS Sensor and select the IPS sensor.
5 Select a firewall policy or create a new one.
6 In the firewall policy, select the Protection Profile check box and select the protection
profile.

Before an override can affect network traffic, you must add it to a filter, and you must
select the filter in a protection profile applied to a policy. An override does not have the
ability to affect network traffic until these steps are taken.

To create an IPS signature override
1 Go to UTM > Intrusion Protection > IPS Sensor.
2 Select the Edit icon of the IPS sensor to which you want to add the override.
3 Select either Add Pre-defined Override or Add Custom Override, depending on the
type of IPS signature override you require.
4 For the Action, select Pass, Block, or Reset. When the override is enabled, the action
determines what the FortiGate will do with traffic containing the specified signature.

Custom signature keywords: All custom signatures follow a particular syntax. Each begins with a header and is followed by one or more keywords. The ones I was thinking of are the

IP header keywords, such as --dst_addr [!]<ipv4>; --src_addr [!]<ipv4>;
 
LVL 64

Assisted Solution

by:btan
btan earned 500 total points
ID: 39158106
Other useful links to explore with support:

http://kb.fortinet.com/kb/microsites/msbrowse.do
http://www.mynetworkgear.com/Home/fortinet-knowledge_center-tips_howto

 How do I block an IP address?
Description  How to block an IP address.
Components  All FortiGate units running FortiOS 2.8 or 3.0.
Steps or Commands  
To block an IP address, create an address entry and create a firewall policy to block the address.
Add an Address

To add an address entry
Go to Firewall > Address.
Select Create New.
Enter a name for the address.
Enter the IP address and subnet.

Note that if you are blocking an internal IP address, set the netmask to 255.255.255.255, or /32. Otherwise you could block the entire subnet.
Add a Firewall Policy

To add a firewall policy
Go to Firewall > Policy.
Select Create new.
Configure the firewall policy as required. For the Source and/or Destination address, select the address name added above.
Set the Action to Deny.
Move the firewall policy to the top of the policy list.
 
LVL 8

Expert Comment

by:myramu
ID: 39159209
Make sure that deny and allow firewall policies (without IPS) are moved to top of all policies.

Good Luck!
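The policy layout the two answers above describe (a whitelist accept policy without IPS, a blacklist deny policy, both ordered above the IPS-inspected policy), written out as FortiOS CLI. This is an added example and is not configuration from the original thread or from Fortinet's documentation. It assumes FortiOS 5.0 policy syntax (utm-status / ips-sensor on the policy rather than the older protection profile referenced in the quoted docs), interfaces named wan1 and internal, an existing IPS-inspected policy with ID 1, free policy IDs 100 and 101, and constructed host addresses taken from the documentation ranges 198.51.100.0/24 and 203.0.113.0/24.

```fortios
# Added example, not from the original thread. Assumes FortiOS 5.0 CLI syntax,
# interfaces wan1/internal, an existing IPS-inspected policy with ID 1, and
# free policy IDs 100 and 101. All host addresses are constructed for illustration.

# 1. One /32 address object per host. A wider mask would block or exempt the
#    whole subnet (the KB note above).
config firewall address
    edit "bad-198.51.100.7"
        set subnet 198.51.100.7 255.255.255.255
    next
    edit "bad-198.51.100.9"
        set subnet 198.51.100.9 255.255.255.255
    next
    edit "good-203.0.113.10"
        set subnet 203.0.113.10 255.255.255.255
    next
end

# 2. Groups, so adding a host later means editing one member list
#    instead of touching the policies.
config firewall addrgrp
    edit "grp-blacklist"
        set member "bad-198.51.100.7" "bad-198.51.100.9"
    next
    edit "grp-whitelist"
        set member "good-203.0.113.10"
    next
end

config firewall policy
# 3. Whitelist: accept with UTM disabled, so no IPS sensor is applied
#    and the known-good hosts cannot be blocked by it.
    edit 100
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "grp-whitelist"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status disable
    next
# 4. Blacklist: deny. Traffic dropped here never reaches the IPS policy,
#    so it produces a firewall log entry instead of an IPS alert.
    edit 101
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "grp-blacklist"
        set dstaddr "all"
        set action deny
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
# 5. The existing IPS-inspected policy (ID 1, assumed). Shown only so the
#    three policies can be compared; it is not changed.
    edit 1
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ips-sensor "default"
        set profile-protocol-options "default"
    next
# 6. Order decides everything: the FortiGate takes the first match top-down,
#    so both new policies must sit above the IPS policy. Resulting order:
#    100 (whitelist), 101 (blacklist), 1 (everything else through IPS).
    move 100 before 1
    move 101 before 1
end
```

The two move commands are the CLI equivalent of "Move the firewall policy to the top of the policy list" in the KB steps; without them the IPS policy keeps matching first and the symptoms in the question (alerts on known-bad hosts, blocks on known-good hosts) remain. Two caveats worth keeping in mind: a host matched by policy 100 bypasses IPS completely, not just the noisy signature, so keep that group small and review it; and if the goal for the good hosts is only to silence one false-positive signature while still inspecting the rest of their traffic, the signature override in the IPS sensor from the first answer is the narrower tool.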
 
LVL 64

Expert Comment

by:btan
ID: 39159220
Yep - FW "whitelist" traffic followed by an eventual deny ALL
 
LVL 64

Accepted Solution

by:btan
btan earned 500 total points
ID: 39255004
Hope the above helped, good to hear from you :)
