Configuring an anomaly – Fortinet 100A User Manual


IPS

Custom

FortiGate-100A Administration Guide

01-28007-0068-20041203


Configuring an anomaly

Each anomaly is preset with a recommended configuration. By default all anomaly
signatures are enabled. You can use the recommended configurations or you can
modify the recommended configurations to meet the needs of your network.

For more information on minimum, maximum, and recommended thresholds for the
anomalies with configurable thresholds, see the FortiGate IPS Anomaly Thresholds
and Dissector Values Technical Bulletin.

Figure 150: Editing the portscan IPS anomaly

Figure 151: Editing the syn_fin IPS anomaly

Action

The action set for each anomaly. Action can be Pass, Drop, Reset, Reset Client, Reset Server, Drop Session, Clear Session, or Pass Session.

Modify

The Edit and Reset icons. If you have changed the settings for an anomaly, you can use the Reset icon to change the settings back to the recommended settings.

Name

The anomaly name.

Enable

Select the Enable box to enable the anomaly or clear the Enable box to disable the anomaly.

Logging

Select the Logging box to enable logging for the anomaly or clear the Logging box to disable logging for the anomaly.

Action

Select an action for the FortiGate unit to take when traffic triggers this anomaly.

Pass

The FortiGate unit lets the packet that triggered the anomaly pass through the firewall. If logging is disabled and action is set to Pass, the anomaly is effectively disabled.

Drop

The FortiGate unit drops the packet that triggered the anomaly. Fortinet recommends using an action other than Drop for TCP connection based attacks.
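The Pass and Drop notes above can be turned into a review check. The following Python script is an added example, not part of the Fortinet manual: it audits a table of anomaly settings for anomalies that are disabled, effectively disabled (Pass with logging off), or set to Drop on a TCP connection based attack. The CSV layout, the `example_` anomaly names, and the `TCP_CONNECTION_BASED` set are assumptions made for illustration and are not a FortiGate export format.

```python
import csv
import io

# Constructed sample data: one row per anomaly, columns named after the
# fields on this page. Hypothetical layout, not a FortiGate file format.
SAMPLE = """name,enable,logging,action
portscan,yes,yes,Drop Session
syn_fin,yes,no,Pass
example_tcp_flood,yes,yes,Drop
example_disabled,no,yes,Reset
"""

# The eight actions listed on this page.
VALID_ACTIONS = {"Pass", "Drop", "Reset", "Reset Client", "Reset Server",
                 "Drop Session", "Clear Session", "Pass Session"}

# Assumption: the reviewer supplies the names of the anomalies that cover
# TCP connection based attacks; the page does not list them.
TCP_CONNECTION_BASED = {"example_tcp_flood"}


def audit(text, tcp_based=TCP_CONNECTION_BASED):
    """Return (anomaly name, issue) pairs for settings that weaken coverage."""
    findings = []
    for row in csv.DictReader(io.StringIO(text)):
        name = row["name"].strip()
        enabled = row["enable"].strip().lower() == "yes"
        logging = row["logging"].strip().lower() == "yes"
        action = row["action"].strip()
        if action not in VALID_ACTIONS:
            findings.append((name, "unknown-action"))
            continue
        if not enabled:
            findings.append((name, "disabled"))
            continue
        # Pass with logging off: the anomaly neither blocks nor records.
        if action == "Pass" and not logging:
            findings.append((name, "effectively-disabled"))
        # Drop is the action the manual advises against for these attacks.
        if action == "Drop" and name in tcp_based:
            findings.append((name, "drop-on-tcp-connection-attack"))
    return findings


if __name__ == "__main__":
    for name, issue in audit(SAMPLE):
        print(f"{name}: {issue}")
```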
