Configuring pre-defined and custom overrides – Fortinet Network Device IPS User Manual

IPS sensors

Configuring IPS sensors

FortiGate IPS User Guide Version 3.0 MR7
01-30007-0080-20080916

43

The signatures included in the filter are only those matching every attribute
specified. When created, a new filter has every attribute set to “all” which causes
every signature to be included in the filter. If the severity is changed to high, and
the target is changed to server, the filter includes only signatures checking for high
priority attacks targeted at servers.

Configuring pre-defined and custom overrides

Pre-defined and custom overrides are configured and work mainly in the same
way as filters. Unlike filters, each override defines the behavior of one signature.

Overrides can be used in two ways:

• To change the behavior of a signature already included in a filter. For example,

to protect a web server, you could create a filter that includes and enables all
signatures related to servers. If you wanted to disable one of those signatures,
the simplest way would be to create an override and mark the signature as
disabled.

• To add an individual signature, not included in any filters, to an IPS sensor.

This is the only way to add custom signatures to IPS sensors.

When a pre-defined signature is specified in an override, the default status and
action attributes have no effect. These settings must be explicitly set when
creating the override.

Name

Enter or change the name of the IPS filter.

Severity

Select All, or select Specify and then one or more severity ratings.

Severity defines the relative importance of each signature. Signatures

rated critical detect the most dangerous attacks while those rated as

info pose a much smaller threat.

Target

Select All, or select Specify and then the type of systems targeted by the

attack. The choices are server or client.

OS

Select All, or Select Specify and then select one or more operating

systems that are vulnerable to the attack.
Signatures with an OS attribute of All affect all operating systems.

These signatures will be automatically included in any filter regardless

of whether a single, multiple, or all operating systems are specified.

Protocol

Select All, or select Specify to list what network protocols are used by

the attack. Use the Right Arrow to move the ones you want to include in

the filter from the Available to the Selected list, or the Left Arrow to

remove previously selected protocols from the filter.

Application

Select All, or select Specify to list the applications or application suites

vulnerable to the attack. Use the Right Arrow to move the ones you

want to include in the filter from the Available to the Selected list, or the

Left Arrow to remove previously selected protocols from the filter.

Enable

Select from the options to specify what the FortiGate unit will do with the

signatures included in the filter: enable all, disable all, or enable or

disable each according to the individual default values shown in the

signature list.

Logging

Select from the options to specify whether the FortiGate unit will create

log entries for the signatures included in the filter: enable all, disable all,

or enable or disable logging for each according to the individual default

values shown in the signature list.

Action

Select from the options to specify what the FortiGate unit will do with

traffic containing a signature match: pass all, block all, reset all, or block

or pass traffic according to the individual default values shown in the

signature list.