FortiGate 60D—How to Enable IPS Scanning

Introduction:

An IPS, also known as an intrusion prevention system, is a monitor that is set up to scan traffic on your network, identify any potential threats, and take the steps needed to eliminate the threat. An IPS device, much like a firewall, sits in-line on your network and can take automatic action on all network traffic flows. In this instance, the IPS scanner is a feature of the firewall (FortiGate 60D). FortiGate uses signature-based detection to identify threats (the other detection method is statistical anomaly-based detection).

Prerequisites:

In order to perform the following steps, you must be in possession of a FortiGate 60D with an active subscription to Fortinet's signature database.

Step 1: Create an IPS Sensor

The first step is to create an IPS sensor by going to Security Profiles, then Intrusion Protection.

Click "Create New" at the top of the Edit IPS Sensor window.

Create a name for your new IPS Sensor and an optional comment for future clarity.

Press OK to save changes.

Step 2: Create a filter for your IPS Sensor

The second step is to add an IPS filter to the sensor you just created. Go back to Intrusion Protection on the configuration page and select your recently created IPS sensor.

Under IPS Filters, select "Add Filter".

Configure the filter based on your internal network needs. Signatures that match any characteristics you specify will be applied. Once done, select Use Filters and click Apply.

Step 3: Set actions for the filter based on signature trigger

The next step is to choose an action to take when the IPS detects a signature. You can Pass, Monitor, Block, Reset, Default, Quarantine or Log Packets. Depending on your needs, you can tailor the actions to your network.

Step 4: Enable IPS in Security Policy

Head to the Security Policy page and turn on IPS. Make sure to select the IPS Sensor you created from the list.
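The four GUI steps above can also be performed from the FortiOS CLI, which is useful for repeating the setup on several units or for reviewing what the GUI actually wrote. The following is an added example, not taken from the original tutorial or from Fortinet documentation; the sensor name "office-ips", the comment text, the interface names "internal" and "wan1", and the policy ID 1 are assumptions that you should replace with your own values. The filter entry matches high- and critical-severity signatures and blocks them with logging, and the second filter entry shows a Monitor-style setting (pass with logging) for medium severity:

```fortios
# Step 1 and 2: create the IPS sensor and its filters
config ips sensor
    edit "office-ips"                       # assumed sensor name
        set comment "Blocks high/critical signatures, monitors medium"
        config entries
            edit 1
                set severity high critical  # filter: match high and critical signatures
                set status enable           # enable the matched signatures
                set action block            # Step 3: Block (alternatives: pass, reset, default)
                set log enable              # generate an IPS log on each hit
                set log-packet enable       # "Log Packets": capture the triggering packet
            next
            edit 2
                set severity medium         # filter: match medium-severity signatures
                set status enable
                set action pass             # Monitor = pass traffic but still log it
                set log enable
            next
        end
    next
end

# Step 4: attach the sensor to the firewall policy that carries the traffic
config firewall policy
    edit 1                                  # assumed policy ID
        set name "internal-to-wan"
        set srcintf "internal"              # assumed LAN interface
        set dstintf "wan1"                  # assumed WAN interface
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable               # turn on security profile inspection
        set ips-sensor "office-ips"         # select the sensor created above
    next
end
```

After applying the configuration, confirm that the policy references the sensor with `show firewall policy 1` and that the sensor's filters are present with `show ips sensor office-ips`. IPS is only applied to traffic that is accepted by a policy with the sensor attached, so any flow that matches a different policy (or the implicit deny) is not scanned; check that every policy carrying traffic you want inspected has the sensor selected.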
