Wednesday, December 9, 2015

FortiGate IPS diagnostics via CLI commands

One of the cool things about the FortiGate IPS is that it's simple to run diagnostics. I will show you some tips and knowledge transfer.

One of the first things you need to know is which sessions are handled by the IPS. The CLI cmd "diag ips session list" will list all sessions handled by the IPS engine. This gives you an idea of what is being handled and inspected by any IPS rule.

e.g. (here's a custom IPS rule in an IPS sensor for FTP, for example)

The CLI cmds "diag ips session performance" and "diag ips signature status" will also provide details on the sessions handled by the engine and the signature match counts.

The CLI cmd "diag ips sign hit" is also great for determining whether signatures are actually being hit. This goes along with the CLI cmd "diag ips packet status" to get the status of the IPS actions (drop, pass, reset, etc.).

One thing you need to be aware of: the IPS sensor could be populated, but traffic is not properly handled. In that case you will need to kill off the IPS engine process and have it restart.

I've seen IPS sensors that are configured, but get hung up and need a warm reload without rebooting the appliance.

The fnsysctl CLI cmd (a hidden command) can be executed to find the process by looking for the ipsengine proc-id. You only need to kill the parent proc-id, and you can use fnsysctl for that also.

e.g. (killing process id 1234 with kill signal 9)

    fnsysctl kill -9 1234

In most cases, when you have a few hundred rules and sensors, you want to use the filter and make sure you only monitor traffic for the items specified. In this example I will apply a filter for TCP (protocol 6) and port 21:

    diag ips filter port 21
    diag ips filter proto 6
    diag ips filter status

Now running the CLI cmd "diag ips session list" will generate information for the above-defined filters only. Here's a typical output.

Note: Ensure you clear any filters after performing any diagnostic. It's best to clear any filters before you apply new filters:

    diag ips filter clear

The FortiGate CLI cmd "diag debug flow" is also a must, to ensure the policy is being matched and the traffic is kicked to the IPS engine.


If you are finding packets that are not being punted to the IPS, then:
  1. check your policy(s)
  2. ensure the sensor is correct
  3. check the ordering of the policy(s) being matched

In summary:
  • check that the IPS sensors are placed within the firewall policies
  • monitor the security logs for IPS
  • diag debug flow is your friend
  • ensure packets are hitting the correct filters
  • don't be afraid to use the filters with the diag ips cmds

The logs will show you which signature fired, the date/time, the resulting action (block, alert, etc.), the sensor name, direction, interfaces, and threat level. If the signature that fired is a FortiGate canned signature, the Fortinet VID (vulnerability ID) will be listed for reference.



And finally, all alerts should be analyzed to determine true or false positives and any post-alert remediation.
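As an added example (not code from the post or from Fortinet), here is a small Python script that takes the kind of IPS log entries described above and turns them into a triage list, so the true/false-positive review can start from the highest-severity hits. The sample lines are constructed to imitate FortiGate's key=value log style; the field names it relies on (type, subtype, severity, attack, attackid, action, profile, direction, srcintf, dstintf) are assumptions for this example, the addresses and times are made up, and the attackid numbers are placeholders rather than real VIDs. Entries with no attackid are treated as custom-rule hits, since only canned signatures carry a VID to look up.

```python
import re
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample log lines in the key=value style of FortiGate UTM/IPS
# logs. Field names are assumptions for this example; addresses, times and
# attackid values are made up (attackid is a placeholder, not a real VID).
SAMPLE_LOGS = [
    'date=2015-12-09 time=10:15:01 type="utm" subtype="ips" severity="high" '
    'srcip=203.0.113.5 dstip=192.0.2.10 srcintf="wan1" dstintf="dmz" proto=6 '
    'attack="FTP.Login.Brute.Force" attackid=99901 action="dropped" '
    'profile="ftp-sensor" direction="incoming"',
    'date=2015-12-09 time=10:15:07 type="utm" subtype="ips" severity="medium" '
    'srcip=203.0.113.5 dstip=192.0.2.10 srcintf="wan1" dstintf="dmz" proto=6 '
    'attack="FTP.Login.Brute.Force" attackid=99901 action="dropped" '
    'profile="ftp-sensor" direction="incoming"',
    # A custom IPS rule hit: no attackid, so there is no VID to reference.
    'date=2015-12-09 time=10:16:30 type="utm" subtype="ips" severity="low" '
    'srcip=198.51.100.7 dstip=192.0.2.10 srcintf="wan1" dstintf="dmz" proto=6 '
    'attack="custom.ftp.anon.login" action="detected" '
    'profile="ftp-sensor" direction="incoming"',
    # A plain traffic log that must be ignored by the IPS filter below.
    'date=2015-12-09 time=10:17:02 type="traffic" subtype="forward" '
    'srcip=198.51.100.7 dstip=192.0.2.10 action="accept" policyid=4',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1, "info": 0}


def parse_kv(line: str) -> Dict[str, str]:
    """Split one key=value log line into a dict, stripping quotes from values."""
    return {
        m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
        for m in KV_RE.finditer(line)
    }


def ips_events(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Keep only IPS entries (type=utm, subtype=ips); traffic logs are skipped."""
    return [
        e for e in map(parse_kv, lines)
        if e.get("type") == "utm" and e.get("subtype") == "ips"
    ]


def summarize(events: List[Dict[str, str]]) -> Counter:
    """Count hits per (signature, action) pair: the log-side view of the
    match counts the IPS engine reports from the CLI."""
    return Counter((e.get("attack", "?"), e.get("action", "?")) for e in events)


def triage_queue(events: List[Dict[str, str]]) -> List[Tuple[str, str, str, str]]:
    """Order alerts for true/false-positive review: highest severity first,
    canned signatures (those with a VID) before custom rules, then by time.
    Each row is (severity, signature, vid or 'custom', action)."""
    def sort_key(e: Dict[str, str]):
        return (
            -SEVERITY_RANK.get(e.get("severity", "info"), 0),
            0 if "attackid" in e else 1,
            e.get("time", ""),
        )
    return [
        (e.get("severity", "?"), e.get("attack", "?"),
         e.get("attackid", "custom"), e.get("action", "?"))
        for e in sorted(events, key=sort_key)
    ]


if __name__ == "__main__":
    evs = ips_events(SAMPLE_LOGS)
    print("hits  action     signature")
    for (sig, act), n in summarize(evs).most_common():
        print(f"{n:>4}  {act:<9}  {sig}")
    print("\nseverity  signature  vid  action")
    for row in triage_queue(evs):
        print("  ".join(row))
```

Run it as-is to see the counts and the ordered queue; in practice you would feed it exported log lines instead of SAMPLE_LOGS, and a row showing "custom" in the VID column is one where you have to check the rule definition yourself because there is no Fortinet VID to consult.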

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com

     ^      ^
=(  @  @ )=
        /  \

1 comment:

  1. Hi, this blog is excellent, thanks for sharing.

    I have a question: what is the meaning of the client and server tags in the IPS profile?

    Kind regards.