One of the first issues you need to know, is to see what sessions are handled by ips. The cli cmd "diag ips session list" will list all sessions handled by the ips-engine. This gives you and ideal of what's being handle and inspected by any ips rule.
e.g ( here's a custom ips rule in a ips sensor for ftp for example )
The cli cmds "diag ips session performance" "diag ips signature status" will provide also details on sessions by the engine and matches counts.
The cli cmd "diag ips sign hit" is also great for determining if hits are being match. This go along with the cli cmd "diag ips packet status" to get status of the ips actions; ( drop, pass, reset, etc.....)
One thing you need to be aware of, the IPS sensor could be populated, but traffic is not properly handle. So you will need to kill off the process for the IPS engine & have it restart.
I've seen IPS sensors that are configured , but get's hanged up and needs a warm-reload without reboot the appliance.
The fnsysctl cli cmd ( a hidden command ) can be execute to find the process by looking for the ipsengine proc-id. You only need to kill the parent proc-id and you can use fnsysctl for that also
e.g ( killing process id #1234 with KILLSIGNAL 9 )
fnsysctl kill -9 1234
Most cases when you have a few hundred rules and sensors, you want to use the filter and ensure you monitor traffic for that items specified. In this example I will apply a filter for tcp and port 21
diag ips filter port 21
diag ips filter proto 6
diag ips filter status
Now running the cli cmd "diag ips session list" will generate information for the above defined filters only. Here's a typical output.
Note: Ensure you clear any filters after performing any diagnostic. It's best to clear any filters b4 you apply new filters;
e.g
diag ips filter clear
The fortigate cli cmd diag debug flow command is also a must and to ensure the policy is being matched and the traffic is kicked to the IPS engine.
e.g
In summary;
- check for ips_sensors place within the fw-policies
- monitor the security logs ips
- diag debug flow is your friend
- ensure packets are hitting the correct filters
- don't be afraid to use the filters with the diag ips cmds
The logs will show you what signature fired off, date/time, the resulting action ( block, alert,etc...). The sensor name, direction , interfaces, and threat level. If the signature that fired is a fortigate can'd signature the fortinet VID ( vulnerability ID ) will be listed for reference
e.g http://www.fortinet.com/ids/VID41500
And finally all alert should be analyze to determine true or false positive and any post-alert remediations.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \
Hi, this blog is excellent, thanks for sharing.
ReplyDeleteI have a question, ¿what is the meaning of the client and server tag in the ips profile?
kind regards.