Showing posts from December, 2021

Monitoring Intrusion Prevention Events on FortiManager/FortiAnalyzer

IPS signatures applied to FortiGates generate logging data that can be sent to a FortiAnalyzer (or combined FortiManager/FortiAnalyzer) appliance. To view the top IPS signature (and all other threat) hits, navigate to FortiView -> Threats -> Top Threats. Any Category designation of IPS on this page was a threat match against an IPS signature.

[Figure: FortiView Top Threats]

To view the raw IPS logs, navigate to Log View -> Security -> Intrusion Prevention. This page shows all logs generated by the IPS engine on the logging FortiGates.

[Figure: Intrusion Prevention Security Log View] -A

Configuring FortiGate Intrusion Prevention via FortiManager

The first step is to create the IPS Security Profile within Policy & Objects -> Object Configurations -> Security Profiles -> Intrusion Prevention. The profile created below is a copy of the default IPS profile. Let's go through each of the options.

[Figure: FortiManager IPS Profile]

There are no specific IPS signatures enabled for this profile. Instead, an IPS filter is set for the medium, high, and critical severity levels. These signatures and their associated severity levels are published via FortiGuard. The Action is also set to Default, which takes an action (block or pass) based on FortiGuard's recommendation. If a particular signature has a high probability of false positives, for example, it may be set to pass. Be sure to keep an active FortiGuard subscription for IPS on your FortiGate! Without this subscription, the FortiGate will not have the latest IPS signatures and, with how fast cybersecurity threats evolve, will not be effective as an IPS solution. No reason t
