Posts

Showing posts from December, 2021

Monitoring Intrusion Prevention Events on FortiManager/FortiAnalyzer

Image
 IPS signatures applied to FortiGates generate logging data that can be sent to a FortiAnalyzer (or combined FortiManager/FortiAnalyzer) appliance. To view the top IPS signature (and all other threat) hits, navigate to FortiView -> Threats -> Top Threats.  Any Category designation of IPS on this page was a threat match against an IPS signature. FortiView Top Threats To view the raw IPS logs, navigate to Log View -> Security -> Intrusion Prevention.  This page shows all logs generated by the IPS engine on the logging FortiGates. Intrusion Prevention Security Log View -A
Post a Comment
Read more

Configuring FortiGate Intrusion Prevention via FortiManager

Image
First step is to create the IPS Security Profile within Policy & Objects -> Object Configurations -> Security Profiles -> Intrusion Prevention.  The policy created below is a copy of the default IPS profile.  Let's go through each of the options.   FortiManager IPS Profile There are no specific IPS Signatures enabled for this profile.  Instead, an IPS filter is set for medium, high, and critical severity levels.  These signatures and associated severity levels are published via FortiGuard.  The Action is also set to Default which takes an action (block or pass) based on FortiGuard's recommendation.  If the particular signature has a high probability for false positives, it may be set to pass, for example.   Be sure to keep an active FortiGuard subscription for IPS on your FortiGate!  Without this subscription, the FortiGate will not have the latest IPS signatures and, with how fast cybersecurity threats evolve, will not be effective as an IPS solution.  No reason t
Post a Comment
Read more

Popular posts from this blog

Fix Cisco ISE Messaging Service

Cisco Identity Services Engine 2.6 introduced the concept of the ISE Messaging Service as an encrypted, lightweight protocol to replace syslog communication between the ISE nodes for logging purposes.  The ISE Messaging Services runs over TCP/8671.  In 2.6 Patch 2 and later, the Cisco ISE Messaging Service is enabled by default.   The overall implementation of the ISE Messaging Service has been buggy (but has gotten much better in recent versions) in both new ISE builds and upgrades.  One solution is simply to disable the ISE Messaging Service within Administration > System > Logging.  But then the ISE logging traffic isn't encrypted and the legacy syslog delivery method is not as efficient as the ISE Messaging Service so we will focus the rest of this article on how to identity and fix the ISE Messaging Service. Problem Identification Usually problems with the ISE Messaging Service involve a blank Live Logs page.  You know authentication is working as you have devices/users
Read more

ClearPass MPSK per Device Type with Profiling

Image
Multiple Pre-Shared Key or MPSK helps solve for IOT or other endpoint device types that are not 802.1X capable.  The Aruba ClearPass default implementation of MPSK (the configuration created by the wizard) requires manually registering, enrolling, and managing individual PSK keys per endpoint using the ClearPass Guest dashboard.  While the most secure approach, excluding any sort of API based automation, this can obviously be a nightmare to manage and support due to the sheer number of PSKs.  This approach instead delivers a unique PSK per device type (printer, thermostat, etc.) so that each flavor of endpoint would have its own PSK.  If one PSK was compromised, then only those endpoints would need to be manually re-configured.  PSK rotation would also be limited to only those specific device types allowing rotation to take place slowly over several weeks rather than all devices at the same time on the SSID with a traditional single PSK; lessoning the burden on IT staff and minimizing
Read more

Cisco Designated VIP 2023

I'm happy to announce that I have been recognized as a Cisco Community Designated VIP for 2023 for my assistance in the Cisco Secure Network Access Control community focusing on Identity Services Engine.  Be sure to check out all of the Cisco Community Designated VIPs .
Read more