Firewall Wizards mailing list archives

fortigate firewall IPS capabilities


From: "Maarten Hartsuijker" <secfocusNOSPAM () jizzle net>
Date: Mon, 25 Oct 2004 12:07:04 +0200 (CEST)

I have been performing some basic tests of the IPS capabilities of our
fortigate v2.80 - MR5. I started out testing the device's portscan
protection rules but have so far been unable to prevent the portscans from
being successful. From the logs, I notice that the fortigate detects the
scan, but allows it anyway.
I tested the device using the following scenario:
1. I opened all the ports between 2 fortigate interfaces
2. I configured all IPS options related to portscans. I enabled them and
set the action to drop (and in other tests "clear session" and "drop
session")
3. I created my own profile ("maarten"), configured it to follow IPS rules
and attached it to the firewall policy that allows sessions between the
wan1 and internal ports.
4. I enabled logging, so I would be able to follow the device's response
=== scantop === fortigate === victim (host with ports listening on 22/TCP
and 8080/TCP)
When scanning my victim using nmap, all open ports are reported accurately.
It seems like the fortigate is not blocking my portscan, like you would
expect from an IPS....
====================================================
NMAP and SYSLOG output:
====================================================
Starting nmap 3.70 ( http://www.insecure.org/nmap ) at 2004-10-25 10:18 W. Europ
Interesting ports on 192.168.1.1:
(The 65533 ports scanned but not shown below are in state: closed)
PORT     STATE SERVICE
22/tcp   open  ssh
8080/tcp open  http-proxy
Nmap run completed -- 1 IP address (1 host up) scanned in 654.401 seconds

====================================================
The fortigate logs:
Oct 25 10:17:33 FG.CORP.LAN date=2004-10-25 time=10:12:21
device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly
pri=alert attack_id=100663398 src=172.16.152.162 dst=192.168.1.1
src_port=58020 dst_port=44993 src_int=n/a dst_int=n/a status=dropped
proto=6 service=44993/tcp msg="anomaly: portscan, 1001 > threshold 1000,
repeated 67 times[Reference: http://www.fortinet.com/ids/ID100663398]";
Oct 25 10:17:35 FG.CORP.LAN date=2004-10-25 time=10:12:23
device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly
pri=alert attack_id=100663402 src=172.16.152.162 dst=192.168.1.1
src_port=58020 dst_port=48556 src_int=n/a dst_int=n/a status=detected
proto=6 service=48556/tcp msg="anomaly: tcp_src_session, 2001 > threshold
2000, repeated 67 times[Reference:
http://www.fortinet.com/ids/ID100663402]";
Oct 25 10:17:49 FG.CORP.LAN date=2004-10-25 time=10:12:37
device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly
pri=alert attack_id=100663409 src=172.16.152.162 dst=192.168.1.1
src_port=58020 dst_port=53739 src_int=n/a dst_int=n/a status=detected
proto=6 service=53739/tcp msg="anomaly: tcp_dst_session, 5001 > threshold
5000, repeated 3434 times[Reference:
http://www.fortinet.com/ids/ID100663409]";
Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41
device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed
pri=notice vd=root SN=10561 duration=20 rule=7 policyid=7 proto=554/tcp
service=554/tcp status=accept src=172.16.152.162 srcname=172.16.152.162
dst=192.168.1.1 dstname=192.168.1.1 src_int=n/a dst_int=n/a sent=40
rcvd=40 sent_pkt=1 rcvd_pkt=1 src_port=58020 dst_port=554 vpn=n/a
tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41
device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed
pri=notice vd=root SN=10562 duration=20 rule=7 policyid=7 proto=dns
service=dns status=accept src=172.16.152.162 srcname=172.16.152.162
dst=192.168.1.1 dstname=192.168.1.1 src_int=n/a dst_int=n/a sent=40
rcvd=40 sent_pkt=1 rcvd_pkt=1 src_port=58020 dst_port=53 vpn=n/a
tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41
device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed
pri=notice vd=root SN=10567 duration=20 rule=7 policyid=7 proto=3389/tcp
service=3389/tcp status=accept src=172.16.152.162 srcname=172.16.152.162
dst=192.168.1.1 dstname=192.168.1.1 src_int=n/a dst_int=n/a sent=40
rcvd=40 sent_pkt=1 rcvd_pkt=1 src_port=58020 dst_port=3389 vpn=n/a
tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41
device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed
pri=notice vd=root SN=10568 duration=20 rule=7 policyid=7 proto=389/tcp
service=389/tcp status=accept src=172.16.152.162 srcname=172.16.152.162
dst=192.168.1.1 dstname=192.168.1.1 src_int=n/a dst_int=n/a sent=40
rcvd=40 sent_pkt=1 rcvd_pkt=1 src_port=58020 dst_port=389 vpn=n/a
tran_ip=0.0.0.0 tran_port=0 dir_disp=org tran_disp=noop
=========================================================
As you can see, the fortigate firewall/IPS detects the anomaly, but still
allows the portscan to continue. There is no IPS response that blocks the
entire portscan. I had a tcpdump running on my victim to see if maybe port
22 and 8080 had been scanned before the threshold of the rules had been
met. However, this did not seem to be the case. tcpdump reported a probe
of port 8080 over a minute after the fortigate first detected the scan.

I was wondering if any of you have noticed the same behaviour on your
fortigates, or if you have different test results. I have included some
details of my configuration below.

Kind regards, Maarten Hartsuijker

Version:Fortigate-60 2.80,build250,040914
ids-db:2.139(10/19/2004 15:14)

config ips group "scan"
        config rule "Nmap.TCP"
            set action drop (tried "clear session" and "drop session"
options as well)
        end
        config rule "SYNScan.Portscan"
            set action drop (tried "clear session" and "drop session"
options as well)
        end
end

config ips anomaly "portscan"
    set action drop (tried "clear session" and "drop session" options as
well)
    set threshold "1000"
end
config ips anomaly "syn_flood"
    set threshold "2000"
end


config firewall profile
    .......
    edit "maarten"
        set imap fragmail
        set pop3 fragmail
        set smtp fragmail
        set ips signature anomaly
    next
end
config firewall policy
    ...
    edit 2
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ANY"
        set profile_status enable
        set profile "maarten"
    next
    ...
end
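As an added example (not from the post or from Fortinet), a small Python script that parses the key=value syslog lines the FortiGate emits, as quoted above, and checks, for each source the IPS flagged, whether the traffic log still shows accepted sessions from that source after the first anomaly alert. The sample lines are constructed and shortened from the post's own output; the unit's date=/time= fields are used as the clock rather than the syslog receiver's timestamp.

```python
import re
from datetime import datetime

# Constructed sample, shortened from the FortiGate 2.80 syslog lines in the post.
# Field names follow the post; the last line is an earlier, unrelated accepted session.
SAMPLE_LOG = """\
Oct 25 10:17:33 FG.CORP.LAN date=2004-10-25 time=10:12:21 device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly pri=alert attack_id=100663398 src=172.16.152.162 dst=192.168.1.1 src_port=58020 dst_port=44993 status=dropped proto=6 service=44993/tcp msg="anomaly: portscan, 1001 > threshold 1000, repeated 67 times[Reference: http://www.fortinet.com/ids/ID100663398]"
Oct 25 10:17:35 FG.CORP.LAN date=2004-10-25 time=10:12:23 device_id=FGT-602803030270 log_id=0421073001 type=ips subtype=anomaly pri=alert attack_id=100663402 src=172.16.152.162 dst=192.168.1.1 src_port=58020 dst_port=48556 status=detected proto=6 service=48556/tcp msg="anomaly: tcp_src_session, 2001 > threshold 2000, repeated 67 times[Reference: http://www.fortinet.com/ids/ID100663402]"
Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41 device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed pri=notice vd=root SN=10561 duration=20 rule=7 policyid=7 proto=554/tcp service=554/tcp status=accept src=172.16.152.162 dst=192.168.1.1 sent=40 rcvd=40 src_port=58020 dst_port=554
Oct 25 10:17:53 FG.CORP.LAN date=2004-10-25 time=10:12:41 device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed pri=notice vd=root SN=10568 duration=20 rule=7 policyid=7 proto=389/tcp service=389/tcp status=accept src=172.16.152.162 dst=192.168.1.1 sent=40 rcvd=40 src_port=58020 dst_port=389
Oct 25 10:10:00 FG.CORP.LAN date=2004-10-25 time=10:04:48 device_id=FGT-602803030270 log_id=0022010001 type=traffic subtype=allowed pri=notice vd=root SN=10001 duration=20 rule=7 policyid=7 proto=80/tcp service=http status=accept src=172.16.152.162 dst=192.168.1.1 sent=40 rcvd=40 src_port=58020 dst_port=80
"""

# key=value pairs; a value is either a double-quoted string (the msg field) or a bare token
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Turn one FortiGate log line into a dict, adding a datetime from the unit's date/time fields."""
    fields = {k: v.strip('"') for k, v in KV.findall(line)}
    fields["ts"] = datetime.strptime(fields["date"] + " " + fields["time"], "%Y-%m-%d %H:%M:%S")
    return fields


def anomaly_summary(events):
    """Map each anomaly name (taken from msg, e.g. 'anomaly: portscan, ...') to the reported IPS status."""
    out = {}
    for e in events:
        if e.get("type") == "ips" and e.get("subtype") == "anomaly":
            name = e["msg"].split(":")[1].split(",")[0].strip()
            out[name] = e["status"]
    return out


def sessions_after_detection(events):
    """Accepted sessions from a source the IPS had already alerted on: (src, dst, dst_port, seconds after first alert)."""
    first_alert = {}
    for e in events:
        if e.get("type") == "ips" and e.get("subtype") == "anomaly":
            first_alert[e["src"]] = min(first_alert.get(e["src"], e["ts"]), e["ts"])
    leaked = []
    for e in events:
        if e.get("type") == "traffic" and e.get("status") == "accept":
            t0 = first_alert.get(e["src"])
            if t0 is not None and e["ts"] >= t0:
                leaked.append((e["src"], e["dst"], int(e["dst_port"]), int((e["ts"] - t0).total_seconds())))
    return leaked


def analyse(text):
    events = [parse_line(l) for l in text.splitlines() if l.strip()]
    return anomaly_summary(events), sessions_after_detection(events)


if __name__ == "__main__":
    summary, leaked = analyse(SAMPLE_LOG)
    print("IPS anomaly status:", summary)
    for src, dst, port, delay in leaked:
        print(f"{src} -> {dst}:{port} accepted {delay}s after first anomaly alert")
```

A non-empty result from `sessions_after_detection` is the condition the post describes: the anomaly is logged (only the threshold-crossing packet shows `status=dropped`) while later sessions from the same source are still accepted by the policy.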

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards