Fortinet Security - Intrusion Prevention System (IPS)
Introduction
Increasingly sophisticated and persistent threats are targeting today's expanding attack surface. Isolated security and management systems along with an increasing skills gap make it difficult for organizations to detect and respond to these threats. The most effective approach starts with a unified next-generation firewall (NGFW) security platform. One of the most essential additions to any NGFW is a fully integrated intrusion prevention system (IPS) that can analyze all communication traffic via deep packet inspection (DPI).
The team at the WWT Advanced Technology Center (ATC) tested the core functionality and usability of Fortinet FortiGate Firewalls IPS feature set including:
- Device management and configuration
- Protocol analysis and DPI of encrypted SSL traffic
- Real-time event logging and analysis
- Reporting
The next sections will provide further details from our testing results.
Lab Topology
A virtual topology was created in the ATC to focus on validating the IPS capabilities of Fortinet FortiGate NGFW. FortiManager and FortiAnalyzer virtual appliances were included to provide centralized management and detailed logging of the FortiGate NGFWs. After the network topology was built and configured successfully, end-to-end communication was verified. All configuration was completed exclusively using FortiManager as the configuration interface.
Ixia Breaking Point was introduced for traffic generation. Two types of traffic profiles were applied, one common enterprise traffic (good traffic) mix and a WWT IPS strike pack (bad traffic). The strike pack was used to evaluate the efficacy of the IPS Engine and up-to-date FortiGuard default signature list. The enterprise traffic was evaluated to ensure normal enterprise applications were not impacted by IPS activities.
Testing Components
| Device Description | Hardware Model | O/S Version |
| FortiManager | FMG-VM64 | v7.2.1-build1215 |
| FortiGate | FGT-VM64 | v7.2.3-build1262 |
| FortiAnalyzer | FAZ-VM64 | v7.2.1-build1215 |
| Windows Server | Windows Server 2019 Datacenter | v2019 Datacenter – build17763 |
| Windows Desktop | Windows 10 Pro | v22H2-build19045.2364 |
| Ubuntu Server | Ubuntu VM | v20.04.02 |
| Traffic Jam | Traffic Jam VM | v3.0.2 |
| Breaking Point | Breaking Point VM | v9.20 |
| VMware vSphere | vSphere | v7.0.3-build20395099 |
| Cisco UCS | Cisco UCS 5108 AC2 Chassis | UCSB-5108-AC2 |
| Cisco UCS B200 M4 Servers | Cisco UCS B200 M4 Servers | UCSB-B200-M4 |
| Cisco UCS Fabric Interconnects | Cisco UCS 6324 | UCS-FI-M-6324 |
| FGT IPS Definitions | n/a | v22.00483 |
| FGT IPS Engine | n/a | v7.00234 |
| FGT Malicious URLs | n/a | v4.00602 |
| FGT Botnet IPs | n/a | v7.02997 |
| FGT Botnet Domains | n/a | v3.00168 |
IPS Testing Highlights
The IPS validation was conducted following a detailed test plan to validate each of the following core functions. Overall testing was very straightforward, and no major issues were encountered. Fortinet IPS performing favorably against the Ixia Breaking Point testing suite. After some light tuning of signature policies, the IPS engine successfully prevented 98.569 percent of strikes, an achievement that puts Fortinet in the upper echelon of IPS solutions.
Figure 2: Evaluated Test Cases
Role-Based Access Controls
Administrator accounts are used to control access to FortiManager. Local and remote authentication is supported, as well as two-factor authentication. Administrator profiles define different types of administrators and the level of access they have to the FortiManager unit, as well as its authorized devices.
In FortiManager, a restricted administrator profile can be created to allow an administrator to configure IPS settings without interfering with other FortiManager configurations. Restricted administrators can create new profiles and signatures, add signatures and filters to a profile, and define the action (allow, monitor, block, reset, default, quarantine) that will occur for detected signatures. They are also able to view IPS diagnostics, FortiGuard package status, licenses, and services, and create IPS templates.
Several administrator accounts were configured and tested in the evaluation and each account functioned as expected. The firewall admin could push policy and utilize IPS signatures created by the IPS admin but could not edit the signatures. The IPS admin could create IPS signatures that could be utilized by the firewall admin. The full Admin account provided full access to FortiManager which could then be used to create custom administrative accounts that would be needed by customers.
IPS Evaluation
The FortiGate was configured with the prebuilt 'all_default' IPS security profile. The 'all_default' security profile enables all predefined signatures with default setting. The action was set to 'block' and the status was changed to 'enabled' to override the default per-signature defined action. The industrial signature database was enabled using the 'default ips global exclude-signatures none' setting to detect the strikes from the FortiGuard Industrial Security Service which requires a license that can be purchased la carte or as part of the Enterprise Protection Bundle.
Breaking point was used to send valid HTTPS traffic, malware HTTPS traffic and strike packs from the Internet facing interface to the DC facing interface. The strike pack contained 982 strikes with a CVSS score of 10.0. As seen in the summary below, the IPS engine successfully prevented 98.569 percent of strikes that were sent.
Figure 3: IXIA Breaking Point Results
Next, a new IPS profile was created that blocks approximately 15,800 signatures at the firewall when originating from the Branch location. This profile and policy were pushed while Breaking Point sent traffic in the background and shows no packet loss.
Event Logging
Event logging was validated using both SNMP and syslog. A test case was completed that created an SNMPv3 user for an assigned SNMP server to forward events, validate the settings were pushed to the FortiGate, and receipt of the encrypted SNMPv3 events at the server. An additional test case configured to send syslog messages to a syslog server. FortiManager System Templates were used to assign a SNMP server and Syslog server to the FortiGate.
Figure 4: SNMP traps received at the SNMP Server
Figure 5: Syslog message at the defined Syslog Server
In the lab environment, FortiAnalyzer was configured to receive all logs from FortiGate.
FortiAnalyzer is a powerful log management, analytics, and reporting platform. Alerts and event logs from Fortinet devices are processed and correlated in a format that is easy to understand. FortiView (part of FortiAnalyzer) is a comprehensive monitoring solution that provides multi-level views and summaries of real-time critical alerts and information.
Figure 6: FortiAnalyzer Log View for FortiGate Traffic
FortiView was able to provide lists and maps of threats in the form of top threats, threat maps and threat monitors that include various views of threat activity. Most views are customizable, sortable, and filterable on many fields. The monitor views are more dashboard-style and can be customized with the available widgets to meet your needs. Drill-down is also available for threats that show various specifics about that threat such as source, destination, threat type, etc., along with URL links to Fortinet details and NIST details about that threat.
Figure 11: FortiView Top Applications
The thread map provides a real-time view of active threats occurring based on the events received from all the FortiGate NGFWs in the environment.
Figure 7: FortiView Threat Map
The FortiManager Incidents and Events Dashboard provides a correlated view of all the events. Events listed are all actionable and can be acknowledged, with the ability to add comments, assign to someone, view log, create new incident or add to existing incident. The dashboard has many built-in event handlers and offers the creation of custom event handlers that can do things such as send emails, create SNMP/Syslog traps, etc.
Figure 8: Incidents & Events Dashboard
More advanced event handling scenarios can integrate and open tickets with ServiceNow using the FortiSOC component of FortiAnalyzer and playbooks.
Figure 9: FortiSOC Critical Intrusion Incident Playbook
Reporting
While many canned reports are available on the system, the IPS report was set up to run weekly on Wednesdays. All reports created are available for viewing under the generated reports tab. Output profiles can be used to define the email recipients of the reports, what formats to use for the report (HTML, PDF, XML, CSV, JSON) and whether the reports should be archived out to an FTP, SFTP or SCP Server repository.
Figure 10: IPS Report Main Page
Conclusion
Criteria | Experience | Commentary |
| Device Management | 🟢 | Remote Access Configuration: Within the role-based access and control (RBAC) configuration, a new role of "Restricted Admin" for IPS Admins provided granular administration of signature updates and custom signature creation without allowing access to other device functions. Management Configuration: Traditional SNMPv3 access and Syslog IPS logging operated as expected, however adding the FortiAnalyzer integration supplied further detail for IPS Events for Logging, Real-time and Historical Events. No technical issues were encountered for device management. |
| IPS Evaluation | 🟢 | Change Management: As desired, neither signature updates nor policy updates disrupted active traffic flows. Detailed Analysis: Packet captures of both non-encrypted and encrypted traffic (using SSL Decryption/Encryption at the Firewall) demonstrated the depth of investigation that Fortinet offers. From the imparted analysis, Fortinet performed different actions for IPS events, such as resetting a traffic flow or just dropping the traffic altogether. No technical issues were encountered for IPS evaluation. |
| Monitoring | 🟢 | Monitoring Dashboard: The FAZ FortiView application offered real-time monitoring with customizable dashboards showing map views, traffic views, top threats, and other metrics from the FAZ analytics. Other valuable capabilities included a robust historical event viewer and filter, and an event handler to acknowledge events and send notifications. Alerting and Reporting: The FAZ FortiSOC application further bolstered the event handling capabilities. Playbooks were configured to run elaborate reports and create incidents. Playbooks could be triggered or scheduled, and the results automatically distributed via email. No technical issues were encountered for monitoring. |
🟢 Satisfies Expectations, 🟡 Neutral Score, 🔴 Needs Improvement
Lab Services Note
A minor caveat (ID 883600) was encountered during the FortiManager signature set configuration of test 2.1.6. As a workaround, the configuration was applied directly on the FortiGate endpoint. This caveat has been resolved in FortiOS 7.2.5 and 7.4.0. Command line snippet below.
config ips global
set exclude-signatures none
endReferences
- https://www.fortinet.com/content/dam/fortinet/assets/solution-guides/sb-fortigate-nextgen-ips.pdf
- https://www.fortinet.com/content/dam/fortinet/assets/white-papers/wp-a-definitive-guide-to-the-ips-technology-landscape.pdf
- https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/intrusion-prevention
- https://www.fortinet.com/support/support-services/fortiguard-security-subscriptions/industrial-security
- https://docs.fortinet.com/document/fortigate/7.2.3/administration-guide/565562
- https://docs.fortinet.com/document/fortimanager/7.2.2/administration-guide/146476/intrusion-prevention-restricted-administrator
- https://docs.fortinet.com/document/fortimanager/7.2.0/new-features/407925/new-firewall-admin-role-with-no-rw-permission-on-ips-objects