LAB 09 IPS and Application Control

Fortigate Labs 7.4


Lab 9: IPS and Application Control

In this lab, you will set up and monitor intrusion prevention system (IPS) profiles. Next, you will configure and
use application control in profile-based mode to apply an appropriate action to specific application traffic.
Finally, you will analyze the generated logs.

Objectives
• Protect your network against known attacks using IPS signatures

• Configure and test application control in NGFW profile mode

• Read and understand application control logs

Time to Complete

Estimated: 40 minutes

Exercise 1: Blocking Known Exploits
In this exercise, you will configure and monitor IPS inspection on Local-FortiGate.

Configure IPS Inspection


You will configure an IPS sensor that includes the signatures for known attacks based on different severity
levels.

To configure IPS inspection


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.

2. Click Security Profiles > Intrusion Prevention.

3. Click Create New.

4. In the Name field, type WEBSERVER.

5. In the IPS Signatures and Filters section, click Create New.

6. In the Add Signatures window, click + to add a Filter.

7. In the search bar, type medium, and then click SEV to select the medium-severity filter.

8. In the search bar, delete medium, and then type high.

9. Click SEV to select the high-severity filter.

10. In the search bar, delete high, and then type critical.

11. Click SEV to select the critical-severity filter.

12. In the search bar, delete critical, and then type Server.

13. Click TGT to select the server-target filter.

14. Click OK to add the selected filters.

15. In the search bar, delete Server, and then type Apache.

16. Click App to select the Apache application filter.

17. Click OK to add the selected filters.

Because FortiGate adds all signatures that match the filters to the IPS sensor, you must
configure the filters as specifically as possible.

In this exercise, FortiGate protects an Apache server, and takes the default action for the
corresponding signatures.

18. Click OK.
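The note above matters because of how the filters combine: inside one filter entry the criteria (severity, target, application) are ANDed and the values picked for a single criterion are ORed, while separate entries in the sensor are unioned, so the same four filters give a very different sensor depending on how they are grouped. The following Python is an added example for this write-up, not code from the Fortinet lab or from FortiOS; it models those semantics (stated here as an assumption about FortiOS behaviour) over a constructed signature catalogue whose names and counts are illustrative only.

```python
"""Model of how the filters in a FortiOS IPS sensor select signatures.

Added example for this lab write-up; it is not part of the Fortinet lab or
of FortiOS. It encodes the filter semantics as assumed here: inside one
filter entry the criteria (severity, target, application) are ANDed and the
values chosen for a single criterion are ORed, while separate entries in the
sensor are unioned. The signature catalogue is a constructed sample, not
FortiGuard data, so the names and counts are illustrative only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Signature:
    name: str
    severity: str      # info, low, medium, high or critical (SEV filter)
    target: str        # server or client (TGT filter)
    application: str   # product the signature covers (App filter)


# Constructed catalogue: a handful of fake signatures spanning the
# severities, targets and applications the lab filters on.
CATALOGUE = [
    Signature("Sample.Apache.Critical.1", "critical", "server", "Apache"),
    Signature("Sample.Apache.High.2", "high", "server", "Apache"),
    Signature("Sample.Apache.Info.3", "info", "server", "Apache"),
    Signature("Sample.IIS.High.4", "high", "server", "IIS"),
    Signature("Sample.Nginx.Medium.5", "medium", "server", "Nginx"),
    Signature("Sample.Browser.Critical.6", "critical", "client", "Chrome"),
    Signature("Sample.Browser.Low.7", "low", "client", "Firefox"),
]

# A filter entry is a dict of criterion -> set of accepted values.
SEVERITY_ONLY = {"severity": {"medium", "high", "critical"}}
SEVERITY_SERVER_APACHE = {**SEVERITY_ONLY, "target": {"server"}, "application": {"Apache"}}
APACHE_ONLY = {"application": {"Apache"}}


def matches(sig, entry):
    """True when sig satisfies every criterion of one filter entry
    (AND across criteria, OR across the values listed for a criterion)."""
    return all(getattr(sig, criterion) in values for criterion, values in entry.items())


def select(catalogue, entries):
    """Names of the signatures the sensor contains: the union over all entries."""
    return sorted(sig.name for sig in catalogue if any(matches(sig, e) for e in entries))


def sensor_sizes():
    """Compare three ways of building the WEBSERVER sensor from the same filters."""
    return {
        # medium/high/critical alone also pulls in IIS, Nginx and client-side signatures
        "severity_only": len(select(CATALOGUE, [SEVERITY_ONLY])),
        # all criteria in one entry: only server-side Apache signatures of those severities
        "one_entry_all_criteria": len(select(CATALOGUE, [SEVERITY_SERVER_APACHE])),
        # Apache as a separate second entry: the union re-adds the info-level Apache
        # signature and keeps every non-Apache signature from the severity entry
        "two_entries_severity_plus_apache": len(select(CATALOGUE, [SEVERITY_ONLY, APACHE_ONLY])),
    }


if __name__ == "__main__":
    for label, count in sensor_sizes().items():
        print(f"{label}: {count} signatures")
    print("one entry, all criteria:", select(CATALOGUE, [SEVERITY_SERVER_APACHE]))
```

The point to take from the comparison is that adding the Apache filter as its own entry does not narrow the sensor, it widens it; to protect only the Apache server with the chosen severities, all criteria must sit in the same entry.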

Apply an IPS Sensor to a VIP Firewall Policy
You will apply the new IPS sensor to a firewall policy that allows external access to the web server running on
the Local-Client VM.

Take the Expert Challenge!

On the Local-FortiGate GUI, do the following:

• Configure a new virtual IP to map the external IP address 10.200.1.200 to the internal
IP address 10.0.1.10, using port1 as the external interface. Name the virtual IP VIP-
WEB-SERVER.

• Create a new firewall policy to allow all inbound traffic to the virtual IP, and enable
the WEBSERVER IPS sensor. Name the firewall policy Web_Server_Access_IPS.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, skip to Generate Attacks From the Linux Server.

To create a virtual IP
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Virtual IPs.

2. Click Create New.

3. Configure the following settings:

Field                        Value
Name                         VIP-WEB-SERVER
Interface                    port1
External IP address/range    10.200.1.200
Map to IPv4 address/range    10.0.1.10

4. Click OK.

To configure a firewall policy
1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.

2. Click Create New, and then create a new firewall policy using the following settings:

Field                 Value
Name                  Web_Server_Access_IPS
Incoming Interface    port1
Outgoing Interface    port3
Source                all
Destination           VIP-WEB-SERVER
Schedule              always
Service               ALL
Action                ACCEPT
Inspection Mode       Flow-based
NAT                   disabled

3. In the Security Profiles section, enable IPS, and then in the IPS field, select WEBSERVER.

4. In the SSL Inspection field, select certificate-inspection.

The policy should look like the following example:

Using full SSL inspection would significantly increase the time required to
complete this lab. Therefore, for the purposes of this exercise, you will not
configure full SSL inspection.

5. Click OK.

Generate Attacks From the Linux Server
You will run Nikto (nikto.pl), a Perl-based web server scanner, to generate attack traffic against the web server from the Linux server located in front of Local-FortiGate.

To generate attacks from the Linux server


1. On the Local-Client VM, open PuTTY, and then connect over SSH to the LINUX saved session.

2. Log in with the username student and password password.

3. Enter the following command to start the attacks:

nikto.pl -host 10.200.1.200

4. Leave the PuTTY session open (you can minimize it) so that traffic continues to generate.

Do not close the LINUX PuTTY session or traffic will stop generating.

Monitor the IPS


You will check the IPS logs to monitor for known attacks that Local-FortiGate is detecting and dropping.

To monitor the IPS


1. Return to the Local-FortiGate GUI, and then click Log & Report > Security Events > Intrusion
Prevention.

2. Locate and review the relevant log entries for the detected and dropped attacks.

FortiGate creates an intrusion prevention log entry for both outcomes:

• Detected: the signature matched, but its action passed the traffic, so the attack was logged and not blocked

• Dropped: the signature matched and its action blocked the traffic

3. Click a log entry, and then click Details.

4. Click the Attack Name link.

5. Review the FortiGuard Labs Threat Encyclopedia for the signatures.


The FortiGuard Labs Threat Encyclopedia provides information about each signature, such as severity, coverage,
affected products, impact, and recommended actions that you can take.

Are the signatures matching the product currently installed on the Local-Client VM? This
information is important to make a note of before you tune the WEBSERVER IPS sensor. If
the signatures do not apply to your product, is it really necessary to inspect those packets?

Troubleshoot IPS Activity
You will troubleshoot and monitor IPS activity.

To troubleshoot IPS activity


1. Connect to the Local-FortiGate CLI, and then log in with the username admin and password password.

2. Enter the following command:

diagnose test application ipsmonitor 1

The output should be similar to the following example:

3. Enter the following command to enable the IPS bypass mode:

diagnose test application ipsmonitor 5

If you then enter the diagnose test application ipsmonitor 1 command, the last line shows
the new bypass status of enable.

On the Local-FortiGate GUI, you can also verify in Log & Report > Security
Events > Intrusion Prevention that no new log entry is generated.

4. Enter the following command to restart the IPS-related engines:

diagnose test application ipsmonitor 99

5. Enter the following command to verify the status:

diagnose test application ipsmonitor 1

The output should be similar to the following example:

Because you have restarted the IPS engine, the corresponding process ID has changed and
the bypass mode resets to the disable status.

6. Close the Local-FortiGate CLI and GUI sessions.

7. Close the LINUX PuTTY session.

Exercise 2: Controlling Application Traffic
In this exercise, you will create a profile-based application control profile in flow-based inspection mode. Flow-
based and proxy-based inspection modes share identical configuration steps for application control.

You will also view the application control logs to confirm that FortiGate identifies applications. Then, you will
monitor the traffic that matches the application control profile.

Configure Filter Overrides


The configuration file for this exercise has the application control categories set to Monitor (except
for Unknown Applications). This allows the applications to pass, but also records a log message.

You will configure filter overrides.

To configure filter overrides


1. Connect to the Local-FortiGate GUI, and then log in with the username admin and password password.

2. Click Security Profiles > Application Control.

3. Double-click the default application control profile to edit it.

There are 113 cloud-based application signatures available in the application control
signatures database that require deep inspection. This number of cloud-based application
signatures can vary.

The number beside the cloud icon in each category represents the number of cloud
application signatures in a specific category. The number of cloud applications increases as
new applications are added to this list.

4. In the Application and Filter Overrides section, click Create New to add a filter override.

5. On the Add New Override page, in the Type field, select Filter.

6. Click + to add a filter.

7. Under BEHAVIOR, click Excessive-Bandwidth.

The Excessive-Bandwidth behavior filter matches many applications that are known to be bandwidth
intensive; with the override action set to Block, FortiGate blocks all of them. Applications belong to
different categories, but any application can also match this behavior filter if it is bandwidth intensive.

8. Click OK.

The configuration should look similar to the following image with the Action set to Block.

9. Click OK.

Apply the Application Control Profile to the Firewall Policy
Now that you have configured the application control profile, you will apply it to the firewall policy.

Take the Expert Challenge!

On the Local-FortiGate GUI, edit the existing Application_Control firewall policy and do the
following:

• Enable the default application control profile.

• Enable deep-inspection in the SSL/SSH inspection profile.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, skip to Test the Application Control Profile.

To apply the application control profile to the firewall policy

1. Continuing on the Local-FortiGate GUI, click Policy & Objects > Firewall Policy.

2. Double-click the Application_Control firewall policy to edit it.

3. In the Security Profiles section, enable Application Control, and then select default.

4. In the SSL Inspection field, select deep-inspection.

If the FortiGate self-signed, full-inspection certificate has not been imported into the
browser, end users see a certificate warning message. In this lab environment, the FortiGate
self-signed SSL inspection certificate has been imported into the browser.

5. Click OK to save the changes.

6. Click OK to confirm.

Test the Application Control Profile
You will test the application control profile by going to the application that you blocked in the application
override configuration.

To test the application control profile


1. On the Local-Client VM, open a new browser tab, and then go to the following URL: http://abc.go.com.

You should see that you cannot connect to this site; the connection times out because the profile blocks the traffic but does not yet return a replacement message to the browser.

2. Return to the Local-FortiGate GUI, and then click Security Profiles > Application Control.

3. Double-click the default application sensor.

4. In the Options section at the bottom of the page, enable Replacement Messages for HTTP-based
Applications.

5. Click OK.

6. On the Local-Client VM, open a new browser tab, and then go to the following URL: http://abc.go.com.

FortiGate should display a block message—it can take up to 2 minutes for the Application Blocked page to
appear because of the change in configuration.

If the Application Blocked page does not appear after 2 minutes, close all browser tabs,
and then restart the browser.

Configure Application Overrides
You will configure application overrides. The application overrides take precedence over filter overrides and
application categories.

Take the Expert Challenge!

On the Local-FortiGate GUI, complete the following:

• Modify the default application control profile.

• Add Application Overrides for the ABC.Com application signature, and set the
action to Allow.

If you require assistance, or to verify your work, use the step-by-step instructions that follow.

After you complete the challenge, skip to Test Application Overrides.

To configure application overrides


1. Return to the browser tab where you are logged in to the Local-FortiGate GUI, and then click Security
Profiles > Application Control.

2. Double-click the default application sensor.

3. In the Application and Filter Overrides section, click Create New.

4. On the Add New Override page, in the Type field, select Application.

5. In the Action field, select Allow.

6. In the search field, type abc.com, and then press Enter.

FortiGate returns a signature.

7. Click ABC.Com to select it.

8. Click OK.

9. Drag the ABC.Com application filter and place it above the Excessive-Bandwidth filter.

The configuration should look like the following image:

10. Click OK.

This application control profile is already applied to a firewall policy that is scanning all outbound
traffic. You do not need to reapply the application control profile for the changes to take effect.

Test Application Overrides


You will test the application control profile by going to the application that you allowed.

To test the application control profile


1. On the Local-Client VM, open a new browser tab, and then go to the following URL: http://abc.go.com.

FortiGate allows the website to load properly.

View Logs and Traffic Matching With the Application Control Profile

You will view the logs and traffic that matched the test you just performed.

To view logs
1. Return to the Local-FortiGate GUI, and then click Log & Report > Security Events.

2. Under Summary, click Application Control.

3. Use the Application Name log filter, and then search for ABC.Com.

You will see the log messages with the action set to block from the earlier tests. The Allow action you configured in the override passes the traffic without logging it (only the Monitor and Block actions generate application control logs), so the connections that succeeded after the override do not appear here.

4. Double-click a log to view more details.

The details include application sensor name, application name, category, policy ID, and the action that
FortiGate took.

5. Click Log & Report > Forward Traffic, and then search and view the log information for ABC.Com.

You can see more details about the log, including translated IP address, bytes sent, bytes received, action, and
application.
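Both the Monitor the IPS procedure in Exercise 1 and the log review above read the same FortiOS key=value log layout, with type, subtype, eventtype, action and policyid fields and either an attack or an app field. The following Python is an added example for this write-up, not code from the Fortinet lab or from FortiOS. It parses constructed sample lines in that layout and reproduces what the GUI views show: IPS events split into detected and dropped, the most frequent attack names to look up in the Threat Encyclopedia before tuning, and the action per application control event for ABC.Com. The field names are standard FortiOS log fields; the timestamps, addresses and attack names are made up for the example.

```python
"""Parse FortiOS key=value security logs and summarise the IPS and
application control events the lab reads in Log & Report.

Added example for this lab write-up; it is not part of the Fortinet lab or
of FortiOS. The log lines below are constructed samples that follow the
FortiOS field layout (type, subtype, eventtype, action, attack, app,
policyid); they are not real events, and the attack names, addresses and
timestamps in them are placeholders.
"""
import re
from collections import Counter

# One key=value pair: the value is either a double-quoted string (which may
# contain spaces) or a bare token such as a number, a date or an IP address.
_KV = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample export: three IPS events from the scan against the VIP
# and three app-ctrl events for ABC.Com (two from the Block test and one from
# a Monitor action, which FortiOS logs as action="pass"; the Allow action
# used in the override writes no app-ctrl log at all).
SAMPLE_LOGS = """\
date=2024-05-01 time=10:15:22 type="utm" subtype="ips" eventtype="signature" level="alert" severity="high" srcip=10.200.1.254 dstip=10.0.1.10 dstport=80 proto=6 action="dropped" policyid=4 attack="Sample.Apache.Signature.A" profile="WEBSERVER"
date=2024-05-01 time=10:15:23 type="utm" subtype="ips" eventtype="signature" level="warning" severity="medium" srcip=10.200.1.254 dstip=10.0.1.10 dstport=80 proto=6 action="detected" policyid=4 attack="Sample.Generic.Webscan.B" profile="WEBSERVER"
date=2024-05-01 time=10:15:24 type="utm" subtype="ips" eventtype="signature" level="alert" severity="critical" srcip=10.200.1.254 dstip=10.0.1.10 dstport=80 proto=6 action="dropped" policyid=4 attack="Sample.Apache.Signature.A" profile="WEBSERVER"
date=2024-05-01 time=10:40:02 type="utm" subtype="app-ctrl" eventtype="signature" level="warning" srcip=10.0.1.10 dstip=198.51.100.20 dstport=443 proto=6 action="block" policyid=3 applist="default" app="ABC.Com" appcat="Video/Audio" msg="Video/Audio: ABC.Com"
date=2024-05-01 time=10:41:10 type="utm" subtype="app-ctrl" eventtype="signature" level="warning" srcip=10.0.1.10 dstip=198.51.100.20 dstport=443 proto=6 action="block" policyid=3 applist="default" app="ABC.Com" appcat="Video/Audio" msg="Video/Audio: ABC.Com"
date=2024-05-01 time=10:42:31 type="utm" subtype="app-ctrl" eventtype="signature" level="information" srcip=10.0.1.10 dstip=198.51.100.20 dstport=443 proto=6 action="pass" policyid=3 applist="default" app="ABC.Com" appcat="Video/Audio" msg="Video/Audio: ABC.Com"
"""


def parse_log_line(line):
    """Return the fields of one FortiOS log line as a dict, with quotes removed."""
    fields = {}
    for key, raw in _KV.findall(line):
        if raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def parse_logs(text):
    """Parse a multi-line export, skipping blank lines."""
    return [parse_log_line(line) for line in text.splitlines() if line.strip()]


def ips_summary(records):
    """Count IPS events by action: 'detected' means matched but passed,
    'dropped' means matched and blocked (the two outcomes the lab lists)."""
    return Counter(r["action"] for r in records if r.get("subtype") == "ips")


def top_attacks(records, n=5):
    """Most frequent attack names: the ones to look up in the FortiGuard
    Threat Encyclopedia and check against the installed product before tuning."""
    return Counter(r["attack"] for r in records if r.get("subtype") == "ips").most_common(n)


def appctrl_actions(records, app):
    """(action, policyid) for every app-ctrl event of one application, the
    equivalent of filtering Security Events by Application Name."""
    return [(r["action"], int(r["policyid"]))
            for r in records if r.get("subtype") == "app-ctrl" and r.get("app") == app]


if __name__ == "__main__":
    records = parse_logs(SAMPLE_LOGS)
    print("IPS actions:", dict(ips_summary(records)))
    print("Top attacks:", top_attacks(records))
    print("ABC.Com app-ctrl events:", appctrl_actions(records, "ABC.Com"))
```

To run it against a real export, replace SAMPLE_LOGS with the contents of a log file downloaded from Log & Report; the parser only depends on the key=value layout, not on the specific fields present.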

To view the traffic that matched the application control profile

1. On the Local-FortiGate GUI, click Dashboard > FortiView Applications.

The display should be similar to the following example:

2. Click the line including ABC.Com to select it, and then click Drill down.

The display should be similar to the following example:

3. Click Policies.

The display should be similar to the following example:

4. Click View session logs.

The display should be similar to the following example:

You now have the information (bytes, sessions, and policy ID) regarding the
traffic that matched the application ABC.Com.

5. Close the Local-FortiGate GUI session.
