Protecting a web server


In this example, you will protect a web server using an Intrusion Prevention System (IPS) profile and a Denial of Service (DoS) policy. This will prevent a variety of attacks from reaching the server.

1. Enabling Intrusion Protection

Go to System > Config > Features and ensure that Intrusion Protection is turned ON. Apply your changes if necessary.  

2. Configuring the default IPS profile to block common attacks

Go to Security Profiles > Intrusion Protection and edit the default profile. In the Pattern Based Signatures and Filters list, highlight the default entry and select Edit.  
Select Severity to view all signatures in the database.  
Scroll down and set the Action to Block All.  
Enable all the listed Rate Based Signatures.  

3. Adding the IPS sensor to the server access security policy

Go to Policy & Objects > Policy > IPv4 and edit the security policy allowing traffic to the web server from the Internet.

Enable IPS under Security Profiles and set it to use the default profile.

Enabling IPS will automatically enable SSL Inspection. In order to inspect encrypted traffic, the deep-inspection profile must be used.

 

4. Creating a DoS policy

Go to Policy & Objects > Policy > DoS and create a new policy.

Set Incoming Interface to your Internet-facing interface.

In the Anomalies list, enable Status and Logging and set the Action to Block for all types.
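To confirm step 4 from a configuration backup rather than the GUI, the following added example (not part of the original recipe and not Fortinet tooling) reports every DoS anomaly that lacks Status, Logging or the Block action. The sample backup, the interface name wan1 and the rule that a setting absent from the backup counts as failing are assumptions.

```python
import re

# Constructed sample in FortiOS CLI backup layout (not from a real device).
SAMPLE_CONFIG = '''\
config firewall DoS-policy
    edit 1
        set interface "wan1"
        config anomaly
            edit "tcp_syn_flood"
                set status enable
                set log enable
                set action block
            next
            edit "udp_flood"
                set status enable
                set action block
            next
            edit "icmp_flood"
                set threshold 250
            next
        end
    next
end
'''

# What step 4 asks for on every anomaly: Status on, Logging on, Action Block.
REQUIRED = {"status": "enable", "log": "enable", "action": "block"}

def audit_dos_anomalies(config_text):
    """Return {anomaly name: [settings that do not match REQUIRED]}."""
    findings, in_anomaly, current, settings = {}, False, None, {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config anomaly":
            in_anomaly = True
        elif not in_anomaly:
            continue                      # ignore everything outside anomaly tables
        elif line == "end":
            in_anomaly = False
        elif (m := re.fullmatch(r'edit "([^"]+)"', line)):
            current, settings = m.group(1), {}
        elif (m := re.fullmatch(r"set (\S+) (\S+)", line)):
            settings[m.group(1)] = m.group(2)
        elif line == "next" and current:
            # Assumption: a setting missing from the backup is treated as failing.
            weak = [k for k, v in REQUIRED.items() if settings.get(k) != v]
            if weak:
                findings[current] = weak
            current = None
    return findings
```

On the constructed sample, udp_flood is flagged for missing logging and icmp_flood for all three settings, while tcp_syn_flood passes.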

 

5. Results

Warning: DoS attacks are illegal, unless you own the server under attack. Before performing an attack, ensure that you have the correct server IP.

Launch a DoS attack on your web server’s IP address.

Go to System > FortiView > Threats and select the 5 Minutes view.

You will see that a DoS attack has been detected and blocked.

 

For further reading, check out Intrusion Protection in the FortiOS 5.2 Handbook.

Victoria Martin


Technical Writer & Head Cookbook Chef at Fortinet
Victoria Martin works in Ottawa as part of the FortiOS technical documentation team. She graduated with a Bachelor's degree from Mount Allison University, after which she attended Humber College's book publishing program, followed by the more practical technical writing program at Algonquin College. She does need glasses but also likes wearing them, since glasses make you look smarter.
Using the deep-inspection profile may cause certificate errors. For information about avoiding this, see Preventing security certificate warnings when using SSL full inspection.
  • Javi Hdez

    Hi Victoria, I want to apply Windows signatures to protect a 2016 server. There are around 6000; in order to be more accurate, is there a way to filter them? I mean, for example, if I don't have anything related to Adobe, could I avoid those signatures? Thanks,

  • Julio Carriscajo Perez

    You apply all the signatures for protecting an HTTP server? I have only selected the application that I publish and the protocol I need. Is that right?

    • Victoria Martin

      In this recipe, we have selected all the signatures but this is not a strict requirement.

  • Mohammed Srour

    Hi. I have a website with a signed certificate from GoDaddy. How can I use FortiGate IPS with SSL deep inspection without certificate errors on the customer side?

    • Victoria Martin

      Hello Mohammed,

      There is a recipe about preventing certificate errors that you can find at http://cookbook.fortinet.com/preventing-certificate-warnings/.

      • Mohammed Srour

        Thanks Victoria
        So I can import the signed certificate into the F.G device, and SSL inspection with IPS will work fine without user-side problems?

        • Victoria Martin

          Yes, that should work. The recipe I linked you to is focused on certificate errors for internal users; however, it sounds like you are concerned about external users who are accessing the website.

          If this is the case, then you will need to install the signed certificate on the FortiGate and select it in your SSL Inspection profile, as described in the recipe. However, you will need to enable SSL Inspection of Protecting SSL Server, rather than Multiple Clients Connecting to Multiple Servers, as shown in the recipe.

          • Mohammed Srour

            Thanks Victoria. I will test the recipe and report the results.

          • ashish mane

            Hi Victoria,
            If I enable SSL inspection, then it will scan only the certificate; it won't scan the content of the data.
            How effectively will IPS work in this case for SSL traffic?

          • Victoria Martin

            Hi Ashish,

            In order to apply IPS, you need to use the deep-inspection profile for SSH Inspection, which does inspect the content of the data. However, you can add certain sites and types of sites to be excluded from this, such as banking.

            Certificate only inspection is only intended for web filtering.

            You can find more information in this article: http://cookbook.fortinet.com/why-you-should-use-ssl-inspection/

  • James

    Thank you for this recipe. Love the Cookbook series. It would be helpful if for each article you could advise which feature/s discussed aren’t available on certain models. For example a 40C does not have the DOS option nor the Fortiview.

    • Victoria Martin

      Hi James,

      I’m glad you are enjoying the Cookbook recipes.

      While we do sometimes address differences between models, adding information for each recipe may not be feasible. If you want to get an idea of what features are available for your model, I would recommend looking at the Product/Feature Matrix. You can find the matrix for your version of FortiOS at http://docs.fortinet.com/fortigate/reference.