Fortinet Firewall IDS configuration

From Notes_Wiki


Configuration of IDS on FortiGate Firewall

This guide provides step-by-step instructions for configuring the Intrusion Detection System (IDS) on a FortiGate firewall to enhance network security by monitoring and logging suspicious activities.

Configure the Correct Time Zone

  • Setting the correct time zone ensures accurate logging and time synchronization across the network.
  1. Log in to the FortiGate Web Interface via [1].
  2. Navigate to System → Settings.
  3. Locate the Time & Date section.
  4. Select the correct time zone from the drop-down menu.
  5. Click Apply to save the changes.

Enable Extended IPS Signature Package

  • This step enhances the intrusion prevention system by enabling an extended signature database to detect a wider range of threats.
  1. Go to Security Profiles → Intrusion Prevention.
  2. Locate the IPS Database section.
  3. Enable Use Extended IPS Signature Package.
  4. Click Apply.

Open Interface Settings

  • This step allows configuration changes to be made to network interfaces.
  1. Navigate to Network → Interfaces.
  2. Select the interface you want to configure.

Remove Internal 2 from Interface

  • Removing internal2 from the internal interface group frees that port so it can be configured on its own as the sniffer interface in the next step, keeping monitored traffic separate from the internal network.
  1. In the Interfaces section, locate Internal 2.
  2. Click Edit and remove it from the assigned interfaces.
  3. Click Apply.

Configure Interface 2 as a One-Arm Sniffer

  • Setting the interface as a one-arm sniffer enables passive traffic monitoring without altering network flow. The interface is fed a copy of the traffic (for example from a switch mirror/SPAN port) rather than sitting in the forwarding path, so security profiles applied to it log what they detect but cannot block it.
  1. Go to Network → Interfaces.
  2. Select Interface 2.
  3. Set the mode to One-Arm Sniffer.
  4. Enable the security features that should inspect the sniffed traffic (for this IDS setup, at least the IPS sensor).
  5. Click Apply.

Enable Logging Options

  • Enabling logging allows network traffic and security events to be recorded for analysis.
  1. Navigate to Log & Report → Log Settings.
  2. Enable Logging Options for security events and traffic logs.
  3. Click Apply.

Open the Sniffer Traffic Panel

  • This step allows real-time traffic monitoring to detect and analyze network anomalies.
  1. Go to Network → Packet Capture.
  2. Click on Sniffer Traffic.

Refresh Sniffer Traffic Data

  • Refreshing the traffic capture ensures updated real-time data is displayed.
  1. In the Packet Capture window, click Refresh to update live traffic logs.

Select Required Columns in Logs

  • Selecting the appropriate log columns helps in efficient analysis and troubleshooting.
  1. In the Packet Capture window, click on Column Settings.
  2. Select the required columns for better visibility.

Enable Address Logging in Log Settings

  • Address logging records the source and destination IPs, providing better visibility into network activity.
  1. Go to Log & Report → Log Settings.
  2. Enable Address Logging to capture IP details in logs.

Set ‘All’ for Local Traffic Logging

  • Logging all local traffic provides comprehensive monitoring of internal network activity.
  1. In Log Settings, locate Local Traffic Logging.
  2. Set logging mode to All.
  3. Click Apply.

Assign Internal IP 192.168.1.99 to a Device

  • Assigning a static IP ensures device accessibility and network stability.
  1. Navigate to Network → Interfaces.
  2. Assign 192.168.1.99 to the internal device.
  3. Click Apply.

Log in to FortiGate Web Interface

  • Logging in to the firewall interface allows for configuration changes and monitoring.
  1. Open a web browser.
  2. Enter https://192.168.1.99 in the address bar.
  3. Log in with administrator credentials.

Assign a Free IP to the DMZ

  • Assigning an IP to the DMZ isolates public-facing services from internal networks for better security.
  1. Go to Network → Interfaces.
  2. Select the DMZ interface.
  3. Assign a free IP address from the available range.
  4. Click Apply.

Change DMZ IP to 10.10.10.3/16

  • Updating the DMZ subnet improves segmentation and security control.
  1. In Network → Interfaces, locate DMZ.
  2. Change the IP address to 10.10.10.3/16.
  3. Click Apply.

Verify Connectivity by Pinging Syslog Server (10.10.1.51)

  • Verifying connectivity ensures logs are correctly transmitted to the Syslog server for analysis.
  1. Open CLI Console in FortiGate.
  2. Run the ping command against the Syslog server (on the FortiOS CLI: execute ping 10.10.1.51).
  3. Ensure the ping is successful (replies are received from 10.10.1.51).

Assign a Synology Logging IP

  • Assigning a dedicated logging IP to Synology ensures proper storage of security logs.
  1. Go to Log & Report → Log Settings.
  2. Assign the Synology logging IP to store logs externally.
  3. Click Apply.
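Once logging to the Syslog server or Synology is working, the value of the IDS lies in what is done with the IPS event logs it forwards. As an added example that is not from the original wiki page, the following Python script parses FortiGate-style key=value syslog lines, keeps only the IPS signature events, and counts detections per source IP so that noisy sources can be flagged for follow-up. The sample lines, device id, signature names and the alert threshold are constructed for illustration; the key=value layout follows FortiGate's log format, but no field value here comes from a real device.

```python
import re
from collections import Counter

# Constructed sample syslog lines in FortiGate key=value style. They are
# illustrative only; devid, logid and signature names are placeholders.
SAMPLE_LOGS = [
    'date=2024-05-01 time=10:15:01 devname="FGT-LAB" devid="FGT-PLACEHOLDER" logid="0419016384" '
    'type="utm" subtype="ips" eventtype="signature" level="alert" srcip=192.168.1.50 srcport=51234 '
    'dstip=10.10.10.20 dstport=80 proto=6 action="detected" severity="high" '
    'attack="Example.Web.Signature" msg="constructed sample event"',
    'date=2024-05-01 time=10:15:02 devname="FGT-LAB" devid="FGT-PLACEHOLDER" logid="0000000013" '
    'type="traffic" subtype="local" level="notice" srcip=192.168.1.50 dstip=192.168.1.99 '
    'dstport=443 proto=6 action="accept" msg="constructed traffic log"',
    'date=2024-05-01 time=10:15:03 devname="FGT-LAB" devid="FGT-PLACEHOLDER" logid="0419016384" '
    'type="utm" subtype="ips" eventtype="signature" level="alert" srcip=192.168.1.50 srcport=51235 '
    'dstip=10.10.10.20 dstport=80 proto=6 action="detected" severity="medium" '
    'attack="Example.Web.Signature" msg="constructed sample event"',
    'date=2024-05-01 time=10:15:04 devname="FGT-LAB" devid="FGT-PLACEHOLDER" logid="0419016384" '
    'type="utm" subtype="ips" eventtype="signature" level="alert" srcip=192.168.1.77 srcport=40000 '
    'dstip=10.10.10.20 dstport=22 proto=6 action="detected" severity="critical" '
    'attack="Example.SSH.Signature" msg="quoted \\"escape\\" inside value"',
]

# One key=value pair: the value is either a double-quoted string (backslash
# escapes allowed) or a bare token with no whitespace.
_KV_RE = re.compile(r'(?P<key>[A-Za-z0-9_.-]+)=(?P<val>"(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line: str) -> dict:
    """Parse one key=value log line into a dict; surrounding quotes and \" escapes are removed."""
    fields = {}
    for m in _KV_RE.finditer(line):
        val = m.group("val")
        if val.startswith('"') and val.endswith('"'):
            val = val[1:-1].replace('\\"', '"')
        fields[m.group("key")] = val
    return fields


def ips_detections(lines):
    """Yield only IPS signature events (type=utm, subtype=ips).

    On a one-arm sniffer interface the firewall only observes traffic, so these
    events carry action=detected rather than a blocking action.
    """
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") == "utm" and rec.get("subtype") == "ips":
            yield rec


def summarize_by_source(lines, threshold: int = 2) -> dict:
    """Count IPS detections per source IP; flag sources at or above the threshold (constructed value)."""
    counts = Counter(rec["srcip"] for rec in ips_detections(lines))
    flagged = sorted(ip for ip, n in counts.items() if n >= threshold)
    return {"counts": dict(counts), "flagged": flagged}


if __name__ == "__main__":
    for rec in ips_detections(SAMPLE_LOGS):
        print(f'{rec["date"]} {rec["time"]} {rec["srcip"]} -> {rec["dstip"]}:{rec["dstport"]} '
              f'{rec["severity"]} {rec["attack"]} ({rec["action"]})')
    print(summarize_by_source(SAMPLE_LOGS))
```

Feed the script the lines your Syslog server writes (for example, a tail of the received log file instead of SAMPLE_LOGS); traffic logs are skipped by the type/subtype filter, and quoted values containing escaped quotes are handled so that a free-text msg field cannot break the parse.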

Conclusion

This completes the IDS configuration for the FortiGate firewall. Ensure all settings are correctly applied, and verify logging and traffic monitoring functionalities.
