NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 6

January 25, 2023

40. Lecture-40: Security Profile Intrusion Prevention.

Security profile: intrusion prevention system, IPS. What is IPS? And IDS? Basically, normally they ask this in an interview. IPS means intrusion prevention; prevention means to prevent you, a system which can prevent you from the attack, like an alarm system. Suppose you have put an alarm; normally every house has an alarm system. So whenever somebody opens the door, the alarm will start, just to generate an alarm. That's it, they will do nothing. They will not stop the thief from doing anything, either the burglar; they will not do anything to them. They call it IDS. IDS means intrusion detection system. It will only detect and will generate logs, that's it, but it will not stop the attack.

So we call them IDS. But in the case of IPS, intrusion prevention system, it will prevent the attack. Not only generate the logs, but it will prevent them from entering. Suppose you put an alarm in your house in the UK and you say, when the alarm starts on smoke, suppose so, start the water. So it means it's taking action to protect that one as well. So then we call them intrusion prevention system. So, like a botnet website, anything. They have a full database of things, like a smoke alarm. When they see smoke, they take action. That smoke can be false, it's okay. They will start the water. You will call them, I don't know what it's called, the shower.

You know, they start them. They don't care, they don't know, because the sensor you put there, you tell them that whenever you see the smoke, start the water. So intrusion prevention sometimes can be wrong. This is the difference too: true, false positive, false negative, and so many options. I don't want to go into detail. So we have a profile to prevent us from so many attacks like a botnet attack, spyware, malware, and so many things, whatever.

Whatever we discussed in all the profiles can be done by the intrusion prevention profile as well: to block network-based attacks and also virus attacks, vulnerability attacks, spyware attacks, zero-day attacks, malware attacks, vulnerability attacks, because they have their own sensors, and when they sense those things they will take action. So these are all the details; you can go through them. Intrusion prevention profile, we call them. Again we will use the same topology. Outside is the outside net; inside I'm using the LAN net. Inside I have the 192.168.1 range. Outside I'm using the 192.168.114 range. This is an old slide, so it's showing one, one, two.

What can I do to show you? So let me go there. And here we have another security profile: Intrusion Prevention. So I have predefined eight sensors, sorry, intrusion prevention profiles, like all default, all default pass, default, high security, protect client, protect email server, protect http server and the WiFi one. But I want to create my own. These are the names, these are the comments, where they are used, search, and clone and edit. Click on Create New and I would say "IPS profile".

Type the comment "block malicious URL". So anything malicious, malware-related, it will stop them. It's a good thing it can do for you, that one. And look at botnet C&C, the thing which we did with DNS, you know, a bit before we did this one, botnet; the same thing you can do with IPS as well. You remember? Let me open this one. These are the botnet websites, these 16712, and I showed you some of them as well. I think so, I copied this one. So the same thing can be achieved through intrusion prevention. Block them, and these are the botnet packages. It will go to the same place. By the way, look, it is the same, but IP by IP this time. So you can do this one as well. The botnet websites are URLs, and the botnet IPs are blacklisted IPs. You can disable them, then it will not work; block; or monitor, it will only generate logs. It will allow malicious URLs, like this malicious URL, this one. Now I can visit this website. Where is this one? It's a malicious URL; in antivirus we used them. This profile, let me see that. Can I go there? Because I don't have any profile set. So I hope I will reach there. Yes, I can go there. Can I download a virus? Yes, because I don't have any antivirus profile attached.

So yes, I can reach there. And if I click on this one, let me download this file; it will download because I don't have anything. Go to Proceed and it will download. Yes. Nobody can stop me because I don't have an antivirus profile attached here. If I go to Security and Object, Firewall Policy, I have a policy, but only Application Control I have, and this is not an Application Control category.

So nobody can stop me. Can I stop this one through IPS? Yes, because of this one: block malicious URL. Let's test them. Okay, my IPS profile is ready. Now let's go to Firewall Policy and tell them to attach the IPS profile. Here is IPS; click and choose my IPS. We have this one, IPS profile, and where we can test them: go to Log and Report, and here is Intrusion Prevention. Nothing is there yet. Let's do it again. This is the same thing which we had done before. Click on this one and let's see.

Okay. Why has it not stopped me? So we need to go back again. Let me do it again. So it has to stop us from downloading, because IPS can do this one for you as well. So let me click here. It's open somehow. Okay, let me see. So no traffic is here, by the way. I don't know. For some reason it has to stop me, because IPS can do this one as well. And then IPS signatures and filters. Let me add here, then it will do it definitely. By the way, it has to be stopped by this malicious URL; this URL is coming under this category. But anyway, let me add here, then definitely it will do it. I will add a signature, and this website is so... filter again. Filter and signature: which action do I want to take? Block them. Okay.

And packet logging, yes, I want to enable it to generate logs, and status enable. And here let me add all severity levels. So I say any severity level threat, okay, and okay. So this website is coming under the low severity level. So definitely low severity I already added, it will be blocked now, definitely. Okay, and let's see: no traffic is here. Yeah, let's try again. So let me click on this one. This time it has to stop. So for some reason let me do it from the top. Let's do it again; sometimes it's not going to give you the proper result. Okay. And let's try this link again. So by the way, IPS has to stop this one. I don't know why it's allowing them, and no traffic is being generated. Let me go to IPS.

Yeah, all the severity levels I stopped. I say don't allow anyone which is coming under these severity levels. So let's go back and let me see, maybe I did not stop them. Edit: all enabled, block, filter and status enabled. Yeah, it's okay. Let me create a new one. Okay. And action has to be block, it has to be enabled. Status has to be enabled, and let me search by name. What is this virus name? You know, we call them a virus. This virus name, let me show you the virus name. We will search for the specific test virus. We search here, the virus we used. So what is the name?

So let me just search the name. Why not copy E-I-C-A-R? So let's try them here, E-I-C, what was the name? Er, this one. Okay, it's passed, this virus. So let me add this virus, and this one, did I add it or not? Let me check again. No, not this one. What was the name? E-I-C. Yeah, this one. Because the action is allow, let me block them. Enable, status enable. Okay, let me add this one; with the virus we can test them. That's why it was not blocked. Look at this: not blocked. So that's why it was passed. Okay, so, by the way, it's better to do it by signature and add them. So C-I, sorry, what was the name? I forgot. E-I-C-A-R, EICAR. This is the virus I want to add. Okay. And select, I want to block them, this one, so it will block now. So let's see now if I go back and see again; let's see if they can block me or not. And advanced again; this is an issue, so I need to restart from here again. Okay, and now I want the name of the virus to test them. So if I click on this one, anyone, they have to give me an error and it will show here in the logs. The logs are coming now. No, not this one, Intrusion Prevention; so still it's not there. So let's see if it stopped them or not yet. Okay, so basically it's not going, but for some reason due to this browser, so let me try another one. And if I see the logs, the logs are still not showing me; it means it's not fired yet, so click again. My main theme is that IPS can do all the antivirus profile stuff and also do more stuff as well: botnet and all together. So let me click on this one and let's see if it can give us a different result.

So it was no, so it's giving me another error. So let's do it in another browser. Let me try here. Okay, Advanced, exception. This is a low level of virus, just for test purposes, so it was allowed before in the policy, so I denied them. So by the way, it will work when you test them; it's come up now. Yeah, so they say this virus, because, I mean, intrusion prevention, it's dropped, and this is the virus name. Okay, but here maybe it's not showing me the banner or something. It gives an error, but it works. After some time it will show me the message, because it's come now. How? We can go to Log and Report, Intrusion Prevention. It will show you here the source IP, the protocol TCP, and drop, and count how many times it exists, and what is the attack name. Okay, so it will show you here, this intrusion prevention. If I go back to Intrusion Prevention, what else can we do? Okay, so we can block malicious URLs, we can apply our own signatures and filters, both ways, signature as well and filter as well.

Okay, and botnet IPs are those same IPs which were this one. I hope it will work because it's the same thing, only by IP. So if I test here the same which we used in DNS, it has to be stopped, and let's see if I come here and see the results; the botnet IP has to be here as well, if they stop them. Either we can take the IP from here; when you click here, take any botnet IP, like the IP which is 179-10-6197. These are blacklisted IPs, Russia, China and other countries, which can send you botnets and can control your system. So they have a full list available. Okay, so let's do it by this IP; can they stop this IP or not? And if they generate a log here, it means it's working. This IP will be stopped. So still I don't have it here, and we can test from another browser as well. Test the botnet IP. Okay, and let's see the logs here. Still I am not getting any logs yet. Okay, so you can do the botnet activity, you can filter and you can stop malicious URLs using intrusion prevention. Okay, I hope so.

Now, so now let's see here. So still I can test another IP; anyway it will show you after a while. Sometimes it takes time to show you. Let me go to the file. So we tested here. We allowed, what is, monitor for blocking malicious URLs. We tested this one; botnet is the same thing which we did through DNS and Intrusion Prevention. You can choose to enable them and you can set the severity level you want. And when you access this website, it will block, and it will show you under Intrusion Prevention, and also in the Forward Traffic it will show you here. Both things you can try from here as well. It will show you the log here. Yeah, IP. But it is allowed, by the way; it means we can verify from here. This IP is accessed. So it means it's not stopped by botnet, which has to be stopped. Okay. And also that's why we don't have a log here. So we can verify from here.
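As an added example, not from the lecture, here is the same IPS sensor the lecturer builds in the GUI (malicious URL blocking, botnet C&C blocking, one signature entry for the EICAR test file and one filter entry covering every severity, attached to a firewall policy), written as FortiOS 6.4 CLI. The sensor name "ips-test" and the policy ID 1 are assumptions, and the EICAR signature's numeric rule ID is left as a placeholder to be looked up in the GUI signature search, as the lecturer does.

```fortios
# Added example, not from the lecture. Assumed names: sensor "ips-test", policy ID 1.
config ips sensor
    edit "ips-test"
        set comment "block malicious URL"
        # GUI: Block malicious URLs
        set block-malicious-url enable
        # GUI: Botnet C&C. "monitor" only logs, "disable" switches it off
        set scan-botnet-connections block
        config entries
            edit 1
                # Signature entry. <EICAR_RULE_ID> is a placeholder: find the numeric ID
                # by searching "eicar" in the GUI signature list. The default action for
                # this test signature is pass, so the entry must override it to block.
                set rule <EICAR_RULE_ID>
                set status enable
                set log enable
                # GUI: Packet logging
                set log-packet enable
                set action block
            next
            edit 2
                # Filter entry: every severity level, blocked and logged
                set severity info low medium high critical
                set status enable
                set log enable
                set action block
            next
        end
    next
end
# Attach the sensor to the policy that carries the inside-to-outside traffic
config firewall policy
    edit 1
        set utm-status enable
        set ips-sensor "ips-test"
    next
end
```

Matches then appear under Log and Report, Intrusion Prevention, with the source IP, protocol, action (dropped) and attack name the lecturer reads off in the GUI; if nothing appears, check that the policy actually has the sensor attached and that the traffic is hitting that policy.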
