IPS (Intrusion Detection System) profiles are applied to firewall policies. If you’re not familiar with creating firewall rules, read this guide first.
IPS (Intrusion Detection System) Profiles on FortiGate
Setting up IPS (Intrusion Detection System) profiles on FortiGate to detect web attacks is a crucial step in securing your network infrastructure. As cyber threats targeting web applications continue to evolve, deploying a well-configured Intrusion Prevention System (IPS) ensures that malicious traffic such as SQL injections, cross-site scripting, and other common web-based attacks are detected and blocked effectively. In this article, we will guide you through the process of setting up IPS profiles on your FortiGate device, enabling you to protect your web servers and applications from potential breaches.
Understanding Web-Based Attacks and How IPS Detects Them
Web attacks often target vulnerabilities in web servers, content management systems, and web applications. Some of the most common types include:
- SQL Injection (SQLi) – Injecting malicious SQL commands through input fields to manipulate backend databases.
- Cross-Site Scripting (XSS) – Injecting scripts into web pages viewed by other users, often used to steal cookies or session tokens.
- Remote File Inclusion (RFI) & Local File Inclusion (LFI) – Exploiting input fields to include unauthorized files on the server.
- Command Injection – Executing system commands via poorly sanitized input fields.
- Directory Traversal – Gaining access to directories and files outside the web root.
FortiGate’s IPS engine analyzes traffic in real-time, comparing packet data against known attack signatures. When a match is found, the IPS can log, alert, or block the traffic—depending on your configuration.
For deeper analysis of suspicious traffic, you can also perform a packet capture directly on the FortiGate device. Learn how to capture and analyze packets here.
Example Configuration: Creating and Applying an IPS Profile
To detect web attacks on a FortiGate 60D, follow these steps to create an IPS profile and apply it to your firewall policy:
Step 1: Create a New IPS Sensor Profile
- Log in to the FortiGate GUI.
- Go to Security Profiles > Intrusion Prevention.
- Click Create New and name the profile, for example:
Web_Attack_Protection. - Under IPS Filters, choose Add Filter.
- In the filter section, set:
- Target:
Server - Severity:
Critical,High, andMedium - Target:
Server
- Target:
- If you select
IPS Signatures, you can manually select signatures relevant to:- SQL Injection
- XSS
- Directory Traversal
- RFI/LFI
- Web Shells
- Click Apply to add them to the profile.
- In the filter section, set:
- Under Action, select Block for severe threats and Monitor or Alert for lower-severity items if you’re unsure.
- Save the IPS sensor.
Step 2: Apply IPS Profile to Firewall Policy
- Go to Policy & Objects > IPv4 Policy.
- Edit the policy that handles incoming HTTP/HTTPS traffic (typically from WAN to LAN/DMZ).
- Scroll down to Security Profiles.
- Enable IPS and select the
Web_Attack_Protectionprofile. - Click OK to save changes
In this post, you can find how to assign security policy to the firewall policy:
Step 3: Monitor Detected Threats
After configuration:
- Go to Log & Report > Intrusion Prevention to monitor detected threats.
- Ensure logging is enabled in the firewall policy to keep visibility.
In this post you can check more information about logging:
Conclusion
Web applications are often exposed to a variety of threats, but FortiGate’s IPS feature provides an effective first line of defense. By setting up an IPS profile specifically tuned to detect common web-based attacks, you can significantly reduce the risk of compromise.
Regularly updating the IPS signatures, reviewing logs, and fine-tuning your profiles will help maintain robust protection. Even on older devices like the FortiGate, proactive configuration and monitoring can go a long way in securing your network.
About The Author
