Introduction

Increasingly sophisticated and persistent threats are targeting today's expanding attack surface. Isolated security and management systems along with an increasing skills gap make it difficult for organizations to detect and respond to these threats. The most effective approach starts with a unified next-generation firewall (NGFW) security platform. One of the most essential additions to any NGFW is a fully integrated intrusion prevention system (IPS) that can analyze all communication traffic via deep packet inspection (DPI).

The team at the WWT Advanced Technology Center (ATC) tested the core functionality and usability of Fortinet FortiGate Firewalls IPS feature set including:

  • Device management and configuration
  • Protocol analysis and DPI of encrypted SSL traffic
  • Real-time event logging and analysis
  • Reporting

The next sections will provide further details from our testing results. 

Lab Topology

A virtual topology was created in the ATC to focus on validating the IPS capabilities of Fortinet FortiGate NGFW. FortiManager and FortiAnalyzer virtual appliances were included to provide centralized management and detailed logging of the FortiGate NGFWs. After the network topology was built and configured successfully, end-to-end communication was verified. All configuration was completed exclusively using FortiManager as the configuration interface. 

Ixia Breaking Point was introduced for traffic generation. Two types of traffic profiles were applied, one common enterprise traffic (good traffic) mix and a WWT IPS strike pack (bad traffic). The strike pack was used to evaluate the efficacy of the IPS Engine and up-to-date FortiGuard default signature list. The enterprise traffic was evaluated to ensure normal enterprise applications were not impacted by IPS activities.

Fortinet Security Lab - IPS Testing

Testing Components

Device Description             | Hardware Model                 | O/S Version
-------------------------------|--------------------------------|-------------------------------
FortiManager                   | FMG-VM64                       | v7.2.1-build1215
FortiGate                      | FGT-VM64                       | v7.2.3-build1262
FortiAnalyzer                  | FAZ-VM64                       | v7.2.1-build1215
Windows Server                 | Windows Server 2019 Datacenter | v2019 Datacenter – build17763
Windows Desktop                | Windows 10 Pro                 | v22H2-build19045.2364
Ubuntu Server                  | Ubuntu VM                      | v20.04.02
Traffic Jam                    | Traffic Jam VM                 | v3.0.2
Breaking Point                 | Breaking Point VM              | v9.20
VMware vSphere                 | vSphere                        | v7.0.3-build20395099
Cisco UCS                      | Cisco UCS 5108 AC2 Chassis     | UCSB-5108-AC2
Cisco UCS B200 M4 Servers      | Cisco UCS B200 M4 Servers      | UCSB-B200-M4
Cisco UCS Fabric Interconnects | Cisco UCS 6324                 | UCS-FI-M-6324
FGT IPS Definitions            | n/a                            | v22.00483
FGT IPS Engine                 | n/a                            | v7.00234
FGT Malicious URLs             | n/a                            | v4.00602
FGT Botnet IPs                 | n/a                            | v7.02997
FGT Botnet Domains             | n/a                            | v3.00168

IPS Testing Highlights

The IPS validation followed a detailed test plan covering each of the following core functions. Overall testing was very straightforward, and no major issues were encountered. Fortinet IPS performed favorably against the Ixia Breaking Point testing suite: after some light tuning of signature policies, the IPS engine successfully prevented 98.569 percent of strikes, a result that puts Fortinet in the upper echelon of IPS solutions.

Figure 2: Evaluated Test Cases

Role-Based Access Controls

Administrator accounts are used to control access to FortiManager. Local and remote authentication is supported, as well as two-factor authentication. Administrator profiles define different types of administrators and the level of access they have to the FortiManager unit, as well as its authorized devices.

In FortiManager, a restricted administrator profile can be created to allow an administrator to configure IPS settings without interfering with other FortiManager configurations. Restricted administrators can create new profiles and signatures, add signatures and filters to a profile, and define the action (allow, monitor, block, reset, default, quarantine) that will occur for detected signatures. They are also able to view IPS diagnostics, FortiGuard package status, licenses, and services, and create IPS templates.

Several administrator accounts were configured and tested in the evaluation and each account functioned as expected. The firewall admin could push policy and utilize IPS signatures created by the IPS admin but could not edit the signatures. The IPS admin could create IPS signatures that could be utilized by the firewall admin. The full Admin account provided full access to FortiManager which could then be used to create custom administrative accounts that would be needed by customers.

IPS Evaluation

The FortiGate was configured with the prebuilt 'all_default' IPS security profile, which enables all predefined signatures with their default settings. The action was set to 'block' and the status to 'enabled' to override the default per-signature action. The industrial signature database was enabled using the 'default ips global exclude-signatures none' setting so that strikes covered by the FortiGuard Industrial Security Service could be detected; that service requires a license that can be purchased à la carte or as part of the Enterprise Protection Bundle.

Breaking Point was used to send valid HTTPS traffic, malware HTTPS traffic and strike packs from the Internet-facing interface to the DC-facing interface. The strike pack contained 982 strikes, each with a CVSS score of 10.0. As seen in the summary below, the IPS engine successfully prevented 98.569 percent of the strikes sent.


Figure 3: IXIA Breaking Point Results

Next, a new IPS profile was created that blocks approximately 15,800 signatures at the firewall when traffic originates from the Branch location. This profile and policy were pushed while Breaking Point sent traffic in the background, and no packet loss was observed.

Event Logging

Event logging was validated using both SNMP and syslog. One test case created an SNMPv3 user for an assigned SNMP server to forward events, validated that the settings were pushed to the FortiGate, and confirmed receipt of the encrypted SNMPv3 events at the server. An additional test case was configured to send syslog messages to a syslog server. FortiManager System Templates were used to assign an SNMP server and a syslog server to the FortiGate.

 

Figure 4: SNMP traps received at the SNMP Server


Figure 5: Syslog message at the defined Syslog Server
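As an added example (not part of the WWT report or of Fortinet's tooling), the following Python parses FortiGate-style key=value syslog records, such as those forwarded to the syslog server above, and tallies IPS signature events by severity and action. The sample records are constructed with placeholder attack names, and the field names assume FortiGate's usual type/subtype/severity/action keys.

```python
import re
from collections import Counter

# FortiGate sends its logs as space-separated key=value pairs; string values
# are double-quoted and may contain spaces. The alternation tries the quoted
# form first so a value such as attack="Name With Spaces" is kept whole.
KV_RE = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortigate_log(line):
    """Return one log line's key=value fields as a dict with quotes stripped."""
    fields = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def summarize_ips_events(lines):
    """Count IPS signature events by (severity, action); other log types are skipped."""
    counts = Counter()
    for line in lines:
        rec = parse_fortigate_log(line)
        if rec.get("type") != "utm" or rec.get("subtype") != "ips":
            continue
        counts[(rec.get("severity", "unknown"), rec.get("action", "unknown"))] += 1
    return counts


# Constructed sample records in the FortiGate key=value style; they are not
# captures from the lab and the attack names are placeholders.
SAMPLE_LINES = [
    '<189>date=2023-03-01 time=10:15:01 devname="FGT-VM64" type="utm" subtype="ips" eventtype="signature" '
    'severity="critical" srcip=203.0.113.10 dstip=192.0.2.20 action="dropped" attack="Placeholder.Attack.One"',
    '<189>date=2023-03-01 time=10:15:02 devname="FGT-VM64" type="utm" subtype="ips" eventtype="signature" '
    'severity="critical" srcip=203.0.113.11 dstip=192.0.2.20 action="dropped" attack="Placeholder Attack With Spaces"',
    '<189>date=2023-03-01 time=10:15:03 devname="FGT-VM64" type="utm" subtype="ips" eventtype="signature" '
    'severity="high" srcip=203.0.113.12 dstip=192.0.2.21 action="reset" attack="Placeholder.Attack.Two"',
    '<189>date=2023-03-01 time=10:15:04 devname="FGT-VM64" type="utm" subtype="ips" eventtype="signature" '
    'severity="medium" srcip=203.0.113.13 dstip=192.0.2.22 action="detected" attack="Placeholder.Attack.Three"',
    # A plain traffic record: not an IPS event, so the summary must ignore it.
    '<190>date=2023-03-01 time=10:15:05 devname="FGT-VM64" type="traffic" subtype="forward" '
    'srcip=192.0.2.30 dstip=198.51.100.5 action="accept"',
]

if __name__ == "__main__":
    for (severity, action), n in sorted(summarize_ips_events(SAMPLE_LINES).items()):
        print(f"{severity:>8} {action:<9} {n}")
```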

In the lab environment, FortiAnalyzer was configured to receive all logs from FortiGate. 

FortiAnalyzer is a powerful log management, analytics, and reporting platform. Alerts and event logs from Fortinet devices are processed and correlated in a format that is easy to understand. FortiView (part of FortiAnalyzer) is a comprehensive monitoring solution that provides multi-level views and summaries of real-time critical alerts and information. 


Figure 6: FortiAnalyzer Log View for FortiGate Traffic

FortiView was able to provide lists and maps of threats in the form of top threats, threat maps and threat monitors that include various views of threat activity. Most views are customizable, sortable, and filterable on many fields. The monitor views are more dashboard-style and can be customized with the available widgets to meet your needs. Drill-down is also available for threats that show various specifics about that threat such as source, destination, threat type, etc., along with URL links to Fortinet details and NIST details about that threat. 


Figure 11: FortiView Top Applications

The threat map provides a real-time view of active threats, based on the events received from all the FortiGate NGFWs in the environment. 

Figure 7: FortiView Threat Map

The FortiManager Incidents and Events Dashboard provides a correlated view of all the events. Events listed are all actionable and can be acknowledged, with the ability to add comments, assign to someone, view the log, create a new incident or add to an existing incident. The dashboard has many built-in event handlers and offers the creation of custom event handlers that can, for example, send emails or generate SNMP traps and syslog messages. 


Figure 8: Incidents & Events Dashboard

More advanced event handling scenarios can integrate and open tickets with ServiceNow using the FortiSOC component of FortiAnalyzer and playbooks. 


Figure 9: FortiSOC Critical Intrusion Incident Playbook

Reporting

While many canned reports are available on the system, the IPS report was set up to run weekly on Wednesdays. All reports created are available for viewing under the generated reports tab. Output profiles can be used to define the email recipients of the reports, what formats to use for the report (HTML, PDF, XML, CSV, JSON) and whether the reports should be archived out to an FTP, SFTP or SCP Server repository. 


Figure 10: IPS Report Main Page

Conclusion

Criteria: Device Management
Experience: 🟢
Commentary:
Remote Access Configuration: Within the role-based access control (RBAC) configuration, a new "Restricted Admin" role for IPS admins provided granular administration of signature updates and custom signature creation without allowing access to other device functions.
Management Configuration: Traditional SNMPv3 access and syslog IPS logging operated as expected; adding the FortiAnalyzer integration supplied further detail for IPS events in the logging, real-time and historical event views. No technical issues were encountered for device management.

Criteria: IPS Evaluation
Experience: 🟢
Commentary:
Change Management: As desired, neither signature updates nor policy updates disrupted active traffic flows.
Detailed Analysis: Packet captures of both unencrypted and encrypted traffic (using SSL decryption/re-encryption at the firewall) demonstrated the depth of inspection that Fortinet offers. Based on that analysis, Fortinet took different actions for IPS events, such as resetting a traffic flow or dropping the traffic altogether. No technical issues were encountered for IPS evaluation.

Criteria: Monitoring
Experience: 🟢
Commentary:
Monitoring Dashboard: The FAZ FortiView application offered real-time monitoring with customizable dashboards showing map views, traffic views, top threats, and other metrics from the FAZ analytics. Other valuable capabilities included a robust historical event viewer and filter, and an event handler to acknowledge events and send notifications.
Alerting and Reporting: The FAZ FortiSOC application further bolstered the event handling capabilities. Playbooks were configured to run elaborate reports and create incidents. Playbooks could be triggered or scheduled, and the results automatically distributed via email. No technical issues were encountered for monitoring.

🟢 Satisfies Expectations, 🟡 Neutral Score, 🔴 Needs Improvement

Lab Services Note

A minor caveat (ID 883600) was encountered during the FortiManager signature-set configuration of test 2.1.6. As a workaround, the configuration was applied directly on the FortiGate. This caveat has been resolved in FortiOS 7.2.5 and 7.4.0. The command-line snippet is shown below.

config ips global
   set exclude-signatures none
end
