What are the various components of FortiGate IPS?

Describing the various components of the FortiGate IPS and signatures.

This is part of an on-going series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

The FortiGate Intrusion Prevention System (IPS) is a nifty feature with a lot of practical value. Today, I'd like to describe the various parts that comprise it.

IPS on FortiGate consists of three main parts:

  • IPS Signatures - These are basically patterns/definitions of malicious activity that the Firewall looks for. Examples can be things like:
    • Incoming application-level requests matching known exploits or reconnaissance techniques.
    • Rate-based IPS signatures indicating unusual network volume for specific actions/activities.
  • Protocol Decoders - These are mechanisms that deconstruct network traffic to see if the data conforms to industry specifications. It's a way of catching threats that are trying to disguise themselves as other packets/protocols.
  • IPS Engine - This is the software that performs the IPS scanning work.

So, what do Fortinet IPS signatures actually look like? From a syntax perspective, they have a structure like this:

F-SBID( --<option1> [<value1>]; --<option2> [<value2>]; ...)

The first part F-SBID( is a header that identifies it as a signature. After that, the rest of the signature is just various options/values that the author wants to match. These could be things like:

  • Protocols
  • String patterns
  • Direction of traffic
  • Metadata (e.g. attack_id, name, etc.)

While the syntax is straightforward enough, choosing the right ingredients and matching patterns can be tricky. The IPS signature needs to be specific enough to accurately match the threat/technique but also broad enough to catch threat actors who are being creative.

Here's an example of a custom signature.

F-SBID( --revision 1; --attack_id 8616; --name "BlockPS1"; --service HTTP; --protocol tcp; --pattern ".py"; --context uri; --no_case; --flow from_client;)

In this example, the IPS signature is looking for URIs that contain the string ".py" (case-insensitive) in HTTP traffic originating from the client. It's a technique for trying to catch people sending raw Python scripts.
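To make the option semantics concrete, here is an added example (not Fortinet's engine or any code from this post) that parses the custom signature above into its options and applies a simplified model of the flow, service, context and no_case checks to a few constructed HTTP request summaries. The request dictionaries and the matching logic are assumptions for illustration only; the real IPS engine does far more than substring matching.

```python
import re

# The custom signature from the post, with plain quotes
SIGNATURE = ('F-SBID( --revision 1; --attack_id 8616; --name "BlockPS1"; '
             '--service HTTP; --protocol tcp; --pattern ".py"; --context uri; '
             '--no_case; --flow from_client;)')

# One option: --key [value]; where value may be a quoted string or a bare token
OPTION_RE = re.compile(r'--(\w+)\s*("(?:[^"\\]|\\.)*"|[^;]*?)\s*;')

def parse_fsbid(sig):
    """Turn F-SBID( --opt value; --flag; ...) into a dict; value-less flags map to True."""
    m = re.fullmatch(r'\s*F-SBID\(\s*(.*?)\s*\)\s*', sig, re.S)
    if not m:
        raise ValueError("not an F-SBID signature")
    opts = {}
    for key, val in OPTION_RE.findall(m.group(1)):
        if val.startswith('"') and val.endswith('"') and len(val) >= 2:
            val = val[1:-1].replace('\\"', '"')   # strip quotes, unescape \"
        opts[key] = val if val else True
    return opts

def matches(opts, req):
    """Simplified (assumed) model of the checks: flow, service, then pattern in context."""
    if "flow" in opts and req["direction"] != opts["flow"]:
        return False
    if "service" in opts and req["service"] != opts["service"]:
        return False
    haystack = req.get(opts.get("context", "payload"), "")
    needle = opts["pattern"]
    if "no_case" in opts:
        haystack, needle = haystack.lower(), needle.lower()
    return needle in haystack

# Constructed HTTP request summaries: direction, service and URI only
SAMPLE_REQUESTS = [
    {"direction": "from_client", "service": "HTTP", "uri": "/upload/Evil.PY"},
    {"direction": "from_client", "service": "HTTP", "uri": "/index.html"},
    {"direction": "from_server", "service": "HTTP", "uri": "/static/app.py"},
    {"direction": "from_client", "service": "HTTP", "uri": "/docs/happy.pyramid"},
]

def matched_uris(sig, requests):
    """Return the URIs of the requests that the signature would fire on."""
    opts = parse_fsbid(sig)
    return [r["uri"] for r in requests if matches(opts, r)]

if __name__ == "__main__":
    print(parse_fsbid(SIGNATURE))
    print(matched_uris(SIGNATURE, SAMPLE_REQUESTS))
```

Note that "/docs/happy.pyramid" fires too: a bare ".py" substring in the URI is broad, which is exactly the specificity trade-off the post describes.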

For more information, check out the following resources:

  • Creating IPS and application control signatures | Custom IPS and Application Control Signature Syntax Guide
  • FortiGuard Intrusion Prevention Service | Fortinet
  • What is an Intrusion Prevention System (IPS)? | Fortinet