What's the difference between IPS Signatures and IPS Filters within an IPS Sensor on FortiGate?
Similar terms. Important differences.
When I was first learning about IPS features on FortiGates, a few terms confused the heck out of me: "IPS Sensor" vs "IPS Signature" vs "IPS Filter". What are the differences? Let's briefly unpack these terms.
- IPS Sensor - This is the configuration object (think of it like a bucket; a policy container). Inside the sensor are the settings that describe what kinds of IPS threats to look for, and the sensor is what gets attached to a firewall policy.
- IPS Filter - This is a mechanism for organizing/selecting groups of IPS signatures to use. If you're configuring an IPS sensor to look for a Windows-based threat, maybe it doesn't make sense to have the scanner look for Linux-based anomalies...
The filter criteria can vary, but examples include: severity level, operating system, attack category, etc.
- IPS Signature - This term refers to the actual detection patterns that identify a specific attack. These could be things like network packet attributes, suspicious commands, activities related to vulnerabilities/exploits, etc.
Beyond the high-level definition of the term, there is a UI section of the IPS Sensor called "IPS Signature". This lets admins add individual signatures on top of any signatures that are already included through IPS filters.
Think of it like this: filters form the basis of which IPS signatures the FortiGate will use for a specific sensor/profile, and explicit signature entries add to (or override the action for) that baseline.
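To make the three terms concrete, here is an added example of what they look like in the FortiOS CLI. This is a constructed sensor, not configuration from the original post or from Fortinet: the sensor name, comment, and the `<SIGNATURE-ID>` placeholder are assumptions, and the entry layout follows the standard `config ips sensor` / `config entries` syntax. Entry 1 is an IPS Filter (no signature is named, only criteria), entry 2 is an IPS Signature entry (a specific signature ID is named directly), and the surrounding `config ips sensor` block is the IPS Sensor that a firewall policy would reference.

```text
config ips sensor
    edit "windows-server-protect"
        # The IPS Sensor: the container a firewall policy points at.
        set comment "Constructed example: one filter entry plus one signature entry"
        config entries
            # Entry 1 is an IPS Filter. No signature is named; every signature
            # in the database matching ALL of these criteria is selected:
            # server-side, high or critical severity, Windows targets.
            edit 1
                set location server
                set severity high critical
                set os Windows
                set status enable
                set action block
                set log enable
            next
            # Entry 2 is an IPS Signature entry. "rule" names a specific
            # signature ID, whether or not a filter would have selected it.
            # <SIGNATURE-ID> is a placeholder; look the real ID up in the
            # signature database before using this.
            edit 2
                set rule <SIGNATURE-ID>
                set status enable
                set action block
                set log enable
                set log-packet enable
            next
        end
    next
end
```

A quick sanity check after applying something like this: open the sensor in the GUI and confirm the filter entry expands to a signature count that looks plausible for the criteria (an empty filter usually means the criteria were too narrow or a value was misspelled), and confirm the explicit signature shows the action you intended, since the per-entry `action` is what determines whether a hit is logged only or actually blocked.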
For more information, check out these resources:
