ProCurve Alliance Tested Configuration Document
Fortinet IPS Integration with ProCurve PCM+ and Network Immunity Manager

Introduction
Best Practices
Prerequisites
FortiGate 1000A Configuration
Management Access
Web Manager Access
Enable Management Protocol Access
SNMP Configuration
Optional SNMP Configurations
Protection Profile
Firewall Policy
Intrusion Protection - Signatures
Intrusion Protection - Anomaly
PCM+ & Network Immunity Configuration
PCM+ Fortinet Discovery
Network Immunity Security Alerts
Network Immunity Mitigation Actions
PCM+/NIM Policy Configuration
Policy Configuration Summary
Appendix A: PCM+ Global Policy Preference Settings
Appendix B: Network Immunity Security Monitoring Settings
Appendix C: Switch Security Feature Matrix

Introduction

The purpose of this document is to outline the specific configuration details used to verify the ProCurve Network Immunity Manager (NIM) / Fortinet solution. The deployment option currently supported is the inline IPS design. The inline design requires that network traffic be forwarded through the IPS device for inspection (see Figure 1.0). The ProCurve Alliance Certification Testing objectives are to ensure that NIM can properly decode SNMP traps from the Fortinet appliance and create policies based on specific data fields within the trap.
Figure 1.0: Inline IPS Topology (ProCurve Switch 5406zl on the attacker side, FortiGate 1000A, ProCurve Switch 3500yl-48G on the victim side; the FortiGate sends SNMP traps to ProCurve Manager+ v.2.2 / Network Immunity Manager v.1.0, which decodes the traps, evaluates their content, "finds" the attacker and executes a mitigation action: MAC Lockout, Virus Throttle or VLAN Override)

Fortinet provides five data fields within their SNMP traps that can be used by NIM for identifying security events, configuring security policies and triggering mitigation actions. These fields are listed below and illustrated in Figure 1.1.

1. Attacker IP Address. In the screen capture below, the Attacker IP Address is 180.44.216.150 and is labeled "Source Address" in the Event Details.
2. The physical IP Address of the device sending the SNMP trap (e.g. the FortiGate appliance): 180.44.216.23.
3. The Signature ID: the numerical value for the Signature.
4. The Trap ID, shown in text format in Figure 1.1 as "Fortinet IPS Anomaly."
5. The SNMP Trap Description field, shown below as "syn_flood".

Figure 1.1: Fortinet SNMP Trap Format

Best Practices

Here are a few tips to consider prior to implementing the Network Immunity Manager security solution:

Start simple. Benchmark malicious traffic patterns prior to configuring automated policies with PCM/NIM.
  o Enable the Fortinet device to send traps to PCM/NIM
  o Analyze incoming events in the PCM/NIM Event Browser
  o Organize events by severity, frequency and location to determine problem areas

In creating your security deployment strategy, here are some things to consider:
  o Placement of the Fortinet IPS in your network. The IPS is an inline device, so network traffic must pass through it for inspection.
  o Mitigation strategies: determine the appropriate actions to take based on switch capabilities (see Appendix C) and the severity level of attacks.
  o Notification options: email, pager, call tracking integration.
  o Reporting: NIM provides a variety of useful reports to tune your security policies.

Review the ProCurve Network Immunity Design and Implementation Guides for deployment options and various implementation details.

Prerequisites

Platform requirements: ensure you have adequate system resources and management software in place to deploy the ProCurve Network Immunity / Fortinet solution.
  o On a medium to large network the PCM/NIM management server could consume up to 2 GB RAM; ensure your platform has 2-3 GB RAM.
  o PCM v.2.2 AU#2 and NIM v.1.0 AU#1 are the required management software versions.
Switch requirements: refer to the ProCurve switch capabilities matrix (Appendix C) to determine the mitigation actions available to you.

SNMP requirements: ensure SNMP settings are configured on the management server and on the FortiGate appliance.

FortiGate 1000A Configuration

The following section outlines the configuration steps for the FortiGate 1000A appliance for use with ProCurve Network Immunity Manager. The first step is to set up remote management access. There are several ways to accomplish this task: the Command Line Interface (CLI), the front panel LCD, or connecting to the device over a pre-configured IP Address. The CLI method is described below.

Management Access

From the device's console port, execute the following CLI commands to configure the operating mode, IP Address, subnet mask and gateway address. Replace the values in angle brackets with your own; the closing end commits the settings:

    config system settings
        set opmode transparent
        set manageip <ip address> <netmask>
        set gateway <address_gateway>
    end

Web Manager Access

Connect to the web-based manager by entering the device IP Address you configured in the previous step. The default login name is admin with no password.

Figure 1.2: Web Manager Login

The FortiGate 1000A home page will appear following a successful login. Verify your configuration by navigating to the System > Config > Operation tab (see Figure 1.3).

Figure 1.3: System Operation Configuration

Enable Management Protocol Access

The test topology utilizes ports 1 and 2 to inspect network traffic. Figure 1.4 illustrates the resulting configuration of the management protocols that can now be used to access the device. To achieve these results, navigate to the System > Network > Interface tab to configure ports 1 and 2. Select the edit button located in the right sub-panel that corresponds to Port 1. A simple configuration UI will appear that allows you to select the protocols you wish to enable. In this example, all available management protocols are allowed. Repeat these steps for Port 2.
Figure 1.4: Management Access Protocol Settings

SNMP Configuration

Once basic network connectivity is established, proceed to the System > Config > SNMP v1/v2c tab (Figure 1.5). Ensure the SNMP Agent and SNMP trap forwarding are enabled. Enter the SNMP Description, Location and Contact if you wish.

Figure 1.5: SNMP Properties Summary

Next, select the Create New button to complete the SNMP configuration. The configuration UI shown in Figure 1.6 will appear. Add the PCM/NIM server IP Address in the Host field. Ensure the SNMP versions for both Queries and Traps are set to v2c. PCM/NIM will not decode SNMP v1 traps from the FortiGate appliance; therefore, ensure SNMP v1 is disabled. UDP port numbers 161 and 162 are the default settings and must remain at their default values. The SNMP Event trap settings for IPS Signatures and IPS Anomalies must be enabled (see Figure 1.6).

Optional SNMP Configurations

The administrator can add additional SNMP hosts to receive traps by selecting the Add button. The corresponding "Interface" setting specifies which physical port the traps will be sent from. Enabling additional SNMP Events (lower pane) configures the FortiGate to send device health traps such as CPU and memory usage.

Figure 1.6: SNMP Properties Summary

Protection Profile

The Protection Profile defines the traffic types the FortiGate will monitor and inspect. Protection Profiles are applied to individual port configurations, allowing the administrator to customize monitoring parameters for each physical port as needed. Navigate to the Protection Profile screen by selecting Firewall > Protection Profile. Figure 1.7 shows the Protection Profile Summary. The profile, SCAN, was created by selecting the Create New button. Click Create New to configure the Protection Profile.

Figure 1.7: Protection Profile Summary

Once in the Protection Profile configuration UI, expand the IPS and Logging sections (Figure 1.8).
Select all IPS Signature and IPS Anomaly severities and ensure the IPS Log Intrusions checkbox is selected. Name your profile and select OK.

Figure 1.8: Protection Profile Configuration

Firewall Policy

The Firewall Policy is used to configure specific monitoring parameters for each port (see Figure 1.9). In our topology example we monitor traffic across ports 1 and 2. Notice these ports are listed in two rows, illustrating bi-directional traffic monitoring across each port. To create the Firewall Policy, select Create New.

Figure 1.9: Protection Profile Configuration

Create a Firewall Policy for traffic traversing port1 -> port2 as shown in Figure 1.10. Apply the Protection Profile, SCAN, created in the previous step. Secondly, select the Log Allowed Traffic checkbox. This setting is used in parallel with the Intrusion Protection settings described in the next section.

Figure 1.10: Protection Profile Configuration

Intrusion Protection - Signatures

Navigate to the Intrusion Protection menu in the left tree pane and select Signature. Listed in the main configuration screen are the Signatures the FortiGate will be monitoring. You will notice there are several pages of Signatures listed. Ensure the Enable and Logging checkboxes are selected for the Signatures you wish to monitor.

Note: Within the Action field there are several choices the administrator can make based on the desired "action" should a Signature be detected (e.g. Pass, Drop Session, etc.). The Action field value Pass corresponds to the Log Allowed Traffic configuration in the Protection Profile. Collectively, these configurations specify that Signatures detected with the "Pass" action will be logged and an SNMP trap will be sent to the PCM/NIM management server.

Figure 1.11: Protection Profile Configuration

Intrusion Protection - Anomaly

Highlight the Anomaly selection as shown in Figure 1.12. Ensure the Enable and Logging checkboxes are selected.
Figure 1.12: Protection Profile Configuration

This concludes the configuration steps required for FortiGate IPS integration with NIM.

PCM+ & Network Immunity Configuration

PCM+ and Network Immunity provide an integrated management solution for security policy configuration. The following section outlines the PCM+ and NIM configuration requirements.

PCM+ Fortinet Discovery

The PCM+ application is responsible for "discovering" the Fortinet appliance. The discovery process establishes SNMP communications with the device and sets up PCM+ to receive SNMP traps. The simplest way to complete the discovery process is to execute a Manual Discovery within PCM+. The Tool menu highlighted in Figure 2.0 shows the location of the Manual Discovery Wizard. Once Manual Discovery is complete, the FortiGate appliance will appear in the UTM folder (see Figure 2.0).

Figure 2.0: PCM+ / FortiGate Discovery

Network Immunity Security Alerts

The next step is to begin configuring Security Policies. This is a multi-step process outlined in the following three sections. The first step is to create Alerts. PCM+/NIM categorize alerts in two groups: ProCurve and External. For the purpose of FortiGate IPS integration, we will work with the External Alert configuration. As mentioned earlier, FortiGate SNMP traps contain five fields NIM can utilize:

  o Trap OID
  o Signature ID (Note: IPS Anomalies also have "signature" IDs)
  o Source IP Address
  o Trap Description Text

These fields are illustrated with example trap data in Figure 2.1. The fifth field, Attacker IP Address, is configured in an upcoming step.

Step 1: Navigate to the PCM+ Policy Manager. Highlight Alerts and select New. A configuration UI (not shown) will appear with three configurable fields: Select Alert type, Name and Description. From the pull-down menu select Security: External Alert. Enter a Policy Name (e.g. Fortinet Signature). The Alert Description field is optional. Click OK. The Alert Properties field will be displayed.
Click on the Configuration tab to set the specific Alert configurations. These fields can be used in combination with one another or individually. Since Trap OIDs and Signature IDs may not be readily available, use the Trap Source device IP and enter the IP Address of the FortiGate appliance. Once this alert is applied to a Policy it will process all incoming traps from the FortiGate. There are two other required fields: Number of Events and Time Period. The Alert configuration UI requires the administrator to enter values in these fields:

  o Enter 1 in the Number of Events field
  o Enter 1 in the Time Period field and select Minutes from the pull-down menu

These settings determine when a Policy will execute. Click Apply and Close. Go to Step 2, Network Immunity Mitigation Actions.

Figure 2.1: PCM+ / External Alert Configuration UI

Network Immunity Mitigation Actions

There are several Actions the PCM+/NIM solution provides. For use within Security Policies the most applicable are:

  o Disable Port
  o MAC Lockout
  o VLAN Override
  o Rate Limit

All available actions have been verified and may be used. Figure 2.2 illustrates one example for configuring the Action: Disable Port.

Step 2: Highlight the Actions menu item then select "New." As with creating Alerts, a configuration UI will appear with three configurable fields: Select an Action type, Name and Description. From the Select an Action type pull-down menu select Enable/Disable Port. Enter a Name for the Action, for example, Disable Port. Within the Port Status configuration screen select Disable. The "targeted ports" text is underscored in Figure 2.2 to emphasize that the port(s) disabled by this Action are the "targeted" or Attacker ports. Targets are configured in the final step of Policy configuration. Go to Step 3, Policy Configuration.

Figure 2.2: Policy Actions Configuration UI

PCM+/NIM Policy Configuration

Now that Alerts and Actions have been defined we will proceed with creating a Policy.
In addition to assigning Alerts and Actions to Policies, the administrator will define:

  o Properties: Policy Name and enable/disable setting
  o Time: defines the time frame in which a policy will (or will not) execute
  o Sources: defines the network location(s) where the policy will be applied
  o Targets: defines the devices, ports or groups where the policy will execute

Step 3:

3a) Create a new policy by highlighting Policies and selecting "New." Once you have named your policy (e.g. Fortinet Signature Policy) the Policy Properties dialog will be displayed. From there proceed through the Policy configuration tabs: Time, Sources and Targets.

Note: Figure 2.3 highlights "Target all alert sources (device & ports) that trigger this policy." This is the most common setting for Security policies as it ties Actions (e.g. Disable Port, Rate Limit Port, Move Port to Quarantined VLAN, etc.) to the Attacker IP Address contained within the SNMP trap sent by the FortiGate appliance.

Figure 2.3: PCM+ / NIM Policy Configuration

3b) Within the Alerts tab configuration UI you will see the Fortinet Signatures alert defined in Step 1. Select Fortinet Signatures from the Available Alerts list and move it to the Selected Alerts list.

3c) Select the Actions tab. From the Available Actions list select the Disable Port action previously defined and move it to the Selected Actions list. Select Apply and Close.

Policy Configuration Summary

  Name: Fortinet Signatures
  Time: (execute) Any time
  Sources: (monitor) Any source (e.g. all network device groups)
  Targets: Target all alert sources (devices and ports) that trigger this policy (i.e. take action on the Attacker as identified within the SNMP trap)
  Alerts: process all alerts from the trap source (i.e. the FortiGate)
  Action: disable port if a Signature or Anomaly event is received from the FortiGate

Appendix A: PCM+ Global Policy Preference Settings

The administrator should be advised of important global policy settings.
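The alert threshold, the "Target all alert sources" policy behaviour summarised above and the Appendix A preference that logs actions without allowing device configuration changes, modelled in Python as an added example (not PCM+/NIM or Fortinet code). The addresses and "syn_flood" are those shown in Figure 1.1; the signature IDs, the "port_scan" description, the arrival times and the attacker-to-switch-port table are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Trap:  # the five FortiGate trap fields NIM uses, plus an arrival time
    attacker_ip: str     # "Source Address" in the PCM+ Event Details
    trap_source_ip: str  # IP of the FortiGate that sent the trap
    signature_id: int    # numeric Signature ID (values below are constructed)
    trap_id: str         # e.g. "Fortinet IPS Anomaly"
    description: str     # e.g. "syn_flood"
    seconds: int         # arrival time in seconds (constructed)

@dataclass
class ExternalAlert:  # Security: External Alert keyed on the Trap Source device IP
    trap_source_ip: str
    number_of_events: int = 1  # the two required threshold fields: 1 event
    time_period_s: int = 60    # within 1 Minute, as entered in the alert UI
    recent: list = field(default_factory=list)

    def fires(self, trap):
        if trap.trap_source_ip != self.trap_source_ip:
            return False  # traps from any other device are ignored
        self.recent.append(trap.seconds)
        while trap.seconds - self.recent[0] >= self.time_period_s:
            del self.recent[0]  # drop events outside the sliding window
        return len(self.recent) >= self.number_of_events

EDGE_PORTS = {"180.44.216.150": ("3500yl", "A5")}  # constructed: how PCM+ "finds" the attacker

class Policy:  # "Target all alert sources that trigger this policy" + Disable Port
    def __init__(self, alert, allow_config_changes=False):
        self.alert, self.allow_config_changes = alert, allow_config_changes  # Appendix A
        self.log, self.disabled = [], set()

    def process(self, trap):
        if not self.alert.fires(trap):
            return None
        port = EDGE_PORTS.get(trap.attacker_ip)  # act on the attacker, not the FortiGate
        why = f"{trap.trap_id}: {trap.description}, sig {trap.signature_id}"
        if port is None:
            entry = f"attacker {trap.attacker_ip} not located; no action ({why})"
        elif self.allow_config_changes:
            self.disabled.add(port)
            entry = f"disabled {port} for {trap.attacker_ip} ({why})"
        else:  # log-only mode: record what would have happened
            entry = f"would disable {port} for {trap.attacker_ip} ({why})"
        self.log.append(entry)
        return entry

def run(traps, allow_config_changes=False, number_of_events=1):
    alert = ExternalAlert("180.44.216.23", number_of_events=number_of_events)
    policy = Policy(alert, allow_config_changes)
    for trap in traps:
        policy.process(trap)
    return policy.log, policy.disabled

SAMPLE = [  # constructed traps; addresses and "syn_flood" are from Figure 1.1
    Trap("180.44.216.150", "180.44.216.23", 1001, "Fortinet IPS Anomaly", "syn_flood", 0),
    Trap("180.44.216.150", "180.44.216.23", 1001, "Fortinet IPS Anomaly", "syn_flood", 30),
    Trap("10.1.1.77", "180.44.216.23", 2002, "Fortinet IPS Signature", "port_scan", 200),
]
```

Running with the defaults benchmarks the policy as Appendix A suggests: every trap that would have disabled a port is logged but nothing is changed, and an attacker PCM+ cannot locate produces a log entry rather than an action.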
Highlighted below are the key configuration parameters:

  o "Log actions that would be taken by policies but do not allow device configuration changes." This setting effectively disables Policy Actions. Administrators should use this setting to benchmark the number of policies that would be triggered based on the Policy configuration. To fully enable your Security Policy, including Actions, select "…allow device configuration changes."
  o The suppress event log messages setting is a handy one to enable to reduce the number of events displayed in the PCM+ event browser.

Appendix B: Network Immunity Security Monitoring Settings

The Security Monitoring settings are used in conjunction with the Fortinet IDS ("offline") solution that will be supported in the near future. The purpose of showing this configuration UI now is to make the administrator aware of other security events that may be displayed in the event browser. These security events may cause confusion or an excessive number of entries in the event browser. If excessive events occur while benchmarking the IPS solution, it may be helpful to temporarily disable Security Monitoring.

Appendix C: Switch Security Feature Matrix

Utilize the switch security feature matrix to help determine mitigation actions.

To find out more about ProCurve Networking products and solutions, visit our Web site at www.procurve.com

© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein. XXXX-XXXXEN, 10/2005