17g
New Member
November 21, 2017
Question

Am I using IPS correctly?

  • 1 reply
  • 6531 views

Hi guys

I recently set up some IPS rules on my FortiGate and just want to make sure I am using them correctly. At my main site I have:

RDS Web - WAN-DMZ

RDS Gateway - WAN-DMZ

SIP - WAN-LAN

OWA - WAN-LAN

Mail flow - WAN-LAN

I have set up IPS sensors like this:

protect_http_server: IPS filters - Location: server - Protocol: HTTP

protect_rdp: IPS Signatures: MS.Windows.RDP.Remote.Code.Execution, MS.RDP.ActiveX.Use.After.Free, MS.Windows.RDP.ESTEEMAUDIT.Code.Execution, MS.RDP.Connection.Brute.Force

Protect_SIP: Protocol: SIP - Location - Server

protect_email_server: Protocol: SMTP, POP3, IMAP - Location - Server

I then apply the appropriate sensors to the IPv4 rules. I have been getting alerts for RDS Web, for example, so IPS is detecting stuff. Is this the correct way to be using this?

Should I be using any LAN-WAN IPS rules for standard user traffic such as web browsing?

Thanks

    1 reply

    packetpusher
    New Member
    November 22, 2017

    17g (Author)
    New Member
    November 23, 2017

    Thanks. That link was really useful and the IPS examples gave some good information.

    packetpusher
    New Member
    November 23, 2017

    Happy to help!