fjulianom
Explorer II
December 4, 2017
Solved

IPS from LAN to WAN


Hi guys,

 

I wonder if enabling IPS in the direction LAN --> WAN is necessary or not in order to protect my PCs against attacks. I mean enabling IPS from LAN to Internet, like this:

 

 

Is it ok?

 

Regards,

Julián


    tanr (Answer)
    New Member
    December 4, 2017

    The short answer is yes.  Enabling IPS on the outbound policy should protect the sessions that are initiated by that policy.  In general you should not have a wan --> lan policy.

    fjulianom (Author)
    Explorer II
    December 4, 2017

    Hi tanr,

     

    Ok, thank you. I also have enabled IPS in a WAN --> LAN policy in order to protect the customer servers, because the customer is using Virtual IPs and Destination NAT to access some servers remotely. I just wanted to be sure because some colleagues told me that I only needed to enable the IPS in the WAN --> LAN direction and not in the LAN --> WAN direction. Then I wondered, how will I protect the hosts against attacks initiated from outside? And as you said, enabling IPS on the outbound policy should protect the sessions that are initiated by that policy (therefore by the hosts).

     

    Many thanks!

    Julián

    tanr
    New Member
    December 5, 2017

    Correct.  As long as your wan --> lan policy is just for the VIPs and has its own protection profiles that should be fine.

     

    BTW, if as part of your WAN --> LAN rules you have a DENY policy that involves VIPs, you should check that it has match-vip enable.  Otherwise it is possible that those rules won't be matched.  http://socpuppet.blogspot.com/2016/02/this-is-reminder-for-set-match-vip.html 

     

    All the best.
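
Added example (not part of the thread and not Fortinet code): a small Python audit that reads a FortiGate `show firewall policy` export and lists the deny policies that lack `set match-vip enable`, the check suggested in the last reply. The sample config, policy IDs and address names are constructed; treating a missing `set action` line as deny and a missing `set match-vip` line as disabled are assumptions about the export and the firmware default.

```python
import re

# Constructed excerpt of a `show firewall policy` export (not from the thread).
SAMPLE_CONFIG = '''
config firewall policy
    edit 2
        set srcintf "wan1"
        set dstaddr "vip-web-server"
        set action accept
    next
    edit 3
        set srcintf "wan1"
        set srcaddr "blocklist"
    next
    edit 4
        set srcintf "wan1"
        set srcaddr "scanners"
        set match-vip enable
    next
end
'''

def parse_policies(text):
    """Return {policy_id: {setting: value}} for the `config firewall policy` block."""
    policies, current, in_block = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif in_block and line == "end":
            in_block = False
        elif in_block and line.startswith("edit "):
            current = policies.setdefault(int(line.split()[1]), {})
        elif in_block and line == "next":
            current = None
        elif in_block and current is not None:
            m = re.match(r"set (\S+) (.+)", line)
            if m:
                current[m.group(1)] = m.group(2).strip('"')
    return policies

def deny_policies_missing_match_vip(text):
    """IDs of deny policies where match-vip is not enabled."""
    flagged = []
    for pid, cfg in parse_policies(text).items():
        # Assumption: no `set action` line means deny; no `set match-vip` means disabled.
        if cfg.get("action", "deny") == "deny" and cfg.get("match-vip", "disable") != "enable":
            flagged.append(pid)
    return sorted(flagged)
```

On the constructed sample, only policy 3 is flagged; each flagged ID still needs a manual look to see whether traffic to a VIP can reach it.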