Cybersecurity Forum


alcg101
New Contributor

IPS Tuning

Hello everybody

Is there a manual for proper IPS tuning? I know proper tuning will vary for every organization, but at least some basic info would be useful.

Regards

1 REPLY
JesuRami
New Contributor

Hi Alden,

It is a little bit difficult to find an IPS manual for tuning... I'd suggest the following:

  1. Be sure about FW resources such as CPU & memory consumption before enabling IPS inspection. A firewall with a heavy traffic load will be slowed down quite a lot after enabling IPS.
  2. Configure signatures by severity, including Critical, High and Medium, modifying their default action to Monitor.
  3. See what happens in Security Events inside the Logs & Report section.
  4. After a couple of weeks, review the logs again and make a decision about what to enable in the IPS sensor.
  5. Do not enable signatures for targets that don't exist. For example, why enable Linux signatures (to protect Linux servers) if you don't have Linux servers?
  6. Make an inventory of your assets (OS, apps, devices, etc.) to be sure what is in your infrastructure.
  7. Remember, once IPS is enabled, the FortiGate resources will be consumed in either block or monitor mode.

Cheers!


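One way to carry out the log review in steps 3 to 6 of the reply above, as an added example that is not part of the original posts or Fortinet's own code: it summarises IPS events collected in Monitor mode per signature and marks whether the signature's target OS appears in the asset inventory. The log lines, the signature names, the inventory and the signature-to-OS mapping are constructed assumptions; the key=value layout follows the usual FortiGate log style.

```python
import re
from collections import Counter

# Constructed sample in FortiGate-style key=value form (not real logs;
# signature names are placeholders).
SAMPLE_LOG = '''\
date=2024-05-01 time=10:00:01 type="utm" subtype="ips" severity="critical" srcip=198.51.100.7 dstip=10.0.0.10 attack="Example.Windows.Sig.A" action="detected"
date=2024-05-02 time=11:30:12 type="utm" subtype="ips" severity="critical" srcip=198.51.100.9 dstip=10.0.0.20 attack="Example.Windows.Sig.A" action="detected"
date=2024-05-03 time=02:14:45 type="utm" subtype="ips" severity="high" srcip=203.0.113.5 dstip=10.0.0.10 attack="Example.Linux.Sig.B" action="detected"
date=2024-05-04 time=09:00:00 type="utm" subtype="virus" srcip=203.0.113.5 dstip=10.0.0.10 action="blocked"
date=2024-05-05 time=16:40:03 type="utm" subtype="ips" severity="medium" srcip=203.0.113.8 dstip=10.0.0.10 attack="Example.Windows.Sig.C" action="detected"
'''

# Hypothetical asset inventory (step 6): host IP -> operating system.
INVENTORY = {"10.0.0.10": "Windows", "10.0.0.20": "Windows"}
# Hypothetical mapping of signature -> target OS (assumed to come from
# the signature details on the device).
SIG_OS = {"Example.Windows.Sig.A": "Windows",
          "Example.Linux.Sig.B": "Linux",
          "Example.Windows.Sig.C": "Windows"}
SEV_RANK = {"critical": 0, "high": 1, "medium": 2}
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def parse(line):
    """Split one key=value log line into a dict, handling quoted values."""
    return {key: quoted or bare for key, quoted, bare in KV.findall(line)}

def review(log_text, inventory, sig_os):
    """Summarise monitored IPS events per signature for the tuning decision."""
    hits, targets = Counter(), {}
    for line in log_text.splitlines():
        fields = parse(line)
        if fields.get("subtype") != "ips":
            continue  # ignore non-IPS security events
        key = (fields.get("attack"), fields.get("severity"))
        hits[key] += 1
        targets.setdefault(key, set()).add(fields.get("dstip"))
    present = set(inventory.values())
    rows = [{"attack": attack, "severity": sev, "hits": count,
             "targets": sorted(targets[(attack, sev)]),
             # False: no asset runs the OS this signature protects (step 5)
             "relevant": sig_os.get(attack) in present}
            for (attack, sev), count in hits.items()]
    return sorted(rows, key=lambda r: (SEV_RANK.get(r["severity"], 9), -r["hits"]))

if __name__ == "__main__":
    for row in review(SAMPLE_LOG, INVENTORY, SIG_OS):
        print(row)
```

Rows with `relevant` set to False are candidates to leave out of the sensor; the rest are the ones to weigh when deciding what to enable.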