Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
pctech79
New Contributor

IPS and how/when to apply it

i am not new to the Fortigate line of routers but have questions regarding IPS and how/when to implement it.

 

if i am configuring a new fortigate router for a client that has a small office network /w domain server (IE: 10pc / 1DC)  how should IPS be implemented...if need be?  port forwards that would be set up for the server would be port 80 and port 443 and nothing for the desktop clients except maybe RDP access.

 

#1 would it be needed?

#2 would i just apply the default IPS filter on the WAN to LAN policy for the port forward?

 

any info would be greatly appreciated.

 

Thanks,

Gary.

1 Solution
Alby23
Contributor II

Just a little tip for you all... enable IPS on the outgoing policies (the browsing ones i.e.) and try the vulnerabilities tests on wicar.org then let me know

 

In the ransomware era, the idea of apply IPS on the "from internet to internal (via VIP)" appears to be really really old.

View solution in original post

8 REPLIES 8
Alby23
Contributor II

Just a little tip for you all... enable IPS on the outgoing policies (the browsing ones i.e.) and try the vulnerabilities tests on wicar.org then let me know

 

In the ransomware era, the idea of apply IPS on the "from internet to internal (via VIP)" appears to be really really old.

kallbrandt

Hello,

What Fortigate model will be used in this setup?

The smaller desktop models doesn't have a content processor, so the throughput will be kind of low if you apply IPS on any model below 100D.

That however, is a fair price to pay usually.

I would say that you should always apply ips/av on incoming traffic from internet if possible, but create custom profiles with narrowed down scope of signatures - If you have a webserver running linux and apache, create an ips profile that is sorting out everything else BUT linux server and apache webserver.

 

Try to not use the default filter at all, since it has to check the traffic against everything. Narrowing down what is checked is a good practice when your resources isn't unlimited...

 

If you don't have any incoming traffic from internet - Create a custom profile that protects your AD-server maybe?

 

You still need to have the servers and the users on different networks for it to work. Users and servers on the same network segment is not a good practice since they will be able to reach each other without going through the firewall at all.

It is possible to use proxy-arp in the firewall etc, but simplest and safest solution is to keep users and servers on different vlans and networks.

 

The same goes for outgoing traffic to internet. Create an ips policy for windows clients and apply it to the outgoing traffic. Check your cpu and ram usage. If it peaks/flatlines, you need to cut back on something. But as I said in the beginning, it all depends on your Fortigate model.

 

On my lab 51E, traffic speed drops to around 60Mbit/s with av/ips on. Depending on your ISP speed, that might be ok or not for you. The 600D on one of my clients can push over 4Gbit/s with ips on, and they have 100Mbit internet... So, they apply ips/av to just about everything.

Richie

NSE7

Richie NSE7
Alby23

I agree with kallbrandt and I'd like to add that the you'll have the best performance from the 300D that with its NP6 is able to fully offload IPS traffic (for this reason the IPS Enterprise Mix throughput of a 200D is 350 Mbps and in a 300D is 2 Gbps).

pctech79

this particular set up would be using a 30D

Alby23

How many users? And internet throughput?

santonic

Alby23 wrote:

Just a little tip for you all... enable IPS on the outgoing policies (the browsing ones i.e.) and try the vulnerabilities tests on wicar.org then let me know

 

In the ransomware era, the idea of apply IPS on the "from internet to internal (via VIP)" appears to be really really old.

Thanx for Wicar tip. First i thought it was a typo :)

pctech79
New Contributor

probably 8-10 users or so and 25d/l & 2u/l

Alby23

You could try but please monitor the RAM Usage in order to avoid Conserve Mode.

Labels
Top Kudoed Authors