Hello!
How do I properly apply an IPS profile between internal networks? Let's say there are 50 policies between two zones and they look like this: srv1...srv5 -> srv6 and srv7 : port1 and port2. That is, there are no general rules with "all" in the destination, in either the server section or the services section. Does this mean I have to create a suitable IPS profile and use it in all of those 50 rules (plus in hundreds of others that are between other zones)? And I can't simplify this with an additional rule having "all", because that would open traffic that I actually don't want to be open?
Another question is about an IPS profile with port scanning detection. The DoS policy doesn't really work here because some servers just happen to generate lots of traffic, and if not now then maybe in the future. That's why I'm more interested in detecting port scanning with the IPS profile. But in this case, if I apply this profile in the aforementioned 50 policies (and in hundreds of others) that specify ports, then how does this really work? The policy allows port1 and port2, but if the port scanner avoids those two ports, the IPS profile won't detect port scanning? Just like before, I don't want to create a policy with destination:service=all:all, because that would allow traffic I don't want to be allowed.
Now, if there is no such wider policy, then I understand that no port scanning can actually take place because the policies are restrictive enough, but in my case the need for port scanning detection in IPS was to detect possibly compromised sources, be they users or servers. Is this impossible with an IPS profile, then, without making an unnecessarily wide rule of type all:all? Is this a fundamental limitation when using IPS? And is this so because IPS profiles can be used only on traffic policies, and not like DoS policies or traffic shapers, which are separated from traffic policies?
Hi echo
There are some ways you can apply IPS quickly on hundreds of rules:
I think a port scanner is better detected by a DoS/anomaly policy. I don't think it is a good idea to use IPS on an all-to-all policy.
IPS signatures have various labels attached to them, two of these are used for distinguishing "protect server" and "protect client" signatures. While "protect server" signatures are more on the pointless side of inspecting end-user LAN->WAN traffic, the "protect client" signatures are very much relevant, as long as you're using protocols and applications to which these signatures are relevant.
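The original question comes down to the fact that an IPS sensor is a per-policy setting: each accept policy between the two zones has to carry it, and traffic that no policy accepts never reaches a sensor at all. The following script is an added example, not code from any of the replies above or from Fortinet. It parses the text of `show firewall policy`, lists the accept policies between two zones that have no `ips-sensor` set, and emits one CLI batch that attaches a sensor to them. The sample policy text and the sensor name `protect_servers` are constructed for the example.

```python
"""Audit FortiGate firewall policies for a missing IPS sensor and emit the
CLI batch that attaches one.

Added example for this thread, not Fortinet's or the poster's code.
Assumptions: the input is the text of `show firewall policy`, and the
sensor name "protect_servers" is a placeholder for a sensor you created.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: three policies, two of them between zone_a and zone_b,
# one of which already carries an IPS sensor.
SAMPLE_SHOW = """\
config firewall policy
    edit 1
        set name "srv1-to-srv6-web"
        set srcintf "zone_a"
        set dstintf "zone_b"
        set srcaddr "srv1" "srv2" "srv3"
        set dstaddr "srv6" "srv7"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
    next
    edit 2
        set name "srv4-to-srv7-db"
        set srcintf "zone_a"
        set dstintf "zone_b"
        set srcaddr "srv4" "srv5"
        set dstaddr "srv7"
        set action accept
        set schedule "always"
        set service "MYSQL"
        set utm-status enable
        set ips-sensor "protect_servers"
    next
    edit 3
        set name "mgmt-to-zone_b"
        set srcintf "mgmt"
        set dstintf "zone_b"
        set srcaddr "admin-hosts"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "SSH"
    next
end
"""


@dataclass
class Policy:
    pid: int
    attrs: dict = field(default_factory=dict)

    def get(self, key, default=()):
        return self.attrs.get(key, default)


_EDIT = re.compile(r'^\s*edit\s+(\d+)\s*$')
_SET = re.compile(r'^\s*set\s+(\S+)\s+(.*)$')


def parse_policies(text):
    """Turn `show firewall policy` output into Policy objects.

    Every `set` value becomes a tuple: quoted names are split into their
    members (srcaddr, service, ...), bare words such as `accept` stay single.
    """
    policies, current = [], None
    for line in text.splitlines():
        m = _EDIT.match(line)
        if m:
            current = Policy(int(m.group(1)))
            policies.append(current)
            continue
        m = _SET.match(line)
        if m and current is not None:
            key, raw = m.group(1), m.group(2).strip()
            values = re.findall(r'"([^"]*)"', raw) or raw.split()
            current.attrs[key] = tuple(values)
        elif line.strip() == 'next':
            current = None
    return policies


def missing_ips(policies, srcintf, dstintf):
    """Accept policies from srcintf to dstintf with no IPS sensor attached."""
    return [p for p in policies
            if srcintf in p.get('srcintf') and dstintf in p.get('dstintf')
            and p.get('action') == ('accept',)
            and not p.get('ips-sensor')]


def cli_attach_sensor(policies, sensor):
    """Build one CLI batch that enables UTM and sets the sensor on each policy."""
    lines = ['config firewall policy']
    for p in policies:
        lines += [f'    edit {p.pid}',
                  '        set utm-status enable',
                  f'        set ips-sensor "{sensor}"',
                  '    next']
    lines.append('end')
    return '\n'.join(lines)


if __name__ == '__main__':
    pols = parse_policies(SAMPLE_SHOW)
    todo = missing_ips(pols, 'zone_a', 'zone_b')
    print(f'{len(todo)} of {len(pols)} policies lack an IPS sensor')
    print(cli_attach_sensor(todo, 'protect_servers'))
```

On the sample, only policy 1 is reported, since policy 2 already has a sensor and policy 3 is from a different source zone. The audit deliberately looks only at accept policies: a sensor inspects just the traffic its policy lets through, so connection attempts to ports that no policy allows are dropped by the implicit deny and appear in the denied-traffic log rather than in any IPS event, which is the limitation the question describes.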
Copyright 2024 Fortinet, Inc. All Rights Reserved.