Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
echo
Contributor II

A question about applying IPS profile

Hello!

How do I properly apply an IPS profile between internal networks? Let's say there are 50 policies between two zones and they look like this: srv1...srv5 -> srv6 and srv7 : port1 and port2. That is, there are no general rules with "all" as the destination in either the address section or the services section. Does this mean I have to create a suitable IPS profile and use it in all of those 50 rules (plus in hundreds of others that are between other zones)? And I can't simplify this with an additional rule having "all" because that would open traffic that I actually don't want to be open?


Another question is about an IPS profile with port scanning detection. The DoS policy doesn't really work here because some servers just happen to do lots of traffic, and if not now then maybe in the future. That's why I'm more interested in detecting port scanning with the IPS profile. But in this case, if I apply this profile in the aforementioned 50 policies (and in hundreds of others) that specify ports, then how does this really work? The policy allows port1 and port2, but if the port scanner avoids those two ports, the IPS profile won't detect port scanning? Just like before, I don't want to create a policy with destination:service=all:all because that would allow traffic I don't want to be allowed.


Now, if there is no such wider policy then I understand that no port scanning can actually take place because the policies are restrictive enough, but in my case the need for port-scanning detection in IPS was to detect possibly compromised sources, be they users or servers. Is this impossible with an IPS profile then, without making an unnecessarily wide rule of type all:all? Is this a fundamental limitation when using IPS? And is this so because IPS profiles can be used only on traffic policies, and not like DoS policies or traffic shapers, which are separate from traffic policies?

AEK
Honored Contributor

Hi echo

There are some ways you can apply IPS quickly on hundreds of rules:

  • Use FortiManager
  • Prepare command sequence and run it in CLI

I think a port scanner is better detected by a DoS/anomaly policy. I don't think it is a good idea to use IPS on an all-to-all policy.

AEK
kabip7
New Contributor

IPS signatures have various labels attached to them, two of these are used for distinguishing "protect server" and "protect client" signatures. While "protect server" signatures are more on the pointless side of inspecting end-user LAN->WAN traffic, the "protect client" signatures are very much relevant, as long as you're using protocols and applications to which these signatures are relevant.
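As an added example (not from either reply above, nor Fortinet's own tooling), this script does what AEK's second bullet suggests and what kabip7's note about signature labels implies for server-to-server traffic: it selects the accept policies between two zones from a policy table and emits a FortiOS CLI batch that defines one IPS sensor filtered to "protect server" signatures and attaches it to each matching policy by id. The policy table, zone names, sensor name and policy ids are constructed sample data; on a real unit they would come from `show firewall policy` or the REST API. The sensor-entry keywords (`target`, `severity`) are assumed to match the FortiOS 6.x/7.x CLI and should be checked against the running version before the batch is pasted in.

```python
#!/usr/bin/env python3
"""Generate a FortiOS CLI batch: one IPS sensor plus the per-policy edits
that attach it to every accept policy between two zones.

Added example for the forum thread; the policy list below is constructed
sample data, not output from a real FortiGate.
"""
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Policy:
    policyid: int
    srcintf: str
    dstintf: str
    action: str            # "accept" or "deny"
    ips_sensor: str = ""   # sensor already attached, "" if none


# Constructed stand-in for the "50 policies between two zones" in the
# question, plus a few that must be left untouched (other zone, deny action,
# sensor already applied).
SAMPLE_POLICIES: List[Policy] = [
    Policy(101, "srv-zone-a", "srv-zone-b", "accept"),
    Policy(102, "srv-zone-a", "srv-zone-b", "accept"),
    Policy(103, "srv-zone-a", "srv-zone-b", "accept", ips_sensor="internal-servers"),
    Policy(104, "srv-zone-a", "srv-zone-b", "deny"),
    Policy(205, "user-zone", "srv-zone-b", "accept"),
]


def select_policies(policies: Iterable[Policy], srcintf: str, dstintf: str,
                    sensor: str) -> List[Policy]:
    """Accept policies between the two zones that do not yet carry `sensor`.

    Deny policies are skipped (no inspection happens on denied traffic) and
    policies already using the sensor are skipped so the batch is idempotent.
    """
    return [p for p in policies
            if p.srcintf == srcintf and p.dstintf == dstintf
            and p.action == "accept" and p.ips_sensor != sensor]


def sensor_cli(sensor: str, target: str = "server",
               severities: Iterable[str] = ("high", "critical")) -> str:
    """CLI block defining a sensor with a single entry filtered by target label.

    `target server` keeps only the "protect server" signatures, which is the
    relevant set when the destinations are servers; use "client" for the
    end-user side described in kabip7's reply.
    """
    lines = [
        "config ips sensor",
        f'    edit "{sensor}"',
        "        config entries",
        "            edit 1",
        f"                set target {target}",
        f"                set severity {' '.join(severities)}",
        "                set status enable",
        "                set log enable",
        "                set action block",
        "            next",
        "        end",
        "    next",
        "end",
    ]
    return "\n".join(lines)


def policy_cli(policy_ids: Iterable[int], sensor: str) -> str:
    """CLI block enabling UTM and attaching the sensor on each policy id."""
    lines = ["config firewall policy"]
    for pid in policy_ids:
        lines += [f"    edit {pid}",
                  "        set utm-status enable",
                  f'        set ips-sensor "{sensor}"',
                  "    next"]
    lines.append("end")
    return "\n".join(lines)


def build_batch(policies: Iterable[Policy], srcintf: str, dstintf: str,
                sensor: str) -> str:
    """Full batch: sensor definition first, then the policy edits that use it."""
    ids = [p.policyid for p in select_policies(policies, srcintf, dstintf, sensor)]
    return sensor_cli(sensor) + "\n" + policy_cli(ids, sensor)


if __name__ == "__main__":
    print(build_batch(SAMPLE_POLICIES, "srv-zone-a", "srv-zone-b", "internal-servers"))
```

Running the script prints the batch for the sample table; only policies 101 and 102 receive the sensor, because 103 already has it, 104 is a deny policy and 205 is between different zones. Repeating the run for other zone pairs produces the batches for the "hundreds of others" without touching the address or service objects of any policy, which is what keeps the existing restrictive rules intact.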
