I have a webserver behind a FortiGate 100F (v6.2.5). I want to protect it with an IPS sensor. But there are some questions where I wasn't able to find an answer.

1. Why do some IPS signatures have action = pass, and why do some signatures have status = disabled? I know that I can generally override all signatures to block/quarantine (changing ips-action to block/quarantine), and the same for status. But what's the reason that not all actions/statuses are set to block? There are many signatures with high/maximum severity... wouldn't it be best to include all signatures? Is the reason false positives? What would you recommend (default, or override to block/quarantine all)?

2. I have a Windows webserver (IIS) behind the FortiGate with just HTTP/HTTPS (access from public); between the FortiGate and IIS there is also a HAProxy load balancer. So there is an IPv4 policy allowing only HTTP/HTTPS (service) from public. What is now the "best practice" for the IPS filter? Should I include all signatures (no filter) for "maximum" security (decreasing performance?)? Would an IPS signature for e.g. IMAP have any effect, since the IPv4 policy isn't allowing IMAP? Or let's ask the question another way: if I set the IPS filter to just HTTP/HTTPS, are other TCP-based attacks possible? Would it be best to select all SEVERITIES + SERVER + LINUX + WINDOWS (because of HAProxy + IIS)?

Basically I wouldn't want to have any attacks inside my network. But I don't know the impact of enabling all signatures (no filter). I also don't know if e.g. an IMAP attack is blocked by the IPv4 policy (service restricted to HTTP/HTTPS) anyway, so that IPS signatures for IMAP are useless in this case?
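As an added illustration (not part of the original post and not taken from Fortinet's documentation), here is a FortiOS 6.2-style CLI sensor that expresses the filter the question is circling around: one entry that takes every server-side signature for Windows and Linux rated high/critical and forces it to block (overriding the vendor's pass/disabled defaults), and a second entry that leaves the lower-severity server-side signatures at their defaults but logs them so they can be reviewed before being tightened. The sensor name, policy ID, interface names and the "vip-haproxy" address object are assumptions; the lines beginning with "#" are annotations for the reader and are not CLI input. The deep-inspection SSL profile on the policy is also an assumption, added because IPS can only match HTTPS payload that the FortiGate is able to decrypt.

```fortios
config ips sensor
    edit "web-srv-ips"
        set comment "Server-side IPS for the public IIS/HAProxy policy (assumed example)"
        config entries
            # Entry 1: high/critical signatures aimed at servers running
            # Windows (IIS) or Linux (HAProxy), forced to block and logged
            # with packet capture so a hit can be reviewed afterwards.
            edit 1
                set severity high critical
                set target server
                set os Windows Linux
                set status enable
                set log enable
                set log-packet enable
                set action block
                set quarantine attacker
            next
            # Entry 2: remaining server-side signatures for the same OS
            # families keep the vendor default status/action, but are
            # logged so their false-positive rate can be judged first.
            edit 2
                set severity info low medium
                set target server
                set os Windows Linux
                set status default
                set log enable
                set action default
            next
        end
    next
end

# The inbound policy: only HTTP/HTTPS from the public interface to the
# assumed VIP, with the sensor above applied in flow mode.
config firewall policy
    edit 10
        set name "inbound-web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "vip-haproxy"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set inspection-mode flow
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "web-srv-ips"
    next
end
```

Two things worth checking after applying such a sensor: "diagnose ips anomaly list" and the IPS log filtered on "web-srv-ips" show what entry 2 would have blocked had it been forced to block, which is the evidence needed to decide whether to widen entry 1; and because the policy's service set already drops anything that is not HTTP/HTTPS, signatures for other application protocols on this policy only matter for traffic that arrives inside those two services, so an OS/target/severity filter as shown costs little and the question of "all signatures vs. filtered" mainly affects inspection load rather than coverage.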