- Forums
- Knowledge Base
- Customer Service
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiManager
- FortiMonitor
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSandbox
- FortiSASE
- FortiScan
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiVoice
- FortiWAN
- FortiWeb
- FortiWebCloud
- Wireless Controller
- RMA Information and Announcements
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- All_default or protect_client
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
All_default or protect_client
I have been running my firewall using the predefined " all_default" IPS setting for a long time. I was wondering, if someone just wants to use one of the predefined sensors, does all_default or protect_client offer more protection out of the box?
I' m trying to protect employee workstations, not web servers or ftp servers.
Thanks in advance!
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello,
I would recommend spend a couple of hours determining exactly what you need from IPS engine, doing a map of services,machines, network location etc.
After that, define your own IPS specific sensors to cover your needs, log everything and re-check, let' s say, weekly.
Adjust your sensors, eliminating false positives, etc
Reward for all this job:
- FTG' s resources saving
- better logs
- better signal/noise ratio to understand your particular network traffic
regards
regards
/ Abel
regards
/ Abel
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello, I would recommend spend a couple of hours determining exactly what you need from IPS engine, doing a map of services,machines, network location etc. After that, define your own IPS specific sensors to cover your needs, log everything and re-check, let' s say, weekly. Adjust your sensors, eliminating false positives, etc Reward for all this job: - FTG' s resources saving - better logs - better signal/noise ratio to understand your particular network traffic regardsThanks for response. But for the people who dont have the time or the know-how to set up custom rules as you suggest, is there a recommendation of either of these predefined?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my 2 cents...
I' ve never liked the idea of predefined IPS rule sets. You never know what the FGT will be checking or not checking until you look up the predefined rule. In the same amount of time I can create a new rule, put in all signatures for traffic I allow (which mainly is http, ssh, mail) which are marked " client" and let go.
IPS is very powerful and often the only means to stop nasty intruders. I' ve never known that so many websites try to do a HTTP SQL.Injection until I put in the IPS signature for it (OK, some false positives but enough real ones left). But the price for it is that you get a bit closer to it and at least set up your own list. You may reduce the signatures at any time afterwards. Just putting in the predefined list and never look at the logs afterwards will not do the job, even if hardware is a non-issue for you.
The other idea is to rely on Application Control, which more or less is a super-set of IPS wrapped around rules. Fortinet has put some experience into the AppCtrl so that you don' t have to know the low-level details of the protocol. Try it out and see how easy it is and yet very effective.
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede
"Kernel panic: Aiee, killing interrupt handler!"
Ede"Kernel panic: Aiee, killing interrupt handler!"
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
my 2 cents... I' ve never liked the idea of predefined IPS rule sets. You never know what the FGT will be checking or not checking until you look up the predefined rule. In the same amount of time I can create a new rule, put in all signatures for traffic I allow (which mainly is http, ssh, mail) which are marked " client" and let go. IPS is very powerful and often the only means to stop nasty intruders. I' ve never known that so many websites try to do a HTTP SQL.Injection until I put in the IPS signature for it (OK, some false positives but enough real ones left). But the price for it is that you get a bit closer to it and at least set up your own list. You may reduce the signatures at any time afterwards. Just putting in the predefined list and never look at the logs afterwards will not do the job, even if hardware is a non-issue for you. The other idea is to rely on Application Control, which more or less is a super-set of IPS wrapped around rules. Fortinet has put some experience into the AppCtrl so that you don' t have to know the low-level details of the protocol. Try it out and see how easy it is and yet very effective.thank you for detailed feedback. More to do and learn every day.
Related Posts
- Why is the certificate replaced during... 1777 Views
- Question regarding IPS profiles on firewall... 1314 Views
- FortiGate 50E in transparent mode between... 4391 Views
- TCP.Split.Handshake type alert 7018 Views
- How to protect clients and servers... 6225 Views
Labels
-
FortiGate
6,776 -
FortiClient
1,345 -
5.2
801 -
5.4
639 -
FortiManager
582 -
FortiAnalyzer
427 -
6.0
416 -
5.6
362 -
FortiSwitch
348 -
FortiAP
348 -
FortiClient EMS
274 -
FortiMail
265 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
163 -
6.4
128 -
FortiNAC
113 -
FortiGuard
108 -
FortiSIEM
91 -
FortiGateCloud
88 -
IPsec
87 -
FortiCloud Products
85 -
FortiToken
73 -
SSL-VPN
70 -
Customer Service
70 -
4.0MR3
64 -
Wireless Controller
62 -
FortiProxy
47 -
FortiADC
44 -
FortiEDR
42 -
Fortivoice
41 -
FortiExtender
34 -
FortiGate v5.4
34 -
FortiDNS
34 -
SD-WAN
34 -
FortiSandbox
33 -
FortiSwitch v6.4
30 -
Firewall policy
30 -
FortiAuthenticator
24 -
High Availability
24 -
FortiConnect
24 -
VLAN
23 -
FortiWAN
22 -
FortiConverter
21 -
ZTNA
20 -
FortiPortal
18 -
FortiSwitch v6.2
16 -
FortiGate v5.2
16 -
Certificate
16 -
SAML
15 -
DNS
15 -
FortiMonitor
14 -
BGP
14 -
Interface
14 -
Logging
14 -
FortiGate v5.0
13 -
LDAP
13 -
FortiDDoS
13 -
Routing
12 -
FortiCASB
12 -
VDOM
12 -
fortilink
11 -
RADIUS
10 -
Authentication
10 -
Virtual IP
10 -
FortiRecorder
10 -
FortiWeb v5.0
9 -
SSL SSH inspection
9 -
Traffic shaping
9 -
FortiManager v5.0
9 -
NAT
9 -
4.0MR2
9 -
SSID
8 -
Fortigate Cloud
8 -
SSO
8 -
Application control
8 -
RMA Information and Announcements
7 -
FortiSOAR
7 -
FortiAnalyzer v5.0
7 -
FortiGate v4.0 MR3
7 -
Admin
7 -
4.0
7 -
IP address management - IPAM
7 -
Security profile
6 -
FortiBridge
6 -
SNMP
6 -
Web application firewall profile
6 -
Web profile
6 -
Proxy policy
5 -
Traffic shaping policy
5 -
FortiAP profile
5 -
FortiManager v4.0
5 -
Static route
5 -
FortiDirector
4 -
IPS signature
4 -
Packet capture
4 -
Antivirus profile
4 -
Automation
4 -
WAN optimization
4 -
DNS Filter
4 -
FortiTester
4 -
FortiCarrier
4 -
FortiCache
4 -
OSPF
4 -
3.6
4 -
FortiScan
4 -
Port policy
4 -
FortiToken Cloud
3 -
DoS policy
3 -
Email filter profile
3 -
Web rating
3 -
Intrusion prevention
3 -
FortiDB
3 -
trunk
3 -
FortiDeceptor
2 -
System settings
2 -
FortiInsight
2 -
NAC policy
2 -
Fortinet Engage Partner Program
2 -
Users
2 -
Traffic shaping profile
2 -
FortiPAM
2 -
VoIP profile
2 -
FortiAI
2 -
FortiHypervisor
2 -
Netflow
2 -
Protocol option
2 -
4.0MR1
1 -
TACACS
1 -
Replacement messages
1 -
Subscription Renewal Policy
1 -
Schedule
1 -
FortiCWP
1 -
FortiNDR
1 -
SDN connector
1 -
Application signature
1 -
Authentication rule and scheme
1 -
FortiManager-VM
1 -
Internet Service Database
1 -
Fabric connector
1 -
Multicast routing
1 -
Explicit proxy
1 -
Zone
1
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.