I recently set up some IPS rules on my Fortigate and just want to make sure I am using them correctly. At my main site I have:
RDS Web - WAN-DMZ
RDS Gateway - WAN-DMZ
SIP - WAN-LAN
OWA - WAN-LAN
Mail flow - WAN-LAN
I have set up IPS sensors like this:
protect_http_server: IPS filters - Location: server - Protocol: HTTP
protect_rdp: IPS Signatures: MS.Windows.RDP.Remote.Code.Execution, MS.RDP.ActiveX.Use.After.Free, MS.Windows.RDP.ESTEEMAUDIT.Code.Execution, MS.RDP.Connection.Brute.Force
Protect_SIP: Protocol: SIP - Location - Server
protect_email_server: Protocol: SMTP, POP3, IMAP - Location - Server
I then apply the appropriate sensors to the IPv4 rules. I have been getting alerts for RDS Web for example, so IPS is detecting stuff. Is this the correct way to be using this?
Should I be using any LAN-WAN IPS rules for standard user traffic such as web browsing?
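The sensor-and-policy layout described above, written out as FortiOS CLI so the server-side versus client-side distinction is visible (an added illustration, not configuration from the original post). Interface names wan1/dmz/internal, policy IDs and the sensor name protect_clients are assumed placeholders, and the policies show only the IPS-relevant lines (srcaddr, dstaddr, service and schedule omitted). The second sensor uses location client with no protocol restriction, which is the shape a sensor takes when it is attached to an outbound LAN-to-WAN browsing policy rather than to a published server.

```text
config ips sensor
    edit "protect_http_server"
        set comment "Server-side HTTP signatures for the DMZ web/RDS gateway policies"
        config entries
            edit 1
                set location server
                set protocol HTTP
                set status enable
                set action default
            next
        end
    next
    edit "protect_clients"
        set comment "Client-side signatures for user browsing (assumed name)"
        config entries
            edit 1
                set location client
                set status enable
                set action default
            next
        end
    next
end
config firewall policy
    edit 10
        set name "WAN-DMZ RDS Web"
        set srcintf "wan1"
        set dstintf "dmz"
        set action accept
        set utm-status enable
        set ips-sensor "protect_http_server"
    next
    edit 20
        set name "LAN-WAN user browsing"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set utm-status enable
        set ips-sensor "protect_clients"
    next
end
```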