Default Action - Pass?
I'm not sure if I am misreading things, but it seems that a lot of "Critical" severity IPS events listed in the "Predefined" tab have a default action of "Pass". Why is this? Is Fortinet just being overly cautious in terms of usability, or am I missing something?
-- Jeff
4 REPLIES
Maybe those IPS signatures don't apply to a widely deployed network.
If an IPS signature applies to very specific traffic or software that you don't have in your network, why enable the related signatures?
regards
/ Abel
I am not talking about enabling. I am referring to the default "Action" parameter. Look up "MS.DirectX.MsVidCtl.ActiveX.Control.Access" for instance. It is the signature for the DirectX exploit publicized this week that can be used in normal web browsing. The severity level is considered "Critical", but according to the "Predefined" tab, packets utilizing this exploit will be passed by default, unless I specify that the IPS sensor it is enabled in overrides the default action value. My question is, if this exploit is considered "Critical", why isn't the default action "Drop"?
-- Jeff
You have to tweak and adjust each signature. I think all are set to pass by default. Since Fortinet doesn't know "your" network and systems, the default is to pass.
PCNSE
NSE
StrongSwan
The default action for most signatures is set to pass, because false positives can occur. IPS should not interfere with normal traffic.
You have to tune the IPS settings according to your network. Of course this is a time-consuming task, which is neglected quite often.
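As an added illustration of the tuning the replies describe (this is not from any post in the thread and not Fortinet's own documentation), the following FortiGate CLI fragment shows the two ways a sensor can override a signature's default "pass" action: a filter entry that catches every critical, client-side signature and blocks it, and a second entry that pins one named signature to "block" regardless of its predefined action. The sensor name "client-side-critical" and the signature name in entry 2 are assumptions; the signature name used is the one quoted in the thread, but its rule ID is not known here, so it is matched by name rather than by `set rule`. The `config entries` / `set location` / `set severity` / `set action` syntax is the one in current FortiOS releases and is assumed to be available on the unit in question (the 2009-era firmware in the thread used a different `config filter` layout).

```fortios
config ips sensor
    edit "client-side-critical"
        set comment "Added example: override default pass action for critical client-side signatures"
        config entries
            # Entry 1 (assumed sensor layout): every predefined signature rated
            # critical whose target is the client (browser/ActiveX/plugin bugs)
            # is blocked and logged, whatever its default action says.
            edit 1
                set location client
                set severity critical
                set status enable
                set log enable
                set log-packet enable
                set action block
            next
            # Entry 2: pin one specific signature by name. "set rule" takes the
            # numeric signature ID, which is not shown in the thread, so the
            # filter below matches on the signature name instead (assumption).
            edit 2
                set default-action block
                set status enable
                set log enable
                set action block
                set rule-name "MS.DirectX.MsVidCtl.ActiveX.Control.Access"
            next
        end
    next
end

# Attach the sensor to the firewall policy that carries outbound web traffic
# (policy ID 1 is a placeholder for this example).
config firewall policy
    edit 1
        set utm-status enable
        set ips-sensor "client-side-critical"
    next
end
```

Two practical caveats follow from the replies above. First, changing an entry's action from `default` to `block` turns a monitoring-only signature into an enforcing one, so watch the IPS log (`set log enable` above) for a while before widening the filter beyond one severity or one target. Second, a severity-wide filter like entry 1 is only as safe as Fortinet's severity rating; the false-positive risk the last reply mentions is exactly why the vendor ships most signatures as "pass" and leaves the block decision to the sensor owner.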
