Hi, I need a solution to detect and block when someone is doing a vulnerability scan on my network. I have a Fortigate 1500D and FortiAnalyzer 1000D. Can I achieve this with my products? How? What other solutions are there?
This COULD be a trick question in a sense. Some vulnerability scans are done in a stealthy manner, while some are not. The best practice is to have IPS enabled on your policies and ensure that your notifications on the FAZ are set correctly. One thing to note: if you have a bunch of IPS profiles assigned to different policies, this will be for traffic THROUGH the 1500D, not TO the 1500D. For this, you will need to assign an 'interface policy' on the WAN side(s) of your 1500D. This will protect traffic TO the FortiGate.
As I mentioned in other responses here, you can quarantine the "offenders" (aka your vulnerability partner), but this may not give you good visibility into your vulnerabilities in general. However, it would stop them dead in their tracks, which may or may not be the desired outcome. Check out the article I wrote last year.
Unrelated but related. I have worked on all three sides of an assessment: red, blue and the manufacturer. I cannot tell you how many times I heard the assessor tell me or my customer, "Can you whitelist these IP addresses that we will be coming from..." "Really?" I tell them. That is like me challenging you to enter my house and telling you where the spare key is, where the alarm code is written, the alarm company pass code and my dog's favorite treats. Make them work for their money.
Team Lead Systems Engineering
Commercial SE, Miami
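The answer above describes three pieces of FortiGate configuration without spelling them out: an IPS sensor with logging, an interface policy so the sensor also covers traffic aimed at the FortiGate's own WAN interface, and optional attacker quarantine for sources the sensor flags. The FortiOS CLI fragment below is an added example written for this page, not the responder's own configuration or text from Fortinet documentation. The sensor name "scan-detect", the interface name "wan1", the policy IDs and the 30-minute quarantine expiry are assumed values; adjust them to the unit's actual interface names and existing policy numbering, and check the exact option names against the FortiOS version running on the 1500D.

```fortios
# 1. IPS sensor: log every signature hit at medium severity and above,
#    block the matching session, and (optionally) quarantine the source.
#    Quarantine is what "stops them dead in their tracks"; leave the two
#    quarantine lines out if you want the scan to run so the results
#    still reflect your real exposure.
config ips sensor
    edit "scan-detect"
        set comment "Added example: log and block scan-type signatures"
        config entries
            edit 1
                set severity medium high critical
                set status enable
                set log enable
                set log-packet enable
                set action block
                set quarantine attacker
                set quarantine-expiry 30m
            next
        end
    next
end

# 2. Interface policy on the WAN side: applies the sensor to traffic
#    destined TO the FortiGate itself (management, VPN, SSL portal),
#    which normal firewall policies do not inspect.
config firewall interface-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set ips-sensor-status enable
        set ips-sensor "scan-detect"
    next
end

# 3. Existing forwarding policy (ID assumed): attach the same sensor so
#    traffic THROUGH the 1500D is inspected too, and log all sessions so
#    the FortiAnalyzer has the data to alert on.
config firewall policy
    edit 10
        set utm-status enable
        set ips-sensor "scan-detect"
        set logtraffic all
    next
end

# Verification after a test scan from a lab host:
#   diagnose user quarantine list      -> source should appear with expiry
#   get ips session                    -> confirms the IPS engine is active
# On the FortiAnalyzer, build the event handler on the IPS log type so a
# burst of distinct signature hits from one source raises a notification.
```

A practical caveat that follows from the answer's own point: with quarantine enabled, an authorized assessment will be cut off after the first signature match, so the report will understate what an attacker who is not blocked would find. A common compromise is to run the sensor in block-without-quarantine (or log-only) mode for the agreed assessment window and re-enable quarantine afterwards, rather than whitelisting the assessor's addresses entirely.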