fortimaster
Contributor

Doubts about IPS sensors in some policies

Hello. I am very strict when it comes to applying UTM profiles, and in some cases I wonder if it is necessary or if I am doing it wrong, especially when I talk about the IPS sensor. In some cases I double analyze the traffic that enters (and leaves) the network that I manage, and I am going to give you some examples in which I have doubts about whether I am doing it correctly.

1) Internet to DMZ web server A --> In this case I have no doubt. I apply IPS sensors, HTTP antivirus deep inspection, etc.

2) Intranet to DMZ web server A --> In this case I also apply an IPS sensor and HTTP antivirus. I apply an IPS sensor in case the server, although it is protected as indicated in example 1 for the internet connections, has been infected by a worm in the DMZ itself. Does it seem correct to you, or do you think that in this case IPS would no longer be necessary?

3) User networks to DMZ web server A --> I apply IPS and antivirus. I apply an IPS sensor in case the server, although it is protected as indicated in example 1, has been infected by a worm in the DMZ itself. Does it seem correct to you, or do you think that in this case I can do this better?

4) DMZ SQL server to intranet SQL server --> I apply an IPS sensor with SQL signatures. Is this correct, or can an IPS exploit not bypass without user interaction?

5) Finally, I protect all direct connections from intranet users/servers to the internet, for example an SMTP connection to an Office365 server, even if the connection originates from my network. I use an IPS sensor and antivirus, in case the destination to which we make the TCP connection had a problem and could enter my network through that TCP connection.

Could you give me your opinion about the use I make, especially of the IPS sensors, in the examples that I indicate?

Thank you for your help!

Anthony_E
Community Manager

Hello,

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Anthony-Fortinet Community Team.
Anthony_E
Community Manager

Hello,

For questions 1) and 2):

Consider using a FortiWeb Web Application Firewall, as it is dedicated to protection for HTTP applications.

For 3):

You can have a look at these documents:

https://community.fortinet.com/t5/Support-Forum/Best-Practices-of-IPS-Using/m-p/8815?m=162609

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Best-practices-for-policy-configuration/ta...

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPs-best-practices/ta-p/198360#:~:text=Ref...

 

Anthony-Fortinet Community Team.
fortimaster

Thanks for your help, Anthony. I will carefully read everything you say.
