Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
SupermanInNY
New Contributor

Firewall policy ID sequence/order

Hi All,

I have Transparent mode settings for a FG200A-HD unit. I have WAN1 going to the DataCenter and INTERNAL going to my servers. I have a class of IP Addresses. 5 of those IPs belong to a specific client who needs IPS protection, primarily due to DoS attacks. Light attacks, yet still annoying. I've set up the UTM-IPS profile and it worked great and blocks away attackers.

However, I believe I was setting up the Firewall rules incorrectly, and I believe I had it such that the ENTIRE class was being put behind the IPS rule. The reason I believe this is because Servers with IPs that were not supposed to be behind the IPS policy were all of a sudden showing pages of 'Blocked because of IPS Attack'. And I know that these were not supposed to be 'enjoying' the IPS service. I know I can set the Addresses in a Group, but for this 'exercise' I decided to have a single entry for each IP. I named them Starttech-1 through Starttech-5.

Now, here is my confusion about the Firewall Policies order. Attached you can see the CURRENT setup:

1. Am I protecting the Starttech IPs? - assume the IPS profile is correct. (Yes/No)
2. Am I letting all other IPs go through with just 'regular' firewall services? - assume my policies are correct. (Yes/No)

My previous Setup had the Firewall rule ID 3 BEFORE ID 6 (as shown in my picture). I have just swapped them, so ID-6 is now showing First - so the picture is showing the Current status.

3. Is this how I should have it?
4. Was the previous order a mistake? (where ID-3 came before ID-6)

Thanks for any input on this.
-Sup.
11 REPLIES
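Questions 3 and 4 above come down to how a FortiGate walks its policy table: top-down, first match wins, so a broad accept policy placed above a narrower one with an IPS profile silently absorbs the traffic the narrow policy was meant to inspect. The following simulation is an added example, not from this thread or from Fortinet; the address objects (203.0.113.0/24 as the "class", five hosts inside it as Starttech-1..5, an IPS profile called dos-ips) are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Policy:
    policy_id: int
    src: List[str]                    # address objects as CIDRs; empty list means "all"
    dst: List[str]
    ips_profile: Optional[str] = None  # None: plain "regular" firewall service

    def matches(self, src_ip, dst_ip) -> bool:
        def in_any(ip, nets):
            return not nets or any(ip in ip_network(n) for n in nets)
        return in_any(src_ip, self.src) and in_any(dst_ip, self.dst)

def first_match(policies: List[Policy], src: str, dst: str) -> Optional[Policy]:
    """Walk the table top-down and return the first matching policy
    (FortiGate semantics); None stands for the implicit deny at the bottom."""
    s, d = ip_address(src), ip_address(dst)
    for p in policies:
        if p.matches(s, d):
            return p
    return None

# Constructed sample objects: the whole class and five Starttech hosts inside it.
STARTTECH = [f"203.0.113.{n}/32" for n in range(11, 16)]
ID6 = Policy(6, [], STARTTECH, ips_profile="dos-ips")   # narrow: IPS only for Starttech
ID3 = Policy(3, [], ["203.0.113.0/24"])                  # broad: everything else, no IPS

def profile_applied(order: List[Policy], dst: str,
                    src: str = "198.51.100.7") -> Tuple[Optional[int], Optional[str]]:
    """(policy id, IPS profile) that traffic from src to dst really receives
    under the given policy order; (None, None) means implicit deny."""
    p = first_match(order, src, dst)
    return (p.policy_id, p.ips_profile) if p else (None, None)

if __name__ == "__main__":
    for label, order in (("ID3 before ID6", [ID3, ID6]), ("ID6 before ID3", [ID6, ID3])):
        print(label, "| Starttech-2:", profile_applied(order, "203.0.113.12"),
              "| other server:", profile_applied(order, "203.0.113.50"))
```

With ID 3 first, traffic to a Starttech host matches ID 3 and never reaches the IPS policy; with ID 6 first, Starttech traffic gets the profile and the rest of the class still falls through to ID 3 unchanged.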
emnoc
Esteemed Contributor III

I wouldn't get too excited about those. You really need to review the FortiGuard and KB for info: http://www.fortiguard.com/encyclopedia/vulnerability/tcp.stealth.activity.html fwiw, that's a very low severity alert.

PCNSE NSE StrongSwan
SupermanInNY

anomaly: tcp_src_session, 71 > threshold 70, repeats 29 times
Oh, I wasn't concerned about the "tcp_reassembler: TCP.Stealth.Activity, paw". I don't care for that one; I do see those, but actually not that many. My primary concern is this one: "anomaly: tcp_src_session, 71 > threshold 70, repeats 29 times". Over 70 sessions from a single source seems to me very unlikely as normal activity. But perhaps I'm wrong? When you visit a website, a forum, etc., should you have more than 70 sessions originating from YOUR computer to the Server? That is to my understanding an attack of some sort. That needs to be blocked.