Hi All,
Apologies if this has been covered before, I feel like I've read every article I can find but I'm yet to have a clear understanding in my head.
I understand that best practice with an Intrusion profile would be to add specific signatures, rather than applying all signatures to a profile, however lets say we started with a base filter for all high / critical signatures and set the action to 'Default'.
Then if we started receiving logs for a specific signature triggering, lets say a Netgear one for example, but we had no Netgear devices in our network, or another example, the signature was incorrectly blocking legitimate traffic, what would be the best method to 'silence' those logs and allow the traffic through?
All of the articles I have read seem to suggest that you add the specific signature above the original high / critical filter in the rule and set the action to 'Allow' which will no longer log any hits on that signature and allow the traffic through.
The problem there is that you then need add another rule in the profile including ALL signatures apart from the signature in question with the action default, replacing all / part of the original high / critical filter, otherwise it would still 'fall down', hit the original high / critical filter and follow the Default action again.
I'm obviously not understanding something, as that doesn't seem very efficient? Especially as the new ALL signature rule would need constantly updating after new DB updates?
Wouldn't a better method be to add the signature and set it to disabled instead? After all, isn't that what the IP exemptions do for specific IPs /subnets, disable that signature just for those IPs / subnets?
Or following on with the IP exemptions, add the signature and set an IP exemption of 0.0.0.0/0, which in theory would exempt ALL IPs from that signature (if that is even possible)?
What am I mis-understanding?
Many thanks in advance.
Andy
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hello andycollin,
Thank you for using the Community Forum. I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.
Thanks,
Hi Jean-Philippe,
Thank you, appreciated.
Thanks,
Andy
Hello,
We are still looking for an answer to your question.
We will come back to you ASAP.
Thanks,
Hi Andy,
I am not fully understanding the question honestly. However, keep in mind that firewall policy match is not done with IPS or any security profile. First, the policy is matching based on criteria srcIP:srcport<>dstIP:dstport, schedule and group/authentication if present.
Then the security profile, IPS here, will be applied.
If you need to exempt IPs, go on and create IP address objects for the respective IPs, create a new policy with these address objects as a source and put this as granular matching policy above the regular IPS applying policy. No IPS needed and exempted by lower OSI level information, this means also that the IPS actions do not need to be executed, and the operation is cheaper on the CPU.
I think that covers part of your question at least. I will not be helpful on IPS signatures though.
Best regards,
Markus
Hello
You may refer below article for best practices for IPS profile
Regards
Anas
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1731 | |
1105 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.