chakravarthinakka
New Contributor

Fortigate IPS Profile

Hi,

Greetings,

I have created an IPS profile by adding the SSH protocol and enabled this IPS profile for SSH-related policies.

These policies are from the external interface to the DMZ interface.

The SSH protocol has around 35 IPS signatures. Are these SSH protocol signatures enough to

Is it the right approach to enable the IPS profile?

lol
Staff

Hello,


> SSH protocol has around 35 IPS signatures. Is this SSH protocol signatures are enough to is it right approach to enable the IPS profile.

 

It really depends on what you are trying to achieve.

 

In case you want to protect an internal SSH server from external attacks, then also add IPS signatures for TCP to detect such attacks, as the underlying TCP protocol might be attacked.

 

If you want to make sure only SSH traffic is passing over the allowed TCP port, then you should only add the required Application Control signatures, i.e. "SSH", "WinSCP", etc., to block any other traffic.

 

And you should verify that SSL deep inspection is enabled for your allowed SSH port to be able to scan the content of the encrypted traffic.

 

It might also be a good idea to add a firewall DoS-policy to protect the internal servers from too many requests.

 


Best Regards

AlexC-FTNT
Staff

> is it right approach to enable the IPS profile.

It depends on what your goal is.

The IPS is detecting and blocking various signatures, but filtering by "SSH" only returns 13 signatures in the latest DB (and some not even related to SSH). Not really sure what you are referring to. 

