Support Forum
CA443
New Contributor

Help with external Scan

I have a FortiGate 80C and the Intrusion Protection is stopping me from running an external compliance scan against my devices. I have a range of IPs that I would like to be able to fully scan my webservers; however, the Intrusion Protection drops the scan. My scans end up failing thinking that either A) I am vulnerable to a DOS attack, or B) it fails because it can't complete the scans. What I have done so far: I created a Policy rule from my External scan range to Internal Any, on Any service port. In addition, I have turned the Intrusion Protection to "Monitor All", but even when I did this the log would show that things were being dropped. I have since removed my IPS Sensor, but the log report for IPS Packet Archive is still showing that it is dropping things. Is there something else I should be doing? Any idea on how to allow these scans? Thanks in advance!
Thanks,
ShrewLWD
Contributor

We have to have ours audited, so it sounds like you have it almost right. You need the HIGHEST rule to have all the scan ranges listed, external to internal ANY. Don't put ANY UTM rules on it. (I technically have a Block Country rule just above that, with a few... undesirable... countries listed I'd prefer not to have waste my WAN's time).
CA443
New Contributor

Strange. My highest rule is the IP block to any internal any. UTM is unchecked within the rule. However, when I watch the IPS Packet Archive, I continue to see date, time, IDs, and drops. Think I need to reboot my firewall before turning off the IPS feature will take effect? Or maybe I need to open a support ticket?
Thanks,
FortiAdam
Contributor II

When you look at your logs, take note of which policy ID is blocking the traffic. I'm guessing it's not the policy you created to try and let the traffic in. In order to get traffic that was initiated from the internet to the inside of your network you will need to use destination NAT, otherwise known as a VIP. Do you normally have servers exposed to the internet, or are you trying to open them up for the sole purpose of this external scan?
Mark_Oakton
Contributor

Hi, you shouldn't open an any rule inbound to internal services / servers; this is not the purpose of the compliance test. Compliance scans for all security standards (ISO 27001, PCI DSS, FCA, DPA, CESG, etc.) are intended to test the current state of security and to find any inbound connections. You shouldn't be opening any traffic for the purposes of the scan; this will go down as a vulnerability. The requirement is to leave the inbound traffic profiles exactly as they are but to disable IPS for any inbound services for the source IP range of the external scanners. You would likely have to create a duplicate rule for each inbound rule, with a second rule (labelled an audit rule) placed above each inbound rule and configured with the source range of the external scanner and with any UTM functions disabled. Mark
Infosec Partners
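The "audit rule" approach described in the reply above, written out as FortiOS CLI. This is an added example, not configuration from the thread or from Fortinet: the interface names (wan1, internal), the address object name (scanner-range), the VIP name (web-vip), the policy IDs used in the move step and the scanner subnet (203.0.113.0/24, an RFC 5737 documentation range) are all placeholders to be replaced with the values from your own firewall. The syntax follows FortiOS 5.x; check the CLI reference for the firmware on the 80C before pasting.

```fortios
# Constructed example (not from the forum thread). Placeholder names and subnet
# are assumptions; substitute your real interface, VIP and scanner values.

# 1. Address object for the external scanner's source range.
config firewall address
    edit "scanner-range"
        set subnet 203.0.113.0 255.255.255.0
    next
end

# 2. Audit policy: same interfaces, destination VIP and services as the
#    existing inbound web rule, but restricted to the scanner source and
#    with all UTM (IPS, AV, web filter, ...) disabled. Full logging so the
#    scan's hits are visible against this policy ID in the traffic log.
config firewall policy
    edit 0
        set srcintf "wan1"
        set dstintf "internal"
        set srcaddr "scanner-range"
        set dstaddr "web-vip"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status disable
        set logtraffic all
        set comments "audit rule: external scanner, no UTM"
    next
end

# 3. Order matters: the audit rule must sit above the production inbound
#    rule it duplicates. Get both IDs from "show firewall policy", then
#    move the audit rule (here assumed ID 10) before the production rule
#    (here assumed ID 20).
config firewall policy
    move 10 before 20
end
```

The production rule (ID 20 in this example) stays exactly as it is, including its IPS sensor, so the scanner sees the same exposed services that any other internet host sees. Repeat steps 2 and 3 once per inbound rule; the address object from step 1 is shared. After the scan window, disable or delete the audit rules rather than leaving a permanent UTM bypass for that source range.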