Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Autumn 2024 badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Forums
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiBridge
- FortiAuthenticator
- FortiCache
- FortiCarrier
- FortiConnect
- FortiCASB
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDB
- FortiDDoS
- FortiDNS
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGuard
- FortiGate Cloud
- FortiHypervisor
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDR (on-premise)
- FortiNDRCloud
- FortiPAM
- FortiPortal
- FortiPhish
- FortiProxy
- FortiRecorder
- FortiRecon
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiWebCloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Forums
- Support Forum
- RE: Help with external Scan
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Help with external Scan
I have a FortiGate 80C and the Intrusion Protection is stopping me from running an external compliance scan against my devices. I have a range of IP' s that I would like to be able to fully scan my webservers; however, the Intrusion Protection drops the scan. My scans end up failing thinking that either A) I am vulnerable to a DOS attack, or B) It fails because it can' t complete the scans.
What I have done so far -
I created a Policy rule from my External scan range to Internal Any, on Any service port.
In addition, I have turned the Intrusion Protection to " Monitor All" , but even when I did this the log would show that things were being dropped. I have since removed my IPS Sensor, but the log report for IPS Packet Archive is still showing that it is dropping things. Is there something else I should be doing? Any idea on how to allow these scans?
Thanks in advance!
Thanks,
Thanks,
Nominate a Forum Post for Knowledge Article Creation
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
4 REPLIES 4
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
We have to have ours audited, so it sounds like you have it almost right.
You need the HIGHEST rule to have all the scan ranges listed, external to internal ANY. Don' t put ANY UTM rules on it.
(I technically have a Block Country rule just above that, with a few... undesirable... countries listed I' d prefer not to have waste my WANs time).
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Strange. My highest rule is the IP block to any internal any. UTM is unchecked within the rule. However, when I watch the IPS Packet Archive, I continue to see Date, time, ID' s, and drops. Think I need to reboot my firewall before turning off the IPS feature will take effect? Or maybe I need to open a support ticket?
Thanks,
Thanks,
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When you look at your logs take note of which policy ID is blocking the traffic. I' m guessing it' s not the policy you created to try and let the traffic in.
In order to get traffic that was initiated from the internet to the inside of you network you will need to use destination NAT otherwise known as a VIP. Do you normally have servers exposed to the internet or are you trying to open them up for the sole purpose of this external scan?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
You shouldn' t open a any rule inbound to internal services / servers, this is not the purpose of the compliance test. Compliance scans for all security standards, ISO 27001, PCI DSS, FCA, DPA, CESG, etc, etc are intended to test the current state security and to find any inbound connections.
You shouldn' t be opening any traffic for the purposes of the scan, this will go down as a vulnerability.
The requirement is to leave the inbound traffic profiles exactly as they are but to disable IPS for any inbound services for the source IP range of the external scanners.
You would likely have to create a duplicate rule for each inbound rule, with a second rule (labelled an audit rule) placed above each inbound rule and configured with the source range of the external scanner and with any UTM functions disabled.
Mark
Infosec Partners
Infosec Partners
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Related Posts
- NAT/Proxy 443 on domain controllers to... 98 Views
- policy user by using External AD... 91 Views
- SDWAN (with two ISP) 155 Views
- FMG 7.2.7 - AWS External Connector... 100 Views
- Azure FG Cloud Deployment and Existing... 254 Views
Labels
-
FortiGate
8,029 -
FortiClient
1,608 -
5.2
801 -
FortiManager
679 -
5.4
639 -
FortiAnalyzer
516 -
FortiSwitch
424 -
FortiAP
423 -
6.0
416 -
FortiClient EMS
364 -
5.6
362 -
FortiMail
300 -
6.2
251 -
FortiAuthenticator v5.5
234 -
5.0
196 -
FortiWeb
189 -
SSL-VPN
175 -
FortiNAC
160 -
IPsec
154 -
6.4
128 -
FortiGuard
124 -
FortiGateCloud
98 -
FortiCloud Products
94 -
FortiSIEM
92 -
SD-WAN
88 -
FortiToken
86 -
Customer Service
74 -
Wireless Controller
74 -
FortiAuthenticator
70 -
4.0MR3
64 -
Firewall policy
54 -
FortiProxy
53 -
FortiEDR
50 -
Fortivoice
49 -
FortiADC
49 -
FortiExtender
43 -
VLAN
42 -
FortiDNS
41 -
High Availability
40 -
FortiSandbox
39 -
ZTNA
37 -
FortiGate v5.4
35 -
Routing
34 -
LDAP
34 -
FortiSwitch v6.4
33 -
DNS
33 -
BGP
32 -
SAML
31 -
Certificate
30 -
Interface
29 -
SSO
27 -
NAT
27 -
FortiConnect
25 -
Authentication
25 -
FortiWAN
24 -
FortiConverter
24 -
RADIUS
24 -
FortiGate v5.2
23 -
VDOM
23 -
FortiLink
23 -
Virtual IP
20 -
Web profile
20 -
FortiSwitch v6.2
18 -
FortiPortal
18 -
Fortigate Cloud
18 -
Logging
18 -
Traffic shaping
17 -
Application control
17 -
FortiMonitor
16 -
FortiPAM
16 -
FortiDDoS
15 -
FortiGate v5.0
14 -
SSL SSH inspection
14 -
OSPF
13 -
FortiCASB
12 -
SSID
12 -
IP address management - IPAM
12 -
FortiManager v5.0
11 -
Automation
11 -
Admin
11 -
Static route
11 -
WAN optimization
11 -
Web application firewall profile
11 -
FortiSOAR
10 -
FortiRecorder
10 -
SNMP
10 -
4.0MR2
9 -
FortiWeb v5.0
9 -
FortiAP profile
9 -
FortiGate v4.0 MR3
8 -
FortiManager v4.0
8 -
FortiBridge
8 -
IPS signature
8 -
System settings
8 -
Proxy policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
RMA Information and Announcements
7 -
Traffic shaping policy
7 -
Port policy
7 -
FortiCache
6 -
DNS filter
6 -
trunk
6 -
Packet capture
6 -
Security profile
6 -
Intrusion prevention
6 -
FortiCarrier
5 -
FortiToken Cloud
5 -
FortiTester
5 -
Users
5 -
Fabric connector
5 -
3.6
4 -
FortiDeceptor
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Antivirus profile
4 -
Traffic shaping profile
4 -
DLP sensor
4 -
Email filter profile
4 -
Web rating
4 -
Fortinet Engage Partner Program
4 -
FortiDB
3 -
FortiHypervisor
3 -
Explicit proxy
3 -
NAC policy
3 -
Application signature
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Netflow
3 -
Replacement messages
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
API
2 -
FortiNDR
2 -
Authentication rule and scheme
2 -
Protocol option
2 -
Schedule
2 -
Service
2 -
Zone
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Kerberos
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
TACACS
1 -
SDN connector
1 -
Multicast policy
1 -
Cloud Management Security
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1473 | |
| 1007 | |
| 748 | |
| 443 | |
| 207 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2024 Fortinet, Inc. All Rights Reserved.