Our IDS picked up an external NMAP scan on a public IP that made it through the Fortigate Firewall IPS.
How can we strengthen our IPS to stop these reconnaissance tools?
Importance: High
Detected: Generic suspicious network activity
Detect: HackTool.Nmap.TCP.ServerRequest
Source: 185.203.122.144
Destination: xxx.xxx.xxx.xxx
Technologies: ids
https://threats.kaspersky.com/en/threat/HackTool.Nmap.TCP.C-C/
You need to apply IPS Security Profiles on all the firewall policies, with the proper action set on the signatures.
We do have that on all of them. However, it appears this specific signature is not covered?
You can check the event log to see which policy this attack went through, and configure an IPS profile on that firewall policy as well.
I usually block it with a DoS policy.
Tech tip: https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-NMAP-port-scanner/ta-p/196222
Be careful when you use a DoS policy: if you tighten it too much, you will block a lot of regular traffic. So you need to read up on it carefully and test it enough.
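As an added example (not from this thread or from the Fortinet tech tip), this is the shape of the FortiOS CLI DoS policy the replies above refer to, built the cautious way the last reply recommends: the anomaly is first enabled with `action pass` so hits are only logged, the threshold is tuned against real traffic, and only then is the action switched to `block`. The interface name `wan1` and the thresholds are assumptions for illustration.

```text
# Added example, not from the thread. Assumes the internet-facing interface is "wan1".
# Step 1: observe only. Anomalies above the threshold are logged, not blocked,
# so the threshold can be checked against normal traffic before enforcement.
config firewall DoS-policy
    edit 1
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        config anomaly
            edit "tcp_port_scan"
                set status enable
                set log enable
                set action pass
                set threshold 1000
            next
            edit "udp_scan"
                set status enable
                set log enable
                set action pass
                set threshold 2000
            next
        end
    next
end

# Step 2: after reviewing the anomaly logs and confirming that only scanners
# exceed the thresholds, switch the same anomalies to block. Keep the tuned
# thresholds; lowering them aggressively is what starts blocking legitimate
# clients that open many ports to the same host.
config firewall DoS-policy
    edit 1
        config anomaly
            edit "tcp_port_scan"
                set action block
            next
            edit "udp_scan"
                set action block
            next
        end
    next
end
```

Review the anomaly log (Log & Report, Anomaly) between the two steps: if regular peers such as monitoring hosts or load balancers appear there, raise the threshold or scope `srcaddr` to exclude them before enabling `block`.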