Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Marcde_J
New Contributor II

IPS - NMAP Port Scanner

Our IDS picked up an external NMAP scan on a public IP that made it through the Fortigate Firewall IPS.

 

How can we strengthen our IPS to stop these reconnaissance tools?

 

Importance: High

Detected: Generic suspicious network activity

Detect: HackTool.Nmap.TCP.ServerRequest

Source: 185.203.122.144

Destination: xxx.xxx.xxx.xxx

Technologies: ids

https://threats.kaspersky.com/en/threat/HackTool.Nmap.TCP.C-C/

 

4 REPLIES 4
rosatechnocrat
Contributor II

You need to apply IPS Security Profiles on all the firewall policies with proper action on the signatures. 

Rosa Technocrat -- Also on YouTube---Please do Subscribe
Rosa Technocrat -- Also on YouTube---Please do Subscribe
Marcde_J

We do have that on all. However it appears this specific signature is not covered?

rosatechnocrat
Contributor II

You can verifiy event log and verify using which policy this attack went through and configure IPS profile on that firewall policy as well

Rosa Technocrat -- Also on YouTube---Please do Subscribe
Rosa Technocrat -- Also on YouTube---Please do Subscribe
AEK
Honored Contributor

I'm used to block it with DoS policy.

Tech tip:  https://community.fortinet.com/t5/FortiGate/Technical-Tip-How-to-block-NMAP-port-scanner/ta-p/196222

Be careful when you use DoS policy, if you squeeze a lot you will block many regular traffic. So you need to read well about it and test it enough.

AEK
AEK
Labels
Top Kudoed Authors