chakravarthinakka
New Contributor

IPS profile related

Hi Team ,

We are planning to add an IPS profile to the firewall policies. There are 14k signatures available in the current FortiGate firewall; it is still 14k signatures if I create a profile with critical, high and medium severity signatures. Can I apply the 14k signatures to each policy, or should I create an IPS profile per service (like HTTP, HTTPS) of the policy?

Please suggest which approach is good and advisable.

seshuganesh
Staff

Hi Team,

I would suggest you select signatures as per your requirement instead of adding the whole list of signatures.

Let's say you have a web server in the internal network: add only the signatures related to HTTP, HTTPS, SQL and related signatures.

This will prevent your firewall from loading the complete signature list again, which is not required in your case.

Under the LAN to WAN policy, keep the IPS policy with 14K signatures, as we are not sure what type of attack we may come across.

Kindly check and keep us posted

chakravarthinakka
New Contributor

OK, thank you for the reply.

I will create profiles as per service. But when I select HTTP signatures, they are around 6k or 8k. If I add the profile, will there be any impact to the web application? Will legitimate traffic be blocked by signatures?

When I see most of the critical signatures, they have the "PASS" action and the remaining are in block mode. How does FortiGate consider these signatures to be "Pass" or "Block"? What is the deciding factor to pass or block? I am concerned because I don't want legitimate traffic to be blocked.

How many IPS profiles can we create for FortiGate 501E?

seshuganesh
Staff

"When I select HTTP signatures they are around 6k or 8k. If I add the profile, will there be any impact to web application?"

--- Usually there will not be any false positives in IPS.

If there is any false positive blocking, you can exempt the signature using this article:

https://community.fortinet.com/t5/FortiGate/Technical-Tip-Exempting-Allow-one-single-IPS-signature-f...

To see detected signatures, you can check under Logs and Reports >> IPS section.

Kindly check and keep us posted
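The per-service sensor, the broad LAN-to-WAN sensor and the single-signature exemption described in the two replies above, written out as an added FortiOS CLI example that is not from this thread or from Fortinet. The sensor names, policy ID 10 and signature ID 12345 are constructed placeholders; that the exemption entry must be listed ahead of the broad filter is an assumption, and `action default` means each signature keeps its FortiGuard-defined default action, which is why some signatures show Pass and others Block.

```text
# Added example (not from the thread). Names, policy ID 10 and
# signature ID 12345 are constructed placeholders; replace with real values.

# 1. Narrow sensor for the inbound web-server policy: only server-side
#    HTTP/HTTPS signatures of medium, high and critical severity.
config ips sensor
    edit "ips-webserver"
        set comment "WAN to DMZ web server"
        config entries
            # Exemption for one signature that produced a false positive.
            # Assumed: keep it listed ahead of the broad filter so it is
            # matched first and excludes the signature from the sensor.
            edit 1
                set rule 12345
                set status disable
            next
            # Broad filter. "action default" follows each signature's
            # FortiGuard default action (hence Pass for some, Block for others).
            edit 2
                set location server
                set protocol HTTP HTTPS
                set severity medium high critical
                set status enable
                set action default
                set log enable
            next
        end
    next
    # 2. Broad sensor for LAN to WAN, where the attack type is unknown.
    edit "ips-lan-to-wan"
        config entries
            edit 1
                set severity medium high critical
                set status enable
                set action default
                set log enable
            next
        end
    next
end

# 3. Attach the narrow sensor to the existing inbound web policy (ID 10 is
#    a placeholder). IPS can only inspect HTTPS payloads when the policy
#    also applies SSL deep inspection.
config firewall policy
    edit 10
        set utm-status enable
        set ips-sensor "ips-webserver"
        set ssl-ssh-profile "deep-inspection"
    next
end
```

Verify hits afterwards under Logs and Reports >> IPS, and add further `set rule` entries to the sensor only for signatures that are confirmed false positives.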

chakravarthinakka

Thank you for the reply.

How many IPS profiles can we create?

Do we have any set of IPS signatures to enable for a web server?

Example: consider I enable the HTTPS set of signatures for a web server. Along with that, do I need to enable other services like (HTTP, SQL...)? Same way, what about SSH connections and FTP? Is enabling only FTP signatures for an FTP connection enough, or along with that do we need to enable any other services?

Please share if you have any document or table for this.
