Im trying to configure an IPS Profile to block a Signatunre on whicht we can see under Protocols just unencrypted Protocols such as ftp, http, stmp, etc.
Since those arent encrypted im assuming that we do not need ssl inspection at all.
Is this correct or did i miss something here?
Thanks in advanced.
Solved! Go to Solution.
Hi @ItsGeisterWolf ,
Unencrypted/clear traffic like HTTP/SMTP/FTP does not use any certificate, so it does not require SSL certificate-Inspection (or Deep-inspection). In our-days more than 85% of traffic on the Internet is encrypted so IPS would miss to inspect quite a lot of content.
You may find the following links useful:
https://community.fortinet.com/t5/Support-Forum/Is-SSL-inspection-required-for-Intrusion-Prevention-...
https://community.fortinet.com/t5/FortiGate/Technical-Note-Differences-between-SSL-Certificate-Inspe...
https://docs.fortinet.com/document/fortigate/7.2.6/administration-guide/583477/configuring-an-ips-se...
Best regards,
Probably based on IP origin and certificate info as that is presented in the clear with TLS 1.2. Once TLS 1.3 is required, certficate will be encrypted so URL and other info will no longer be available. Only the IP origin/destination will be available.
Hi @ItsGeisterWolf ,
Unencrypted/clear traffic like HTTP/SMTP/FTP does not use any certificate, so it does not require SSL certificate-Inspection (or Deep-inspection). In our-days more than 85% of traffic on the Internet is encrypted so IPS would miss to inspect quite a lot of content.
You may find the following links useful:
https://community.fortinet.com/t5/Support-Forum/Is-SSL-inspection-required-for-Intrusion-Prevention-...
https://community.fortinet.com/t5/FortiGate/Technical-Note-Differences-between-SSL-Certificate-Inspe...
https://docs.fortinet.com/document/fortigate/7.2.6/administration-guide/583477/configuring-an-ips-se...
Best regards,
Hi @fricci_FTNT ,
Thanks for your information and provided Links for proper documentation.
Most of them i've already seen.
I guess the best would be to activate the ips sensor together with a SSL Inpection profile, just in case.
Best regards,
Hi @ItsGeisterWolf ,
You are more than welcome and thanks for accepting my answer as solution.
It would be better to activate the IPS sensor with a SSL inspection profile, indeed. Please bear in mind that to inspect encrypted payload traffic you would need Deep-Inspection. With certificate inspection FortiGate would be unable to decrypt and then analyse the payload content.
My further advice would be implementing the IPS sensors initially in monitoring mode and check the behaviour, just to see if you have any false positive. Then please also be wise in adding/using IPS signatures to save CPU/memory resources, i.e. if you are protecting a Linux server, you would not need to implement Windows server related IPS signatures, or if you are protecting clients related traffic, you would not need server related IPS signatures in that specific profile.
Please find some best practices at the link below:
https://docs.fortinet.com/document/fortigate/6.4.0/best-practices/871604
Best regards,
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1740 | |
1108 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.