unknown1020
New Contributor III

Security Profiles in policy fortigate

friends,

Is it necessary in the SSL VPN policies to add the IPS profiles and full inspection? Since currently I only have certificate inspection enabled and AV MONITOR mode.


Should IPS, WEB FILTER or APP CONTROL also be added in IPsec tunnels?
Since currently I only have certificate inspection enabled and AV MONITOR mode.


I do not want my equipment to enter conservation mode, it is better to be safe.

1 Solution
Christian_89
Contributor III

When it comes to SSL VPN policies and IPSec tunnels, the specific requirements and recommendations can vary depending on your network infrastructure, security goals, and the devices or software you are using. However, I can provide you with some general guidance.

1. SSL VPN Policies and IPSec Tunnels:
- SSL Policies: Adding IPS (Intrusion Prevention System) profiles to SSL VPN policies can enhance the security of your VPN connections. IPS helps detect and prevent various network threats and attacks, such as intrusion attempts, malware, and exploits. It is generally a good practice to enable IPS in SSL VPN policies for added protection.
- Full Inspection: Enabling full inspection in SSL policies means that the SSL traffic passing through the VPN will be decrypted, inspected, and re-encrypted. This allows your security devices to analyze the encrypted traffic and detect any potential threats. Full inspection can provide more comprehensive security, but it may also introduce additional processing overhead on your devices. Evaluate the performance impact and make sure your devices can handle the increased workload if you decide to enable full inspection.

2. IPsec Tunnels:
- Certificate Inspection: Enabling certificate inspection is a good practice to verify the authenticity and validity of certificates used in IPsec tunnels. This helps prevent man-in-the-middle attacks and ensures secure communication between the tunnel endpoints.
- AV Monitor Mode: AV (Antivirus) Monitor mode allows your security devices to scan IPsec traffic for known malware or viruses. It is a recommended practice to enable AV monitoring to protect against malicious payloads that may be transmitted through the tunnels.

In addition to certificate inspection and AV monitoring, you may consider adding the following security features to your IPsec tunnels, depending on your specific requirements:

- IPS: Enabling IPS in IPsec tunnels provides an additional layer of protection against various network-based attacks. It helps detect and block intrusion attempts, exploits, and other threats.
- Web Filter: Adding web filtering capabilities to your IPsec tunnels allows you to control and monitor web traffic passing through the tunnels. This can help enforce web access policies, block malicious websites, and prevent users from accessing inappropriate or unauthorized content.
- App Control: Enabling application control features in IPsec tunnels allows you to regulate and manage the use of specific applications or services over the VPN. It helps enforce security policies, restrict access to certain applications, and prevent the misuse of network resources.

Ultimately, the specific security features you enable in your SSL VPN policies and IPsec tunnels should be based on your security requirements, the sensitivity of the data being transmitted, and the resources available on your network devices. It is always advisable to consult the documentation and guidelines provided by your VPN and network security vendors to ensure you are implementing the appropriate security measures.


9 REPLIES
unknown1020

Friend, thanks for answering. A query: for the Internet exit policies, that is, LAN to WAN, is it necessary to add the IPS profile in the policy?

pavankr5

When it comes to internet egress policies (LAN to WAN), adding an IPS profile to the policy can provide an additional layer of security. IPS helps detect and prevent various network-based threats and attacks, such as intrusion attempts, exploits, and malware.

By including an IPS profile in the LAN to WAN policy, you can actively monitor and protect outgoing traffic from your internal network to the internet. This can help identify and block any malicious activities or attempts to exploit vulnerabilities before they reach the external network.

unknown1020
New Contributor III

Thanks very much, buddy.

Christian_89

When configuring Internet exit policies (LAN to WAN), adding an IPS (Intrusion Prevention System) profile to the policy can provide an additional layer of security for your outgoing traffic. IPS helps detect and prevent various network threats and attacks, such as intrusion attempts, malware, and exploits.

Including an IPS profile in your Internet exit policy allows the traffic leaving your LAN to be inspected for any known or suspicious patterns that might indicate malicious activity. If a potential threat is detected, the IPS can take appropriate actions, such as blocking or alerting on the traffic.

While it is not always mandatory to include an IPS profile in the policy, it is generally recommended to enable IPS for outgoing traffic. However, the specific requirements and recommendations can vary depending on your network infrastructure, security policies, and the devices or software you are using.

Here are a few factors to consider:

1. Security Requirements: Evaluate the level of security required for your network. If you want to ensure comprehensive protection for your outgoing traffic, including an IPS profile is beneficial.

2. Performance Impact: Keep in mind that enabling IPS can introduce additional processing overhead on your devices, potentially affecting performance. Evaluate the impact on your network infrastructure and ensure your devices can handle the increased workload.

3. Available Resources: Consider the resources available on your security devices or firewalls. Depending on the device's capabilities and licenses, there may be limitations on the number of IPS profiles that can be applied simultaneously.

4. Risk Assessment: Assess the specific risks and threats that your network may face. This can help determine the necessity and priority of including an IPS profile in your Internet exit policies.

It is also important to note that besides IPS, other security features like application control, web filtering, and antivirus can also enhance the security of your Internet exit policies. Consider enabling these features based on your security requirements and the capabilities of your devices.

Ultimately, the decision to include an IPS profile in your Internet exit policy should be based on your organization's security policies, risk tolerance, and the capabilities of your network infrastructure. Consulting the documentation and guidelines provided by your security appliance or firewall vendor will provide more specific recommendations tailored to your environment.

unknown1020

Friend, regarding the SSL VPN policies of my network towards an IPsec VPN of an external network: is it also necessary to add a security profile? Apart from AV and IPS, is it necessary to add the web filter and app control?

[Screenshot_3.jpg and Screenshot_4.jpg attached in the original post]

Christian_89

Yes, it can make sense to include additional security profiles such as web filtering and application control in your SSL VPN policies, depending on your specific needs and security objectives. Here are a few reasons why it might be beneficial:

1. Enhanced Security: Adding web filtering and application control can help strengthen your network's security posture by preventing access to malicious or inappropriate websites and controlling the use of unauthorized or risky applications. This can reduce the risk of security breaches and protect your network from potential threats.

2. Policy Enforcement: Web filtering and application control allow you to enforce specific policies related to web usage and application access. You can define rules and restrictions based on your organization's requirements and prevent users from accessing certain websites or using prohibited applications. This helps maintain compliance, improve productivity, and mitigate potential risks.

3. Granular Control: These additional security profiles offer granular control over network traffic. You can set up rules based on content categories, URLs, application types, or user groups, allowing you to tailor the level of access and restrictions according to different requirements. This flexibility helps you align network security with your organization's specific needs.

4. Defense in Depth: Including multiple layers of security, such as antivirus, IPS, web filtering, and application control, follows the principle of defense in depth. It means that even if one layer of security fails to detect or block a threat, other layers are still in place to provide protection. This multi-layered approach increases the overall effectiveness of your security infrastructure.

However, it's important to consider the potential impact on network performance and user experience when adding these additional security profiles. Some security features may introduce latency, especially when inspecting encrypted traffic. Therefore, it's crucial to properly configure and optimize these profiles to strike a balance between security and performance.

Ultimately, the decision to include web filtering, application control, or other security profiles in your SSL VPN policies should be based on a thorough assessment of your network requirements, risk tolerance, and the resources available to manage and maintain these security features effectively.
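The accepted answer, the LAN-to-WAN reply and the SSL VPN reply above all come down to the same check: which security profiles are actually attached to each accept policy, and whether the SSL/SSH profile decrypts anything for those profiles to inspect. The script below is an added example (not code from this thread or from Fortinet) that parses a constructed `config firewall policy` dump in FortiOS CLI style and reports, per policy, which of the profile attributes discussed here (`ips-sensor`, `av-profile`, `webfilter-profile`, `application-list`) are missing, and flags policies that rely on `certificate-inspection` only. The policy names, interface names and profile names in the sample are made up; the attribute names are the FortiOS CLI keys for these settings.

```python
"""Audit FortiOS firewall policies for the security profiles attached to them."""
import re
import shlex

# Constructed sample in FortiOS CLI style: an SSL VPN policy and an IPsec
# policy with only certificate inspection and an AV profile (the original
# poster's situation), plus a LAN-to-WAN policy with the full set.
SAMPLE_CONFIG = """
config firewall policy
    edit 1
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set action accept
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "av-monitor"
    next
    edit 2
        set name "LAN-to-IPsec-partner"
        set srcintf "internal"
        set dstintf "partner-vpn"
        set action accept
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "av-monitor"
    next
    edit 3
        set name "LAN-to-WAN"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set av-profile "default"
        set ips-sensor "default"
        set webfilter-profile "default"
        set application-list "default"
    next
end
"""

# FortiOS policy attributes for the profiles discussed in the thread.
PROFILE_KEYS = {
    "ips-sensor": "IPS",
    "av-profile": "antivirus",
    "webfilter-profile": "web filter",
    "application-list": "application control",
}
SET_RE = re.compile(r"^set\s+(\S+)\s+(.*)$")


def parse_policies(config_text):
    """Parse the `config firewall policy` block into {policy_id: {key: [values]}}."""
    policies, current, in_block = {}, None, False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue
        elif line == "end":
            in_block = False
        elif line.startswith("edit "):
            current = int(line.split()[1])
            policies[current] = {}
        elif line == "next":
            current = None
        elif current is not None:
            m = SET_RE.match(line)
            if m:
                # shlex strips the quotes FortiOS puts around names
                policies[current][m.group(1)] = shlex.split(m.group(2))
    return policies


def audit_policy(policy):
    """Return a list of findings for one policy (empty list means nothing to report)."""
    findings = []
    if policy.get("action", ["deny"])[0] != "accept":
        return findings  # deny policies carry no security profiles
    if policy.get("utm-status", ["disable"])[0] != "enable":
        findings.append("utm-status is disabled: no security profile applies to this policy")
        return findings
    for key, label in PROFILE_KEYS.items():
        if key not in policy:
            findings.append(f"no {label} profile ({key}) attached")
    if policy.get("ssl-ssh-profile", [""])[0] == "certificate-inspection":
        findings.append(
            "certificate-inspection only: AV and IPS do not see the content of "
            "TLS sessions; web filter can still act on SNI/certificate names"
        )
    return findings


def audit_policies(config_text):
    """Map every policy id in the dump to its list of findings."""
    return {pid: audit_policy(p) for pid, p in parse_policies(config_text).items()}


if __name__ == "__main__":
    for pid, policy in parse_policies(SAMPLE_CONFIG).items():
        name = policy.get("name", ["?"])[0]
        print(f"policy {pid} ({name}):")
        for finding in audit_policy(policy) or ["ok"]:
            print(f"  - {finding}")
```

Run it against a saved `show firewall policy` output instead of the sample to get the same report for your own device. The script only reads policy attributes; whether an attached AV profile is in monitor or block mode lives in the profile itself, so that still has to be checked under `config antivirus profile`.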

MelissaVollmer

That was an excellent and comprehensive explanation of SSL VPN policies and IPSec tunnels!

srajeswaran
Staff

Excellent points shared by @Christian_89. I would like to add that you need to consider the performance point of view from the user as well. Any VPN encryption/decryption is going to reduce throughput/performance, and adding deeper inspection may also have an impact.

Regards,
Suraj