What is the IPS inspection sequence applicable?

magnatas · ‎07-13-2022

In my Fortigate I have a IPS Profile with:

1º - "FTP.Login.Brute.Force" Signature, configured to block if there is 300 login failures in 10 seconds.
2º - A filter also including "FTP.Login.Brute.Force" with default settings (200 times in 10 seconds).

In case of a FTP brute force attack (ex. 250 times in 10 seconds), the 2º line will be applicable? Why? The fist line replaces the "FTP.Login.Brute.Force" included in the filter (second line)?

ssudhakar · ‎07-13-2022

Hi there:

The IPS inspection sequence is similar to the way firewall policy matching works. The rules are matched in a top to down approach. If it doesn't match the first rule , it goes down the list until it finds a match

Below is a KB explaining the IPS sequence.

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPS-inspection-sequence/ta-p/199695

Please let me know if that helped

Thank you,

Hope.

magnatas · ‎07-13-2022

Thanks for your answer.

So...in case of FTP brute force attack with 250 login failures in 10 seconds, it doesn't match the first line and goes down for the second line, matching the 2º line. Am I Right?

ssudhakar · ‎07-19-2022

Yes! It goes down the list until it finds a match which in your case is the second line.

Thank you,

Hope.

What is the IPS inspection sequence applicable?

Nominate a Forum Post for Knowledge Article Creation