magnatas
New Contributor

What IPS inspection sequence is applicable?

In my FortiGate I have an IPS profile with:

1st - "FTP.Login.Brute.Force" signature, configured to block if there are 300 login failures in 10 seconds.
2nd - A filter also including "FTP.Login.Brute.Force" with default settings (200 times in 10 seconds).


In case of an FTP brute force attack (e.g. 250 times in 10 seconds), will the 2nd line be applicable? Why? Does the first line replace the "FTP.Login.Brute.Force" included in the filter (second line)?

ssudhakar
Staff

Hi there:

 

The IPS inspection sequence is similar to the way firewall policy matching works. The rules are matched in a top-down approach. If it doesn't match the first rule, it goes down the list until it finds a match.

 

Below is a KB explaining the IPS sequence.

 

https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPS-inspection-sequence/ta-p/199695

 

Please let me know if that helped.

 

 

Thank you,

Hope.

magnatas

Thanks for your answer.

 

So... in case of an FTP brute force attack with 250 login failures in 10 seconds, it doesn't match the first line and goes down to the second line, matching the 2nd line. Am I right?

ssudhakar

Yes! It goes down the list until it finds a match, which in your case is the second line.

 

Thank you,

Hope.

 

 
