What is the IPS inspection sequence applicable?
In my FortiGate I have an IPS profile with:
1st - "FTP.Login.Brute.Force" signature, configured to block if there are 300 login failures in 10 seconds.
2nd - A filter also including "FTP.Login.Brute.Force" with default settings (200 times in 10 seconds).
In case of an FTP brute force attack (e.g. 250 times in 10 seconds), will the 2nd line be applicable? Why? Does the first line replace the "FTP.Login.Brute.Force" included in the filter (second line)?
Labels: FortiGate
Hi there:
The IPS inspection sequence is similar to the way firewall policy matching works. The rules are matched in a top-down approach. If it doesn't match the first rule, it goes down the list until it finds a match.
Below is a KB explaining the IPS sequence.
https://community.fortinet.com/t5/FortiGate/Technical-Tip-IPS-inspection-sequence/ta-p/199695
Please let me know if that helped
Thank you,
Hope.
Created on 07-13-2022 08:52 AM Edited on 07-13-2022 09:05 AM
Thanks for your answer.
So... in case of an FTP brute force attack with 250 login failures in 10 seconds, it doesn't match the first line and goes down to the second line, matching the 2nd line. Am I right?
Yes! It goes down the list until it finds a match which in your case is the second line.
Thank you,
Hope.
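A small model of the top-down matching described in the answers above, added here as an example; it is not Fortinet's code and not taken from the FortiGate implementation. The entry fields, the reading of a threshold as "at least rate_count failures inside any rate_duration-second window", and the evenly spread failed logins are assumptions made for the illustration.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

@dataclass(frozen=True)
class IpsEntry:
    """One line of the IPS sensor, in the order it appears in the profile (assumed model)."""
    name: str
    signature: Optional[str]   # a single named signature, or None for a filter line
    protocol: Optional[str]    # protocol a filter line covers, or None for a single signature
    rate_count: int            # failures needed ...
    rate_duration: int         # ... within this many seconds
    action: str

    def covers(self, signature: str, protocol: str) -> bool:
        if self.signature is not None:
            return self.signature == signature
        return self.protocol == protocol

def peak_rate(times: Sequence[float], window: float) -> int:
    """Largest number of events falling inside any window of `window` seconds."""
    ts = sorted(times)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:   # slide the window start forward
            start += 1
        best = max(best, end - start + 1)
    return best

def first_match(entries, signature, protocol, failure_times):
    """Top-down scan: the first entry that covers the signature AND whose rate
    threshold is reached decides the action; later entries are not consulted."""
    for entry in entries:
        if entry.covers(signature, protocol) and \
           peak_rate(failure_times, entry.rate_duration) >= entry.rate_count:
            return entry
    return None

# The two lines from the question: a custom 300/10s entry for the signature,
# then a filter covering FTP signatures with the default 200/10s threshold.
SENSOR = [
    IpsEntry("line1-signature-300", "FTP.Login.Brute.Force", None, 300, 10, "block"),
    IpsEntry("line2-ftp-filter-default", None, "FTP", 200, 10, "default"),
]

def decide(failures_per_10s: int) -> Optional[str]:
    """Constructed traffic: `failures_per_10s` failed logins spread evenly over 10 seconds.
    Returns the name of the sensor line that fires, or None if no threshold is reached."""
    times = [i * 10.0 / failures_per_10s for i in range(failures_per_10s)]
    hit = first_match(SENSOR, "FTP.Login.Brute.Force", "FTP", times)
    return hit.name if hit else None
```

With 250 failures the first line's 300 threshold is not reached, so the scan continues and the filter line fires; with 350 the first line fires and the filter line is never consulted.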