Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Not applicable

What is the difference between "Block" and "Reset"?

Dear all, I am now setting up the FortiGate 200A firewall to control our staff's use of instant messaging during work hours. I have created a new IPS sensor, specifying protocol to IM, application to IM, and "Enable all" for "Enable" and "Logging". But when it comes to "Action", I am not sure whether I should set it to "Block all" or "Reset all". What is the difference between these two? Thanks a lot!
lmuir
New Contributor

Reset: Sends TCP Reset in both directions and removes the session from the session table.
Reset Client: Sends TCP Reset to the client and removes the session from the session table.
Pass Session: Allows the packet that triggered the signature and performs no further IPS checking for the session.
Drop Session: Drops the packet which triggered the signature and all subsequent packets for that session.
Clear Session: Drops the packet which triggered the signature and removes the session from the session table.
Drop: Drops the packet which triggered the signature. Not suitable for TCP, as the dropped packet will be detected and the packet will be resent.
Cheers, Lachlan.
Not applicable

It's hard to figure out what action to use with what rule. I thought that with "drop session" I would be safe in most cases? Or is "clear session" better? Or are there rules where these would have no effect?
aplato
New Contributor

It's hard to figure out what action to use with what rule. I thought that with "drop session" I would be safe in most cases? Or is "clear session" better? Or are there rules where these would have no effect?
In general, if you are in-line, you want to avoid using any of the ones that send a reset (RST) packet. That can be detected at the origin and it can potentially DoS your own connection. (If I know you send RSTs, I can flood you with bad traffic and the RST packets will clog your pipe.) RST is the only way you can block if you are doing passive monitoring (not in-line), and even that isn't 100% effective and can DoS your own network. It is best to drop the packet or session. This causes the offending packet(s) to simply disappear, which is preferable as it cannot be detected (easily) at the origin. Dropping the packet or session also can slow down automated scanners and worms.
Andrew Plato, CISSP, CISM President / Principal Consultant Anitian Enterprise Security www.anitian.com Fortinet Star MSSP Reseller
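A toy Python model of the actions lmuir lists and the drop-versus-reset trade-off aplato describes, added here as an example (it is not code from the thread or from Fortinet): it shows which actions leave the session in the session table, which remove it, which drop only the triggering packet, and which emit RST segments. The session keys, packet flags and the IM flow are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the IPS actions from the thread (not FortiGate code).
# A session entry is created by a SYN and looked up for every later packet.

@dataclass
class Packet:
    session: str            # constructed session key, e.g. "10.0.0.5:4444->1.2.3.4:5190"
    syn: bool = False       # True for the packet that opens the session
    matches: bool = False   # True if the packet triggers the IM signature

@dataclass
class IpsSensor:
    action: str                                  # reset, reset_client, pass_session, drop_session, clear_session, drop
    table: set = field(default_factory=set)      # session table
    blocked: set = field(default_factory=set)    # sessions under "drop session"
    passed: set = field(default_factory=set)     # sessions under "pass session"

    def handle(self, pkt: Packet) -> list:
        """Return the list of things the sensor does with this packet."""
        if pkt.syn:
            self.table.add(pkt.session)
        elif pkt.session not in self.table:
            return ["drop:no_session"]           # stateful firewall has no entry any more
        if pkt.session in self.blocked:
            return ["drop"]                       # drop session: everything after the trigger
        if pkt.session in self.passed or not pkt.matches:
            return ["forward"]                    # no further IPS checking, or no match
        return self._trigger(pkt)

    def _trigger(self, pkt: Packet) -> list:
        a = self.action
        if a == "pass_session":
            self.passed.add(pkt.session)
            return ["forward"]
        if a == "drop":
            return ["drop"]                       # session stays; the TCP peer just retransmits
        if a == "drop_session":
            self.blocked.add(pkt.session)
            return ["drop"]
        if a == "clear_session":
            self.table.discard(pkt.session)
            return ["drop", "session_removed"]
        if a == "reset_client":
            self.table.discard(pkt.session)
            return ["drop", "rst_to_client", "session_removed"]
        if a == "reset":
            self.table.discard(pkt.session)
            return ["drop", "rst_to_client", "rst_to_server", "session_removed"]
        raise ValueError(f"unknown action {a!r}")

def trace(action: str, packets: list) -> list:
    """Run one packet sequence through a fresh sensor; return the events per packet."""
    sensor = IpsSensor(action)
    return [sensor.handle(p) for p in packets]

# Constructed IM flow: handshake, a matching login packet, its retransmission, then ordinary data.
IM_FLOW = [Packet("s1", syn=True), Packet("s1", matches=True),
           Packet("s1", matches=True), Packet("s1")]
```

Comparing `trace("drop", IM_FLOW)` with `trace("drop_session", IM_FLOW)` shows why plain "drop" is weak for TCP: the session survives and the later data packet is forwarded, whereas "drop session" swallows everything after the trigger.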
Not applicable

Thank you, that helps a lot.