Located this in the docs regarding FortiProxy.
"Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses nonstandard ports or protocols."
I am assuming that when I have an IPS sensor configured that specifies, for example, the SSH protocol, it does not care what port the traffic is using, but inspects the traffic to identify the SSH protocol.
Is there somewhere in the docs this is noted, for more than FortiProxy?
According to some tests I've done, FG's IPS blocks the known attack even on a non-standard port.
Here is the performed test:
Edit: Redoing tests and coming back.
Hello @dbeitler,
You can check this cookbook: https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/399269
If a detection can be made on the unencrypted parts (certificate, SNI, some initial headers during the unencrypted part of a handshake that establishes encryption, ...), then such a signature will work without deep-inspection.