fortigate ips sensor when protocol is selected, and traffic uses a nonstandard port

dbeitler · ‎08-05-2024

Located this, in the docs regardng FortiProxy.

"Application control uses IPS protocol decoders that can analyze network traffic to detect application traffic even if the traffic uses nonstandard ports or protocols."

I am assuming that when I have an IPS sensor configured that specifies, for example, the SSH protocol, it does not care what port the traffic is using. But inspects the traffic to identify the SSH protocol.

Is there somewhere in the docs this is noted, for more than FortiProxy?

AEK · ‎08-05-2024

~~According to some test I've done, FG's IPS blocks the known attack even on a non-standard port.~~

~~Here is the performed test:~~

~~Sun.Solaris.Telnet.Remote.Authentication.Bypass on a telnet server listening on standard port 23 -> Attack blocked~~
~~Sun.Solaris.Telnet.Remote.Authentication.Bypass on a telnet server listening on non-standard port 10023 -> Attack blocked~~

Edit: Redoing tests and coming back.

AEK

HarshChavda · ‎08-05-2024

Hello @dbeitler ,

You can check this cookbook: https://docs.fortinet.com/document/fortigate/7.4.2/administration-guide/399269

rionelo · ‎08-05-2024

If a detection can be made on the unencrypted parts (certificate, SNI, some initial headers during the unencrypted part of a handshake that establishes encryption, ...), then such signature will work without deep-inspection.

https://omegle.onl/ vshare

fortigate ips sensor when protocol is selected, and traffic uses a nonstandard port

Nominate a Forum Post for Knowledge Article Creation

You are leaving our website