Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
17g
New Contributor

Am I using IPS correctly?

Hi guys

I recently set up some IPS rules on my FortiGate and just want to make sure I am using them correctly. At my main site I have:

RDS Web - WAN-DMZ

RDS Gateway - WAN-DMZ

SIP - WAN-LAN

OWA - WAN-LAN

Mail flow - WAN-LAN

I have set up IPS sensors like this:

protect_http_server: IPS filters - Location: server - Protocol: HTTP

protect_rdp: IPS Signatures: MS.Windows.RDP.Remote.Code.Execution, MS.RDP.ActiveX.Use.After.Free, MS.Windows.RDP.ESTEEMAUDIT.Code.Execution, MS.RDP.Connection.Brute.Force

Protect_SIP: Protocol: SIP - Location - Server

protect_email_server: Protocol: SMTP, POP3, IMAP - Location - Server

I then apply the appropriate sensors to the IPv4 rules. I have been getting alerts for RDS Web, for example, so IPS is detecting stuff. Is this the correct way to be using this?

Should I be using any LAN-WAN IPS rules for standard user traffic such as web browsing?

Thanks

3 REPLIES
packetpusher
Contributor

17g

Thanks. That link was really useful and the IPS examples gave some good information.

packetpusher

Happy to help!
