I recently set up some IPS rules on my FortiGate and just want to make sure I am using them correctly. At my main site I have:
RDS Web - WAN-DMZ
RDS Gateway - WAN-DMZ
SIP - WAN-LAN
OWA - WAN-LAN
Mail flow - WAN-LAN
I have set up IPS sensors like this:
protect_http_server: IPS filters - Location: server - Protocol: HTTP
protect_rdp: IPS Signatures: MS.Windows.RDP.Remote.Code.Execution, MS.RDP.ActiveX.Use.After.Free, MS.Windows.RDP.ESTEEMAUDIT.Code.Execution, MS.RDP.Connection.Brute.Force
Protect_SIP: Protocol: SIP - Location - Server
protect_email_server: Protocol: SMTP, POP3, IMAP - Location - Server
I then apply the appropriate sensors to the IPv4 rules. I have been getting alerts for RDS Web for example, so IPS is detecting stuff. Is this the correct way to be using this?
Should I be using any LAN-WAN IPS rules for standard user traffic such as web browsing?
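As an added example (not part of the thread), this is how sensors like the ones described above are expressed in the FortiOS CLI and attached to a WAN-to-DMZ policy. The interface, address and policy names are assumptions, and the numeric signature IDs that "set rule" expects are placeholders, since the thread names signatures rather than IDs.

```fortios
# Added example: filter-based sensor for the RDS Web (HTTP) server policy
config ips sensor
    edit "protect_http_server"
        set comment "Server-side HTTP signatures only"
        config entries
            edit 1
                set location server
                set protocol HTTP
                set status enable
                set action block
                set log enable
                set log-packet enable
            next
        end
    next
    # Signature-based sensor for RDS Gateway. "set rule" takes numeric IDs;
    # the values below are placeholders, look the real IDs up in the IPS signature list
    edit "protect_rdp"
        config entries
            edit 1
                set rule <RDP_RCE_ID> <RDP_ACTIVEX_UAF_ID> <ESTEEMAUDIT_ID> <RDP_BRUTE_FORCE_ID>
                set action block
                set log enable
            next
        end
    next
end
# Attach the sensor to the inbound policy; utm-status must be enabled
# or the sensor is never evaluated (assumed interface/address names)
config firewall policy
    edit 10
        set name "WAN-DMZ-RDS-Web"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "RDS-Web-VIP"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ips-sensor "protect_http_server"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic all
    next
end
```

Without an SSL inspection profile on the policy the HTTPS side of RDS Web is only matched on what is visible in the TLS handshake, so signature hits on that service will be limited to the plaintext HTTP traffic.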
I would start with reading http://help.fortinet.com/fos50hlp/54/Content/FortiOS/fortigate-security-profiles-54/IPS/ips_chapter.... . That should answer your question.
Thanks. That link was really useful and the IPS examples gave some good information.
Happy to help!
Copyright 2023 Fortinet, Inc. All Rights Reserved.