I'm trying to figure out what could be the best solution to block access attempts to our SFTP server on a specific port (type 2222). The Dos policy seems to me a valid option, except that it presents some problems: putting a high enough threshold does not mean that all attacks are correctly intercepted. Conversely, putting a threshold too low can lead to false negatives. Could it be a solution to create a custom signature? In case I should somehow decrypt the traffic or am I wrong? How could this be done in your opinion?
IPS engine marks traffic based on packet content instead of port mapping, unless a specific port is specified in the signature (it is not in this one) therefore if traffic is ftp it should match regardless of the port number.
Now since you ask for FTPS, you will have to configure your ssl inspection profile accordingly and since it will be in "protect server mode" if you are protecting a server, you can only do this part in CLI, for example:
config firewall ssl-ssh-profile edit "test" config ftps set ports 2222 set status deep-inspection end set server-cert-mode replace set server-cert "test_cert" next end
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.