I am not new to the FortiGate line of routers, but I have questions regarding IPS and how/when to implement it.
If I am configuring a new FortiGate router for a client that has a small office network with a domain server (i.e., 10 PCs / 1 DC), how should IPS be implemented... if need be? The port forwards that would be set up for the server would be port 80 and port 443, and nothing for the desktop clients except maybe RDP access.
#1 Would it be needed?
#2 Would I just apply the default IPS filter on the WAN-to-LAN policy for the port forward?
The smaller desktop models don't have a content processor, so the throughput will be kind of low if you apply IPS on any model below the 100D.
That, however, is usually a fair price to pay.
I would say that you should always apply IPS/AV on incoming traffic from the internet if possible, but create custom profiles with a narrowed-down scope of signatures. If you have a web server running Linux and Apache, create an IPS profile that filters out everything BUT Linux server and Apache web server signatures.
Try not to use the default filter at all, since it has to check the traffic against everything. Narrowing down what is checked is good practice when your resources aren't unlimited...
If you don't have any incoming traffic from the internet, create a custom profile that protects your AD server, maybe?
You still need to have the servers and the users on different networks for it to work. Users and servers on the same network segment is not good practice, since they will be able to reach each other without going through the firewall at all.
It is possible to use proxy ARP in the firewall, etc., but the simplest and safest solution is to keep users and servers on different VLANs and networks.
The same goes for outgoing traffic to the internet. Create an IPS policy for Windows clients and apply it to the outgoing traffic. Check your CPU and RAM usage. If it peaks/flatlines, you need to cut back on something. But as I said in the beginning, it all depends on your FortiGate model.
On my lab 51E, traffic speed drops to around 60 Mbit/s with AV/IPS on. Depending on your ISP speed, that might or might not be OK for you. The 600D at one of my clients can push over 4 Gbit/s with IPS on, and they have 100 Mbit internet... So, they apply IPS/AV to just about everything.
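As an added example (not part of kallbrandt's post or any Fortinet documentation), the following is what the advice above looks like in FortiOS CLI syntax: a separate server VLAN so user-to-server traffic actually crosses the firewall, a narrowed-down IPS sensor for the published Linux/Apache web server, a narrowed-down sensor for outbound Windows client traffic, the port-forward VIPs, and the two policies that use them. Interface names (wan1, internal, srv-vlan), VLAN ID, addresses (203.0.113.10, 192.168.20.5), sensor and profile names are all assumptions; the exact filter keywords under `config entries` vary between FortiOS releases, so check them against your firmware's CLI reference.

```fortios
# Added example, not from the thread. Interface names, VLAN ID, addresses,
# sensor and profile names are assumptions for illustration only.

# 1. Servers on their own VLAN/subnet so users must pass the firewall to reach them
config system interface
    edit "srv-vlan"
        set vdom "root"
        set ip 192.168.20.1 255.255.255.0
        set allowaccess ping
        set interface "internal"
        set vlanid 20
    next
end

# 2. Narrowed IPS sensor for the web server: server-side Linux/Apache signatures only
config ips sensor
    edit "ips-web-linux-apache"
        config entries
            edit 1
                set location server
                set os Linux
                set application Apache
                set severity medium high critical
                set status enable
                set log enable
            next
        end
    next
end

# 3. Narrowed IPS sensor for the desktops: client-side Windows signatures only
config ips sensor
    edit "ips-win-clients"
        config entries
            edit 1
                set location client
                set os Windows
                set severity medium high critical
                set status enable
                set log enable
            next
        end
    next
end

# 4. Port forwards (VIPs) for 80 and 443 to the web server on the server VLAN
config firewall vip
    edit "vip-web-http"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set extport 80
        set mappedip "192.168.20.5"
        set mappedport 80
    next
    edit "vip-web-https"
        set extintf "wan1"
        set extip 203.0.113.10
        set portforward enable
        set extport 443
        set mappedip "192.168.20.5"
        set mappedport 443
    next
end

# 5. WAN -> server policy with the narrowed sensor instead of the default one,
#    and LAN -> WAN policy for the desktops with the Windows client sensor
config firewall policy
    edit 10
        set name "wan-to-web"
        set srcintf "wan1"
        set dstintf "srv-vlan"
        set srcaddr "all"
        set dstaddr "vip-web-http" "vip-web-https"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ips-sensor "ips-web-linux-apache"
        set av-profile "default"
        set ssl-ssh-profile "protect-web-server"
        set logtraffic all
    next
    edit 11
        set name "clients-to-internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
        set utm-status enable
        set ips-sensor "ips-win-clients"
        set av-profile "default"
        set ssl-ssh-profile "certificate-inspection"
        set logtraffic utm
    next
end

# 6. Watch CPU and memory after enabling inspection, as the post suggests
get system performance status
diagnose sys top 5 20
```

Two caveats a practitioner should keep in mind. First, IPS can only match signatures in traffic it can read: on the inbound 443 policy the `protect-web-server` name stands for an SSL/SSH profile of your own (assumed here) that does deep inspection with the web server's own certificate and private key loaded, otherwise the sensor sees only the TLS handshake and the Apache signatures never fire. Second, the `get system performance status` output is the quick check for the "peaks/flatlines" condition described above; if CPU sits near 100% under normal load after turning IPS on, widen the severity filter to `high critical` only or drop AV from the policy before dropping IPS entirely.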
I agree with kallbrandt, and I'd like to add that you'll get the best performance from the 300D, which with its NP6 is able to fully offload IPS traffic (for this reason the IPS Enterprise Mix throughput of a 200D is 350 Mbps and of a 300D is 2 Gbps).