fjulianom
2017/12/04 08:55:13 (permalink)

IPS from LAN to WAN

Hi guys,
 
I wonder if enabling IPS in the direction LAN --> WAN is necessary or not in order to protect my PCs against attacks. I mean enabling IPS from LAN to Internet, like this:
 

 
Is it ok?
 
Regards,
Julián

#1
tanr
Re: IPS from LAN to WAN 2017/12/04 12:30:13 (permalink)
The short answer is yes. Enabling IPS on the outbound policy should protect the sessions that are initiated by that policy. In general you should not have a wan --> lan policy.
#2
fjulianom
Re: IPS from LAN to WAN 2017/12/04 14:08:45 (permalink)
Hi tanr,
 
Ok, thank you. I also have enabled IPS in a WAN --> LAN policy in order to protect the customer servers, because the customer is using Virtual IPs and Destination NAT to access some servers remotely. I just wanted to be sure because some colleagues told me that I only needed to enable the IPS in the WAN --> LAN direction and not in the LAN --> WAN direction. Then I wondered, how will I protect the hosts against attacks initiated from outside? And as you said, enabling IPS on the outbound policy should protect the sessions that are initiated by that policy (therefore by the hosts).
 
Many thanks!
Julián
#3
tanr
Re: IPS from LAN to WAN 2017/12/04 16:27:54 (permalink)
Correct.  As long as your wan --> lan policy is just for the VIPs and has its own protection profiles that should be fine.
 
BTW, if as part of your WAN --> LAN rules you have a DENY policy that involves VIPs, you should check that it has match-vip enable.  Otherwise it is possible that those rules won't be matched.  http://socpuppet.blogspot.com/2016/02/this-is-reminder-for-set-match-vip.html 
 
I hope it goes well for you.
#4
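Added example, not part of the thread and not Fortinet's own code: a small audit over a FortiOS-style `config firewall policy` block that flags accept policies with no IPS sensor and deny policies without `match-vip enable`, the two points raised in the posts above. The sample config, policy ids, interface names and object names are constructed, and treating an omitted `action` as deny is an assumption.

```python
import re

# Constructed sample in FortiOS policy syntax; ids and object names are made up.
SAMPLE = '''config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set action accept
        set ips-sensor "default"
    next
    edit 2
        set srcintf "wan1"
        set dstintf "lan"
        set dstaddr "vip-web"
        set action accept
    next
    edit 3
        set srcintf "wan1"
        set dstintf "lan"
        set action deny
    next
    edit 4
        set srcintf "wan1"
        set dstintf "lan"
        set action deny
        set match-vip enable
    next
end'''

def parse_policies(text):
    """Return {policy_id: {setting: value}} from a firewall policy block."""
    policies, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if m := re.fullmatch(r"edit (\d+)", line):
            current = policies.setdefault(int(m.group(1)), {})
        elif current is not None and (m := re.fullmatch(r"set (\S+) (.+)", line)):
            current[m.group(1)] = m.group(2).strip('"')
    return policies

def audit(policies):
    """Flag accept policies lacking IPS and deny policies lacking match-vip."""
    findings = []
    for pid, p in sorted(policies.items()):
        action = p.get("action", "deny")  # assumption: omitted action means deny
        if action == "accept" and "ips-sensor" not in p:
            findings.append((pid, "accept policy without ips-sensor"))
        elif action == "deny" and p.get("match-vip") != "enable":
            findings.append((pid, "deny policy without match-vip enable"))
    return findings

print(audit(parse_policies(SAMPLE)))
```

Policy 3 is flagged for review only; whether it needs `match-vip` depends on whether it is meant to cover traffic destined to VIPs.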
fjulianom
Re: IPS from LAN to WAN 2017/12/05 05:40:41 (permalink)
Ok, thanks for the reminder and your interest!
 
Regards,
Julián
#5