Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
fjulianom
New Contributor III

How to protect clients and servers with IPS?

Hi guys,

I have a FortiGate and three firewall policies: one for the communication from clients (laptops) to servers, one for the communication from servers to clients, and one for Internet access from clients to the Internet:

Clients --> Servers

Servers --> Clients

Clients --> Internet

I have configured two IPS profiles for protecting clients (target: client) and servers (target: server), called "protect_client" and "protect_server" respectively.

Which IPS profiles do I have to use in each policy?

Regards,

Julián

1 Solution
Dave_Hall
Honored Contributor

Generally, you will want to place an IPS sensor (profile) on traffic originating from internal to WAN (or your Internet, e.g. client browsing). If you have servers facing or accessing the Internet, you will want to apply an IPS sensor to that traffic too (e.g. internal server -> WAN (or Internet)).

Generally, in my personal experience I have never seen IPS applied to internal traffic communications; usually server/client computers have (or should have) security/firewall mechanisms in place to prevent or log such incidents. And if I have any say in the matter, I would rather see all outside mobile devices blocked from accessing your internal network.

Also keep in mind that IPS (and other security policies) on the FortiGate can only be applied to traffic crossing an "interface" (e.g. LAN->WAN, WAN->LAN, LAN->DMZ, etc.).

NSE4/FMG-VM64/FortiAnalyzer-VM/6.0 (FWF30E/FW92D/FGT200D/FGT101E/FGT81E)/ FAP220B/221C

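An added example, not from the thread and not Fortinet's own documentation, showing how the accepted answer maps onto the three policies from the question as FortiOS CLI. The sensor names come from the question; the interface names (internal, dmz, wan1), the address objects (Clients, Servers) and the policy IDs are assumptions.

```fortios
# Added example (not from the thread): where the two sensors from the
# question land, following the answer above.
# Assumed: interfaces internal (clients), dmz (servers), wan1 (Internet);
# address objects Clients and Servers; policy IDs 10/20/30.
config firewall policy
    # Clients -> Internet. Clients initiate, so the client-targeted sensor
    # inspects what Internet servers send back to them.
    edit 10
        set name "Clients-to-Internet"
        set srcintf "internal"
        set dstintf "wan1"
        set srcaddr "Clients"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "no-inspection"   # without deep inspection, TLS payloads are not seen by IPS
        set ips-sensor "protect_client"
        set logtraffic utm
        set nat enable
    next
    # Internet -> Servers, only if a server is actually published to the
    # Internet (typically through a VIP). Server-targeted signatures inspect
    # the inbound requests.
    edit 20
        set name "Internet-to-Servers"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "Servers"     # or the VIP object that publishes the server
        set action accept
        set schedule "always"
        set service "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "no-inspection"
        set ips-sensor "protect_server"
        set logtraffic utm
    next
    # Clients -> Servers on the inside: per the answer, no sensor here; the
    # hosts' own controls cover this segment. Same for Servers -> Clients.
    edit 30
        set name "Clients-to-Servers"
        set srcintf "internal"
        set dstintf "dmz"
        set srcaddr "Clients"
        set dstaddr "Servers"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
    next
end
```

Policy 20 only exists if a server is reachable from the Internet; if nothing is published, the protect_server sensor has no inbound policy to sit on.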
3 Replies
fjulianom
New Contributor III

Hi guys,

Any idea?

Regards,

Julián

fjulianom
New Contributor III

Hi Dave,

Thanks for your interest. When you say "Generally, in my personal experience I have never seen IPS applied to internal traffic communications; usually server/client computers have (or should have) security/firewall mechanisms in place to prevent or log such incidents", does that mean that the built-in security/firewall mechanisms of servers/clients work well only for internal communications, but not from WAN to LAN?

Regards,

Julián
