Support Forum
alejandro_castilloh

Detect vulnerability scans

Hi, I need a solution to detect and block when someone is doing a vulnerability scan on my network. I have a FortiGate 1500D and a FortiAnalyzer 1000D. Can I achieve this with my products? How? What other solutions are there?

fernandezm_FTNT

This COULD be a trick question in a sense. Some vulnerability scans are done in a stealthy manner, while some are not. The best practice is to have IPS enabled on your policies and ensure that your notifications on the FAZ are set correctly. One thing to note: if you have a bunch of IPS profiles assigned to different policies, this will be for traffic THROUGH the 1500D, not TO the 1500D. For this, you will need to assign an 'interface policy' on the WAN side(s) of your 1500D. This will protect traffic TO the FortiGate.

As I mentioned in other responses here, you can quarantine the "offenders" (aka your vulnerability partner), but this may not give you good visibility into your vulnerabilities in general. However, it would stop them dead in their tracks, which may or may not be the desired outcome. Check out the article I wrote last year.

Unrelated but related. I have worked on all three sides of an assessment: red, blue and the manufacturer. I cannot tell you how many times I heard the assessor tell me or my customer, "Can you whitelist these IP addresses that we will be coming from...?" "Really?" I tell them. That is like me challenging you to enter my house and telling you where the spare key is, where the alarm code is written, the alarm company pass code and my dog's favorite treats. Make them work for their money.

Manny Fernandez | Team Lead Systems Engineering, Commercial SE, Miami | @secprimate | fernandezm@fortinet.com | www.infosecmonkey.com
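The following FortiOS CLI fragment is an added example of the two things the reply above describes, an IPS sensor applied to a regular firewall policy (traffic THROUGH the FortiGate) and the same sensor applied via an interface policy (traffic TO the FortiGate), with attacker quarantine turned on. It is not configuration from the original post or from Fortinet; the sensor name, policy IDs, interface names ("wan1", "dmz"), the address group "dmz-servers", the severity filter and the 1h quarantine duration are all assumptions for illustration, and the keyword syntax is the FortiOS 6.x/7.x form, so check it against the release your 1500D is running.

```text
# --- 1. IPS sensor that logs, blocks and quarantines the source host ---
# Assumed name "block-scanners". Matching on severity rather than on a
# list of rule IDs keeps the sensor valid as signatures are added by FortiGuard.
config ips sensor
    edit "block-scanners"
        set comment "Block and quarantine hosts tripping medium+ IPS signatures"
        config entries
            edit 1
                set severity medium high critical
                set status enable
                set log enable
                set log-packet enable
                set action block
                set quarantine attacker
                set quarantine-expiry 1h
                set quarantine-log enable
            next
        end
    next
end

# --- 2. Firewall policy: protects traffic THROUGH the FortiGate ---
# Assumed: inbound from wan1 to a DMZ segment, address group "dmz-servers".
# utm-status must be enabled or the ips-sensor setting is ignored.
config firewall policy
    edit 10
        set name "inbound-dmz"
        set srcintf "wan1"
        set dstintf "dmz"
        set srcaddr "all"
        set dstaddr "dmz-servers"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "block-scanners"
        set logtraffic all
    next
end

# --- 3. Interface policy: protects traffic TO the FortiGate itself ---
# Bound to the ingress interface, not to a src/dst interface pair, so it also
# sees packets aimed at the unit's own management and VPN listeners.
config firewall interface-policy
    edit 1
        set comment "IPS on traffic destined to the 1500D on wan1"
        set interface "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set logtraffic all
        set ips-sensor-status enable
        set ips-sensor "block-scanners"
    next
end
```

Repeat step 3 once per WAN interface. Quarantined sources can be listed with `diagnose user quarantine list` and removed early with `diagnose user quarantine delete src4 <ip>` if the "offender" turns out to be your own scanner; as the reply notes, quarantining a legitimate assessment cuts the scan short and so also cuts short the findings you were paying for.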
ThomasK

Great info, but the link is dead. Do you have the right one?
