IPS enabled in firewall policies can only inspect the traffic pass through FortiGate unit, not the traffic destined to FortiGate unit. Enabling IPS in interface-policy allows IPS to pick up any packet on the interface so it is able to inspect attacks targeting FGT.
One thought on “Traffic destined to the FortiGate unit”
Mike Butash
I’d be interested in hearing your experience in applying policies to filter traffic destined to the fortigate itself.
Case in point, I had a customer getting random connections to udp/500 for ike from random hosts scanning the internet, which would generate an ipsec alarm, where normally the customer wants those for a vpn going down. All attempts to filter traffic via firewall policy or even local-in to the fortigate from unknown peers proved fruitless, and even fortinet couldn’t give me a real answer how to accomplish this. I’d also love to filter those stupid 8008 and 8010 ports that fortinet infamously loves to leave open for no good reason.
I’d be interested in hearing your experience in applying policies to filter traffic destined to the fortigate itself.
Case in point, I had a customer getting random connections to udp/500 for ike from random hosts scanning the internet, which would generate an ipsec alarm, where normally the customer wants those for a vpn going down. All attempts to filter traffic via firewall policy or even local-in to the fortigate from unknown peers proved fruitless, and even fortinet couldn’t give me a real answer how to accomplish this. I’d also love to filter those stupid 8008 and 8010 ports that fortinet infamously loves to leave open for no good reason.