I have the IPS configured for the majority of my policies. I have a few things in my DMZ that are being scanned, most likely by bad actors. Is it better to just configure the IPS to drop that or block?
Drop - just drops the packet.
Block - adds that IP addr to the temp blocked site list.
Without knowing what IPS signatures are being hit, it is hard to tell.
They could be false positives.
Also, are the source IP addrs from customers or not?
How can I tell what signature is being hit? It just looks like port scans; I get alerts like the below:
Message: IPS match, Protocol: 6 Source IP: 45.146.x.x Source Port: 45522 Destination IP: x.x.x.x Destination Port: 443 Rule ID: 1138920, Action: drop Policy Name: HTTPS
Rule ID: 1138920
SSL OpenSSL X509_V_FLAG_X509_STRICT and signature_algorithms Vulnerabilities (CVE-2021-3449)
Review the info here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-3449
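A small triage script, added here as an example (it is not from WatchGuard or anyone in this thread), that parses alert lines in the format quoted above, tallies hits per Rule ID and distinct source addresses, and separates RFC 1918 (internal) sources from external ones so you can see which signatures fire and whether the traffic is coming from inside the network. The log lines below are constructed with documentation addresses; rule 1000001 and the policy name "KACE-Agents" are made up for the sample.

```python
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Pattern for the "IPS match" log line format shown in the thread.
IPS_RE = re.compile(
    r"Message: IPS match, Protocol: (?P<proto>\d+) "
    r"Source IP: (?P<src>[\d.]+) Source Port: (?P<sport>\d+) "
    r"Destination IP: (?P<dst>[\d.]+) Destination Port: (?P<dport>\d+) "
    r"Rule ID: (?P<rule>\d+), Action: (?P<action>\w+) Policy Name: (?P<policy>\S+)"
)

# Constructed sample alerts (RFC 5737 / RFC 1918 addresses, not real hosts).
# Rule 1138920 is the signature named in the thread; 1000001 is a made-up id.
SAMPLE_LOG = """\
Message: IPS match, Protocol: 6 Source IP: 203.0.113.10 Source Port: 45522 Destination IP: 192.0.2.5 Destination Port: 443 Rule ID: 1138920, Action: drop Policy Name: HTTPS
Message: IPS match, Protocol: 6 Source IP: 203.0.113.10 Source Port: 45523 Destination IP: 192.0.2.5 Destination Port: 443 Rule ID: 1138920, Action: drop Policy Name: HTTPS
Message: IPS match, Protocol: 6 Source IP: 198.51.100.7 Source Port: 51000 Destination IP: 192.0.2.5 Destination Port: 443 Rule ID: 1138920, Action: drop Policy Name: HTTPS
Message: IPS match, Protocol: 6 Source IP: 10.20.30.40 Source Port: 60001 Destination IP: 10.0.0.9 Destination Port: 443 Rule ID: 1000001, Action: block Policy Name: KACE-Agents
"""

# "Internal" here means RFC 1918 address space (10/8, 172.16/12, 192.168/16).
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_internal(ip):
    """True if the address falls in RFC 1918 private space."""
    return any(ip_address(ip) in net for net in RFC1918)

def parse_ips_alerts(text):
    """Yield one dict per IPS match line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = IPS_RE.search(line)
        if m:
            yield m.groupdict()

def summarize(text):
    """Per Rule ID: total hits, distinct source IPs, and hits from internal sources."""
    hits = Counter()
    sources = defaultdict(set)
    internal = Counter()
    for alert in parse_ips_alerts(text):
        rule = alert["rule"]
        hits[rule] += 1
        sources[rule].add(alert["src"])
        if is_internal(alert["src"]):
            internal[rule] += 1
    return {r: {"hits": n, "sources": len(sources[r]), "internal_hits": internal[r]}
            for r, n in hits.items()}

if __name__ == "__main__":
    for rule, stats in summarize(SAMPLE_LOG).items():
        print(rule, stats)
```

Feed it the IPS lines exported from Traffic Monitor or Dimension: a rule with many hits from a handful of external sources looks like scanning, while a rule whose hits are all internal (like the Kace agent case later in this thread) is a false-positive candidate to exempt rather than block.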
Okay, so is it better to just configure the IPS to drop that or block?
Better to drop as you don't know if this is a desired client access or not.
I have been getting a ton of these all over my network, so I switched the action to drop instead of block. All internal triggers have been agents getting blocked communicating to our Dell Kace management appliance. We do see triggers from external sources to our host sites as well, but haven't identified any of that as legitimate traffic yet.
I personally avoid BLOCK actions because they can end up blocking other critical information. If an IP ends up in the BLOCK category, it'll block ANY traffic to/from that host, not just the offending traffic.
In my set-ups I use Deny, and watch the IPS report in Dimension every few days to see if there's any problems trending.
WatchGuard Customer Support