IPS question

I have the IPS configured for the majority of my policies. I have a few things in my DMZ that are being scanned, most likely by bad actors. Is it better to just configure the IPS to drop that or to block?

Comments

  • Drop - just drops the packet.
    Block - adds that IP addr to the temp blocked site list.

    Without knowing what IPS signatures are being hit, it is hard to tell.
    They could be false positives.
    Also, are the source IP addrs from customers or not?

  • edited April 2021

    How can I tell what signature is being hit? It just looks like port scans; I get alerts like the below:

    Process: bw_driver
    Message: IPS match, Protocol: 6 Source IP: 45.146.x.x Source Port: 45522 Destination IP: x.x.x.x Destination Port: 443 Rule ID: 1138920, Action: drop Policy Name: HTTPS

  • Rule ID: 1138920

    https://securityportal.watchguard.com/threats/detail?ruleId=1138920&sigVers=4

    SSL OpenSSL X509_V_FLAG_X509_STRICT and signature_algorithms Vulnerabilities (CVE-2021-3449)

    Review the info here:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2021-3449
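
As an added example (not code from anyone in this thread), a small Python triage helper that parses IPS match messages in the format quoted above, counts hits per Rule ID and per source, builds the Security Portal lookup URL from the Rule ID, and flags sources that fall inside an assumed list of known client networks so they can be reviewed before a Block action is chosen. The sample log lines, the 198.51.100.0/24 "known client" network and rule ID 2000000 are constructed placeholders; only rule 1138920 and the portal URL pattern come from the thread.

```python
import re
import ipaddress
from collections import Counter

# Regex for the "IPS match" message format quoted in the thread above.
IPS_RE = re.compile(
    r"IPS match, Protocol: (?P<proto>\d+) Source IP: (?P<src>\S+) Source Port: (?P<sport>\d+) "
    r"Destination IP: (?P<dst>\S+) Destination Port: (?P<dport>\d+) "
    r"Rule ID: (?P<rule>\d+), Action: (?P<action>\w+) Policy Name: (?P<policy>\S+)"
)
# Signature lookup URL pattern taken from the thread; the rule ID is substituted in.
PORTAL = "https://securityportal.watchguard.com/threats/detail?ruleId={rule}&sigVers=4"

# Constructed sample log lines in that format. IPs are documentation ranges, not real
# scanners; rule 1138920 is from the thread, 2000000 is a placeholder rule ID.
SAMPLE_LOG = """\
Message: IPS match, Protocol: 6 Source IP: 203.0.113.7 Source Port: 45522 Destination IP: 192.0.2.10 Destination Port: 443 Rule ID: 1138920, Action: drop Policy Name: HTTPS
Message: IPS match, Protocol: 6 Source IP: 203.0.113.7 Source Port: 45523 Destination IP: 192.0.2.10 Destination Port: 443 Rule ID: 1138920, Action: drop Policy Name: HTTPS
Message: IPS match, Protocol: 6 Source IP: 198.51.100.20 Source Port: 51000 Destination IP: 192.0.2.10 Destination Port: 443 Rule ID: 1138920, Action: drop Policy Name: HTTPS
Message: IPS match, Protocol: 6 Source IP: 198.51.100.20 Source Port: 51001 Destination IP: 192.0.2.11 Destination Port: 443 Rule ID: 2000000, Action: drop Policy Name: HTTPS
Message: Allow 1-Trusted 0-External tcp 10.0.0.5 192.0.2.10 53011 443 (not an IPS event)
"""

# Constructed list of networks that legitimately reach the DMZ (customers, management
# tools). A signature hit from one of these is a candidate false positive.
KNOWN_CLIENT_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_ips_events(text):
    """Return one dict of fields per IPS match line; other log lines are skipped."""
    return [m.groupdict() for m in map(IPS_RE.search, text.splitlines()) if m]


def triage(events, known_nets=KNOWN_CLIENT_NETS):
    """Count hits per rule and per source, and flag sources from known networks.

    Block affects all traffic from a host, so known-network sources should be
    reviewed (signature lookup, traffic capture) before that action is chosen.
    """
    per_rule = Counter(e["rule"] for e in events)
    per_source = Counter(e["src"] for e in events)
    review_before_block = sorted(
        src for src in per_source
        if any(ipaddress.ip_address(src) in net for net in known_nets)
    )
    return {
        "per_rule": dict(per_rule),
        "per_source": dict(per_source),
        "review_before_block": review_before_block,
        "lookups": {rule: PORTAL.format(rule=rule) for rule in per_rule},
    }
```

Feed it the exported log text instead of SAMPLE_LOG and the per-rule counts plus lookup URLs answer the "which signature is being hit" question, while the review list tells you which sources would be collateral damage under Block.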

  • Okay, so is it better to just configure the IPS to drop that or to block?

  • Better to drop as you don't know if this is a desired client access or not.

  • I have been getting a ton of these all over my network, so I switched the action to drop instead of block. All internal triggers have been agents getting blocked communicating to our Dell Kace management appliance. We do see triggers from external sources to our host sites as well, but haven't identified any of that as legitimate traffic yet.

  • james.carson Moderator, WatchGuard Representative

    I personally avoid BLOCK actions because they can end up blocking other critical information. If an IP ends up in the BLOCK category, it'll block ANY traffic to/from that host, not just the offending traffic.

    In my set-ups I use Deny, and watch the IPS report in Dimension every few days to see if there are any problems trending.

    -James Carson
    WatchGuard Customer Support
