This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
woon_sf
Explorer
‎2021-06-29 12:08 AM

IPS protection for custom RDP port

Hi CheckMate.

Customer using customize port for the RDP connection. Which they are using port 33389 instead of 3389, I was not sure what the reason for them to do the changes. 

And recently they found the RDP brute force that detect on they internal Fortigate FW. But Checkpoint was doesn't detect any IPS log. So I was suggested them to sync the condition that using to trigger the prevention. Kindly refer the protection i was suggested them to customized. 

 

So here my question, did IPS protection able to trigger for the blocking action even the custom port was using for the RDP traffic? Or due to the custom port change for RDP connection will cause the protection won't be trigger at all?

Really appreciate if got any idea can share regard this.

 

Attach screenshot for the protection suggest customer to override action with "Prevention" and the customized condition suggest to be align with Fortigate.

 

Thanks and regard,

Woon

0 Kudos
5 Replies
Timothy_Hall
Legend Legend
Legend
‎2021-06-29 08:21 AM

For that specific IPS protection to fire I think you will need to have SSL/TLS Inspection enabled for RDP, see here:  sk154752: How to enable SSL Inspection over RDP

That IPS signature should still work even if a non-standard port is being used by RDP, is the Fortigate performing SSL/TLS inspection on RDP?

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos
woon_sf
Explorer
‎2021-06-29 08:32 PM
In response to Timothy_Hall

Thanks for reply. 

It might sound reasonable but i not too sure how the exact setting on Fortigate.

Will have a check again with customer again. 

0 Kudos
PhoneBoy
Admin
Admin
‎2021-06-29 08:19 PM

It's entirely possible this protection is only triggered on port 3389 traffic.
However, it's also possible the threshold that trigger this on a Fortinet gateway are more strict than ours.
This might be worth a TAC case.

0 Kudos
George_Ellis
Advisor
‎2021-12-17 12:29 PM

A little late to the party and saying I have not done this.  What about an import of a snort rule?

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2021-12-18 08:56 AM
In response to George_Ellis

Importing a SNORT rule could  work, but generally if you need this type of functionality it seems like the much newer Custom Threat Indicators would be preferred; they are described in the "Indicators" section here: sk92264: ATRG: Anti-Bot and Anti-Virus

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top