Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
woon_sf
Explorer

IPS protection for custom RDP port

Hi CheckMate.

Customer using customize port for the RDP connection. Which they are using port 33389 instead of 3389, I was not sure what the reason for them to do the changes. 

And recently they found the RDP brute force that detect on they internal Fortigate FW. But Checkpoint was doesn't detect any IPS log. So I was suggested them to sync the condition that using to trigger the prevention. Kindly refer the protection i was suggested them to customized. 

 

So here my question, did IPS protection able to trigger for the blocking action even the custom port was using for the RDP traffic? Or due to the custom port change for RDP connection will cause the protection won't be trigger at all?

Really appreciate if got any idea can share regard this.

 

Attach screenshot for the protection suggest customer to override action with "Prevention" and the customized condition suggest to be align with Fortigate.

 

Thanks and regard,

Woon

0 Kudos
5 Replies
Timothy_Hall
Legend Legend
Legend

For that specific IPS protection to fire I think you will need to have SSL/TLS Inspection enabled for RDP, see here:  sk154752: How to enable SSL Inspection over RDP

That IPS signature should still work even if a non-standard port is being used by RDP, is the Fortigate performing SSL/TLS inspection on RDP?

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
woon_sf
Explorer

Thanks for reply. 

It might sound reasonable but i not too sure how the exact setting on Fortigate.

Will have a check again with customer again. 

0 Kudos
PhoneBoy
Admin
Admin

It's entirely possible this protection is only triggered on port 3389 traffic.
However, it's also possible the threshold that trigger this on a Fortinet gateway are more strict than ours.
This might be worth a TAC case.

0 Kudos
George_Ellis
Advisor

A little late to the party and saying I have not done this.  What about an import of a snort rule?

0 Kudos
Timothy_Hall
Legend Legend
Legend

Importing a SNORT rule could  work, but generally if you need this type of functionality it seems like the much newer Custom Threat Indicators would be preferred; they are described in the "Indicators" section here: sk92264: ATRG: Anti-Bot and Anti-Virus

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events