“IPS Is On but CPU Is at 100%, Should I Turn It Off?”
A common misconception in IT: “IPS is killing performance, I'll turn it off.”
The right approach: IPS gets tuned. The default sensor has all 18,000+ signatures active → the CPU struggles. Critical signatures + your specific needs = the right balance.
Quick Fix (TL;DR)
- Security Profiles > IPS Sensor > + Create
- Filter: Severity = Critical + High
- Category: Specific (Server: SQL injection, XSS, RCE)
- Client-side attacks: Browser-based (Java, Flash CVEs)
- Performance: reasonable scan timeout, acceptable packet loss under load
- Attach the sensor to the policy
10:00 — Default Sensor Analysis
The default IPS sensor:
- All 18K+ signatures active
- Every severity (info → critical)
- Every category
- Every packet inspected
Impact: CPU at 50-70%, latency +15 ms, high memory usage.
Most of these signatures are irrelevant — info-level, noise, or for old/disabled software.
10:10 — Custom Sensor
Security Profiles > IPS Sensor > + Create:
📸 Screenshot 1 — IPS Sensor
Name: “Corp-IPS-Tuned”
IPS Signatures and Filters:
Add Filter:
  Severity: Critical, High
  Target: Server (server-protecting signatures)
  OS: Windows, Linux
  Protocol: HTTP, HTTPS, SMB, RDP
  Action: Block
Add Filter:
  Severity: Critical
  Target: Client (client-side browser exploits)
  Action: Block
Add Filter (selective):
  Application: specific (MSSQL, Apache, WordPress)
  Action: Block
With this tuning, ~3000 signatures are active. The performance delta is minimal.
10:25 — Signature Override
Enabling/disabling specific signatures:
📸 Screenshot 2 — Signature
Search: “Log4j”
Multiple CVE-2021-44228 signatures are listed
Select all → Action: Block (Log4Shell — critical)
Or for a false positive:
- Signature: “Apache.HTTP.Server.Directory.Traversal”
- An internal Apache server keeps triggering it as a false positive
- Override: Disable (for this signature only)
10:40 — Rate-Based Thresholds
For brute force / DDoS:
config ips sensor
    edit "Corp-IPS-Tuned"
        config entries
            edit 1
                set severity critical high
                set rate-count 100
                set rate-duration 60
                set rate-mode periodical
                set rate-track src-ip
            next
        end
    next
end
100 attempts / 60 seconds → the source IP is tracked and blocked.
Monitoring
Security Fabric > IPS:
- Daily events: ~200-500 is normal
- Critical blocks: <10
- Top source IPs (repeat attackers)
- Top signatures triggered
Anomaly detection:
A signature triggered > 10,000 times/day from a single IP
→ Active attack, block immediately
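To make the rate-based entry above concrete, here is an added Python model of what "100 matches in 60 seconds, tracked per source IP" means; it is an illustration written for this article, not FortiOS code, and the IP addresses and timings are constructed sample data. It also shows the edge case the threshold does not catch: a slow scanner that stays under 100 matches per window is never blocked, which is why the daily monitoring counters below still matter.

```python
from collections import defaultdict, deque

RATE_COUNT = 100      # mirrors "set rate-count 100"
RATE_DURATION = 60    # mirrors "set rate-duration 60" (seconds)


class SrcIpRateTracker:
    """Sliding-window counter per source IP (assumed model of 'rate-track src-ip').

    Each signature match from an IP is timestamped; when the number of matches
    inside the last RATE_DURATION seconds reaches RATE_COUNT, the IP is blocked.
    """

    def __init__(self, rate_count=RATE_COUNT, rate_duration=RATE_DURATION):
        self.rate_count = rate_count
        self.rate_duration = rate_duration
        self.windows = defaultdict(deque)   # src_ip -> timestamps still inside the window
        self.blocked = {}                   # src_ip -> timestamp at which it crossed the threshold

    def observe(self, ts, src_ip):
        """Record one match from src_ip at time ts (seconds). Returns True if src_ip is blocked."""
        if src_ip in self.blocked:
            return True
        window = self.windows[src_ip]
        window.append(ts)
        # drop matches that fell out of the 60-second window
        while window and ts - window[0] >= self.rate_duration:
            window.popleft()
        if len(window) >= self.rate_count:
            self.blocked[src_ip] = ts
            return True
        return False


def replay(events, **kwargs):
    """Feed (timestamp, src_ip) events through the tracker; return {blocked_ip: block_time}."""
    tracker = SrcIpRateTracker(**kwargs)
    for ts, src_ip in events:
        tracker.observe(ts, src_ip)
    return dict(tracker.blocked)


def constructed_events():
    """Constructed sample traffic (hypothetical addresses from RFC 5737 ranges)."""
    events = []
    # brute forcer: 150 matches at 5 per second, i.e. 100 matches after 19 seconds
    events += [(t // 5, "203.0.113.5") for t in range(150)]
    # slow scanner: 1 match per second for 200 s, never more than 60 per window
    events += [(t, "192.0.2.9") for t in range(200)]
    # legitimate host: 10 matches spread 30 s apart
    events += [(t * 30, "198.51.100.7") for t in range(10)]
    return sorted(events)


if __name__ == "__main__":
    print(replay(constructed_events()))   # only 203.0.113.5 is blocked, at t=19
```

The sliding window is one reasonable reading of "periodical" rate mode; the point the model makes is that the threshold reacts to bursts, so the `rate-count` and `rate-duration` values need to sit above your busiest legitimate client but below what a brute-force tool produces.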
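The monitoring numbers above (daily event volume, critical blocks, top source IPs, top signatures, and the ">10,000 triggers/day from one IP" rule) can be produced from the IPS logs themselves. The following Python is an added example for this article, not FortiGate code: it parses key=value log lines in the general shape FortiGate emits (`subtype="ips"`, `srcip=`, `attack=`, `severity=`, `action=`; the exact field set is an assumption) and computes those counters. The log lines are constructed sample data, including a scanner that trips the anomaly rule.

```python
import re
from collections import Counter

DAILY_ANOMALY_THRESHOLD = 10_000   # the "> 10,000 triggers/day from a single IP" rule
BLOCKING_ACTIONS = {"dropped", "reset"}   # assumed set of actions that mean the IPS blocked the session

# key=value pairs, values either quoted or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_ips_log(line):
    """Turn one key=value log line into a dict, with quotes stripped from values."""
    return {key: value.strip('"') for key, value in KV_RE.findall(line)}


def summarize(lines, top_n=5, anomaly_threshold=DAILY_ANOMALY_THRESHOLD):
    """Build the dashboard counters from one day of log lines."""
    by_src = Counter()
    by_sig = Counter()
    critical_blocks = 0
    for line in lines:
        rec = parse_ips_log(line)
        if rec.get("subtype") != "ips":        # skip webfilter, AV, traffic logs, etc.
            continue
        by_src[rec["srcip"]] += 1
        by_sig[rec["attack"]] += 1
        if rec.get("severity") == "critical" and rec.get("action") in BLOCKING_ACTIONS:
            critical_blocks += 1
    return {
        "events": sum(by_src.values()),
        "critical_blocks": critical_blocks,
        "top_src": by_src.most_common(top_n),
        "top_sig": by_sig.most_common(top_n),
        # IPs over the daily threshold: treat as an active attack and block at the policy
        "anomalies": sorted(ip for ip, n in by_src.items() if n > anomaly_threshold),
    }


def constructed_day():
    """Constructed sample log lines (not real device output; RFC 5737 addresses)."""
    tmpl = ('date=2024-01-15 time=10:{m:02d}:{s:02d} type="utm" subtype="{sub}" '
            'eventtype="signature" severity="{sev}" srcip={src} dstip=10.0.0.20 '
            'dstport=80 proto=6 service="HTTP" attack="{sig}" action="{act}"')
    lines = []
    # scanner: 10,001 hits of one signature from a single external IP
    for i in range(10_001):
        lines.append(tmpl.format(m=(i // 60) % 60, s=i % 60, sub="ips", sev="high",
                                 src="203.0.113.5",
                                 sig="Apache.HTTP.Server.Directory.Traversal", act="dropped"))
    # three critical blocks from another host (signature name is a sample value)
    for i in range(3):
        lines.append(tmpl.format(m=11, s=i, sub="ips", sev="critical", src="198.51.100.7",
                                 sig="Apache.Log4j.Error.Log.Remote.Code.Execution", act="dropped"))
    # the internal Apache server false positive mentioned above, only detected
    lines.append(tmpl.format(m=12, s=0, sub="ips", sev="high", src="10.0.0.30",
                             sig="Apache.HTTP.Server.Directory.Traversal", act="detected"))
    # a non-IPS log line that must be ignored
    lines.append(tmpl.format(m=12, s=1, sub="webfilter", sev="low", src="10.0.0.31",
                             sig="n/a", act="passthrough"))
    return lines


if __name__ == "__main__":
    for key, value in summarize(constructed_day()).items():
        print(f"{key}: {value}")
```

Run it over a real day's export and the `anomalies` list is the set of IPs to block outright; `top_sig` is also where a signature with thousands of hits from internal addresses shows up, which is the cue for the override/disable step rather than a block.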
Performance Metrics
diagnose ips stats show
Output:
- Packets processed
- Drops due to a full buffer
- Average latency added
Acceptable:
- Latency +5-15 ms
- Throughput -10-20%
If it is worse than that:
- Fewer signatures
- A more powerful FortiGate model
- Offload (ASIC-based where available)
Need expert support for IPS deployment + threat hunting? Book a technical consultation.