Hi all,
Have a couple networks/VLANs behind an Untangle gateway and need to port forward HTTP & HTTPS (TCP ports 80 & 443) in to a web server. So we'd like to enable Intrusion Prevention. Turning that on with all the default settings gives a ton of events that I don't think matter at all. For example, SSH attempts on port 22 (closed / not forwarded inbound) and 1433 (RDP closed / not forwarded). Would it generally be preferable to:
A) Switch IPS to "After other network processing" which would presumably allow NAT/PAT forwarding (or lack thereof) to effectively filter things like RDP inbound before IPS even sees them.
B) Modify the enabled IPS rules with an additional criterion of destination port 80 and port 443? (shows 84 rules logging)
C) Something else?
Basically, we'd like the IPS protection on inbound to the web server, but don't want to have a needle-in-a-haystack situation with IPS log/reporting.