I’m trying to check if my Intrusion Prevention System is correctly configured and working because it seems that it is not functioning properly. I performed an nmap scan from my green network against the red zone. I received IPS logs, but I could still reach the information with nmap, and I don’t have the monitoring-only option enabled.
Nmap scan from green zone against red zone:
In the direction green → red0 (→ WAN), traffic is allowed by the firewall, so the ports should be open.
The IPS blocks distinct connections according to its rules. How the rules work isn't obvious; mainly thresholds, triggering packet contents, …
On the other hand, it is not obvious which packets are sent by nmap.
To check the effectiveness of the IPS in this scenario, you must know the set of nmap packets (they can be captured by tcpdump or tshark, e.g.) and examine the reaction of the IPS to these packets.
If your red IP is 192.168.1.3, the IPS logs show (some) of the nmap packets as blocked.
If you want to measure the effectiveness of the IPS (for the WAN), a test from LAN isn't really suitable. On the WAN side the IPS can rely on the general FW rules also. An IPS rule may not match packets caught by a FW rule.
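One way to do the comparison the answer describes (capture the nmap probes, then check what the IPS did with each one) is to correlate the probe list with the IPS log per destination port. The script below is an added example, not code from the thread or from any firewall project. It assumes the IPS writes Suricata-style fast.log lines, where a blocked packet carries a `[Drop]` marker and an alert-only packet carries none, and that the probe list was exported with `tshark -T fields` as tab-separated `ip.src`, `ip.dst`, `tcp.dstport`, `tcp.flags.str`. Both inputs are constructed sample data embedded inline; the rule sids and messages are placeholders, and the green/red addresses are assumed.

```python
"""Correlate captured nmap probes with IPS log lines, per destination port.

Added example (not from the original thread). Assumptions:
  * probe list = `tshark -r scan.pcap -T fields -e ip.src -e ip.dst
    -e tcp.dstport -e tcp.flags.str` (tab separated, one probe per line)
  * IPS log = Suricata-style fast.log; "[Drop]" marks a blocked packet,
    a line without it is an alert that let the packet through
"""
import re

# Constructed sample: four SYN probes from the green host 192.168.2.10
# against the red IP 192.168.1.3 (addresses are assumptions).
PROBES = """\
192.168.2.10\t192.168.1.3\t22\tS
192.168.2.10\t192.168.1.3\t80\tS
192.168.2.10\t192.168.1.3\t3306\tS
192.168.2.10\t192.168.1.3\t445\tS
"""

# Constructed sample fast.log lines; sids and rule messages are placeholders.
FAST_LOG = """\
03/15/2024-10:22:01.123456  [Drop] [**] [1:9000001:1] EXAMPLE SCAN probe to 3306 [**] [Classification: Potentially Bad Traffic] [Priority: 2] {TCP} 192.168.2.10:45321 -> 192.168.1.3:3306
03/15/2024-10:22:01.223456  [**] [1:9000002:1] EXAMPLE SCAN probe to 445 [**] [Classification: Misc activity] [Priority: 3] {TCP} 192.168.2.10:45322 -> 192.168.1.3:445
"""

FAST_LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+"
    r"(?:\[(?P<action>\w+)\]\s+)?"          # optional "[Drop]" / "[wDrop]"
    r"\[\*\*\]\s+\[(?P<gid>\d+):(?P<sid>\d+):(?P<rev>\d+)\]\s+"
    r"(?P<msg>.*?)\s+\[\*\*\].*?"
    r"\{(?P<proto>\w+)\}\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_probes(text):
    """Parse tshark field output into (src, dst, dport, flags) tuples."""
    probes = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, dport, flags = line.split("\t")
        probes.append((src, dst, int(dport), flags))
    return probes


def parse_fast_log(text):
    """Parse fast.log lines into dicts; unparseable lines are skipped."""
    alerts = []
    for line in text.splitlines():
        m = FAST_LOG_RE.match(line)
        if m:
            d = m.groupdict()
            d["dport"] = int(d["dport"])
            alerts.append(d)
    return alerts


def correlate(probes, alerts):
    """Return {dport: verdict} for every probed port.

    verdict is "dropped" (IPS blocked it), "alerted-only" (IPS logged it but
    let it pass, i.e. monitoring behaviour) or "no-alert" (no rule matched,
    so the packet reached the target unchallenged).
    """
    verdicts = {}
    for src, dst, dport, _flags in probes:
        hits = [a for a in alerts
                if a["src"] == src and a["dst"] == dst and a["dport"] == dport]
        if any(a["action"] == "Drop" for a in hits):
            verdicts[dport] = "dropped"
        elif hits:
            verdicts[dport] = "alerted-only"
        else:
            verdicts[dport] = "no-alert"
    return verdicts


def report(probes, alerts):
    """Human-readable summary of the correlation."""
    verdicts = correlate(probes, alerts)
    lines = [f"port {p:>5}: {v}" for p, v in sorted(verdicts.items())]
    unchallenged = sorted(p for p, v in verdicts.items() if v != "dropped")
    lines.append(f"probed ports not blocked by the IPS: {unchallenged}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(parse_probes(PROBES), parse_fast_log(FAST_LOG)))
```

On a real run, replace the two embedded strings with the tshark export of the capture taken on the firewall and the IPS log covering the same time window. A port that shows up as "alerted-only" is the case the question describes: the IPS saw the probe and logged it, but the packet still reached the red side. A port with "no-alert" means no IPS rule matched at all, which, as the answer notes, is the normal outcome for most of nmap's packets rather than a sign of misconfiguration.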