Greetings,
Is there any way to turn off IPS for a specific service or machine?

Situation:
Client has ASG220 running IPS. They have a FTP/SFTP (SSH) server running on the LAN that is NAT'd with an additional IP address on the WAN interface. This server cannot be moved from the LAN, due to time-sensitive proprietary software which relies on file transfers being stored on a network share on the LAN (in other words, moving the server to a DMZ then synching the data to the LAN won't work).

This server is responsible for more than 50% of the traffic going through the Astaro. When IPS is running, remote FTP users complain of slow or dropped transfers. With IPS turned off the performance improves significantly.

I'm basically looking for a way to exclude IPS scanning from the FTP/SSH traffic running to this computer only. Is this possible? If not, does anyone have some suggestions for a work-around?
Thanks

The best way to accomplish what you want would seem to be to add an Ethernet adapter to the server so that you can have both an address in a DMZ and an address in your internal network. Then, create an exception for Intrustion Prevention with a source of the server in the DMZ.

At present, it would seem that you could create an exception for Intrustion Prevention with a source of the server. Does that resolve your issue?

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!

Good idea, that was what I was looking for!

Of course I now have two questions:

1. You presented two options - adding the second nic connected to a DMZ then creating an exception to the server vs. just creating the exception to the server. What does adding the second nic/DMZ accomplish vs. just doing the exception?

2. Under Attach Patterns | Attacks against servers | Misc. Servers I see FTP and SSH are selected. Would unchecking these options provide any advantage over creating the exception?

Thanks for the help!

Hi,
Unchecking them would disable them for all internal and external networks.
If you don't want that, then create an exception.

Barry

__________________
http://DealBert.net
Home & business end-user since v1.x

• ASL 6.3x, HP DL145 Dual Opteron, 1GB RAM, 6 gigE NICs, 50-IP Platinum License
  
• ASL 7.3x, Dell PE1550 Dual PIII 1GHz, 1GB RAM, 2 NICs, 50-IP Platinum License
  
• ASL 7.5x, 17-watt fanless mini-ITX system: MSI IM-945GSE-A Atom n270, 2GB RAM, Morex T3310 case. 2 Intel GigE, 3 VLANs. 80G 5200rpm 2.5" HD
  Netgear GS108T gigE VLAN switch & Linksys WRT54G WAP
  Total network infrastructure: 27 watts. 100-IP Home User. FiOS 10mb/2mb

You can't run gigabit traffic through an ASG220. However, it seems like an unnecessary security risk to have a publicly-available FTP server inside your trusted network. A compromise is to have a DMZ IP and an internal LAN IP for the server; attempts to reach your LAN from the DMZ IP would be blocked. Of course, a very-motivated intruder could take the time to discover the other route into your LAN, but it's more likely that the bad-guy would be lazy and just move on to the next opportunity.

Anyway, just a thought.

Cheers - Bob

__________________
ACE V7 - Astaro Preferred Partner since V3
Addicted to my iPhone!