Technical Tip: Intrusion Prevention Scanning failure
Description: This article describes a known issue in which clients whose traffic passes through a FortiGate or FortiProxy receive a block page stating that an Intrusion Prevention scanning failure has occurred.

Scope: FortiGate, FortiProxy.

Solution:

When an IPS security inspection profile is applied in a FortiGate or FortiProxy firewall policy, client devices trying to reach resources on the Internet may be shown the following error message and block page:

Your attempt to access the internet resource is blocked because of an Intrusion Prevention scanning failure.

In general, this message is shown when the WAD or IPS Engine process crashes while inspecting a session. There are several known instances of this occurring in the past.

More recently, Issue #1253472 was reported for FortiOS v7.4.11 and earlier, where the IPS Engine processes crash with signal 11 (SIGSEGV) and present the scanning failure message above. The root cause has been identified within the IPS Engine, and the fix is delivered in an updated IPS Engine, either distributed via FortiGuard or bundled in upcoming FortiOS firmware for v7.4, v7.6 and later.

As a workaround on affected firmware versions, administrators can gracefully restart the IPS Engine processes with the following command:

diagnose test application ipsmonitor 99

This restarts all IPS Engine processes, so expect a brief interruption to IPS-inspected traffic while the engines come back up. Some anecdotal evidence also suggests that clearing cookies and history in the client web browser can help in cases where the block page is shown persistently.

Note: The issue has been addressed in IPS Engine 07.004.600; upgrading the IPS Engine to that version or later resolves it. The currently installed IPS Engine version can be checked with:

diagnose autoupdate versions | grep "IPS Attack" -A 6
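When checking a fleet of devices, the version line from diagnose autoupdate versions has to be compared numerically rather than as a string (a lexical compare would rank 7.4.1000 below 7.4.600). The script below is an added example written for this article, not Fortinet code: it takes captured CLI output, pulls the Version line out of the IPS Attack Engine section, and reports whether the device is still below the fixed 07.004.600 release. The section layout of the sample output is constructed and the assumption that the version is displayed in the same dotted form as the Note (07.004.600) is an assumption; adjust the parser if your firmware prints it differently.

```python
import re
from typing import Optional, Tuple

# Version in which the page says Issue #1253472 is addressed.
FIXED_IPS_ENGINE = "07.004.600"

# Constructed sample of 'diagnose autoupdate versions' output; the section
# names and layout are an assumption made for this example.
SAMPLE_OUTPUT = """\
IPS Attack Engine
---------
Version: 07.004.500
Contract Expiry Date: n/a
Last Updated using scheduled update on Mon Jan  1 00:00:00 2024
Last Update Attempt: Mon Jan  1 00:00:00 2024
Result: No Updates

IPS Attack Definitions
---------
Version: 28.00100
Contract Expiry Date: n/a
"""


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a dotted version such as '07.004.600' into (7, 4, 600) so that
    comparisons are numeric, not lexical."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def ips_engine_version(autoupdate_output: str) -> Optional[str]:
    """Return the 'Version:' value from the 'IPS Attack Engine' section of the
    captured output, or None if that section or its version line is absent
    (for example, because the capture was truncated)."""
    in_section = False
    for line in autoupdate_output.splitlines():
        stripped = line.strip()
        if stripped.startswith("IPS Attack Engine"):
            in_section = True
            continue
        if not in_section:
            continue
        m = re.match(r"Version:\s*(\S+)", stripped)
        if m:
            return m.group(1)
        # A new section header (no colon, not the dashed underline) ends the block.
        if stripped and not stripped.startswith("-") and ":" not in stripped:
            in_section = False
    return None


def assess(autoupdate_output: str, fixed: str = FIXED_IPS_ENGINE) -> str:
    """Classify a device as 'fixed', 'affected' or 'unknown' based on the IPS
    engine version found in its captured output."""
    version = ips_engine_version(autoupdate_output)
    if version is None:
        return "unknown"
    try:
        installed = parse_version(version)
    except ValueError:
        return "unknown"
    return "fixed" if installed >= parse_version(fixed) else "affected"


if __name__ == "__main__":
    # Run against the constructed sample; replace with real captures per host.
    print(ips_engine_version(SAMPLE_OUTPUT), assess(SAMPLE_OUTPUT))
```

Feed each device's captured output (for example, saved from an SSH session) to assess(); anything reported as "affected" is a candidate for the IPS Engine update, and "unknown" means the capture should be repeated rather than treated as safe.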
