Skip to main content
Lonis23i
Lonis23i
Explorer
December 20, 2023
Question

Clarification Needed on Fortigate IPS Alert

  • December 20, 2023
  • 5 replies
  • 5197 views

Dear community members,

I hope this message finds you well. I have a question regarding Fortigate IPS, specifically about the scope of its analysis. Does the firewall's IPS exclusively analyze incoming traffic (e.g., WAN to LAN, WAN to DMZ, etc.), or does it also scrutinize outgoing traffic (e.g., LAN to WAN, LAN to LAN, etc.) for potential threats?

The reason I'm raising this question is that I recently encountered an IPS alert with the description "Backdoor: Backdoor.Cobalt.Strike.Beacon." The details provided were as follows: Source - Public IP address, Destination - Internal address (switch), Direction - Outgoing. I'm seeking clarification on what this alert precisely signifies. Does it imply a compromised internal machine? Could you please provide a more in-depth explanation of this alert?

Thank you for your assistance and insights.

Best regards,

5 replies

AEK
SuperUser
AEK
SuperUser
December 20, 2023

Hello

In my understanding IPS scans both in and out traffic depending on the IPS profile.

E.g.: protect_client profile mainly (but not exclusively) analyses responses from server, while protect_server profile mainly analyses queries from client.

Regarding the backdoor alert it is not simple to provide definite response, but basically the firewall detected suspicious communication, but it doesn't mean that your host is 100% compromised. The next action would be to scan the host and investigate further.

AEK
    vraev
    Staff
    vraev
    Staff
    December 27, 2023

    Hi @Lonis23i ,
    Could you provide the version of the FortiGate and the FortiAnalyzer?

     

    Best,

    Jack_wack
    Jack_wack
    Explorer II
    January 18, 2024

    Look in the raw logs of ips. there is a parameter called direction. It's values: incoming or outgoing.

    Screenshot 2024-01-18 221916.jpg

     

     

    Angelrian
    Angelrian
    New Member
    February 14, 2024

    A situation where your FortiGate firewall generates an IPS alert for suspicious outgoing traffic, indicating potential exploitation. For instance, you may receive an alert with the description "Suspicious Activity: CVE-2023-XXXX Exploit Attempt." Upon investigation, you discover that the source IP is an internal server, while the destination IP belongs to an external entity. This raises concerns about a possible compromise of the internal server and unauthorized attempts to exploit a known vulnerability.

    Terms & ConditionsAccessibility statement