ahmetyilmaz2050
Explorer II
June 7, 2022
Question

IPS

  • June 7, 2022
  • 2 replies
  • 3198 views

Our network is under attack, but the log message only includes this. It does not include IPS. Why can't IPS detect it?


Message meets Alert condition

date=2022-06-07 time=16:46:07 devname=xxxx devid=xxxxxxxxxxx logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1654609567005375688 tz="+0300" srcip=176.193.227.224 srcport=41898 srcintf="wan1" srcintfrole="wan" dstip=xxxxxxxx dstport=3389 dstintf="lan" dstintfrole="lan" sessionid=110258904 proto=6 action="deny" policyid=0 policytype="policy" service="RDP" dstcountry="Turkey" srccountry="Russian Federation" trandisp="dnat" tranip=10.10.10.52 tranport=3389 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"

2 replies

ahmetyilmaz2050
Explorer II
June 7, 2022

I think maybe it affected the packet flow, but in a similar case IPS detected it.

pminarik
Staff
June 7, 2022

IPS inspection is triggered as a result of a firewall policy being matched.

Packet arrives -> find a matching policy -> apply UTM profiles from that policy (including IPS)


Your traffic didn't match any policy, and so it was simply dropped. ("implicit deny")


... action="deny" policyid=0 policytype="policy" ...
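As an added illustration of the point above (this is example code written for this page, not code from Fortinet or from either poster): a small Python parser for FortiOS key=value traffic log lines that classifies each session from its action and policyid. policyid=0 with action="deny" is the implicit deny, so such a session was dropped before any UTM profile, IPS included, could run; only sessions accepted by a matching policy can be IPS-inspected. The sample lines, device name, addresses and function names are constructed; only the field layout follows the posted log.

```python
import re
from typing import Dict, List

# FortiOS traffic logs are one line of space-separated key=value pairs; values
# containing spaces are double-quoted. The regex captures either a quoted value
# (escaped quotes allowed) or a run of non-space characters.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')


def parse_fortilog(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict, stripping quotes."""
    fields: Dict[str, str] = {}
    for key, raw in _KV_RE.findall(line):
        if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
            raw = raw[1:-1].replace('\\"', '"')
        fields[key] = raw
    return fields


def classify(fields: Dict[str, str]) -> str:
    """Map the action/policyid pair to the stage at which the session was decided.

    policyid=0 together with action="deny" is the implicit deny: no policy
    matched, so no UTM profile (IPS included) was ever consulted.
    """
    action = fields.get("action")
    policyid = fields.get("policyid")
    if action == "deny" and policyid == "0":
        return "implicit-deny"
    if action == "deny":
        return "policy-deny"
    if action == "accept":
        return "policy-accept"
    return "other"


def ips_could_inspect(fields: Dict[str, str]) -> bool:
    """IPS runs only on traffic accepted by a matching policy that carries an IPS profile.

    Both the implicit deny (policyid=0) and an explicit deny policy drop the
    session before UTM profiles are applied, so those sessions never reach IPS.
    """
    return classify(fields) == "policy-accept"


def explain(line: str) -> str:
    """One-line explanation of why IPS did or did not get a chance to act."""
    f = parse_fortilog(line)
    verdict = classify(f)
    where = (f"{f.get('srcip')}:{f.get('srcport')} -> "
             f"{f.get('dstip')}:{f.get('dstport')} ({f.get('service')})")
    if verdict == "implicit-deny":
        return f"{where}: no policy matched (policyid=0, implicit deny); dropped before IPS"
    if verdict == "policy-deny":
        return f"{where}: denied by policy {f['policyid']}; dropped before IPS"
    if verdict == "policy-accept":
        return f"{where}: accepted by policy {f['policyid']}; that policy's IPS profile, if any, applied"
    return f"{where}: action={f.get('action')!r} policyid={f.get('policyid')!r}"


def summarize(lines: List[str]) -> Dict[str, int]:
    """Count sessions per verdict, e.g. to see how much noise is implicit deny."""
    counts: Dict[str, int] = {}
    for line in lines:
        verdict = classify(parse_fortilog(line))
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample lines (field layout follows the post; addresses are documentation ranges).
SAMPLE_LOGS = [
    # 1: the poster's situation: action="deny" policyid=0 -> implicit deny, IPS never ran
    'date=2022-06-07 time=16:46:07 devname="fw-edge" logid="0000000013" type="traffic" subtype="forward" '
    'srcip=198.51.100.7 srcport=41898 srcintf="wan1" dstip=203.0.113.10 dstport=3389 dstintf="lan" '
    'proto=6 action="deny" policyid=0 policytype="policy" service="RDP" trandisp="dnat" '
    'tranip=10.0.0.52 tranport=3389 crscore=30 crlevel="high"',
    # 2: accepted by policy 12, which is where UTM profiles (IPS included) would be applied
    'date=2022-06-07 time=16:47:01 devname="fw-edge" logid="0000000013" type="traffic" subtype="forward" '
    'srcip=198.51.100.8 srcport=51000 srcintf="wan1" dstip=203.0.113.10 dstport=443 dstintf="lan" '
    'proto=6 action="accept" policyid=12 policytype="policy" service="HTTPS"',
    # 3: denied by an explicit policy (policy 7), also dropped before any UTM inspection
    'date=2022-06-07 time=16:48:30 devname="fw-edge" logid="0000000013" type="traffic" subtype="forward" '
    'srcip=198.51.100.9 srcport=60001 srcintf="wan1" dstip=203.0.113.10 dstport=23 dstintf="lan" '
    'proto=6 action="deny" policyid=7 policytype="policy" service="TELNET"',
]

if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(explain(sample))
    print(summarize(SAMPLE_LOGS))
```

Run over a real export, the summary makes the distinction visible at a glance: sessions in the implicit-deny bucket are expected to have no IPS entry at all, so their absence from the IPS log is not a detection failure.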

ahmetyilmaz2050
Explorer II
June 7, 2022

Thank you for the reply. In addition, I found this article in old mails.


https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-life-of-packet-52/LoP-packet-flow.htm


pminarik
Staff
June 7, 2022