MarcusLeung
Visitor III
May 5, 2022
Solved

IPS engine blocked the attack but "Allowed" & Action "TCP reset from client" in Traffic log

  • May 5, 2022
  • 1 reply
  • 2944 views

Recently the FortiGate received an attack from 114.34.160.41 and IPS successfully blocked the attack, but this then caused a false alarm on the SIEM.


As the FortiGate sent an "Allowed – session reset" log message to the SIEM, the SIEM triggered a high-severity alert; the keyword "allowed" caused confusion, making it look as if the firewall had let the attack through.


Any suggestion to prevent that? Thanks.


1 reply

amouawad
Staff (Best answer)
May 5, 2022

Are you sure the IPS blocked this?


The default action for this signature is to allow:


From the IPS log it looks like you're using the default IPS profile, which has its action set to "default" (meaning: do whatever the individual signature's default action is, which in this case is allow):


Could you confirm what the action was in the IPS log you had above? Your picture didn't show the full log.
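The practical lesson of this answer is that the traffic log's "Allowed" / "TCP reset from client" text says nothing about whether the IPS sensor stopped the attack; the IPS (type="utm" subtype="ips") record's own `action` field does. The following is an added example (not code from the thread or from Fortinet) of how a SIEM-side parser can correlate the two log types by `sessionid` and raise an alert only when the IPS action shows the traffic was let through. The log lines are constructed to mirror FortiGate key=value syslog; the device-side specifics (attack name, session IDs, destination addresses, the exact set of action strings, which vary by FortiOS version) are assumptions.

```python
"""Decide from FortiGate logs whether an IPS event needs a SIEM alert.

Added example, not from the original thread or from Fortinet. The sample
lines below are constructed to look like FortiGate key="value" syslog;
field names follow FortiOS (type, subtype, action, utmaction, sessionid),
while the attack name, session IDs and addresses are made up.
"""
import shlex

# IPS log action values. Assumed here; the exact strings vary by FortiOS version.
BLOCKING_IPS_ACTIONS = {"dropped", "reset"}      # sensor stopped the traffic
NON_BLOCKING_IPS_ACTIONS = {"detected", "pass"}  # signature fired, traffic went through

SAMPLE_LOGS = [  # constructed sample data
    # Session 1001: the signature is at its default action ("pass" under the
    # default IPS profile), so the sensor only logged it. This deserves an alert.
    'date=2022-05-05 time=21:25:01 type="traffic" subtype="forward" sessionid=1001 '
    'srcip=114.34.160.41 dstip=192.0.2.10 action="accept" utmaction="allow" countips=1',
    'date=2022-05-05 time=21:25:01 type="utm" subtype="ips" eventtype="signature" '
    'sessionid=1001 severity="high" srcip=114.34.160.41 dstip=192.0.2.10 '
    'action="detected" profile="default" attack="Constructed.Example.Signature"',
    # Session 1002: same source, but a sensor that overrides the default to reset.
    # The traffic log shows action="client-rst" (rendered "TCP reset from client"
    # in the GUI); the IPS record is what proves the block.
    'date=2022-05-05 time=21:26:12 type="traffic" subtype="forward" sessionid=1002 '
    'srcip=114.34.160.41 dstip=192.0.2.10 action="client-rst" utmaction="block" countips=1',
    'date=2022-05-05 time=21:26:12 type="utm" subtype="ips" eventtype="signature" '
    'sessionid=1002 severity="high" srcip=114.34.160.41 dstip=192.0.2.10 '
    'action="reset" profile="strict" attack="Constructed.Example.Signature"',
    # Session 1003: ordinary allowed traffic with no IPS event at all.
    'date=2022-05-05 time=21:27:00 type="traffic" subtype="forward" sessionid=1003 '
    'srcip=198.51.100.7 dstip=192.0.2.10 action="accept" utmaction="allow"',
]


def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate syslog line of space-separated key=value pairs.

    shlex handles the double-quoted values (which may contain spaces) and
    strips the quotes; tokens without '=' are ignored.
    """
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def correlate(lines) -> dict:
    """Group records by sessionid: {sid: {"traffic": record|None, "ips": [records]}}."""
    sessions = {}
    for line in lines:
        rec = parse_fortigate_log(line)
        sid = rec.get("sessionid")
        if sid is None:
            continue
        entry = sessions.setdefault(sid, {"traffic": None, "ips": []})
        if rec.get("type") == "traffic":
            entry["traffic"] = rec
        elif rec.get("type") == "utm" and rec.get("subtype") == "ips":
            entry["ips"].append(rec)
    return sessions


def verdict(entry: dict) -> str:
    """Classify a session as 'blocked', 'not_blocked' or 'no_ips_event'.

    The decision is driven by the IPS record's action, never by the traffic
    log's 'accept' / 'client-rst' wording. If the IPS action is an unknown
    string, fall back to the traffic log's utmaction (allow/block).
    """
    ips_records = entry["ips"]
    if not ips_records:
        return "no_ips_event"
    actions = {r.get("action") for r in ips_records}
    if actions & BLOCKING_IPS_ACTIONS:
        return "blocked"
    if actions & NON_BLOCKING_IPS_ACTIONS:
        return "not_blocked"
    traffic = entry["traffic"] or {}
    return "blocked" if traffic.get("utmaction") == "block" else "not_blocked"


def alerts(lines) -> list:
    """Return the session IDs whose IPS event did NOT block the traffic."""
    return sorted(sid for sid, e in correlate(lines).items() if verdict(e) == "not_blocked")


if __name__ == "__main__":
    for sid, entry in correlate(SAMPLE_LOGS).items():
        print(sid, verdict(entry))
    print("alert on sessions:", alerts(SAMPLE_LOGS))
```

Run as written, only session 1001 is flagged: the one where the default profile let the signature's default "pass" action stand. Session 1002, whose traffic log the GUI would render as "TCP reset from client", is correctly treated as blocked because its IPS record says `action="reset"`. On a real SIEM the same logic belongs in the correlation rule: join on `sessionid` (or `srcip`/`dstip`/`dstport`/time window when session IDs are not forwarded) and key the severity on the IPS action, not on the word "Allowed".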

MarcusLeung
Visitor III
May 10, 2022

Hi amouawad,


Thanks for your reply! The policy is using the default IPS profile, which should be the reason why the action shows "Allowed" in the traffic log.


But why do some CVE signatures have the action "Pass" as their default setting?