amorales
New Member
November 25, 2022
Question

More information about Threat 131072


Hi All,

 

I have read the following information about the threat 131072: https://community.fortinet.com/t5/FortiGate/Technical-Tip-Threat-131072-is-seen-in-logs-when-traffic-is/ta-p/192533

 

But I am still not sure why we can see these sessions being blocked in our firewall. I have an Allow policy which is blocking some traffic due to threat 131072. Any idea about how to try to troubleshoot this traffic? Thanks.

EDIT: After checking deeper, the blocked packets are related to the Packet Based Inspection. I suppose that Packet Based Inspection includes 3-way-handshake, check sequence numbers, etc.

2 replies

Anthony_E
Staff
November 28, 2022

Hello amorales,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.


Regards,

Best Regards
alif
Staff
November 28, 2022

Hi @amorales,

 

The link explains the traffic logged as denied with the reference threat ID but does not mention why the traffic is getting denied.

Please share the information about the firewall policy configured.

Please also capture the output of the below debugs while generating traffic.

 

diagnose debug reset
diagnose debug flow filter addr <source_IP> <destination_IP> and
diagnose debug console timestamp enable
diagnose debug flow show iprope enable
diagnose debug flow show function-name enable
diagnose debug flow trace start 1000
diagnose debug enable

 

After performing the test, you can stop debugging:
diagnose debug disable
diagnose debug reset