FortiGate
Jkaural
Staff
Article Id 381460

Description

This article describes the behavior of IPS signatures for an existing session: the IPS does not validate each subsequent communication between the client and server against the signature set.

Scope

FortiGate, IPS signature validation.

Solution

During session creation, all traffic is validated against the IPS signatures. For an existing session, however, repeated triggers of the same IPS signature are aggregated rather than logged individually.


Scenario 1: IPS Signature validation for the new session.


date=2024-11-08 time=14:09:51 eventtime=1731092991646136339 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966919 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Server_Server_Validation" srcport=41408 dstport=80 hostname="server284" url="/downloads/eicar.txt" agent="curl/7.29.0" httpmethod="GET" direction="incoming" attackid=6499 profile="IPS_Testing_Signatures" incidentserialno=207626992 msg="custom: Test-Server_Server_Validation" crscore=50 craction=4096 crlevel="critical"


date=2024-11-08 time=14:09:51 eventtime=1731092991645622014 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966919 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Client_Tunnel_Validation" srcport=41408 dstport=80 hostname="server284" url="/downloads/eicar.txt" agent="curl/7.29.0" httpmethod="GET" direction="outgoing" attackid=5371 profile="IPS_Testing_Signatures" incidentserialno=207626991 msg="custom: Test-Client_Tunnel_Validation" crscore=50 craction=4096 crlevel="critical"


The above logs show that traffic for the new session (sessionid 7966919) is validated against each custom IPS signature, producing one log entry per matching signature.


Scenario 2: IPS Signature validation for the existing session.


date=2024-11-08 time=14:08:23 eventtime=1731092903851309105 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966829 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Server_Server_Validation" srcport=41406 dstport=80 direction="incoming" attackid=6499 profile="IPS_Testing_Signatures" incidentserialno=207626990 msg="custom: Test-Server_Server_Validation" crscore=50 craction=4096 crlevel="critical"


date=2024-11-08 time=14:08:17 eventtime=1731092897759689233 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966829 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Server_Server_Validation" srcport=41406 dstport=80 hostname="server284" url="/downloads/eicar.txt" agent="python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1062.4.1.el7.x86_64" httpmethod="GET" direction="incoming" attackid=6499 profile="IPS_Testing_Signatures" incidentserialno=207626988 msg="custom: Test-Server_Server_Validation" crscore=50 craction=4096 crlevel="critical"


date=2024-11-08 time=14:08:17 eventtime=1731092897759083950 tz="-0500" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="test" severity="critical" srcip=172.19.11.66 srccountry="Reserved" dstip=172.19.32.66 dstcountry="Reserved" srcintf="port13.604" srcintfrole="lan" dstintf="port10.704" dstintfrole="lan" sessionid=7966829 action="detected" proto=6 service="HTTP" policyid=1 poluuid="bae3ca8c-19d8-51ee-0609-bc55cb8a8faf" policytype="policy" attack="Test-Client_Tunnel_Validation" srcport=41406 dstport=80 hostname="server284" url="/downloads/eicar.txt" agent="python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1062.4.1.el7.x86_64" httpmethod="GET" direction="outgoing" attackid=5371 profile="IPS_Testing_Signatures" incidentserialno=207626987 msg="custom: Test-Client_Tunnel_Validation" crscore=50 craction=4096 crlevel="critical"


The logs for session 7966829 show that when a session already exists, the IPS (Intrusion Prevention System) combines multiple triggers of the same signature into aggregated log entries: attackid 6499 appears at 14:08:17 with full HTTP context (hostname, url, agent) and again at 14:08:23 without it. This reduces processing and improves performance.
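For an analyst who needs to tell a new-session detection (scenario 1) from an aggregated re-trigger on an existing session (scenario 2), the following added example parses FortiGate key=value IPS log lines, groups them by sessionid, and reports how many alerts per session repeat an attackid and how many lack HTTP context. This is example code written for this article, not Fortinet's own tooling; the sample input is the article's five log entries abridged to the fields the example uses, and the field names (sessionid, attackid, url, incidentserialno) are the ones visible in those entries.

```python
import re
from collections import defaultdict

# FortiGate log fields are key=value pairs; quoted values may contain spaces
# (for example agent="python-requests/2.6.0 CPython/2.7.5 ...").
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|[^\s"]+)')

# Constructed sample input: the article's five IPS entries, abridged to the
# fields this example needs. Field values are copied from the article.
SAMPLE_LOGS = [
    # Scenario 1: new session 7966919, each custom signature fires once.
    'date=2024-11-08 time=14:09:51 type="utm" subtype="ips" eventtype="signature" '
    'sessionid=7966919 action="detected" attack="Test-Server_Server_Validation" '
    'direction="incoming" attackid=6499 hostname="server284" url="/downloads/eicar.txt" '
    'agent="curl/7.29.0" incidentserialno=207626992',
    'date=2024-11-08 time=14:09:51 type="utm" subtype="ips" eventtype="signature" '
    'sessionid=7966919 action="detected" attack="Test-Client_Tunnel_Validation" '
    'direction="outgoing" attackid=5371 hostname="server284" url="/downloads/eicar.txt" '
    'agent="curl/7.29.0" incidentserialno=207626991',
    # Scenario 2: existing session 7966829; attackid 6499 is logged twice, the
    # later (aggregated) entry without hostname/url/agent.
    'date=2024-11-08 time=14:08:23 type="utm" subtype="ips" eventtype="signature" '
    'sessionid=7966829 action="detected" attack="Test-Server_Server_Validation" '
    'direction="incoming" attackid=6499 incidentserialno=207626990',
    'date=2024-11-08 time=14:08:17 type="utm" subtype="ips" eventtype="signature" '
    'sessionid=7966829 action="detected" attack="Test-Server_Server_Validation" '
    'direction="incoming" attackid=6499 hostname="server284" url="/downloads/eicar.txt" '
    'agent="python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1062.4.1.el7.x86_64" '
    'incidentserialno=207626988',
    'date=2024-11-08 time=14:08:17 type="utm" subtype="ips" eventtype="signature" '
    'sessionid=7966829 action="detected" attack="Test-Client_Tunnel_Validation" '
    'direction="outgoing" attackid=5371 hostname="server284" url="/downloads/eicar.txt" '
    'agent="python-requests/2.6.0 CPython/2.7.5 Linux/3.10.0-1062.4.1.el7.x86_64" '
    'incidentserialno=207626987',
]


def parse_fortigate_log(line):
    """Parse one FortiGate log line into a dict of field name -> string value."""
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            raw = raw[1:-1]  # strip the surrounding quotes
        fields[key] = raw
    return fields


def group_ips_events(lines):
    """Keep only utm/ips events and group them by sessionid."""
    sessions = defaultdict(list)
    for line in lines:
        event = parse_fortigate_log(line)
        if event.get("type") != "utm" or event.get("subtype") != "ips":
            continue
        sessions[event["sessionid"]].append(event)
    return dict(sessions)


def summarize_session(events):
    """Summarize one session's IPS alerts.

    repeat_alerts counts entries beyond the first for each attackid (the
    aggregated re-triggers of scenario 2); without_http_context counts
    entries that carry no url field, which is how the aggregated entry in
    the article differs from the first detection.
    """
    attack_ids = sorted({e["attackid"] for e in events})
    return {
        "alerts": len(events),
        "signatures": attack_ids,
        "repeat_alerts": len(events) - len(attack_ids),
        "without_http_context": sum(1 for e in events if "url" not in e),
        "incidents": sorted(e["incidentserialno"] for e in events),
    }


def main():
    for session_id, events in group_ips_events(SAMPLE_LOGS).items():
        summary = summarize_session(events)
        kind = "existing session (aggregated)" if summary["repeat_alerts"] else "new session"
        print(f"session {session_id}: {kind} {summary}")


if __name__ == "__main__":
    main()
```

When run over a real log export, a session whose repeat_alerts is non-zero and whose extra entries lack url/hostname is the aggregated case described in scenario 2; the first entry for each attackid in that session is the one that carries the HTTP context worth investigating.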