FortiGate
mtse
Staff
Article Id 203467
Description This article describes why, although IPS is enabled on both FortiGates along the path from client to server, it is not always the first FortiGate in the path (e.g. 'FGT1' below) that detects the IPS signature.
Scope  
Solution

It depends on which direction of traffic the IPS signature matches.

If the signature is triggered by the response from the 'server', the second FortiGate (e.g. 'FGT2' below) detects it first and 'FGT1' never sees it, because FGT2 has already blocked the response before it can reach FGT1.

[Topology diagram: client - FGT1 - FGT2 - server]

 

This can be simulated by creating the custom IPS signature below, which matches a specific pattern in the 'response' from the server (the pattern 'Connection' matches the Connection header that the HTTP server sends back), and applying it through an IPS sensor to the firewall policies on both 'FGT1' and 'FGT2'.

 

# config ips custom
    edit "Test_FGT"
        set signature "F-SBID( --attack_id 7870; --name \"Test Cust FGT\"; --protocol tcp; --service HTTP; --flow from_server; --pattern \"Connection\"; --context packet; )"
        set comment ''
    next
end

# config ips sensor
    edit "Test_Cus_FGT"
        # config entries
            edit 1
                set rule 7870
                set action block
            next
        end
    next
end

 

When the client visits the server, the HTTP response from the server triggers the IPS signature on 'FGT2' only, producing the log entry below.

There is no log on 'FGT1', because FGT2 has already dropped the response before it can reach FGT1. Note that in this case the client's request itself still passes both FortiGates and reaches the server; only the response is dropped.

 

IPS log in FGT2.

 

date=2022-01-21 time=13:00:06 eventtime=1642741206634621625 tz="+0800" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.30.30.1 srccountry="Reserved" dstip=10.40.40.2 srcintf="port3" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" sessionid=253893 action="dropped" proto=6 service="HTTP" policyid=2 attack="Test Cust FGT" srcport=54827 dstport=80 hostname="10.40.40.2" url="/" direction="incoming" attackid=7870 profile="Test_Cus_FGT" incidentserialno=62914658 msg="custom: Test Cust FGT," crscore=50 craction=4096 crlevel="critical"

 

On the other hand, for IPS signatures that match a specific traffic pattern sent by the 'client', the FortiGate closest to the client ('FGT1') detects it first, and the FortiGate near the server ('FGT2') never sees it, because the request has already been blocked on the client side.

  

In the topology above, this can be simulated by sending the request below from the client to the server to trigger the IPS signature 'Cross.Site.Scripting' (included in the IPS profile 'high_security'), which matches a pattern in the client's request.

 

http://10.40.40.2/issstart.htm?id=<script>alert(XX)</script>

 

IPS log in 'FGT1'.

 

date=2022-01-21 time=15:15:03 eventtime=1642749304279513584 tz="+0800" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="medium" srcip=10.20.20.20 srccountry="Reserved" dstip=10.40.40.2 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=312901 action="dropped" proto=6 service="HTTP" policyid=1 attack="Cross.Site.Scripting" srcport=54950 dstport=80 hostname="10.40.40.2" url="/issstart.htm?id=%3Cscript%3Ealert(XX)%3C/script%3E" direction="outgoing" attackid=17702 profile="high_security" ref="http://www.fortinet.com/ids/VID17702" incidentserialno=42991705 msg="web_app2: Cross.Site.Scripting," crscore=10 craction=16384 crlevel="medium"
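When the first FortiGate shows no IPS log, the quickest check is to collect the IPS logs from every device on the path and compare where each signature was actually dropped with where its flow direction says it should have been dropped. The script below is an added example written for this article; it is not Fortinet code. It parses FortiGate key=value log lines, uses the two log entries shown above (the custom signature on FGT2 and Cross.Site.Scripting on FGT1) as its sample input, and assumes the device names, the client-to-server path order ('FGT1' then 'FGT2') and the per-signature flow directions (7870 is defined with --flow from_server; 17702 matches the client's request) as stated in this article.

```python
import re
from collections import defaultdict

# FortiGate key=value log format: a value is either double-quoted (and may
# contain spaces) or a bare token that runs up to the next whitespace.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Assumed path order from client to server, using the device names from the article.
PATH = ["FGT1", "FGT2"]

# Assumed direction each signature matches on, taken from the article: the custom
# signature 7870 is defined with --flow from_server, Cross.Site.Scripting (17702)
# matches the client's request.
SIGNATURE_FLOW = {7870: "from_server", 17702: "from_client"}

# Sample input: the two IPS log lines shown in the article, keyed by the device
# that produced them.
SAMPLE_LOGS = {
    "FGT1": [
        'date=2022-01-21 time=15:15:03 eventtime=1642749304279513584 tz="+0800" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="medium" srcip=10.20.20.20 srccountry="Reserved" dstip=10.40.40.2 srcintf="port2" srcintfrole="undefined" dstintf="port3" dstintfrole="undefined" sessionid=312901 action="dropped" proto=6 service="HTTP" policyid=1 attack="Cross.Site.Scripting" srcport=54950 dstport=80 hostname="10.40.40.2" url="/issstart.htm?id=%3Cscript%3Ealert(XX)%3C/script%3E" direction="outgoing" attackid=17702 profile="high_security" ref="http://www.fortinet.com/ids/VID17702" incidentserialno=42991705 msg="web_app2: Cross.Site.Scripting," crscore=10 craction=16384 crlevel="medium"',
    ],
    "FGT2": [
        'date=2022-01-21 time=13:00:06 eventtime=1642741206634621625 tz="+0800" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="critical" srcip=10.30.30.1 srccountry="Reserved" dstip=10.40.40.2 srcintf="port3" srcintfrole="undefined" dstintf="port2" dstintfrole="undefined" sessionid=253893 action="dropped" proto=6 service="HTTP" policyid=2 attack="Test Cust FGT" srcport=54827 dstport=80 hostname="10.40.40.2" url="/" direction="incoming" attackid=7870 profile="Test_Cus_FGT" incidentserialno=62914658 msg="custom: Test Cust FGT," crscore=50 craction=4096 crlevel="critical"',
    ],
}


def parse_fortigate_log(line):
    """Split one FortiGate log line into a dict, stripping the quotes from quoted values."""
    return {key: quoted if quoted else bare for key, quoted, bare in KV_RE.findall(line)}


def dropped_ips_events(logs_by_device):
    """Return {attackid: [device, ...]} for every IPS event a device logged as dropped."""
    seen = defaultdict(list)
    for device, lines in logs_by_device.items():
        for line in lines:
            ev = parse_fortigate_log(line)
            if ev.get("type") == "utm" and ev.get("subtype") == "ips" and ev.get("action") == "dropped":
                seen[int(ev["attackid"])].append(device)
    return dict(seen)


def expected_first_hop(flow, path):
    """Device that should log the drop: a from_client signature fires on the first hop
    after the client, a from_server signature on the last hop before the server."""
    if flow == "from_client":
        return path[0]
    if flow == "from_server":
        return path[-1]
    raise ValueError(f"unknown flow {flow!r}")


def check_detection_points(logs_by_device, path, signature_flow):
    """For each signature, compare the device(s) that actually logged the drop with the
    device its flow direction predicts, e.g. {7870: ("FGT2", ["FGT2"], True)}."""
    observed = dropped_ips_events(logs_by_device)
    result = {}
    for attackid, flow in signature_flow.items():
        expected = expected_first_hop(flow, path)
        actual = observed.get(attackid, [])
        # Exactly one log on the predicted hop is the normal case. A log on a later
        # hop, on both hops, or on none means the earlier device did not block it
        # and its sensor or policy binding needs a look.
        result[attackid] = (expected, actual, actual == [expected])
    return result


if __name__ == "__main__":
    for attackid, (expected, actual, ok) in check_detection_points(SAMPLE_LOGS, PATH, SIGNATURE_FLOW).items():
        status = "OK" if ok else "MISMATCH"
        print(f"attackid {attackid}: expected on {expected}, logged on {actual or 'none'} -> {status}")
```

Run on the two log lines from this article, both signatures report OK: 7870 is logged only by FGT2 and 17702 only by FGT1. The same script, fed logs exported from both devices, turns the "why is there no log on FGT1" question into a per-signature check against the flow direction of the signature definition.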

 

Custom IPS and Application Control Signature Syntax Guide

https://docs.fortinet.com/document/ipsengine/3.6.0/custom-ips-and-application-control-signature-synt...
