vifi (Staff)
Article Id 334661
Description This article describes why a FortiGate may generate no IPS logs even though an IPS sensor is applied to the firewall policy, and how to fix it.
Scope FortiGate.
Solution

The firewall policy below applies an IPS sensor while the SSL/SSH inspection profile is certificate-inspection (the two lines marked with arrows):

config firewall policy
    edit 1
        set name "internet"
        set uuid 0b7e4698-5eca-51ef-040b-84b71d282ad8
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection" -->
        set ips-sensor "test-eicar"  -->
        set logtraffic all
        set nat enable
    next
end


To reproduce, create an IPS sensor that enables the EICAR test signature (rule ID 29844) with action block, apply it to the policy as shown above, and then download the EICAR test file:

 

config ips sensor
    edit "test-eicar"
        config entries
            edit 1
                set rule 29844
                set status enable
                set action block
            next
        end
    next
end

 

Download the EICAR test file from www.eicar.org (the Anti Malware Testfile page). The download goes through over HTTPS and no IPS log is generated, even though the sensor is applied to the matching policy.

 

First rule out an outdated signature database: check the version of the Attack Definitions and Attack Extended Definitions with the command 'diagnose autoupdate versions'. In this case both databases are up to date with the latest IPS release, so the missing signature match is not caused by the IPS database.


The cause is the SSL/SSH inspection profile. The EICAR download is an HTTPS session (dstport 443), and with certificate-inspection the FortiGate only examines the TLS handshake (server certificate and SNI); the decrypted payload is never seen by the IPS engine, so a content signature such as Eicar.Virus.Test.File cannot match. Change the SSL/SSH inspection profile on the policy from certificate-inspection to deep-inspection. The EICAR file is then blocked and the IPS log is generated.
It is strongly recommended to use a 'deep-inspection' profile together with an IPS sensor, since most IPS signatures match on payload that is only visible after TLS decryption. Note that deep inspection re-signs server certificates with the FortiGate CA, so that CA must be trusted by the clients (or the destination exempted) to avoid certificate warnings; cleartext HTTP traffic is matched by the IPS sensor regardless of the SSL/SSH profile.
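The following Python script is an added example, not part of the original article or of any Fortinet tooling. It parses 'config firewall policy' output in the form shown above and reports every policy that applies an IPS sensor while its SSL/SSH profile does not decrypt TLS, which is exactly the misconfiguration above. The sample configuration is constructed (policy 1 is the problem case, policy 2 the fix, policy 3 has UTM disabled), and the script assumes the default profile name deep-inspection; a custom deep-inspection profile would have to be passed in deep_profiles.

```python
import shlex

# Constructed sample of 'show firewall policy' output (not from a real device):
# policy 1 is the article's problem case, policy 2 is the fix, policy 3 has no UTM.
SAMPLE_POLICY_CONFIG = """\
config firewall policy
    edit 1
        set name "internet"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set utm-status enable
        set ssl-ssh-profile "certificate-inspection"
        set ips-sensor "test-eicar"
        set logtraffic all
        set nat enable
    next
    edit 2
        set name "internet-deep"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set utm-status enable
        set ssl-ssh-profile "deep-inspection"
        set ips-sensor "test-eicar"
        set logtraffic all
    next
    edit 3
        set name "no-utm"
        set srcintf "port3"
        set dstintf "port1"
        set action accept
        set logtraffic all
    next
end
"""


def parse_policies(config_text):
    """Parse 'config firewall policy' CLI output into {policy_id: {setting: [values]}}.

    Only 'set' lines directly inside an 'edit <id>' block are recorded; nested
    'config ... end' sub-tables inside a policy are skipped.
    """
    policies = {}
    current = None   # policy id of the 'edit' block we are in, if any
    depth = 0        # nesting of sub-tables inside the current policy
    for raw in config_text.splitlines():
        tokens = shlex.split(raw.strip())
        if not tokens:
            continue
        cmd = tokens[0]
        if current is None:
            if cmd == "edit" and len(tokens) > 1:
                current = tokens[1]
                policies[current] = {}
            continue
        if cmd == "config":
            depth += 1
        elif cmd == "end" and depth > 0:
            depth -= 1
        elif depth == 0 and cmd == "set" and len(tokens) > 2:
            policies[current][tokens[1]] = tokens[2:]
        elif depth == 0 and cmd == "next":
            current = None
    return policies


def find_ips_without_deep_inspection(config_text, deep_profiles=("deep-inspection",)):
    """Return (policy_id, name, ssl_ssh_profile) for every policy that applies an
    IPS sensor but uses an SSL/SSH profile that does not decrypt TLS.

    deep_profiles lists the profile names treated as full inspection; only the
    default FortiOS profile name is assumed here, add custom profiles as needed.
    """
    findings = []
    for pid, s in parse_policies(config_text).items():
        if s.get("utm-status", ["disable"])[0] != "enable":
            continue               # UTM off: no IPS sensor is applied at all
        if not s.get("ips-sensor"):
            continue               # no IPS sensor on this policy
        profile = s.get("ssl-ssh-profile", [None])[0]
        if profile not in deep_profiles:
            findings.append((pid, s.get("name", [""])[0], profile))
    return findings


if __name__ == "__main__":
    for pid, name, profile in find_ips_without_deep_inspection(SAMPLE_POLICY_CONFIG):
        print(f"policy {pid} ({name}): ips-sensor applied but ssl-ssh-profile={profile}")
```

Feed it the output of 'show firewall policy' from the CLI; a policy with no ssl-ssh-profile at all is reported with profile None, since FortiOS then applies no TLS inspection either.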

 

The resulting IPS log entry (note service="HTTPS", action="dropped" and attackid=29844, matching the rule configured in the sensor):

eventtime=1723714477181988079 tz="+0200" logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="root" severity="info" srcip=172.16.1.2 srccountry="Reserved" dstip=89.238.73.97 dstcountry="Germany" srcintf="port3" srcintfrole="undefined" dstintf="port1" dstintfrole="undefined" sessionid=2148164589 action="dropped" proto=6 service="HTTPS" policyid=1 poluuid="9441a5c0-50b4-51ef-352d-269f586485de" policytype="policy" attack="Eicar.Virus.Test.File" srcport=59557 dstport=443 hostname="www.eicar.org" url="/download-anti-malware-testfile/" agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36" httpmethod="GET" referralurl="https://www.eicar.org/download-anti-malware-testfile/" direction="incoming" attackid=29844 profile="test-eicar" ref="http://www.fortinet.com/ids/VID29844" incidentserialno=188743687 msg="file_transfer: Eicar.Virus.Test.File"
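To verify the fix from exported logs rather than by eye, the Python below is an added example (not from the article or from Fortinet) that parses FortiOS key=value log lines, including quoted values that contain spaces and parentheses such as the user agent, and lists the IPS signature events with their action, service and policy ID. The first sample line is the article's log entry with some fields omitted; the second and third lines are constructed, showing the same signature over cleartext HTTP with a detect-only action and an ordinary traffic log that must not be counted.

```python
import re

# Matches key=value where value is either a double-quoted string (may contain
# spaces and parentheses) or a bare token.
_KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S+)')

SAMPLE_LOGS = [
    # The article's IPS log entry, shortened (some fields omitted).
    'eventtime=1723714477181988079 tz="+0200" logid="0419016384" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" vd="root" severity="info" srcip=172.16.1.2 '
    'dstip=89.238.73.97 srcintf="port3" dstintf="port1" sessionid=2148164589 '
    'action="dropped" proto=6 service="HTTPS" policyid=1 attack="Eicar.Virus.Test.File" '
    'srcport=59557 dstport=443 hostname="www.eicar.org" url="/download-anti-malware-testfile/" '
    'agent="Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/127.0.0.0 Safari/537.36" httpmethod="GET" direction="incoming" attackid=29844 '
    'profile="test-eicar" msg="file_transfer: Eicar.Virus.Test.File"',
    # Constructed: same signature over cleartext HTTP with a detect-only sensor action.
    'eventtime=1723714500000000000 tz="+0200" logid="0419016384" type="utm" subtype="ips" '
    'eventtype="signature" level="alert" vd="root" severity="info" srcip=172.16.1.3 '
    'dstip=89.238.73.97 action="detected" proto=6 service="HTTP" policyid=2 '
    'attack="Eicar.Virus.Test.File" srcport=50001 dstport=80 attackid=29844 '
    'profile="test-eicar" msg="file_transfer: Eicar.Virus.Test.File"',
    # Constructed: an ordinary forward-traffic log, which must not count as an IPS event.
    'eventtime=1723714501000000000 tz="+0200" logid="0000000013" type="traffic" '
    'subtype="forward" level="notice" vd="root" srcip=172.16.1.2 dstip=89.238.73.97 '
    'action="accept" policyid=1 service="HTTPS" sentbyte=1234 rcvdbyte=5678',
]


def parse_fortilog(line):
    """Parse one FortiOS key=value log line into a dict, stripping the quotes."""
    fields = {}
    for key, value in _KV.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def ips_events(lines):
    """Return (attack, attackid, action, service, policyid) for each IPS signature log."""
    events = []
    for line in lines:
        f = parse_fortilog(line)
        if f.get("type") != "utm" or f.get("subtype") != "ips":
            continue   # skip traffic, event and other UTM log types
        events.append((f.get("attack"), f.get("attackid"), f.get("action"),
                       f.get("service"), f.get("policyid")))
    return events


def blocked_on_policy(lines, policy_id):
    """True if at least one IPS event on the given policy was dropped or reset."""
    return any(action in ("dropped", "reset") and pid == str(policy_id)
               for _, _, action, _, pid in ips_events(lines))


if __name__ == "__main__":
    for attack, attackid, action, service, policyid in ips_events(SAMPLE_LOGS):
        print(f"policy {policyid}: {attack} (id {attackid}) {action} over {service}")
```

Run it against a file of 'execute log display' output or a syslog export, one record per line; blocked_on_policy() is the quick check that the sensor on a given policy is actually dropping, not merely detecting, after the SSL/SSH profile change.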