FortiGate
candawi
Staff
Article Id 363080
Description This article discusses possible reasons why an IPS signature is only detected, rather than blocked, when the IPS logs are checked.
Scope FortiGate.
Solution
  1. The action for the respective IPS signature is set to allow or monitor instead of block. Refer to this article for the difference: Technical Tip: IPS profile actions and corresponding actions in logs
  2. The IPS definitions are not up to date. Make sure the IPS version is updated: confirm that at least one firewall policy has an IPS profile enabled under security profiles, then run the command execute update-now in the CLI.
  3. The default action for the respective IPS signature was changed. For example, refer to https://www.fortiguard.com/encyclopedia/ips/56904 under the version history section of the signature page.
  4. Check whether disabling auto-asic-offload on the firewall policy helps. Custom signatures not supported by the ASIC on FortiGate devices are typically those that require complex processing or specific conditions that the hardware acceleration cannot handle. In such cases, these signatures are processed by the CPU instead, so they can still be applied even though they are not offloaded to the ASIC. If such custom signatures are needed, ensure that the FortiGate's CPU has sufficient resources to handle the additional processing load.
    Example:

    config firewall policy
        edit 1
            set auto-asic-offload disable
        next
    end

 

See Technical Tip: FortiGate - disable hardware acceleration.


Version history entry for the signature on the FortiGuard encyclopedia page:

Palo.Alto.Networks.Expedition.CVE-2024-9463.Command.Injection:
2024-12-03 29.914 Default_action:pass:drop ---> change in default action

[Screenshot: FortiGuard version history entry for the signature]


The default action was changed from pass to drop on December 3rd, 2024. The IPS logs in question show the signature as detected because those logs were generated before the change on December 3rd, 2024.

Before the change, the default action was pass, which is why the signature's action in the logs is detected instead of blocked.

The IPS version can be confirmed through the CLI with the following command:

    diagnose autoupdate versions

Once the IPS version is at 29.914 or above, the IPS logs should show a block for these signatures if the default action is used.
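To tie the checks above together, the following is an added example (not part of the original article or FortiOS): it parses constructed FortiGate IPS log lines and a constructed excerpt of `diagnose autoupdate versions` output, then, for each signature that was only detected, reports which of the causes listed in the Solution could explain it. The log field names (`action`, `attack`, `attackid`, `date`) and the layout of the diagnose output are assumptions modelled on typical FortiOS output; the default-action change table is constructed from the version history entry quoted above.

```python
"""Added example: explain why an IPS signature shows as 'detected' rather than
blocked, using the causes from the article. All sample data is constructed and
the log/diagnose formats are assumptions modelled on typical FortiOS output."""
import re
from datetime import date

# Constructed sample IPS log lines in FortiOS key=value style (assumed layout).
SAMPLE_LOGS = """\
date=2024-11-28 time=09:12:01 type="utm" subtype="ips" eventtype="signature" severity="critical" srcip=203.0.113.10 dstip=192.0.2.20 action="detected" attack="Palo.Alto.Networks.Expedition.CVE-2024-9463.Command.Injection" attackid=56904 profile="default"
date=2024-12-05 time=14:30:44 type="utm" subtype="ips" eventtype="signature" severity="critical" srcip=203.0.113.11 dstip=192.0.2.20 action="dropped" attack="Palo.Alto.Networks.Expedition.CVE-2024-9463.Command.Injection" attackid=56904 profile="default"
date=2024-12-05 time=14:31:02 type="utm" subtype="ips" eventtype="signature" severity="high" srcip=203.0.113.12 dstip=192.0.2.21 action="detected" attack="Example.Custom.Signature" attackid=1 profile="default"
"""

# Constructed excerpt of `diagnose autoupdate versions` (section layout assumed).
SAMPLE_VERSIONS = """\
IPS Attack Engine
---------
Version: 7.00336
Last Updated using scheduled update on Thu Dec  5 01:00:00 2024

Attack Definitions
---------
Version: 29.00914
Last Updated using scheduled update on Thu Dec  5 01:00:00 2024
"""

# Default-action changes taken from the FortiGuard version history:
# signature -> (date the default changed, definitions version carrying the change).
# Constructed table; the single entry mirrors the article (29.914, pass -> drop).
DEFAULT_ACTION_CHANGES = {
    "Palo.Alto.Networks.Expedition.CVE-2024-9463.Command.Injection":
        (date(2024, 12, 3), (29, 914)),
}

# key=value pairs, values either "quoted" or bare (no spaces).
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_log_line(line):
    """Turn one key=value log line into a dict."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}


def parse_version(text):
    """Accept '29.914' (FortiGuard style) or '29.00914' (diagnose style) -> (29, 914)."""
    major, minor = text.strip().split(".")
    return int(major), int(minor)


def attack_definitions_version(output):
    """Pull the Attack Definitions version out of diagnose autoupdate output."""
    m = re.search(r"Attack Definitions\s*\n-+\s*\nVersion:\s*([\d.]+)", output)
    if not m:
        raise ValueError("Attack Definitions section not found")
    return parse_version(m.group(1))


def explain_detected(log_text, versions_output, changes=DEFAULT_ACTION_CHANGES):
    """For each IPS log that only reports 'detected', list plausible causes.

    Returns a list of (attack name, log date, [reasons])."""
    installed = attack_definitions_version(versions_output)
    findings = []
    for line in log_text.splitlines():
        ev = parse_log_line(line)
        if ev.get("subtype") != "ips" or ev.get("action") != "detected":
            continue
        attack = ev.get("attack", "")
        reasons = []
        change = changes.get(attack)
        if change:
            changed_on, needed = change
            # Cause 3: the log predates the default-action change.
            if date.fromisoformat(ev["date"]) < changed_on:
                reasons.append("log predates default-action change on %s" % changed_on)
            # Cause 2: installed definitions are older than the change.
            if installed < needed:
                reasons.append("IPS definitions %d.%d below %d.%d; run 'execute update-now'"
                               % (installed + needed))
        if not reasons:
            # Causes 1 and 4: profile action or ASIC offload of a custom signature.
            reasons.append("check IPS profile action (allow/monitor) and auto-asic-offload")
        findings.append((attack, ev["date"], reasons))
    return findings


if __name__ == "__main__":
    for attack, when, reasons in explain_detected(SAMPLE_LOGS, SAMPLE_VERSIONS):
        print(when, attack)
        for r in reasons:
            print("   -", r)
```

On the constructed data the first entry is attributed to the default-action change (the log is from before December 3rd, 2024 while the installed definitions already carry 29.914), and the custom signature falls through to the profile-action and ASIC-offload checks. On a real unit, replace the two sample strings with exported IPS logs and the actual `diagnose autoupdate versions` output, and extend the change table from the FortiGuard version history of each signature of interest.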

Sample log:

[Screenshot: sample IPS log entries for the signature]

Related articles: