FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
mricardez
Staff
Staff
Article Id 247937
Description This article describes how to troubleshoot the IPS signature matching which can give visibility of triggered IPS alerts.
Scope IPS Engine v7.0 and earlier.
Solution

When the UTM IPS profile is enabled in the firewall policies, it is possible to start receiving IPS logs without having an understanding of the reason for the signature trigger matching.

 

mricardez_0-1677778333695.png

 

To have further details of traffic that matches a signature, it is possible to enable the following options in order to troubleshoot/gather information and identify if the IPS matching is a false positive situation.

 

config ips sensor
    edit {sensor name} <- The IPS sensor.
        config entries
            edit {an integer ID} <- Use ? here to find which ones are in use.

                set rule {51006} <- Attack ID. 
                set log enable
                set log-attack-context enable
                set log-packet enable
            next

 

  • log-packet: Enable saving the packet that triggers the filter. It is possible to download the packets in PCAP format for diagnostic use.
  • log-attack-context: The attack context field contains all the matched patterns as well as the URI+HEADER+BODY+entire packet buffer. The content of this field is encoded in base64 but once decrypted should show more information on the detection.

 

The log-attack-context gives visibility of triggered IPS alert but without complete payload and the log-packet will allow getting complete payload on IPS alert.

It is possible to download the packets in PCAP format for diagnostic use.


WARNING:

Use with caution, as these options consume a lot of resources and are used when troubleshooting an IPS match. After troubleshooting, it must be disabled.

 

From the IPS log, It is possible to get the IPS Attack ID. In this example, the lab ID is 51006.

 mricardez_1-1677778815733.png

 

To avoid a considerable consumption of resources, create an entry on top of the specific Attack ID into the IPS sensor to reduce the amount of log matching as much as possible.

 

mricardez_2-1677779356003.png

 

Set on top of the new entry to have higher precedence during the matching decision.

 

mricardez_3-1677779396818.png

 

With the CLI, enable log, log-packet, and log-packet-context to the entry which contains the specific Attack-ID (51006).

 

mricardez_4-1677779644910.png

 

The next IPS log matching will contain the Attack Context and the Archived Data.

 

mricardez_0-1677780887656.png

 

Using a base64 utility in Linux to decode the string will show the matching pattern of the IPS signature.

 

mricardez_1-1677781006107.png

 

From the Archived Data tab, it is possible to download the PCAP file.

 

mricardez_0-1677781172346.png

 

Using Wireshark, it is possible to analyze the header and payload of the packet IPS signature match. 

 

mricardez_2-1677781325323.png

 

Related article:

Troubleshooting Tip: Using the FortiOS policy based packet capture