amrit
Staff & Editor
Article Id 399811
Description: This article explains why the IOC notification triggered by FortiAnalyzer for FortiGate-originated local-out traffic may be considered a false positive.
Scope: FortiGate, FortiAnalyzer, Indicator of Compromise (IOC).
Solution

FortiAnalyzer with an IOC license may trigger a compromised-host notification for FortiGate-originated local-out traffic.

Example:

For the following local-out traffic, FortiAnalyzer triggered an IOC alert.

date=2025-07-03 time=18:39:14 eventtime=1751585954200054017 tz="-0500" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=10.9.1.93 srcport=7464 srcintf="root" srcintfrole="undefined" dstip=192.243.59.20 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=1644764 proto=6 action="close" policyid=0 service="HTTPS" trandisp="noop" app="HTTPS" duration=1 sentbyte=689 rcvdbyte=3354 sentpkt=8 rcvdpkt=6


Since the FortiGate is located behind a NAT device, its WAN IP appears as 10.9.1.93. Although the destination IP (192.243.59.20) is categorized as a 'Potentially Unwanted Program' and is therefore blocked by the web filter on the device, FortiGate will still initiate a TLS probe to it.

When a user accesses a website, FortiGate generates local-out traffic to that destination to perform an SNI check using TLS probes. This traffic is not initiated by FortiGate on its own but is triggered specifically when a user attempts to access a site. This behavior is expected and by design for flow-based policies with security profiles. The resulting IOC alerts for this traffic do not indicate a compromise of the FortiGate and can be safely disregarded.

FortiGate performs TLS probes regardless of the certificate inspection mode, whether certificate or deep inspection is enabled. These probes are specific to flow-based inspection mode policies and are managed by the IPS engine process, which handles flow-based inspection. In contrast, proxy-based policies are handled by the WAD process, which does not utilize these probes.
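To triage such alerts in bulk, the following added example (not part of this article or of any Fortinet tool) parses FortiGate key=value log lines and separates records that match the local-out TLS-probe pattern described above (subtype=local, srcintf=root, policyid=0, TCP/443) from forwarded client traffic that still deserves a normal IOC review. The second sample record, with client 10.9.2.50 and policy 5, is constructed for the demonstration; the first is the log line from this article.

```python
import re

# FortiGate log lines are space-separated key=value pairs; values may be double-quoted.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate_log(line: str) -> dict:
    """Parse one FortiGate key=value log line into a dict of string values."""
    fields = {}
    for key, raw in _KV_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') and raw.endswith('"') else raw
    return fields

def is_local_out_tls_probe_candidate(fields: dict) -> bool:
    """True when the record matches the pattern described in the article:
    FortiGate-originated local-out traffic (subtype=local, srcintf=root,
    policyid=0) to TCP/443, i.e. a likely IPS-engine TLS probe rather than
    traffic forwarded on behalf of a client host."""
    return (
        fields.get("type") == "traffic"
        and fields.get("subtype") == "local"
        and fields.get("srcintf") == "root"
        and fields.get("policyid") == "0"
        and fields.get("proto") == "6"
        and fields.get("dstport") == "443"
    )

def triage_ioc_hits(lines):
    """Split IOC-flagged records into (likely_probe, needs_review) lists."""
    likely_probe, needs_review = [], []
    for line in lines:
        f = parse_fortigate_log(line)
        (likely_probe if is_local_out_tls_probe_candidate(f) else needs_review).append(f)
    return likely_probe, needs_review

# Sample input: the local-out line from this article, plus one constructed
# forwarded-traffic record (hypothetical client 10.9.2.50 behind policy 5).
SAMPLE_LOGS = [
    'date=2025-07-03 time=18:39:14 eventtime=1751585954200054017 tz="-0500" logid="0001000014" type="traffic" subtype="local" level="notice" vd="root" srcip=10.9.1.93 srcport=7464 srcintf="root" srcintfrole="undefined" dstip=192.243.59.20 dstport=443 dstintf="port1" dstintfrole="undefined" srccountry="Reserved" dstcountry="United States" sessionid=1644764 proto=6 action="close" policyid=0 service="HTTPS" trandisp="noop" app="HTTPS" duration=1 sentbyte=689 rcvdbyte=3354 sentpkt=8 rcvdpkt=6',
    'date=2025-07-03 time=18:40:02 eventtime=1751586002000000000 tz="-0500" logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" srcip=10.9.2.50 srcport=51234 srcintf="port2" srcintfrole="lan" dstip=192.243.59.20 dstport=443 dstintf="port1" dstintfrole="wan" sessionid=1644800 proto=6 action="accept" policyid=5 service="HTTPS" app="HTTPS" duration=10 sentbyte=1200 rcvdbyte=8000',
]

if __name__ == "__main__":
    probes, review = triage_ioc_hits(SAMPLE_LOGS)
    for f in probes:
        print("likely TLS probe (expected, by design):", f["srcip"], "->", f["dstip"])
    for f in review:
        print("needs review:", f["srcip"], "->", f["dstip"], "policyid", f["policyid"])
```

The probe match is a triage hint, not proof: a client host whose own traffic to the same destination produced the probe should still be checked against the forwarded-traffic logs.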


The TLS probe process is explained in the article below: Technical Tip: How FortiGate does 'TLS Active Probe' 


TLS probes are enabled by default. They can be disabled by turning off the SNI check in the SSL inspection profile, as outlined in the referenced article: Technical Tip: Configure interface for IPS TLS protocol active probing (Slow page load when Web Filt...

Related documents:

Indicators of Compromise 

Understanding IOC entries 
Working with IOC information 


Related article:

Troubleshooting Tip: How to allow HTTPS (port 443) traffic when certificate-probe-failed error occur... 
