Description | This article describes the difference between the Destination IP reported in GeoIP attack logs and the Destination IP reported in Signature detection attack logs. |
Scope | FortiWeb-VM, FortiWeb. |
Solution |
FortiWeb generates attack logs according to the web protection profile applied to the server policy. In a GeoIP attack log the HTTP Host and URL fields show 'none'. This means the violation was detected during TCP connection establishment, before any HTTP request had been received or parsed, and not in the subsequent HTTP stage. At the TCP stage the proxy daemon has not yet selected a real server, so the only destination it knows is the virtual server (VIP) address the client connected to; the violation is raised because the source IP of the TCP connection itself falls in a blocked region of the GeoIP database.
GeoIP checking can also fire in the HTTP stage: if the client IP taken from the X-Forwarded-For header is in the GeoIP database, that is a GeoIP violation as well, but by then the request has been parsed and a real server selected, so the destination IP in that log is the real server IP, and Host and URL are populated. Signature detection always runs in the HTTP stage, so its logs likewise carry the real server IP as the destination.
Conclusion: GeoIP attack logs raised at TCP connection establishment (Host and URL 'none') report the virtual server IP as the destination IP; logs raised in the HTTP stage, including signature detection and GeoIP matches on X-Forwarded-For, report the real server IP. |
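As an added example (not from the Fortinet article or from FortiWeb itself), the following Python applies the rule above to constructed FortiWeb-style key=value attack log lines: it infers the detection stage from whether Host and URL are 'none', checks that the destination IP is the VIP for TCP-stage GeoIP logs and a real server for HTTP-stage logs, and picks the address to pivot on when correlating. The field names (main_type, sub_type, policy, srcip, dstip, http_host, http_url, x_forwarded_for), the policy inventory and all addresses are assumptions made for illustration.

```python
import re
from collections import Counter

# Constructed sample attack log lines in key=value syslog style. Field names
# and addresses are assumptions, not copied from a real FortiWeb log.
SAMPLE_LOGS = [
    # GeoIP violation caught while the TCP connection was being set up:
    # Host and URL are "none" and dstip is the virtual server address.
    'date=2024-05-01 time=10:00:01 main_type="Attack" sub_type="Geo IP" '
    'policy="web-policy-1" srcip=203.0.113.10 dstip=198.51.100.5 '
    'http_host="none" http_url="none" msg="Geo IP violation"',
    # Signature detection runs in the HTTP stage: the request has been
    # parsed, so Host/URL are filled in and dstip is the real server.
    'date=2024-05-01 time=10:00:02 main_type="Attack" sub_type="Signature Detection" '
    'policy="web-policy-1" srcip=203.0.113.11 dstip=10.0.0.11 '
    'http_host="www.example.com" http_url="/login?id=1%27+OR+1%3D1" msg="SQL Injection"',
    # GeoIP violation raised from the X-Forwarded-For address: also HTTP
    # stage, so the destination is the real server, not the VIP.
    'date=2024-05-01 time=10:00:03 main_type="Attack" sub_type="Geo IP" '
    'policy="web-policy-1" srcip=192.0.2.7 dstip=10.0.0.12 '
    'http_host="www.example.com" http_url="/" x_forwarded_for="203.0.113.12" msg="Geo IP violation"',
]

# Assumed server-policy inventory: the VIP and the real servers behind it.
POLICIES = {
    "web-policy-1": {"vip": "198.51.100.5", "real_servers": {"10.0.0.11", "10.0.0.12"}},
}

# key=value where the value is either "quoted text" or a bare token.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_log(line):
    """Parse one key=value log line into a dict; quoted values may be empty."""
    out = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        out[key] = quoted if quoted is not None else bare
    return out


def detection_stage(rec):
    """'tcp-connect' when no HTTP request was parsed (Host and URL 'none'), else 'http'."""
    host = rec.get("http_host", "none")
    url = rec.get("http_url", "none")
    return "tcp-connect" if host == "none" and url == "none" else "http"


def dst_role(rec, policies=POLICIES):
    """Say whether dstip is the policy's VIP, one of its real servers, or unknown."""
    pol = policies.get(rec.get("policy"))
    if pol is None:
        return "unknown"
    if rec.get("dstip") == pol["vip"]:
        return "vip"
    if rec.get("dstip") in pol["real_servers"]:
        return "real-server"
    return "unknown"


def classify(line, policies=POLICIES):
    """Classify a log line and flag destination IPs that contradict the stage rule."""
    rec = parse_log(line)
    stage = detection_stage(rec)
    role = dst_role(rec, policies)
    expected = "vip" if stage == "tcp-connect" else "real-server"
    return {
        "sub_type": rec.get("sub_type"),
        "stage": stage,
        "dstip": rec.get("dstip"),
        "dst_role": role,
        "consistent": role == expected,
        # For HTTP-stage GeoIP hits the blocked address is the XFF one, not srcip.
        "client_ip": rec.get("x_forwarded_for") or rec.get("srcip"),
    }


def summarize(lines, policies=POLICIES):
    """Count log lines by (sub_type, stage, destination role)."""
    return Counter(
        (c["sub_type"], c["stage"], c["dst_role"])
        for c in (classify(l, policies) for l in lines)
    )


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(classify(line))
    print(summarize(SAMPLE_LOGS))
```

When correlating a TCP-stage GeoIP log with a backend, search on the policy's VIP rather than on a real server address; a GeoIP log whose destination is a real server and whose Host is populated is an X-Forwarded-For match, and the address to investigate is the one in that header.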
Copyright 2024 Fortinet, Inc. All Rights Reserved.