Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
cperez22
New Contributor II

Critical Risk

Hello,
I have a problem in my fortigate 300E, currently I get alerts in my fortianalizer of all IP addresses, with the critical risk alert, it seems to be an infected DNS problem but I don't know how to detect the origin of the problem and how to solve it.
Any suggestion or help would be appreciated.

7 REPLIES 7
Anthony_E
Community Manager
Community Manager

Hello cperez,

 

Thank you for using the Community Forum.

I will seek to get you an answer or help. We will reply to this thread with an update as soon as possible.

 

Regards,

Anthony-Fortinet Community Team.
tthrilok
Staff
Staff

Hi Cperez,

 

Thank you  for the query!

 

May we kindly request what is the exact log/alert you are seeing in FAZ. 

 

Please keep us posted.

 

cperez22
New Contributor II

In FAZ, compromised hosts an IP appears but it is not always the same, it changes constantly, these IPs are from my local network. in the type of threat it shows that it is of the CnC and Sinkhole type, but in details it does not show anything

kvimaladevi

Hi,

Usually If a computer attempts to connect to a sinkhole server, it's most likely infected with malware. 

Could you please check if you are able to see more information about this issue in the Fortigate Intrusion prevention logs under logs and events? We shall be able to see the 1st event occurrence and find the source for it.

Also to get rid of this, you may have to use Anti-Virus software to scan and clean the infected device.

Regards,

Vimala

cperez22

Thank you, Critical risk.jpgbut how can I know which device is infected if the infected IP constantly changes, and in fortigate all the IPs of my local network appear as infected, with the legend of critical risk.

unknown1020
New Contributor III

Hello, did you find any answer? because the same thing is happening to me.

Christian_89
Contributor III

I'm sorry to hear about the critical risk alerts on your FortiGate 300E. These alerts could be indicative of a serious issue, so it's essential to approach the situation methodically and carefully. Here's a general guideline to help you identify and potentially resolve the issue:

### 1. **Identify the Alert Details**
- **Check FortiAnalyzer Logs**: Review the detailed logs in FortiAnalyzer to understand what exactly the alerts pertain to. Look for specific signatures, attack patterns, or behaviors that are flagged as critical.
- **Understand the Alert**: Determine if the alert is related to a known attack, malware, or something else. The details provided in the alert can guide you toward the root cause.

### 2. **Isolate the Affected Systems**
- **Find Common Patterns**: Look for common patterns such as specific IP addresses, domains, or DNS requests that are flagged.
- **Isolate Networks**: If possible, isolate the affected systems or networks to prevent potential spread if it is indeed an infection.

### 3. **Investigate DNS Activity**
- **Review DNS Logs**: If the alerts are related to DNS, review your DNS server logs to identify any suspicious requests or patterns.
- **Check DNS Configuration**: Review the DNS configuration on the FortiGate and other network devices to ensure that they are correct and have not been tampered with.

### 4. **Utilize Security Tools**
- **FortiSandbox**: If you have FortiSandbox, you might want to use it to analyze suspicious files or URLs.
- **Endpoint Security**: Ensure that endpoint security solutions are updated and performing scans on the internal network.

### 5. **Consider Professional Assistance**
- **Fortinet Support**: Reach out to Fortinet Support for assistance. They have the expertise to guide you through the investigation and resolution process.
- **Security Professionals**: Consider involving a cybersecurity professional or a specialized team if the situation is complex.

### 6. **Mitigation and Remediation**
- **Apply Necessary Patches**: If the issue is related to a known vulnerability, ensure that all systems are patched and up to date.
- **Adjust Policies**: Based on the findings, you may need to adjust firewall or security policies to mitigate the risk.
- **Monitor Continuously**: Keep monitoring the situation closely to ensure that the issue has been resolved and does not reoccur.

### 7. **Document the Incident**
- **Create a Detailed Report**: Document what happened, the investigation process, and the steps taken to resolve the issue. This can be valuable for future reference and compliance.

Remember, without specific details about the alerts and your network configuration, it's challenging to provide a definitive solution. The above steps are general guidelines, and it would be advisable to involve Fortinet Support or cybersecurity professionals to ensure a thorough investigation and resolution.

Labels
Top Kudoed Authors