Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
knikolajczuk
New Contributor

No logs from Intrusion Prevention after update to FortiOS 6.2.6

Hello everyone

On my FortiGate 601E I stopped receiving logs from the Intrusion Prevention system. On version 6.2.4 everything works fine, but when I update to 6.2.5 and then to 6.2.6 no logs come from IPS. I think that the IPS is not working as expected and not detecting potential vulnerabilities in my WAN-DMZ direction, which exposes my servers to potential threats. Before the update I received a lot of information about potential attacks, but now my log is almost clear. I know that IPS security profiles are correctly assigned to the appropriate policies in the WAN --> DMZ (D-NAT) facing direction. Can anyone help me resolve this issue or explain to me why logs stopped being stored on disk and in FortiAnalyzer?

Below is the screenshot from the logs pane. As you can see, before the upgrade everything worked fine; many threats were detected. But now, after 11 Sep, the IPS event log is almost clear except for a single FTP.Login.Brute.Force detection.


bommi
Contributor III

Hi,


Can you please check if you are seeing IPS engine crashes?

Just use this command:

diagnose debug crashlog read


I see many IPS engine crashes after upgrading to 6.2.6, but I use NGFW policy mode, so the IPS engine is always stressed by many packets.


Regards

bommi

NSE 4/5/7

knikolajczuk

Hello and thanks for reply.

My NGFW works in profile-based mode. After executing the mentioned command I received the output below (truncated):


16343: 2020-09-12 01:00:25 ipsengine 05.002.218 crashed 2 times. The latest crash was at 2020-09-12
16344: 2020-09-12 01:00:25 00:00:24.
16345: 2020-10-26 19:35:31 the killed daemon is /bin/ipsmonitor: status=0x0
16346: 2020-11-24 05:45:19 the killed daemon is /bin/updated: status=0x0
16347: 2020-12-04 10:30:54 <00371> firmware FortiGate-601E v6.2.6,build1175b1175,201110 (GA) (Release)
16348: 2020-12-04 10:30:54 <00371> application ipsengine 05.002.229
16349: 2020-12-04 10:30:54 <00371> *** signal 11 (Segmentation fault) received ***
16350: 2020-12-04 10:30:54 <00371> Register dump:
16351: 2020-12-04 10:30:54 <00371> RAX: 00007f9c6c3d5980 RBX: 00007f9c6c3d5800
16352: 2020-12-04 10:30:54 <00371> RCX: 000000000000000d RDX: 00007f9cadf6027d
16353: 2020-12-04 10:30:54 <00371> R08: 00007f9c6c3d5960 R09: 0000000000000020
16354: 2020-12-04 10:30:54 <00371> R10: fffdff9cad8c0a08 R11: 00007f9cad8c4830
16355: 2020-12-04 10:30:54 <00371> R12: 00007f9c6c3d5810 R13: 0000000000000001
16356: 2020-12-04 10:30:54 <00371> R14: 00007f9cad8da328 R15: 00007f9cadb6b890
16357: 2020-12-04 10:30:54 <00371> RSI: 0000000000000000 RDI: 0000000000000000
16358: 2020-12-04 10:30:54 <00371> RBP: 00007f9c296c6da0 RSP: 00007fff3c5d8da8
16359: 2020-12-04 10:30:54 <00371> RIP: 0000000000000000 EFLAGS: 0000000000010246
16360: 2020-12-04 10:30:54 <00371> CS: 0033 FS: 0000 GS: 0000
16361: 2020-12-04 10:30:54 <00371> Trap: 000000000000000e Error: 0000000000000014
16362: 2020-12-04 10:30:54 <00371> OldMask: 0000000000004206
16363: 2020-12-04 10:30:54 <00371> CR2: 0000000000000000
16364: 2020-12-04 10:30:54 <00371> Backtrace:
16365: 2020-12-04 10:30:54 <00371> [0x00000000]
16366: 2020-12-04 10:30:54 <00371> [0x7f9cadb8d0b5] => /data/lib/libips.so
16367: 2020-12-04 10:30:54 <00371> Backtrace:
16368: 2020-12-04 10:30:54 <00371> [0x7f9cb4c5173d] => /usr/lib/x86_64-linux-gnu/libsegfault.so
16369: 2020-12-04 10:30:54 liboffset 0000273d
16370: 2020-12-04 10:30:54 <00371> [0x7f9cb3cb56b0] => /usr/lib/x86_64-linux-gnu/libc.so.6 liboffset
16371: 2020-12-04 10:30:54 000346b0
16372: 2020-12-04 10:30:54 [IPS Engine <00371>] base: 0x7f9cad992000
16373: 2020-12-04 10:30:54 [IPS Engine <00371>] Last session info:
16374: 2020-12-04 10:30:54 [IPS Engine <00371>] Session ID:3087678 Serial:61971326 Proto:17 Age:618
16375: 2020-12-04 10:30:54 Idle:0 Flag:0x87 Feature:0x0 Ignore:1,0 Encap:0
16376: 2020-12-04 10:30:54 [IPS Engine <00371>] Client: 10.200.0.48:50011 Server: 52.112.150.83:3480
16377: 2020-12-04 10:30:54 [IPS Engine <00371>] Stream: C-4160316/0/0, S-2109962/0/0
16378: 2020-12-04 10:30:54 [IPS Engine <00371>] URL:
16379: 2020-12-04 10:30:54 [AV Engine <371>] AV Engine version: 6.2.154
16380: 2020-12-04 10:30:54 [AV Engine <371>] Last file info:
16381: 2020-12-04 10:30:54 [AV Engine <371>] filename: buffer, filesize: 168, filebuffer: 0x7f9cad811000
16382: 2020-12-04 10:30:54 [AV Engine <371>] Native script imagebase: 0x7f9cabc5b000
16383: 2020-12-04 10:30:54 [AV Engine <371>] Native script imagesize: 0x8000
16384: 2020-12-04 10:30:54 [AV Engine <371>] AV Engine imagebase: 0x7f9c2cb3d000
Crash log interval is 3600 seconds
ipsengine 05.002.229 crashed 1 times. The last crash was at 2020-12-04 10:30:54
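Both replies above turn on the output of `diagnose debug crashlog read`: bommi suggests running it, and the output knikolajczuk posted shows an ipsengine segfault with libips.so in the backtrace. The script below is an added example (not Fortinet's code and not from anyone in this thread): a small off-box parser for that output that turns it into per-daemon crash counts, the list of killed daemons, and a list of segfaults with the libraries named in their backtraces, so the crashes can be lined up against the date the IPS logs stopped. The sample input is constructed from the line format shown in the post; the record layout it assumes (a firmware line, then an application line, then the signal and backtrace, all tagged with the same <pid>) is taken from that post and may differ on other builds.

```python
"""Off-box parser for FortiGate `diagnose debug crashlog read` output.

Added example, not Fortinet code. Assumed layout (taken from the output
posted in this thread): "<lineno>: <date> <time> [<pid>] <message>", where a
crash block is a "firmware ..." line, an "application <name> <version>" line,
a "*** signal N (...) received ***" line and backtrace frames, all tagged with
the same <pid>; "<name> <version> crashed N times." lines give interval totals.
"""
import re
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

# Constructed sample, modelled on (and abridged from) the lines posted in the thread.
SAMPLE_CRASHLOG = """\
16343: 2020-09-12 01:00:25 ipsengine 05.002.218 crashed 2 times. The latest crash was at 2020-09-12
16344: 2020-09-12 01:00:25 00:00:24.
16345: 2020-10-26 19:35:31 the killed daemon is /bin/ipsmonitor: status=0x0
16346: 2020-11-24 05:45:19 the killed daemon is /bin/updated: status=0x0
16347: 2020-12-04 10:30:54 <00371> firmware FortiGate-601E v6.2.6,build1175b1175,201110 (GA) (Release)
16348: 2020-12-04 10:30:54 <00371> application ipsengine 05.002.229
16349: 2020-12-04 10:30:54 <00371> *** signal 11 (Segmentation fault) received ***
16359: 2020-12-04 10:30:54 <00371> RIP: 0000000000000000 EFLAGS: 0000000000010246
16364: 2020-12-04 10:30:54 <00371> Backtrace:
16365: 2020-12-04 10:30:54 <00371> [0x00000000]
16366: 2020-12-04 10:30:54 <00371> [0x7f9cadb8d0b5] => /data/lib/libips.so
16368: 2020-12-04 10:30:54 <00371> [0x7f9cb4c5173d] => /usr/lib/x86_64-linux-gnu/libsegfault.so
16370: 2020-12-04 10:30:54 <00371> [0x7f9cb3cb56b0] => /usr/lib/x86_64-linux-gnu/libc.so.6 liboffset
16372: 2020-12-04 10:30:54 [IPS Engine <00371>] base: 0x7f9cad992000
Crash log interval is 3600 seconds
ipsengine 05.002.229 crashed 1 times. The last crash was at 2020-12-04 10:30:54
"""

LINE_RE = re.compile(r"^\d+:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(?:<(\d+)>\s+)?(.*)$")
FIRMWARE_RE = re.compile(r"^firmware (.*)$")
APP_RE = re.compile(r"^application (\S+) (\S+)$")
SIGNAL_RE = re.compile(r"^\*\*\* signal (\d+) \(([^)]*)\) received \*\*\*$")
FRAME_RE = re.compile(r"^\[0x[0-9a-fA-F]+\] => (\S+)")
KILLED_RE = re.compile(r"^the killed daemon is (\S+): status=(\S+)$")
SUMMARY_RE = re.compile(r"\b(\S+) (\S+) crashed (\d+) times?\.")


@dataclass
class Crash:
    pid: str
    app: str
    version: str
    when: datetime
    firmware: Optional[str] = None
    signal: Optional[int] = None
    signal_name: Optional[str] = None
    frames: List[str] = field(default_factory=list)  # libraries named in the backtrace


def _records(text: str):
    # Yield (timestamp, pid or None, message) for every line carrying the numeric prefix.
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            stamp, pid, msg = m.groups()
            yield datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), pid, msg


def parse_crashlog(text: str) -> List[Crash]:
    """Return one Crash per full crash block, in log order."""
    open_blocks: Dict[str, Crash] = {}  # blocks keyed by their <pid> tag
    firmware: Dict[str, str] = {}       # firmware line arrives before the application line
    out: List[Crash] = []
    for when, pid, msg in _records(text):
        if pid is None:
            continue
        if (m := FIRMWARE_RE.match(msg)):
            firmware[pid] = m.group(1)
        elif (m := APP_RE.match(msg)):
            c = Crash(pid, m.group(1), m.group(2), when, firmware.pop(pid, None))
            open_blocks[pid] = c
            out.append(c)
        elif pid in open_blocks:
            c = open_blocks[pid]
            if (m := SIGNAL_RE.match(msg)):
                c.signal, c.signal_name = int(m.group(1)), m.group(2)
            elif (m := FRAME_RE.match(msg)):
                c.frames.append(m.group(1))
    return out


def summarize(text: str) -> dict:
    """Per-daemon crash counts, killed daemons, and segfault details with backtrace libraries."""
    crashes = parse_crashlog(text)
    reported: Counter = Counter()  # totals from "<app> <ver> crashed N times." lines
    for raw in text.splitlines():  # these summary lines may lack the numeric prefix
        if (m := SUMMARY_RE.search(raw)):
            reported[m.group(1)] += int(m.group(3))
    killed = [m.group(1) for _, _, msg in _records(text) if (m := KILLED_RE.match(msg))]
    segfaults = [(c.app, c.version, c.when.isoformat(), c.frames) for c in crashes if c.signal == 11]
    return {"blocks": Counter(c.app for c in crashes), "reported": reported,
            "killed": killed, "segfaults": segfaults}


if __name__ == "__main__":
    s = summarize(SAMPLE_CRASHLOG)
    for app, n in s["reported"].items():
        print(f"{app}: {n} crash(es) reported by crashlog summary lines")
    for app, ver, when, frames in s["segfaults"]:
        print(f"segfault in {app} {ver} at {when}; backtrace through {', '.join(frames)}")
```

To use it on a real box, capture the full output of `diagnose debug crashlog read` from the CLI to a file and pass its contents to `summarize()`. A run of ipsengine segfaults whose timestamps start at the upgrade date, with libips.so in the backtraces, is the kind of evidence worth attaching to a support case; the crash log alone does not say why the engine crashed, only that it did and which library was on the stack.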
