Support Forum
hvschie
New Contributor

SSL alert sent

During the day I receive the following alerts in the Eventlogging:

Facility: 21
Severity: 3
Priority: 171
Priority Name local5.error
Time Generated: Nov 19 11:00:42
Hostname: 10.65.0.209
Message: date=2013-11-19 time=12:00:41 devname=FW_RIX_01 devid=FG200B3912603194 logid=0105048019 type=event subtype=wad level=error vd="root" session_id=7d742306 policyid=3 src=0.0.0.0 srcport=0 dst=93.116.201.10 dstport=443 action=send alert=2 desc=22 msg="SSL Alert sent"

I can't figure out what type of traffic is causing these messages. The strange thing is the source IP address of 0.0.0.0 and source port of 0. Anyone seeing the same thing or knows what kind of traffic is causing these alerts? The policyID is the Webproxy policy.
billp
Contributor

I haven't seen this, but it's listed here as a VIP SSL error: http://docs.fortinet.com/fgt/techdocs/fortigate-lmr.pdf

Error 22 description:
fts_alert_desc_record_overflow=22 – a TLSCiphertext record
 was received that had a length more than 2^14+2048 bytes, or a record
 decrypted to a TLSCompressed record with more than 2^14+1024 bytes
 (always fatal)

Perhaps look at your VIP traffic to see if there's something funny going on there? Sounds like some kind of hacking attempt, perhaps.

Bill ========== Fortigate 600C 5.0.12, 111C 5.0.2 Logstash 1.4.1
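
As an added example (not from either poster or from Fortinet), one way to triage these events: the Python below parses FortiGate key=value lines, decodes alert= and desc= with the TLS alert numbers from RFC 5246, and counts alerts per destination. It assumes those two fields carry the TLS AlertLevel and AlertDescription values, as the desc=22 listing quoted above suggests; the function names and every sample line after the first are constructed for illustration.

```python
import re
from collections import Counter

# TLS AlertLevel / AlertDescription numbers as defined in RFC 5246, section 7.2.
ALERT_LEVEL = {1: "warning", 2: "fatal"}
ALERT_DESC = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed", 22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate", 43: "unsupported_certificate",
    44: "certificate_revoked", 45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error", 90: "user_canceled",
    100: "no_renegotiation",
}
FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key=value or key="quoted value"

def parse_fields(line):
    """Split a FortiGate key=value log line into a dict, trimming quoted values."""
    return {k: (q or v).strip() for k, q, v in FIELD.findall(line)}

def decode_ssl_alert(line):
    """Decode a wad event line (assumed: alert= is TLS level, desc= is TLS description)."""
    f = parse_fields(line)
    if f.get("subtype") != "wad" or not (
            f.get("alert", "").isdecimal() and f.get("desc", "").isdecimal()):
        return None  # not a wad alert line, or the fields are not numeric
    level, desc = int(f["alert"]), int(f["desc"])
    return {"dst": f.get("dst"), "dstport": f.get("dstport"), "policyid": f.get("policyid"),
            "level": ALERT_LEVEL.get(level, f"unknown({level})"),
            "desc": ALERT_DESC.get(desc, f"unknown({desc})")}

def summarize(lines):
    """Count alerts per (dst, dstport, level, desc), most frequent first."""
    alerts = filter(None, map(decode_ssl_alert, lines))
    return Counter((a["dst"], a["dstport"], a["level"], a["desc"])
                   for a in alerts).most_common()

# First entry: fields taken from the post above. The rest are constructed samples.
SAMPLE = [
    'type=event subtype=wad level=error policyid=3 src=0.0.0.0 srcport=0 '
    'dst=93.116.201.10 dstport=443 action=send alert=2 desc=22 msg="SSL Alert sent"',
    'type=event subtype=wad policyid=3 dst=93.116.201.10 dstport=443 action=send alert=2 desc=22',
    'type=event subtype=wad policyid=3 dst=203.0.113.7 dstport=443 action=send alert=2 desc=40',
    'type=traffic subtype=forward policyid=3 dst=203.0.113.7 dstport=443 action=accept',
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```

Grouping by destination shows whether the alerts cluster on a few remote servers or are spread across many, which narrows down which proxied sessions to inspect.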
