Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Lonis23i
New Contributor II

Clarification Needed on Fortigate IPS Alert

Dear community members,

I hope this message finds you well. I have a question regarding Fortigate IPS, specifically about the scope of its analysis. Does the firewall's IPS exclusively analyze incoming traffic (e.g., WAN to LAN, WAN to DMZ, etc.), or does it also scrutinize outgoing traffic (e.g., LAN to WAN, LAN to LAN, etc.) for potential threats?

The reason I'm raising this question is that I recently encountered an IPS alert with the description "Backdoor: Backdoor.Cobalt.Strike.Beacon." The details provided were as follows: Source - Public IP address, Destination - Internal address (switch), Direction - Outgoing. I'm seeking clarification on what this alert precisely signifies. Does it imply a compromised internal machine? Could you please provide a more in-depth explanation of this alert?

Thank you for your assistance and insights.

Best regards,

5 REPLIES 5
AEK
SuperUser
SuperUser

Hello

In my understanding IPS scans both in and out traffic depending on the IPS profile.

E.g.: protect_client profile mainly (but not exclusively) analyses responses from server, while protect_server profile mainly analyses queries from client.

Regarding the backdoor alert it is not simple to provide definite response, but basically the firewall detected suspicious communication, but it doesn't mean that your host is 100% compromised. The next action would be to scan the host and investigate further.

AEK
AEK
vraev
Staff
Staff

Hi @Lonis23i ,
Could you provide the version of the FortiGate and the FortiAnalyzer?

 

Best,

V.R.
Jack_wack
New Contributor III

Look in the raw logs of ips. there is a parameter called direction. It's values: incoming or outgoing.

Screenshot 2024-01-18 221916.jpg

 

 

Angelrian
New Contributor

A situation where your FortiGate firewall generates an IPS alert for suspicious outgoing traffic, indicating potential exploitation. For instance, you may receive an alert with the description "Suspicious Activity: CVE-2023-XXXX Exploit Attempt." Upon investigation, you discover that the source IP is an internal server, while the destination IP belongs to an external entity. This raises concerns about a possible compromise of the internal server and unauthorized attempts to exploit a known vulnerability.

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors