Support Forum
Lonis23i
New Contributor II

Clarification Needed on Fortigate IPS Alert

Dear community members,

I hope this message finds you well. I have a question regarding Fortigate IPS, specifically about the scope of its analysis. Does the firewall's IPS exclusively analyze incoming traffic (e.g., WAN to LAN, WAN to DMZ, etc.), or does it also scrutinize outgoing traffic (e.g., LAN to WAN, LAN to LAN, etc.) for potential threats?

The reason I'm raising this question is that I recently encountered an IPS alert with the description "Backdoor: Backdoor.Cobalt.Strike.Beacon." The details provided were as follows: Source - Public IP address, Destination - Internal address (switch), Direction - Outgoing. I'm seeking clarification on what this alert precisely signifies. Does it imply a compromised internal machine? Could you please provide a more in-depth explanation of this alert?

Thank you for your assistance and insights.

Best regards,

5 REPLIES
AEK
SuperUser

Hello

In my understanding, IPS scans both inbound and outbound traffic, depending on the IPS profile.

E.g.: the protect_client profile mainly (but not exclusively) analyses responses from the server, while the protect_server profile mainly analyses queries from the client.

Regarding the backdoor alert, it is not simple to provide a definite response, but basically the firewall detected suspicious communication; it doesn't mean that your host is 100% compromised. The next action would be to scan the host and investigate further.

AEK
vraev
Staff

Hi @Lonis23i ,
Could you provide the version of the FortiGate and the FortiAnalyzer?


Best,

V.R.
Jack_wack
New Contributor III

Look in the raw IPS logs. There is a parameter called direction. Its values: incoming or outgoing.

[Attached screenshot: Screenshot 2024-01-18 221916.jpg]


Angelrian
New Contributor

Consider a situation where your FortiGate firewall generates an IPS alert for suspicious outgoing traffic, indicating potential exploitation. For instance, you may receive an alert with the description "Suspicious Activity: CVE-2023-XXXX Exploit Attempt." Upon investigation, you discover that the source IP is an internal server, while the destination IP belongs to an external entity. This raises concerns about a possible compromise of the internal server and unauthorized attempts to exploit a known vulnerability.
