Detect/Dropped vs Passthrough
This might be a n00b question, but I just want to make sure I understand how Fortigate processes traffic and alerts.
In the Fortianalyzer/Fortiview/Logs:
So, when I research an alert for Angler EK and I check the IPS logs, I see "detected" and usually "dropped" for a given IP, but when I search for the IP in the Web Filter logs, the "action" says "passthrough".
My question is, did the Fortigate allow the website requests from the IP and then, when it detects Angler, the IPS blocks the traffic? Or am I missing something?
I just want to know that if I see alerts on a particular EK like Angler or Nuclear, and I check and see detected and dropped, there is no more action I need to take, like remediation, etc.
Thanks all,
MikeJ
Hi MikeJ,
You should capture the packets and follow the connection stream.
The capture will show you which system blocks the connection first, and which system follows. You could reproduce this using an isolated virtual machine. You could also use the diagnose debug command to capture the packets.
Fortinet Network Security Professional (NSE4)
I posted this earlier, but the life of a packet should be studied by all so you know how a packet flows across a Fortigate and in what order.
http://docs.fortinet.com/uploaded/files/2674/fortios-life-of-a-packet-524.pdf
Be aware of the packet flow (in and out) and the logs for what you are seeing. As far as packet capture, you could have also enabled it on the IPS sensor. If the signature has a block vs. a pass, then you can be sure it was blocked.
Make sure the signature status is enabled also.
PCNSE
NSE
StrongSwan
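The replies above point at the same check: line up the web filter and IPS log entries for one flow in the order they happened and look at the final action, and note that an IPS entry with action "detected" means the signature was in monitor mode, not block. The script below does that correlation over log lines. It is an added example, not code from the thread or from Fortinet; the log lines are constructed for illustration in the FortiOS key=value log style (field names such as sessionid, subtype, action, srcip and attack follow FortiOS naming, but the values, the session IDs and the signature names "Angler.Exploit.Kit" and "Nuclear.Exploit.Kit" are placeholders).

```python
"""Correlate FortiGate web filter and IPS log lines by session and give a verdict.

Added example, not from the original thread or from Fortinet. The sample
lines are constructed in the FortiOS key=value log style; values are
placeholders.
"""
import shlex
from collections import defaultdict

# Constructed sample log lines (not real FortiGate output).
# Session 482311: web filter lets the URL request through, then IPS drops
# the session when the exploit-kit signature fires.
# Session 482390: web filter passthrough and nothing else.
# Session 482455: IPS signature fires in monitor mode ("detected"), so the
# traffic was not blocked.
SAMPLE_LOGS = [
    'date=2016-03-01 time=10:15:02 type=utm subtype=webfilter eventtype=ftgd_allow '
    'level=notice sessionid=482311 srcip=10.1.1.25 dstip=203.0.113.8 service=HTTP '
    'action=passthrough url="http://example.test/ads/show.php" cat=17',
    'date=2016-03-01 time=10:15:03 type=utm subtype=ips eventtype=signature '
    'level=critical sessionid=482311 srcip=10.1.1.25 dstip=203.0.113.8 service=HTTP '
    'action=dropped attack="Angler.Exploit.Kit" severity=critical',
    'date=2016-03-01 time=10:16:40 type=utm subtype=webfilter eventtype=ftgd_allow '
    'level=notice sessionid=482390 srcip=10.1.1.25 dstip=198.51.100.4 service=HTTP '
    'action=passthrough url="http://benign.test/" cat=52',
    'date=2016-03-01 time=10:17:11 type=utm subtype=ips eventtype=signature '
    'level=critical sessionid=482455 srcip=10.1.1.30 dstip=203.0.113.9 service=HTTP '
    'action=detected attack="Nuclear.Exploit.Kit" severity=critical',
]

# IPS/web filter actions that mean the firewall stopped the traffic.
BLOCKING_ACTIONS = {"dropped", "blocked", "block", "reset"}


def parse_line(line):
    """Turn one key=value log line into a dict; shlex handles quoted values."""
    fields = {}
    for token in shlex.split(line):
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def session_timeline(lines):
    """Group parsed events by sessionid, ordered by date and time."""
    sessions = defaultdict(list)
    for line in lines:
        event = parse_line(line)
        if "sessionid" in event:
            sessions[event["sessionid"]].append(event)
    for events in sessions.values():
        events.sort(key=lambda e: (e.get("date", ""), e.get("time", "")))
    return sessions


def verdict(events):
    """Final outcome of a session given all UTM events logged for it.

    'blocked'       - some engine dropped/blocked/reset the session
    'detected-only' - an IPS signature matched but was only monitoring
    'passed'        - nothing stopped the traffic
    """
    actions = [(e.get("subtype"), e.get("action")) for e in events]
    if any(action in BLOCKING_ACTIONS for _, action in actions):
        return "blocked"
    if any(sub == "ips" and action == "detected" for sub, action in actions):
        return "detected-only"
    return "passed"


def triage(lines):
    """Return {sessionid: {client, chain, verdict}} for every session seen."""
    result = {}
    for sid, events in session_timeline(lines).items():
        result[sid] = {
            "client": events[0].get("srcip"),
            "chain": " -> ".join(
                f"{e.get('subtype')}:{e.get('action')}" for e in events
            ),
            "verdict": verdict(events),
        }
    return result


if __name__ == "__main__":
    for sid, info in triage(SAMPLE_LOGS).items():
        print(f"session {sid} client {info['client']}: "
              f"{info['chain']} => {info['verdict']}")
```

A "detected-only" session is the case the last reply warns about: the signature matched but its action was pass, so the client did receive the traffic and the host still needs a look. A "blocked" chain of webfilter:passthrough followed by ips:dropped is the pattern described in the question; the passthrough entry records the URL decision, the dropped entry records that the session was then stopped.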
