Team-IT
New Contributor III

FG-VD-56112.0day

From 2024-07-03 19:00 till 2024-07-04 05:00 (CEST) we experienced IPS blockage of nearly all traffic on our 200F with IPS FG-VD-56112.0day. I'm pretty sure it was an issue within the database from Fortinet. Has anybody else experienced this? Since it seems to be a total false positive, how can one protect against this, because all legitimate traffic was also blocked by it?

mpapisetty
Staff

Hi @Team-IT, a couple of questions:

1. "Nearly all traffic" or "all traffic"? If it is nearly all, what was the allowed traffic and what is different about it?

2. Did the issue get rectified at 5 CEST on its own, or after an admin intervention or an IPS signature auto-update? If the signature database did not get updated, it is unlikely that there was a problem with the IPS signature itself.

-Manoj Papisetty
Team-IT
New Contributor III

Hi @mpapisetty

1) The difference was the targeted domain. google.com, for example, was blocked outgoing (on a rule that had IPS enabled); incoming traffic: 80% of our domains were blocked; 20% of the domains (pointing to the same Virtual IP) were just fine.

2) It resolved itself when a new IPS signature auto-update came.

We resolved it earlier that night by disabling IPS. When we saw that there was a new IPS DB we re-enabled IPS (that's the little spike on the right) :)

[Image: 0day.png]

-Bjoern

Pkoum1
New Contributor II

It seems that we had the same issue here. From 18:33 CEST on the 3rd of July.

We managed to work around it by removing the "High" severity IPS signatures on our IPS filter profile.

Team-IT
New Contributor III

Your solution was as bad as ours (I know it still helped) :D Firewall without IPS or without "high" IPS --- hmmmm.... The question I'm coming to: is there a way to roll back the IPS database? One can download only the newest version from the FG website, but nothing older...

mpapisetty
Staff
Staff

It does look like there was an error in one of the IPS DB versions and it was rolled back immediately, which resolved the issue. I see a few reports of customers who ran into this exact same problem, and the resolution happened right after the next auto update.

Regarding the question about rollback of the IPS database, there is no direct option available. If there is a specific use case, then it will have to go through Fortinet support channels to explore possible options.

-Manoj Papisetty