From 2024-07-03 19:00 till 2024-07-04 05:00 (CEST) we experienced IPS blockage of nearly all traffic on our 200F with IPS FG-VD-56112.0day. I'm pretty sure it was an issue within the database from Fortinet. Did anybody else experience this? Since it seems to be a total false positive, how can one protect against this, because all legitimate traffic was also blocked by it.
Hi @Team-IT, a couple of questions:
1. "nearly all traffic" or "all traffic"? If it is nearly all, what was the allowed traffic and what is different about it?
2. The issue got rectified at 5 CEST on its own or after an admin intervention or an IPS signature auto-update? If the signature database did not get updated, it is unlikely that there was a problem with the IPS signature itself.
Created on 07-04-2024 11:34 PM Edited on 07-05-2024 12:01 AM
Hi @mpapisetty
1) The difference was the target domain. google.com, for example, was blocked outgoing (on a rule that had IPS enabled); for incoming traffic, 80% of our domains were blocked and 20% of the domains (pointing to the same Virtual IP) were just fine.
2) It resolved itself when a new IPS signature auto-update came.
We resolved it earlier that night by disabling IPS. When we saw that there was a new IPS DB we re-enabled IPS (that's the little spike on the right) :)
-Bjoern
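The pattern Bjoern describes (IPS suddenly dropping traffic to most destinations after a signature update) is easier to catch early from logs than from user complaints. The following is an added example, not code from the thread or from Fortinet: it parses FortiOS-style key=value IPS UTM log lines (the sample lines are constructed, field names assumed) and flags any hour in which drops are both numerous and spread across many destinations, which fits a bad signature rather than a single real attack.

```python
import re
from collections import defaultdict

# Constructed FortiGate-style IPS UTM log lines (key=value), not taken from the
# thread. Field names follow the usual FortiOS "type=utm subtype=ips" layout.
SAMPLE_LOGS = """\
date=2024-07-03 time=18:10:01 type="utm" subtype="ips" action="detected" dstip=203.0.113.10 attack="Generic.Signature"
date=2024-07-03 time=18:20:05 type="utm" subtype="ips" action="dropped" dstip=203.0.113.11 attack="Generic.Signature"
date=2024-07-03 time=19:01:02 type="utm" subtype="ips" action="dropped" dstip=203.0.113.10 attack="Generic.Signature"
date=2024-07-03 time=19:02:07 type="utm" subtype="ips" action="dropped" dstip=203.0.113.12 attack="Generic.Signature"
date=2024-07-03 time=19:03:09 type="utm" subtype="ips" action="dropped" dstip=203.0.113.13 attack="Generic.Signature"
date=2024-07-03 time=19:05:11 type="utm" subtype="ips" action="dropped" dstip=203.0.113.14 attack="Generic.Signature"
date=2024-07-03 time=19:07:14 type="utm" subtype="ips" action="dropped" dstip=203.0.113.15 attack="Generic.Signature"
"""

# key=value pairs; values are either a quoted string or a bare token
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Parse one FortiOS key=value log line into a dict, stripping quotes."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}


def drops_per_hour(log_text):
    """Return {(date, hour): (dropped, total, distinct_dstips)} for IPS events."""
    buckets = defaultdict(lambda: [0, 0, set()])
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev.get("type") != "utm" or ev.get("subtype") != "ips":
            continue
        key = (ev["date"], ev["time"][:2])  # bucket by calendar hour
        bucket = buckets[key]
        bucket[1] += 1
        if ev.get("action") == "dropped":
            bucket[0] += 1
            bucket[2].add(ev.get("dstip"))
    return {k: (v[0], v[1], len(v[2])) for k, v in buckets.items()}


def mass_block_windows(log_text, min_drops=5, min_dsts=4):
    """Flag hours where IPS dropped many flows across many destinations.

    Thresholds are constructed for the sample; tune them to your own baseline.
    """
    return sorted(k for k, (drops, _, dsts) in drops_per_hour(log_text).items()
                  if drops >= min_drops and dsts >= min_dsts)


if __name__ == "__main__":
    print(mass_block_windows(SAMPLE_LOGS))  # [('2024-07-03', '19')]
```

Pointing this at a syslog export every few minutes gives an alert at the onset of the event instead of hours later, and the flagged window tells you which signature DB version to compare against when you decide whether to disable IPS until the next update.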