Team-IT
New Contributor III

FG-VD-56112.0day

From 2024-07-03 19:00 till 2024-07-04 05:00 (CEST) we experienced IPS blockage of nearly all traffic on our 200F with IPS FG-VD-56112.0day. I'm pretty sure it was an issue within the database from Fortinet. Has anybody else experienced this? Since it seems to be a total false positive, how can one prevent this, because all legitimate traffic was also blocked by it?

mpapisetty
Staff

Hi @Team-IT, a couple of questions:

1. "nearly all traffic" or "all traffic"? If it is nearly all, what was the allowed traffic and what is different about it? 

2. Did the issue get rectified at 5 CEST on its own, or after an admin intervention or an IPS signature auto-update? If the signature database did not get updated, it is unlikely that there was a problem with the IPS signature itself.

-Manoj Papisetty
Team-IT
New Contributor III

Hi @mpapisetty

1) The difference was the target domain. google.com, for example, was blocked outgoing (on a rule that had IPS enabled); incoming traffic: 80% of our domains were blocked; 20% of the domains (pointing to the same Virtual IP) were just fine.

2) It resolved itself when a new IPS signature auto-update came.

We resolved it earlier that night by disabling IPS. When we saw that there was a new IPS DB we re-enabled IPS (that's the little spike on the right) :)

0day.png

-Bjoern
