From 2024-07-03 19:00 till 2024-07-04 05:00 (CEST) we experienced IPS blockage of nearly all traffic on our 200F with IPS FG-VD-56112.0day. I'm pretty sure it was an issue within the database from Fortinet. Did anybody else experience this? Since it seems to be a total false positive, how can one prevent this, because all legitimate traffic was also blocked by it.
Hi @Team-IT , couple of questions -
1. "nearly all traffic" or "all traffic"? If it is nearly all, what was the allowed traffic and what is different about it?
2. The issue got rectified at 5 CEST on its own or after an admin intervention or an IPS signature auto-update? If the signature database did not get updated, it is unlikely that there was a problem with the IPS signature itself.
Created on 07-04-2024 11:34 PM Edited on 07-05-2024 12:01 AM
Hi @mpapisetty
1) The difference was the target domain. google.com, for example, was blocked outgoing (on a rule that had IPS enabled); incoming traffic: 80% of our domains were blocked, while 20% of the domains (pointing to the same Virtual IP) were just fine.
2) it resolved itself when a new IPS signature auto-update came.
We resolved it earlier that night by disabling IPS. When we saw that there was a new IPS DB we re-enabled IPS (that's the little spike on the right) :)
-Bjoern
It seems that we had the same issue here, from 18:33 CEST on the 3rd of July.
We managed to work around it by removing the "High" severity IPS signatures from our IPS filter profile.
Your solution was as bad as ours (I know it still helped) :D Firewall without IPS or without "high" IPS --- hmmmm.... The question I'm coming to: is there a way to roll back the IPS database? One can download only the newest version from the FG website, but nothing older...
It does look like there was an error in one of the IPS DB versions, which was rolled back immediately and resolved the issue. I see a few reports of customers who ran into this exact same problem, and the resolution happened right after the next auto-update.
Regarding the question about rollback of the IPS database, there is no direct option available. If there is a specific use case, then it will have to go through Fortinet support channels to explore possible options.
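Since the thread concludes that a faulty signature release can only be undone by the next auto-update, the practical defence is to notice the condition quickly from the IPS logs, so an admin can decide between the workarounds discussed above (disabling the profile, or excluding the offending severity or signature) before an outage runs for ten hours. The script below is an added example, not code from the thread or from Fortinet: it parses FortiGate-style key="value" IPS log lines and flags any signature that is absent from a baseline of previously seen signatures and is suddenly dropping flows to many distinct destinations. The field names (`type`, `subtype`, `action`, `attack`, `severity`, `srcip`, `dstip`), the log lines themselves, the baseline and the thresholds are all constructed assumptions for illustration.

```python
"""Flag an IPS signature that suddenly drops traffic to many unrelated
destinations, the pattern a bad signature-database release produces.
Added example, not from the thread; field names follow the common FortiOS
key=value log layout and are an assumption here."""
import re
from collections import defaultdict

# key=value pairs, value either double-quoted or a bare token
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line):
    """Parse one key=value log line into a dict (quoted and bare values)."""
    rec = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        rec[key] = quoted if quoted is not None else bare
    return rec


def _line(t, src, dst, sig, sid, sev, action):
    """Build one constructed IPS log line in FortiGate style (assumed layout)."""
    return (f'date=2024-07-03 time={t} type="utm" subtype="ips" eventtype="signature" '
            f'severity="{sev}" srcip={src} dstip={dst} action="{action}" '
            f'attack="{sig}" attackid={sid}')


# Constructed sample input, not real logs from the thread.
SAMPLE_LINES = []
# Normal background: a known signature repeatedly dropping one external scanner.
for i in range(3):
    SAMPLE_LINES.append(_line(f"19:0{i}:00", "198.51.100.9", "203.0.113.10",
                              "Known.Scanner.Probe", 10001, "medium", "dropped"))
# Sudden flood: a signature never seen before drops flows from many internal
# hosts to many unrelated destinations within one minute.
for i in range(25):
    SAMPLE_LINES.append(_line(f"19:05:{i:02d}", f"10.0.0.{i + 1}", f"192.0.2.{i + 1}",
                              "NEW.Signature.After.Update", 99999, "high", "dropped"))
# A monitor-only hit for the same signature: logged, but nothing was blocked.
SAMPLE_LINES.append(_line("19:06:00", "10.0.0.99", "192.0.2.99",
                          "NEW.Signature.After.Update", 99999, "high", "detected"))

# Signatures that were already firing before the update (assumed baseline).
BASELINE = {"Known.Scanner.Probe"}


def summarize_drops(lines):
    """Per signature: number of dropped flows, distinct destinations and sources."""
    stats = defaultdict(lambda: {"drops": 0, "dsts": set(), "srcs": set(), "severity": None})
    for line in lines:
        rec = parse_fortigate_log(line)
        # Only IPS events that actually blocked traffic matter for an outage.
        if rec.get("subtype") != "ips" or rec.get("action") != "dropped":
            continue
        s = stats[rec.get("attack", "?")]
        s["drops"] += 1
        s["dsts"].add(rec.get("dstip"))
        s["srcs"].add(rec.get("srcip"))
        s["severity"] = rec.get("severity")
    return stats


def find_suspect_signatures(lines, baseline, min_drops=20, min_dsts=10):
    """Signatures not in the baseline that block many flows to many destinations.

    A genuine attack usually concentrates on a few sources or targets; a bad
    signature release blocks ordinary traffic everywhere at once."""
    stats = summarize_drops(lines)
    return sorted(sig for sig, s in stats.items()
                  if sig not in baseline
                  and s["drops"] >= min_drops
                  and len(s["dsts"]) >= min_dsts)


if __name__ == "__main__":
    for sig in find_suspect_signatures(SAMPLE_LINES, BASELINE):
        s = summarize_drops(SAMPLE_LINES)[sig]
        print(f"SUSPECT {sig} (severity {s['severity']}): {s['drops']} drops, "
              f"{len(s['dsts'])} destinations, {len(s['srcs'])} sources")
```

In production the baseline would be the set of signatures observed firing over the preceding days, and the thresholds would be tuned to the site's normal IPS drop rate; the point of the check is that a signature which is both new and broad is exactly the thing to review (or exclude from the sensor) rather than the thing to trust.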