FortiAnalyzer: Threat direction
Hello,
I am currently working with a FortiAnalyzer cluster. In the Log View I can see several "IPS detected intrusion" events with an "alert" severity. When double-clicking the events, a detail view is opened. Now the detail view displays that the threat direction is outgoing, although the source interface role is WAN while the destination interface role is LAN. A screenshot of one such event is attached below.
Why is the direction "outgoing" instead of incoming and how can I fix this? I would have assumed that the direction is determined based on interface roles. Is this a bug or a configuration error on my side? And should the IPS even report an intrusion since this is coming from the outside (just another vulnerability scanner) and there is no indication of compromise?
Thanks in advance.
Labels: FortiAnalyzer, FortiGate
Hi Ble,
The log shown in the attachment is generated by the FortiGate and sent to the FortiAnalyzer. The direction mentioned in the log is determined by the FortiGate, as per the explanation given in the following article.
I believe in your case the session direction was incoming (from the internet to the LAN); however, the attack direction was outgoing because the client (on the internet) was trying to post/upload malware to the server (in the LAN).
IPS should report this scan (although it is blocked), so that the admin can patch the server for this vulnerability, as explained in the following article:
https://www.fortiguard.com/encyclopedia/ips/50825
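The distinction in the reply above (session direction derived from the interface roles versus the attack direction the FortiGate writes into the log) is easy to get wrong when triaging IPS events in bulk. The following script is an added example, not code from the original thread or from Fortinet: it parses constructed FortiGate-style key=value log lines, derives the session direction from srcintfrole/dstintfrole, reads the attack direction from the log's own direction field, and flags events where the two differ so they are reviewed rather than dismissed. The field names (srcintfrole, dstintfrole, direction, attack, action) are assumed to match FortiOS UTM/IPS log fields; the sample lines and the signature name are constructed.

```python
"""Added example (not from the original post): separate session direction from attack
direction in FortiGate IPS logs. Field names are assumed to follow FortiOS key=value
syslog conventions; the log lines below are constructed samples."""
import re

# Constructed sample log lines in FortiGate key=value style (not the poster's screenshot).
SAMPLE_LOGS = [
    # Case from the question: session WAN -> LAN, but direction field says "outgoing".
    'date=2024-01-10 time=10:15:01 type="utm" subtype="ips" eventtype="signature" '
    'severity="high" srcip=203.0.113.10 dstip=10.0.0.5 srcintf="wan1" srcintfrole="wan" '
    'dstintf="internal" dstintfrole="lan" direction="outgoing" '
    'attack="Example.Upload.Attempt" action="dropped"',
    # Internal host originating the session toward the internet.
    'date=2024-01-10 time=10:16:22 type="utm" subtype="ips" eventtype="signature" '
    'severity="high" srcip=10.0.0.8 dstip=198.51.100.7 srcintf="internal" srcintfrole="lan" '
    'dstintf="wan1" dstintfrole="wan" direction="outgoing" '
    'attack="Example.Beacon.Pattern" action="detected"',
    # Session and attack direction agree (both incoming).
    'date=2024-01-10 time=10:17:05 type="utm" subtype="ips" eventtype="signature" '
    'severity="medium" srcip=203.0.113.44 dstip=10.0.0.5 srcintf="wan1" srcintfrole="wan" '
    'dstintf="internal" dstintfrole="lan" direction="incoming" '
    'attack="Example.Scanner.Probe" action="dropped"',
]

# key=value pairs; values are either double-quoted (may contain spaces) or bare tokens.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> dict:
    """Return the key=value fields of one FortiGate-style log line as a dict."""
    fields = {}
    for m in KV_RE.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def session_direction(src_role: str, dst_role: str) -> str:
    """Session direction as an operator would read it from the interface roles."""
    internal = {"lan", "dmz"}
    if src_role == "wan" and dst_role in internal:
        return "incoming"
    if src_role in internal and dst_role == "wan":
        return "outgoing"
    if src_role in internal and dst_role in internal:
        return "internal"
    return "unknown"


def triage(line: str) -> dict:
    """Combine session direction (from roles) with the log's attack direction field."""
    f = parse_fortigate_log(line)
    session = session_direction(f.get("srcintfrole", ""), f.get("dstintfrole", ""))
    attack_dir = f.get("direction", "unknown")
    if session == "incoming" and attack_dir == "outgoing":
        # The reply's case: an internet-side client pushes a payload at an internal server.
        note = "inbound session carrying an outbound-direction attack: verify the server is patched"
    elif session == "outgoing":
        note = "internal host originated the session: check the source host"
    elif session == "incoming":
        note = "inbound attack against internal host: confirm it was blocked"
    else:
        note = "review interface roles"
    return {
        "attack": f.get("attack", "?"),
        "action": f.get("action", "?"),
        "session_direction": session,
        "attack_direction": attack_dir,
        "directions_differ": session != attack_dir,
        "note": note,
    }


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        r = triage(line)
        print(f"{r['attack']:<28} session={r['session_direction']:<9} "
              f"attack_dir={r['attack_direction']:<9} differ={r['directions_differ']} "
              f"-> {r['note']}")
```

Run it against an export of the Log View and sort on the `directions_differ` column; the events the question describes (WAN to LAN session, direction "outgoing") surface as inbound exploit attempts against an internal server, which is exactly the case the reply says should be reported and followed up with patching rather than treated as a misclassification.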
