Honeypot - Port Scanning
What do I need to trigger a 'port scan' alert? I put a laptop on one interface on my firewall and allowed all traffic in/out with all the security profiles enabled. I have been pounding the network with Nessus scans. I can see everything in the traffic logs, but nothing is registering in the IDS logs. I have also enabled the DoS policy but don't even know where that is logged.
Any help would be appreciated.
Hi Peanican, without a model number and firmware version it's hard to say, but start here and scroll down specifically to Andrea's fully fleshed-out post at the bottom to make sure your logging and alerting is set correctly. You will need to have either disk or memory logging enabled, and the logging disk/partition formatted, if you have a device that has a disk/partition (flash/SSD, etc.): https://forum.fortinet.com/FindPost/106095
Additionally, please check the IPS profile: what action has been set for the IPS signatures?
Ahead of the Threat. FCNSA v5 / FCNSP v5
Fortigate 1000C / 1000D / 1500D
If you enabled a DOS policy with logging then the logs should populate under Security > Intrusion Prevention.
To confirm that it's actually triggering, you can use the following command to see if the DoS policy has been tripped:
# diagnose ips anomaly list
Below is an example from my lab device (.54) which was doing an nmap scan. The DoS policy I had configured here was to block tcp-port-scans that were >10.
list nids meter:
id=tcp_port_scan ip=192.168.101.54 dos_id=1 exp=984 pps=2 freq=6
total # of nids meters: 1.
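The meter output quoted above is easy to eyeball for one entry, but on a busy device it is worth checking mechanically: which anomaly signatures currently have an active meter, from which sources, and whether the capture is complete. The following parser is an added example and is not code from the thread or from Fortinet. It assumes only the line format shown in the reply (`id=... ip=... dos_id=... exp=... pps=... freq=...` followed by a `total # of nids meters: N.` line); the second meter line in the sample is constructed to exercise multiple entries, and the parser does not assume any meaning for `exp`, `pps` or `freq` beyond their being integers.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of `diagnose ips anomaly list` output. The first meter line
# is the one quoted in the thread; the udp_flood line is a constructed addition
# so the parser is exercised on more than one entry.
SAMPLE_OUTPUT = """\
list nids meter:
id=tcp_port_scan ip=192.168.101.54 dos_id=1 exp=984 pps=2 freq=6
id=udp_flood ip=192.168.101.77 dos_id=1 exp=120 pps=15 freq=40
total # of nids meters: 2.
"""

_KV = re.compile(r"(\w+)=(\S+)")
_TOTAL = re.compile(r"total # of nids meters:\s*(\d+)")


@dataclass
class AnomalyMeter:
    anomaly: str          # anomaly signature name, e.g. tcp_port_scan
    ip: str               # source address the meter is tracking
    dos_id: int           # DoS policy id that owns this meter
    fields: dict = field(default_factory=dict)  # remaining counters (exp, pps, freq, ...)


def _to_int(value):
    """Counters are integers in the quoted output; keep the raw string otherwise."""
    try:
        return int(value)
    except ValueError:
        return value


def parse_anomaly_list(text):
    """Parse `diagnose ips anomaly list` output into AnomalyMeter records.

    Raises ValueError when the trailing total disagrees with the number of
    meter lines parsed, which usually means a truncated capture or a pager
    that swallowed lines.
    """
    meters = []
    declared_total = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("id="):
            kv = dict(_KV.findall(line))
            anomaly = kv.pop("id")
            ip = kv.pop("ip")
            dos_id = int(kv.pop("dos_id"))
            meters.append(AnomalyMeter(anomaly, ip, dos_id,
                                       {k: _to_int(v) for k, v in kv.items()}))
            continue
        m = _TOTAL.search(line)
        if m:
            declared_total = int(m.group(1))
    if declared_total is not None and declared_total != len(meters):
        raise ValueError(
            f"output declares {declared_total} meters but {len(meters)} were parsed")
    return meters


def sources_tripping(meters, anomaly, dos_id=None):
    """Source IPs with an active meter for `anomaly`, optionally for one DoS policy id."""
    return sorted({m.ip for m in meters
                   if m.anomaly == anomaly and (dos_id is None or m.dos_id == dos_id)})


if __name__ == "__main__":
    for meter in parse_anomaly_list(SAMPLE_OUTPUT):
        print(meter)
    print("tcp_port_scan sources:", sources_tripping(parse_anomaly_list(SAMPLE_OUTPUT),
                                                       "tcp_port_scan"))
```

Feed it the captured output of the command (for example, pasted from an SSH session) and an empty result for `tcp_port_scan` tells you that whatever the scanner is doing has not crossed the anomaly's threshold yet, which is the symptom in the original question.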
