Support Forum
user2345312

I don't understand what the action "detected" signifies in the event type name = ips

I have been thinking about it for several days and do not understand several things about IPS:

If the action detected by the IPS is of type "detected", does this mean that this action has been detected but the IPS has not blocked the action? What is the reason for this? Does the IPS work with signatures and, depending on the detection, does it perform a blocking action or not?

I would like answers to these questions to get an idea of how the IPS works when it does not block the actions.

Note: I noticed that it is also associated according to the severity and cscore fields?

Example of log:


logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" eventtime=1638688278 severity="medium" action="detected" proto=6 service="HTTP" policyid=5 attack="Cross.Site.Scripting" direction="outgoing" attackid=17702 ref="http://www.fortinet.com/ids/VID17702" incidentserialno=1073380607 msg="web_app2: Cross.Site.Scripting," crscore=10 crlevel="medium"


Thank you, best regards.


jdelafuente_FTNT

If the action detected by the IPS is of type "detected", does this mean that this action has been detected but the IPS has not blocked the action?

-- No block, just log created.


What is the reason for this?

-- To prevent false positives and incorrect blocking, to start checking what kinds of attacks the environment is under, for proof of concept; in short, to know what happens in your network without using an invasive method that affects production. You can modify it once the attack is confirmed.


Does the IPS work with signatures and, depending on the detection, does it perform a blocking action or not? This is a "Default parameter" designed by FortiGuard, based on the previous point.


Best Regards

Jonathan De La Fuente
LATAM TAC Engineer
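As an added illustration (not code from the thread or from Fortinet), the following parses FortiGate key=value IPS log lines like the one quoted above and separates events that were only logged (action="detected") from those the IPS actually blocked, so a defender can triage the logged-only signatures before deciding whether to switch them to block. The second sample line and the action values "dropped" and "reset" used for the blocked case are assumptions for the example.

```python
import re
from typing import Dict, List

# Constructed samples: the first line is the one quoted in the question, the
# second is a constructed counterpart showing a blocked event (action="dropped").
SAMPLE_LOGS = [
    'logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" '
    'eventtime=1638688278 severity="medium" action="detected" proto=6 service="HTTP" '
    'policyid=5 attack="Cross.Site.Scripting" direction="outgoing" attackid=17702 '
    'ref="http://www.fortinet.com/ids/VID17702" incidentserialno=1073380607 '
    'msg="web_app2: Cross.Site.Scripting," crscore=10 crlevel="medium"',
    'logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" '
    'eventtime=1638688300 severity="high" action="dropped" proto=6 service="HTTP" '
    'policyid=5 attack="Example.Signature" direction="incoming" attackid=99999 '
    'crscore=30 crlevel="high"',
]

# FortiGate log fields are space-separated key=value pairs; a value may be
# double-quoted and then contain spaces (msg="web_app2: Cross.Site.Scripting,").
_KV = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Return the log line as a dict of field name -> unquoted string value."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(4)
    return fields


def classify_ips_event(fields: Dict[str, str]) -> str:
    """'logged-only' for action=detected, 'blocked' for the assumed block actions."""
    action = fields.get("action")
    if action == "detected":
        return "logged-only"
    if action in ("dropped", "reset"):  # assumed block action values
        return "blocked"
    return "unknown"


def triage(lines: List[str], min_crscore: int = 10) -> List[Dict[str, object]]:
    """Collect IPS signature hits that were only logged and reach the crscore threshold."""
    findings: List[Dict[str, object]] = []
    for line in lines:
        f = parse_fortigate_log(line)
        if f.get("subtype") != "ips" or f.get("eventtype") != "signature":
            continue
        score = int(f.get("crscore", "0"))
        if classify_ips_event(f) == "logged-only" and score >= min_crscore:
            findings.append({"attack": f.get("attack"), "attackid": f.get("attackid"),
                             "direction": f.get("direction"), "crscore": score})
    return findings
```

Each entry returned by triage() is a signature that fired but was not enforced, which is the list to review against real traffic before changing the signature's action from the FortiGuard default.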