IPS Sensor 200B
Hi!
I have the following problem. I use a FortiGate 200B router (cloud of 2). Under UTM Security Profiles->Intrusion Protection->IPS Sensor I have a rule that, for all attacks from the default list with severity high & critical, the source IP should be quarantined for 1 month. Today I see a few attacks with high severity, but nothing is added to quarantine. Why so?
Also, when I tried to change the quarantine time, it gives me an error - Input not as expected.
Can anyone help me please?
BR
3 REPLIES 3
Hi Zigmars,
Welcome to the forums!
Let's start with some information gathering...
1) What firmware, including patch release (e.g. 4.0 MR3 P15), are you running?
2) Are you sure you don't have a rule or exception listed above these that would be allowing them in, before the rule that quarantines them even gets a shot at them?
3) The Error=Input not as expected is not too helpful, granted, but it is symptomatic of another issue elsewhere.
-Did you recently make a change, then start to see these?
-Has the box been rebooted recently?
-You could do a
diag debug config-error-log read
and see if the box has an issue with your configuration.
Thanks for your answer!
1) I am using v5.0 build 0147 (GA Patch1)
2) My fault - there was a different rule
3) "Input not as expected" I am receiving every time I try to change an IPS sensor rule (is it allowed to change rule settings while the rule is in use?). Reboot didn't help, and diag debug config-error-log read looks like it is empty.
Ooh, that's your answer right there... get off patch 1. Just about every forum post here on firmware 5.0 will say to avoid GA0-P3, and go to minimum P4.
If you use SSL VPN or have the admin web page set to be accessed from anywhere, you don't have a choice, you MUST go to P7 (to fix Heartbleed).
Since the issues found in patch 7 are so rare, versus what it fixes, P7 is the most recommended of the 5.0 firmwares anyway.
I saw a similar issue on firmwares 0-3 that was solved by 4 (mine would not let me edit my VPN Concentrator group in the GUI, only in the CLI, with a very similar error).