Unlock Exclusive Benefits
Join Our Community Today!
Join our community and post in the forum to earn your exclusive Holiday badge! Become a member today!
LOGIN/REGISTER
CONTINUE AS A GUEST
- Support Forum
- Knowledge Base
- Customer Service
- Internal Article Nominations
- FortiGate
- FortiClient
- FortiAP
- FortiAnalyzer
- FortiADC
- FortiAuthenticator
- FortiBridge
- FortiCache
- FortiCarrier
- FortiCASB
- FortiConnect
- FortiConverter
- FortiCNP
- FortiDAST
- FortiDDoS
- FortiDB
- FortiDNS
- FortiDLP
- FortiDeceptor
- FortiDevSec
- FortiDirector
- FortiEDR
- FortiExtender
- FortiGate Cloud
- FortiGuard
- FortiHypervisor
- FortiGuest
- FortiInsight
- FortiIsolator
- FortiMail
- FortiMonitor
- FortiManager
- FortiNAC
- FortiNAC-F
- FortiNDRCloud
- FortiNDR (on-premise)
- FortiPhish
- FortiPAM
- FortiPortal
- FortiProxy
- FortiRecon
- FortiRecorder
- FortiSRA
- FortiSandbox
- FortiScan
- FortiSASE
- FortiSIEM
- FortiSOAR
- FortiSwitch
- FortiTester
- FortiToken
- FortiWAN
- FortiVoice
- FortiWeb
- FortiAppSec Cloud
- Lacework
- RMA Information and Announcements
- Wireless Controller
- FortiCloud Products
- ZTNA
- 4D Documents
- Customer Service
- Community Groups
- Blogs
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
- Fortinet Community
- Support Forum
- RE: IPS Sensor Being Applied to Internal Host
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
IPS Sensor Being Applied to Internal Host
Hello all! I' m running into a little problem recently and I' m not sure why it' s happening. Here is the scenario:
I have an inbound webserver policy (just http and https) to a couple of webservers and I also have a " webserver" IPS sensor applied to it. One of the matched signatures is the OpenSSL.TLS.HeartBeat.Information.Disclosure signature and I have that set to quarantine the source IP for 1 week. Everything is working normally until last week when I start getting alert emails from my FAZ saying that my Webserver has been quarantined. Looking at the logs I see that the xxx.xxx.xxx.xxx IP (src) is the address of our webserver and the dst IP is some address on the Internet. Immediately I' m thinking that the server has been compromised and is attempting to " hack" other servers on the Internet. We then isolate the server and scan it with every known tool and it comes up clean which I thought it would. Server admins prove that they' ve patched the heatbeat vulnerability the week it was disclosed. So then I look at the traffic logs and the traffic logs have the traffic originating (src) on the Internet and ending (dst) on our server however the attack logs are showing it in reverse and because I quarantine attackers IP address, it " bans" our IP. It' s not only that webserver, it' s others including a Internal server that has an external VIP associated with it.
Here is the Attack Log for this " attack" showing my IP (xxx.xxx.xxx.xxx) as the source which it is not:
---------------
2014-06-25 13:52:33 log_id=0419016384 type=ips subtype=signature pri=alert severity=critical carrier_ep=" N/A" profilegroup=" N/A" profiletype=" N/A" profile=" N/A" src=xxx.xxx.xxx.xxx dst=96.47.226.20 src_int=" port3" dst_int=" port1" policyid=54 intf_policyid=N/A identidx=0 serial=190410668 status=reset proto=6 service=54439/tcp vd=" root" count=1 attack_name=OpenSSL.TLS.Heartbeat.Information.Disclosure src_port=443 dst_port=54439 attack_id=38307 sensor=" IPS-Sensor-Servers-DMZ" ref=" http://www.fortinet.com/ids/VID38307" user=" N/A" group=" N/A" incident_serialno=1705129081 msg=" applications: OpenSSL.TLS.Heartbeat.Information.Disclosure,"
----------------
Here is the Traffic log of the " attack" showing my IP as the destination which is how it should be:
----------------
2014-06-25 13:52:33 log_id=0021000002 type=traffic subtype=allowed pri=notice status=accept vd=" root" dir_disp=org tran_disp=noop src=96.47.226.20 srcname=96.47.226.20 src_port=54439 dst=xxx.xxx.xxx.xxx dstname=xxx.xxx.xxx.xxx dst_country=" United States" src_country=" Anonymous Proxy" dst_port=443 tran_ip=N/A tran_port=0 tran_sip=N/A tran_sport=0 service=443/tcp proto=6 app_type=N/A duration=1 rule=54 policyid=54 identidx=0 sent=597 rcvd=5176 shaper_drop_sent=0 shaper_drop_rcvd=0 perip_drop=0 shaper_sent_name=" TS-Servers" shaper_rcvd_name=" TS-Servers" perip_name=" N/A" sent_pkt=7 rcvd_pkt=7 vpn=" N/A" vpn_type=UNKNOWN(65535) vpn_tunnel=" N/A" src_int=" port1" dst_int=" port3" SN=190410668 app=" N/A" app_cat=" N/A" user=" N/A" group=" N/A" carrier_ep=" N/A" profilegroup=" N/A" subapp=" N/A" subappcat=" N/A"
----------------
The simple fix for me was to delete the quarantine from the sensor and then delete the " Banned User" but ultimately I need to figure why all of a sudden this started happening. Literally nobody was in the firewall on the day the problem started and no configuration changes were made. The only thing I noticed was a scheduled auto update to the IPS and AV engines but I' m not sure how that could be the source of this problem.
Any suggestions would be much appreciated.
-TJ
-TJ
8 REPLIES 8
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Whoops...I forgot:
Model: Fortigate FGT600B
FortiOS: 4.3.15 (build 0672)
We are getting ready to move to 5.0.x in the next couple of weeks on this unit. All my other FGTs are running 5.0.7 already.
-TJ
-TJ
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi TopJimmy,
Unfortunately, there is only a partial answer, -it is seeing traffic matching attempts to compromise a website using Heartbleed, coming from your webserver.
I have over 200 Fortinets, almost all on 4.3.15, and when they made that update, it caused complete chaos across our data network, as if millions of voices suddenly cried out in terror, and were suddenly silenced!
For whatever reason, random (legitimate) outbound HTTPS traffic was found to contain sufficient data to match what this Heartbleed signature was looking for, so it got flagged. What was worse for us was that;
1) it was listed as critical
2) while it was defaulted to Detect (not drop), we had set all Critical to Quarantine (for 5 minutes), so 1,000s of our users suddenly found themselves blocked with a loud IPS alert message!
Fortinet TAC was not able to give me an answer, nor assist us in developing a way to overcome this, so we ended up changing our UTM profile to not detect Heartbleed for outbound traffic. Sad, but I guess it is the lesser of two evils.
In your case, especially if your webserver is being VIP' d, your outbound traffic is using the same rule, so you may have to do the same..patch and verify you don' t have heartbleed, them remove the heartbleed signature from your UTM inspection.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks for the info. I wonder if 5.0.x has the same issue. This A-P cluster is the last of our units on 4 and is slated for upgrade in the next week or so. I may escalate the upgrade due to this issue as long as 5.0.x doesn' t have it.
-TJ
-TJ
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It does.
My 100D runs 507 and I had to turn off hearbleed checking too.
:-(
For some reason (possibly sloppy browser code?), some HTTPS requests are sent to a site with the flags in the packets, making it look like an end user is actively attacking a website. I don' t have enough insight into what specifically it finds, so I just removed it. If we end up inadvertently hacking another site, C' est la vie.
Maybe someone else here on the site has found a way around it.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
According to their release note they have fixed the SSL Heart bleed issue in 5.0.7
Nihas [\b]
Nihas [\b]
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
best practice is to enable strong cryptography on the FortiGate itself as all 5.0.x releases are vulnarable till P7. this is pretty important if you have internet facing interface with https or ssh administration allowed
# config system global
(global) # set strong-crypto enable
Mohammad Al-Zard
Mohammad Al-Zard
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When this issue came up for the first time, a custom signature was posted on Fortiguard and it was specified as " --src_port 443; --flow from_server,reversed" , which explains the attack direction (disclosure). Normally, " reversed" would lead to client ip quarantine. Taking a look at the current IPS signature on the FGT, the target is specified as client AND server, so this signature now appears to work bi_directional and if documentation is correct, this can' t be reversed -> the attack source is quarantined (either client or server, depending on detection).
If the current signature is only in parts similar to the custom one, the test pattern (encrypted data) is relatively short and given that the entire stream is scanned, it provides the potential for higher numbers of false positives as already observed. Likely the reason it is not set to block by default.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi netmin,
I agree with your assessment, but need to add, the ' quarantine attacker' feature kicks in regardless of status, so even ' Detected' is sufficient for the quarantine to kick in. The only way to continue using the quarantine function is to create an IPS policy that explicitly removes that rule from the sensor, and then apply it (to an outbound traffic firewall policy).
Announcements
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
Labels
-
FortiGate
8,815 -
FortiClient
1,789 -
5.2
801 -
FortiManager
747 -
5.4
639 -
FortiAnalyzer
567 -
FortiSwitch
481 -
FortiAP
476 -
FortiClient EMS
440 -
6.0
416 -
5.6
362 -
FortiMail
324 -
SSL-VPN
257 -
6.2
251 -
FortiAuthenticator v5.5
234 -
IPsec
218 -
FortiWeb
211 -
5.0
196 -
FortiNAC
196 -
FortiGuard
139 -
6.4
128 -
SD-WAN
118 -
FortiAuthenticator
110 -
FortiGateCloud
102 -
FortiSIEM
99 -
FortiCloud Products
99 -
FortiToken
92 -
Firewall policy
86 -
Customer Service
81 -
Wireless Controller
81 -
4.0MR3
64 -
FortiProxy
61 -
High Availability
60 -
Fortivoice
57 -
FortiADC
54 -
VLAN
53 -
FortiEDR
52 -
ZTNA
50 -
Routing
49 -
DNS
47 -
FortiExtender
46 -
FortiSandbox
44 -
FortiDNS
42 -
LDAP
42 -
BGP
40 -
Authentication
39 -
RADIUS
37 -
NAT
37 -
SAML
36 -
Certificate
36 -
FortiGate v5.4
35 -
FortiSwitch v6.4
34 -
SSO
34 -
VDOM
33 -
Interface
32 -
FortiConnect
30 -
FortiLink
29 -
Application control
28 -
FortiWAN
27 -
Web profile
27 -
Virtual IP
26 -
FortiConverter
25 -
Logging
25 -
FortiGate v5.2
24 -
FortiGate-VM
24 -
SSL SSH inspection
23 -
FortiPAM
22 -
FortiSwitch v6.2
19 -
FortiPortal
19 -
Fortigate Cloud
19 -
FortiMonitor
18 -
Traffic shaping
18 -
OSPF
16 -
SSID
16 -
Automation
16 -
WAN optimization
16 -
FortiDDoS
15 -
System settings
15 -
FortiGate v5.0
14 -
FortiSOAR
14 -
SNMP
14 -
Static route
14 -
Web application firewall profile
14 -
IP address management - IPAM
14 -
Admin
13 -
FortiCASB
12 -
FortiManager v5.0
11 -
FortiRecorder
11 -
IPS signature
11 -
Security profile
11 -
Proxy policy
11 -
FortiManager v4.0
10 -
FortiBridge
10 -
FortiAP profile
10 -
4.0MR2
9 -
FortiGate v4.0 MR3
9 -
FortiWeb v5.0
9 -
Traffic shaping policy
9 -
Intrusion prevention
9 -
FortiDeceptor
8 -
RMA Information and Announcements
8 -
DNS filter
8 -
Port policy
8 -
4.0
7 -
FortiAnalyzer v5.0
7 -
FortiCache
7 -
Antivirus profile
7 -
Fabric connector
7 -
Web rating
7 -
Fortinet Engage Partner Program
7 -
FortiToken Cloud
6 -
Explicit proxy
6 -
API
6 -
trunk
6 -
Packet capture
6 -
Traffic shaping profile
6 -
FortiTester
5 -
Users
5 -
Email filter profile
5 -
3.6
4 -
FortiCarrier
4 -
FortiScan
4 -
FortiDirector
4 -
Internet service database
4 -
Application signature
4 -
Authentication rule and scheme
4 -
DLP sensor
4 -
Netflow
4 -
TACACS
4 -
Replacement messages
4 -
Service
4 -
Cloud Management Security
4 -
FortiDB
3 -
FortiHypervisor
3 -
FortiNDR
3 -
NAC policy
3 -
DLP Dictionary
3 -
DLP profile
3 -
DoS policy
3 -
Protocol option
3 -
SDN connector
3 -
VoIP profile
3 -
Multicast routing
3 -
FortiInsight
2 -
FortiAI
2 -
Kerberos
2 -
Schedule
2 -
Multicast policy
2 -
Zone
2 -
Vulnerability Management
2 -
4.0MR1
1 -
FortiManager-VM
1 -
FortiCWP
1 -
Subscription Renewal Policy
1 -
Video Filter
1 -
ICAP profile
1
Top Kudoed Authors
| User | Count |
|---|---|
| 1748 | |
| 1114 | |
| 764 | |
| 447 | |
| 241 |
Broad. Integrated. Automated.
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Security Research
Company
News & Articles
Copyright 2025 Fortinet, Inc. All Rights Reserved.