Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Wessnitzer
New Contributor II

Created on ‎11-01-2023 01:50 AM

IPS blocking my own server

Hello, it looks like I am doing something wrong and I was not able to find my answer on the internet, so please if someone could enlighten me :)

I have web server, behind nat. Rule set like this:
incoming: wan

Outgoing: lan

source: all

destination: virtual IP of the server

service: https

security profiles: ips high security (modified to quarantine most threats)

 
 

ips.png

 

 ssl inspection: specific "protecting ssl server" profile

 

From time to time when there is IPS attack blocked, the IPS puts into quarantine the internal IP of the web server (ie. 192.168.x.x , it is visible in quarantine monitor and can be removed there manually). See below ips log - i suppose the "source" should be blocked, and not "destination" :(

ips log.png

 

Do you please know what am I doing wrong?
Thank you
Regards
Martin

Labels:
2385
0 Kudos
1 Solution
ramadas
New Contributor II
In response to Wessnitzer

Created on ‎11-02-2023 09:56 AM


Check your IPS Filter :

To better understand the Filter: Please note that Fortinet are providing more than 7000 Signatures to help detect stop and
prevent threats. You need to build your own profile based on your infrastructure.

For severity : You can Choose between Crticial High Medium Low
Target : Client or Server
OS : Linux Windows BSD MacOS
Action : Monitor Block Quarantine

The Sensor is offering you all the possibilities from basic to advanced Filter options.

Thanks

View solution in original post

2318
7 REPLIES 7
hbac
Staff
Staff

Created on ‎11-01-2023 08:44 AM

Hi @Wessnitzer,

 

Please check the logs to see which IPS signature and which firewall policy was matched and triggered the quarantine. 

 

Regards, 

2364
Wessnitzer
New Contributor II
In response to hbac

Created on ‎11-02-2023 04:22 AM

Hello, from the logs I see it was the inbound firewall rule to the server (not the outbound rule) with the "high_security" IPS profile, which is used in thus firewall rule.
What is confusing to me is that inbound rule put the destination server into quarantine, not the source attacker.
Regards

2329
0 Kudos
ramadas
New Contributor II

Created on ‎11-01-2023 01:45 PM

True that the IPS is there to block attacks from Sources. But, what if the Destination becomes also a malicious ?

My Recommendations are : 

1) Go for a Deep Scan of your Web Server and check for vulnerabilities, specially Bot C&C. This may block your web SIte as Destination and be blacklisted.

2) Read the Logs : Find which Security Profile did block your IP. 

3) Check the Config of the IPS : Section Botnet C&C

Good LuckCapture.PNG

2348
Wessnitzer
New Contributor II
In response to ramadas

Created on ‎11-02-2023 04:24 AM

Hello,

1) ok i will do full scan

2) security profile "high_security" from the inbound rule from internet to the server. Profile settings screenshot is in original post.

3) scan outgoing connection to botnet is set to block - can this quarantine the server? In this regard block = quarantine?
Thanks
Regards

2328
ramadas
New Contributor II
In response to Wessnitzer

Created on ‎11-02-2023 09:56 AM


Check your IPS Filter :

To better understand the Filter: Please note that Fortinet are providing more than 7000 Signatures to help detect stop and
prevent threats. You need to build your own profile based on your infrastructure.

For severity : You can Choose between Crticial High Medium Low
Target : Client or Server
OS : Linux Windows BSD MacOS
Action : Monitor Block Quarantine

The Sensor is offering you all the possibilities from basic to advanced Filter options.

Thanks

2319
Wessnitzer
New Contributor II
In response to ramadas

Created on ‎11-03-2023 12:29 AM

Hello, I had the ips profile like this 

ips1.png

Do you think adding TGT server will help, ie. is it "severity+only if target is server" or "severity and everything related to server"? My search about this was unconclusive, but I will this variant.

ips2.png

Also I have perhaps been a bit overzealous in setting action to Quarantine, perhaps if the problem happens again I will set it to default and leave quarantine only on the specified attacks :)

Thank you
Regards

2303
Gemi
New Contributor
In response to Wessnitzer

Created on ‎12-13-2023 03:42 PM

Hi Wessnitzer .

 

Has the issue happened again?

How do you solve this kind of problem?

 

Thank you,

Regards

1908
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.