IPS blocking my own server
Hello, it looks like I am doing something wrong and I was not able to find my answer on the internet, so please if someone could enlighten me :)
I have a web server behind NAT. The rule is set like this:
Incoming: wan
Outgoing: lan
Source: all
Destination: virtual IP of the server
Service: https
Security profiles: IPS high security (modified to quarantine most threats)
SSL inspection: specific "protecting ssl server" profile
From time to time, when an IPS attack is blocked, the IPS puts the internal IP of the web server (i.e. 192.168.x.x; it is visible in the quarantine monitor and can be removed there manually) into quarantine. See the IPS log below; I suppose the "source" should be blocked, not the "destination" :(
Do you please know what am I doing wrong?
Thank you
Regards
Martin
Labels: FortiGate
Check your IPS filter:
To better understand the filter: please note that Fortinet provides more than 7000 signatures to help detect, stop and prevent threats. You need to build your own profile based on your infrastructure.
Severity: you can choose between Critical, High, Medium, Low
Target: Client or Server
OS: Linux, Windows, BSD, MacOS
Action: Monitor, Block, Quarantine
The sensor offers you all the possibilities from basic to advanced filter options.
Thanks
Hi @Wessnitzer,
Please check the logs to see which IPS signature and which firewall policy was matched and triggered the quarantine.
Regards,
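The log check suggested above, as an added example that is not part of this thread: a small parser for FortiGate-style `key=value` IPS log lines that reports, for a quarantined address, which policy, profile and signature matched and whether the address was the source or the destination of the hit. The log lines are constructed for this example, and the field names (srcip, dstip, policyid, profile, attack, action) are assumed to follow the FortiOS UTM/IPS log schema.

```python
import re
from typing import Dict, List

# Constructed sample lines in FortiGate key=value syslog style (not real logs).
# Line 1: inbound probe against the server (server is dstip).
# Line 2: the server itself beaconing out (server is srcip).
SAMPLE_LOGS = [
    'date=2024-01-10 time=10:01:02 type="utm" subtype="ips" eventtype="signature" '
    'severity="high" srcip=203.0.113.7 dstip=192.168.10.20 policyid=12 '
    'profile="high_security" attack="Example.Web.Server.Probe" action="dropped"',
    'date=2024-01-10 time=10:01:03 type="utm" subtype="ips" eventtype="signature" '
    'severity="critical" srcip=192.168.10.20 dstip=198.51.100.9 policyid=12 '
    'profile="high_security" attack="Example.Botnet.Beacon" action="dropped"',
]

# Matches key=value and key="quoted value" tokens.
_KV = re.compile(r'(\w+)=("([^"]*)"|\S+)')


def parse_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate-style log line into a field dict (quotes stripped)."""
    return {m.group(1): (m.group(3) if m.group(3) is not None else m.group(2))
            for m in _KV.finditer(line)}


def explain_quarantine(lines: List[str], quarantined_ip: str) -> List[Dict[str, str]]:
    """For every IPS entry involving quarantined_ip, report the matched policy,
    profile and signature, and whether the IP was the source (the usual case)
    or the destination of the hit. An entry where the server is the source is
    the one most likely to explain why the server itself ended up quarantined."""
    findings = []
    for line in lines:
        entry = parse_log(line)
        if entry.get("subtype") != "ips":
            continue
        if entry.get("srcip") == quarantined_ip:
            role = "source"
        elif entry.get("dstip") == quarantined_ip:
            role = "destination"
        else:
            continue
        findings.append({
            "role": role,
            "policyid": entry.get("policyid", ""),
            "profile": entry.get("profile", ""),
            "attack": entry.get("attack", ""),
            "severity": entry.get("severity", ""),
            "action": entry.get("action", ""),
        })
    return findings
```

Run `explain_quarantine(SAMPLE_LOGS, "192.168.10.20")` to see the server once as destination of an inbound probe and once as source of an outbound hit on the same policy and profile.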
Hello, from the logs I see it was the inbound firewall rule to the server (not the outbound rule) with the "high_security" IPS profile, which is used in this firewall rule.
What is confusing to me is that the inbound rule put the destination server into quarantine, not the source attacker.
Regards
True, the IPS is there to block attacks from sources. But what if the destination also becomes malicious?
My recommendations are:
1) Go for a deep scan of your web server and check for vulnerabilities, especially bot C&C. This may block your web site as destination and get it blacklisted.
2) Read the logs: find which security profile blocked your IP.
3) Check the config of the IPS: section Botnet C&C
Good luck
Hello,
1) OK, I will do a full scan.
2) Security profile "high_security" from the inbound rule from the internet to the server. The profile settings screenshot is in the original post.
3) Scan outgoing connection to botnet is set to block; can this quarantine the server? In this regard, does block = quarantine?
Thanks
Regards
Hello, I had the IPS profile like this

Do you think adding TGT server will help, i.e. is it "severity + only if target is server" or "severity and everything related to server"? My search about this was inconclusive, but I will try this variant.
Also, I have perhaps been a bit overzealous in setting the action to Quarantine; perhaps if the problem happens again I will set it to default and leave quarantine only on the specified attacks :)
Thank you
Regards
Hi Wessnitzer.
Has the issue happened again?
How do you solve this kind of problem?
Thank you,
Regards
