Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Wessnitzer
New Contributor II

IPS blocking my own server

Hello, it looks like I am doing something wrong and I was not able to find my answer on the internet, so please if someone could enlighten me :)

I have a web server behind NAT. The rule is set like this:

Incoming interface: wan
Outgoing interface: lan
Source: all
Destination: virtual IP of the server
Service: HTTPS
Security profiles: IPS "high security" (modified to quarantine most threats)

[screenshot: ips.png]

SSL inspection: a specific "protecting SSL server" profile

From time to time, when an IPS attack is blocked, the IPS puts the internal IP of the web server (i.e. 192.168.x.x) into quarantine; it is visible in the quarantine monitor and can be removed there manually. See the IPS log below. I suppose the "source" should be blocked, not the "destination" :(

[screenshot: ips log.png]

Do you know what I am doing wrong?
Thank you
Regards
Martin


hbac
Staff

Hi @Wessnitzer,

Please check the logs to see which IPS signature and which firewall policy were matched and triggered the quarantine.

Regards,

Wessnitzer
New Contributor II

Hello, from the logs I see it was the inbound firewall rule to the server (not the outbound rule) with the "high_security" IPS profile, which is used in this firewall rule.
What is confusing to me is that the inbound rule put the destination server into quarantine, not the source attacker.
Regards

ramadas
New Contributor II

It is true that the IPS is there to block attacks from sources. But what if the destination also becomes malicious?

My recommendations are:

1) Go for a deep scan of your web server and check for vulnerabilities, especially bot C&C. This may block your web site as a destination and get it blacklisted.

2) Read the logs: find which security profile blocked your IP.

3) Check the config of the IPS: section Botnet C&C.

Good luck

[screenshot: Capture.PNG]

Wessnitzer
New Contributor II

Hello,

1) OK, I will do a full scan.

2) Security profile "high_security" from the inbound rule from the internet to the server. The profile settings screenshot is in the original post.

3) "Scan outgoing connections to botnet sites" is set to block. Can this quarantine the server? In this regard, does block = quarantine?
Thanks
Regards

ramadas
New Contributor II


Check your IPS filter:

To better understand the filter: please note that Fortinet provides more than 7000 signatures to help detect, stop and prevent threats. You need to build your own profile based on your infrastructure.

Severity: you can choose between Critical, High, Medium, Low
Target: Client or Server
OS: Linux, Windows, BSD, MacOS
Action: Monitor, Block, Quarantine

The sensor offers you all the possibilities, from basic to advanced filter options.

Thanks
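For readers who want to see what the filter described in the reply above looks like outside the GUI, here is an added example of an IPS sensor in the FortiOS CLI. It is not from the original post or from Fortinet's documentation; the sensor name high_security, the expiry time and the comment text are assumptions, and the `set` keywords are the `config ips sensor` / `config entries` syntax of FortiOS 6.x/7.x (confirm them on your firmware with `?` in the CLI). Lines starting with `#` are annotations, not CLI input. The point worth knowing: the attributes chosen in one sensor entry are combined with AND, so an entry with severity high/critical plus target server matches only signatures that are both, which is the "severity + only if target is server" reading; signatures not matched by any entry fall back to their default action.

```text
config ips sensor
    edit "high_security"
        set comment "Inbound HTTPS to the published web server (assumed name)"
        config entries
            # Entry 1: only critical/high signatures whose target is the
            # server side. severity AND location must both match.
            edit 1
                set severity critical high
                set location server
                set status enable
                set action block
                set quarantine attacker
                set quarantine-expiry 30m
                set quarantine-log enable
            next
            # Entry 2: lower-severity server signatures keep their default
            # action and never quarantine, so a broad match cannot ban a host
            # on its own.
            edit 2
                set severity medium low info
                set location server
                set status default
                set action default
                set quarantine none
            next
        end
        # The botnet C&C setting mentioned later in the thread lives at the
        # sensor level, not in an entry.
        set scan-botnet-connections block
    next
end
```

To confirm which address the sensor actually banned after a hit, the quarantine table can be read from the CLI with `diagnose user quarantine list`, and a single entry removed with `diagnose user quarantine delete src4 <ip>` (command names as in recent FortiOS; check them on your version). Comparing that list against the `srcip`/`dstip` fields of the matching IPS log line tells you whether the quarantine landed on the source or on the destination of the flow.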

Wessnitzer
New Contributor II

Hello, I had the IPS profile like this:

[screenshot: ips1.png]

Do you think adding TGT server will help, i.e. is it "severity + only if target is server" or "severity and everything related to server"? My search about this was inconclusive, but I will try this variant.

[screenshot: ips2.png]

Also, I have perhaps been a bit overzealous in setting the action to Quarantine; perhaps if the problem happens again I will set it to default and leave quarantine only on the specified attacks :)

Thank you
Regards

Gemi

Hi Wessnitzer.

Has the issue happened again?

How did you solve this kind of problem?

Thank you,

Regards
