Recently the FortiGate received an attack from 114.34.160.41 and IPS successfully blocked the attack, but this then caused a false alarm on the SIEM.
As the FortiGate sent an "Allowed – session reset" log message to the SIEM, the SIEM triggered a high-alert message, because the keyword "allowed" confusingly suggested that the firewall had let the attack through.
Any suggestion to prevent that? Thanks.
Are you sure the IPS blocked this?
The default action for this signature is to allow:
From the IPS log it looks like you're using the default IPS profile, which has the action set to default (which means do whatever the individual signature's default action is, which in this case is allow):
Could you confirm what the action was in the IPS log you had above? Your picture didn't show the full log.
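The alert in the question fired on the word "allowed" rather than on the IPS action field. As an added example (not code from the thread or from Fortinet), the snippet below parses FortiOS-style key=value log lines and triages them on the `action` and `severity` fields instead; the field names follow the FortiGate UTM/IPS log format, and the sample lines are constructed (only the source IP is the one quoted in the question).

```python
import re
from typing import Dict, List, Tuple

# Constructed FortiOS-style IPS log lines (not taken from the thread).
SAMPLE_LOGS = [
    'date=2024-01-01 type="utm" subtype="ips" eventtype="signature" '
    'severity="high" srcip=114.34.160.41 dstip=10.0.0.5 '
    'action="detected" attack="Example.Signature" msg="Allowed - session reset"',
    'date=2024-01-01 type="utm" subtype="ips" eventtype="signature" '
    'severity="high" srcip=114.34.160.41 dstip=10.0.0.5 '
    'action="dropped" attack="Example.Signature" msg="Blocked"',
]

# key=value pairs; quoted values may contain spaces, unquoted ones may not.
KV_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# IPS actions that actually stopped the session vs. those that only logged it.
BLOCKING_ACTIONS = {"dropped", "reset", "blocked"}
PASSING_ACTIONS = {"detected", "pass", "allowed", "allow"}


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split a FortiOS key=value log line into a dict of field -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in KV_RE.finditer(line)}


def keyword_rule(line: str) -> bool:
    """The brittle rule from the question: fire whenever 'allowed' appears anywhere."""
    return "allowed" in line.lower()


def field_rule(line: str) -> str:
    """Triage on structured fields: 'high' if a high/critical signature matched but
    the IPS did not block it, 'info' if it was blocked, 'low' for anything else,
    'none' for logs that are not IPS events at all."""
    fields = parse_fortigate_log(line)
    if fields.get("type") != "utm" or fields.get("subtype") != "ips":
        return "none"
    action = fields.get("action", "").lower()
    if action in BLOCKING_ACTIONS:
        return "info"
    if action in PASSING_ACTIONS and fields.get("severity", "").lower() in {"high", "critical"}:
        return "high"
    return "low"


def triage(lines: List[str]) -> List[Tuple[str, bool, str]]:
    """Return (ips_action, keyword_rule_fired, field_rule_severity) per line."""
    return [(parse_fortigate_log(l).get("action", ""), keyword_rule(l), field_rule(l))
            for l in lines]
```

For the "detected" sample both rules raise an alert, but the field rule does so because the signature was not blocked, not because of the message text; for the "dropped" sample it downgrades to informational.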
Hi amouawad,
Thanks for your reply! The policy is using the default IPS profile, which should be the reason why the action shows "Allowed" in the traffic log.
But why do some CVE signatures have the action set to "Pass" by default?
Copyright 2024 Fortinet, Inc. All Rights Reserved.