Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
MarcusLeung
New Contributor

Created on ‎05-05-2022 01:48 AM

IPS engine blocked the attack but "Allowed" & Action "TCP reset from client" in Traffic log

Recently the FortiGate received attack from 114.34.160.41 and IPS successfully blocked the attack, but then caused a false alarm on SIEM.

 

As the FortiGate sent a “Allowed – session reset” log message to SIEM, the SIEM triggered a high-alert message, which the keyword “allowed” made a confuse of the Firewall bypassed the attack.

 

Any suggestion to prevent that? Thanks.

 

MarcusLeung_8-1651740155976.png

MarcusLeung_5-1651739693995.png

 

MarcusLeung_4-1651739533752.png

MarcusLeung_1-1651739138327.png

MarcusLeung_7-1651739797469.png

MarcusLeung_2-1651739143452.png

Labels:
1969
0 Kudos
1 Solution
amouawad
Staff
Staff

Created on ‎05-05-2022 04:31 AM

Are you sure the IPS blocked this?

 

The default action for this signature is to allow:

2022-05-05_21-25.png

From the IPS log it looks like you're using the default IPS profile, which has the action set to default (which means do whatever the individual signature's default action is, which in this case is allow):

2022-05-05_21-25_1.png

Could you confirm what the action was in the IPS log you had above? Your picture didn't show the full log.

View solution in original post

1955
0 Kudos
2 REPLIES 2
amouawad
Staff
Staff

Created on ‎05-05-2022 04:31 AM

Are you sure the IPS blocked this?

 

The default action for this signature is to allow:

2022-05-05_21-25.png

From the IPS log it looks like you're using the default IPS profile, which has the action set to default (which means do whatever the individual signature's default action is, which in this case is allow):

2022-05-05_21-25_1.png

Could you confirm what the action was in the IPS log you had above? Your picture didn't show the full log.

1956
0 Kudos
MarcusLeung
New Contributor
In response to amouawad

Created on ‎05-09-2022 08:52 PM

Hi amouawad,

 

Thanks for your reply! The policy is using default IPS profile and should be the reason why action shows "Allowed" on traffic log.

 

But why some CVE set Action "Pass" as default setting?

1899
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.