Please find below the network diagram to understand the issue.
We have three different subnets which are directly connected through unmanaged D-Link switches.
Rules are made on the firewall itself for connecting to the different subnets.
My issue is:
When I try to send large data from one subnet to another subnet (i.e. using Windows protocol / folder sharing transfer), the IPS engine is crashing all the time and giving me an error saying
"IPS enter fail open mode: engines=1 socketsize=8388608 sessionact=pass
IPS exit fail open mode"
I had logged the case with the Fortinet technical team and they suggested that I upgrade the firmware (currently I am on firmware version 5.0 patch 9).
Will this issue resolve after upgrading the firmware, or is there any alternative solution to this?
(If I upgrade the firmware to 5.0 patch 11, will it work? Does the IPS version change or remain the same? I am avoiding upgrading the firmware version to 5.2 because some of the features are not present, e.g. top client by bandwidth.)
Please let me know.
Following TAC suggestion, but just to be clear, you get these messages ONLY when sending traffic between subnets?
How many rules do you have IPS sensors enabled on?
Do you really need IPS rules for intra-subnet traffic ?
How much avg/max CPU/memory?
Are you sure the firewall is not undersized? What is the amount of traffic being sent? What model of FGT?
Bottom line, fail-open IPS is not a good thing, and numerous issues can cause this; at least your traffic is not impeded.
You will probably need to work with TAC. I would also not rule out the algorithm methods used in the IPS global cfg. I've seen issues when the engine-pick algorithm was used on lower-end devices. You can play with that and the low settings & monitor the CPU/memory and see if there are any overall improvements.
PCNSE
NSE
StrongSwan
Thanks for your quick reply. Here are the answers to your questions. Yes, these messages are displayed only when there is LAN traffic between two different subnets.
Q) How many rules do you have IPS sensors enabled on? Ans: I don't see any column which is labeled "IPS" on the policy tab. I think IPS is globally enabled for all the policies. If not, how do I disable IPS for a particular policy? Please provide me the steps for the same.
Q) Do you really need IPS rules for intra-subnet traffic? Ans: I do not have any idea whether IPS is really required for the intra-subnet traffic or not, but as per the Fortinet technical support team it is not a good idea to disable IPS for a policy. Please comment on this.
Q) How much avg/max CPU/memory?
Ans: When there is only internet traffic, avg memory is near about 50% and CPU also 50%.
Q) Are you sure the firewall is not undersized? What is the amount of traffic being sent? What model of FGT?
Ans: Yes. The firewall is undersized. The firewall model is 90D.
The throughput of the firewall is 3.2 Gbps; LAN data traffic is only 150 Mbps max at the time the IPS engine crashes.
Below are the changes made by TAC, but the issue still exists.

    # config ips global
    # set engine-count 4
    # set algorithm low
    # set socket-size 1
    # end
    # diag test app ipsmonitor 99

Reduce the session timers to close unused sessions faster:

    # config system global
    # set tcp-halfclose-timer 30
    # set tcp-halfopen-timer 30
    # set tcp-timewait-timer 0
    # set udp-idle-timer 60
    # end

I am waiting for your reply.
To get an idea of how many sessions have active IPS, you could dump the session table and look at the ips entries,
e.g.
diag sys session list | grep ips
You could also review the firewall policyId from the above and the referenced sensor in the firewall config.
A2: but you need to know what you're inspecting. Did support/TAC or any consultant configure these policies, and why? Was it trimmed and monitored for > & for the client-2-server or server-2-client traffic?
A3: So support made changes; did they pull your logs and look at any events? They obviously made an IPS engine-count change and did my suggested "low", but what you probably need to do, which goes back to A1, is find what you're inspecting.
>The diag ips session list will show you active sessions and even helps by posting the Client and Server in the details.
>The diag ips session status will show you the memory used and available; someone can correct me, but that's shared memory for the IPS engine iirc.
e.g.
diag ips session status
SYSTEM: memory capacity 104M memory used 23M recent pps\bps 0\0K session in-use 0
TCP: in-use\active\total 0\0\0
UDP: in-use\active\total 0\0\1 <--------- protocols that are enabled
ICMP: in-use\active\total 0\0\0
IP: in-use\active\total 0\0\0
Find what you have enabled, the characteristics of the sensor (what's enabled in that sensor's rules) and make sure you have the latest updates.
If you have any policy with a sensor enabled and all rules, then that is probably a bad thing. I don't believe your firewall is undersized, btw; probably just poor design of the IPS sensors and/or the policy IDs that are enabled. I would find the latest FortiOS IPS guide and study that, and then make and monitor corrections for improvements.
FWIW
The get sys performance status is a helpful status to monitor CPU/mem and IPS events, but I don't know how to reset this without a reboot. So you have some work cut out for you ;)
I hope the above helps and get you started.
PCNSE
NSE
StrongSwan
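The reply above explains how to read diag ips session status: the SYSTEM line gives the engine's memory pool and usage, and the per-protocol counters show what the engine has actually been inspecting. As an added example (not code from the thread or from Fortinet), the Python below parses that output into numbers so the memory headroom and the inspected protocols can be checked without eyeballing the dump. The sample text is constructed to match the shape of the output quoted above, and the 80% high-water mark is an assumed threshold, not a Fortinet figure.

```python
import re

# Constructed sample modelled on the "diag ips session status" output quoted
# earlier in the thread; it is not captured from a real unit.
SAMPLE_STATUS = r"""
SYSTEM: memory capacity 104M memory used 23M recent pps\bps 0\0K session in-use 0
TCP: in-use\active\total 0\0\0
UDP: in-use\active\total 0\0\1
ICMP: in-use\active\total 0\0\0
IP: in-use\active\total 0\0\0
"""

# The SYSTEM line carries the engine's memory pool; the rest are per-protocol counters
# written as in-use\active\total with literal backslashes.
SYSTEM_RE = re.compile(
    r"memory capacity (\d+)M memory used (\d+)M .*?session in-use (\d+)")
PROTO_RE = re.compile(
    r"^(TCP|UDP|ICMP|IP): in-use\\active\\total (\d+)\\(\d+)\\(\d+)", re.MULTILINE)


def parse_ips_session_status(text):
    """Turn the status dump into a dict: memory figures plus per-protocol counters."""
    m = SYSTEM_RE.search(text)
    if m is None:
        raise ValueError("SYSTEM line not found in status output")
    status = {
        "memory_capacity_mb": int(m.group(1)),
        "memory_used_mb": int(m.group(2)),
        "session_in_use": int(m.group(3)),
        "protocols": {},
    }
    for p in PROTO_RE.finditer(text):
        status["protocols"][p.group(1)] = {
            "in_use": int(p.group(2)),
            "active": int(p.group(3)),
            "total": int(p.group(4)),
        }
    return status


def memory_utilization(status):
    """Fraction of the IPS engine's memory pool that is in use (0.0 .. 1.0)."""
    return status["memory_used_mb"] / status["memory_capacity_mb"]


def protocols_with_traffic(status):
    """Protocols whose 'total' counter is non-zero, i.e. the engine has seen them."""
    return [name for name, c in status["protocols"].items() if c["total"] > 0]


def assess(status, high_water=0.80):
    """Return human-readable findings; high_water is an assumed threshold, not Fortinet's."""
    findings = []
    util = memory_utilization(status)
    if util >= high_water:
        findings.append(
            f"IPS memory at {util:.0%} of capacity; engine is close to its pool limit")
    else:
        findings.append(f"IPS memory at {util:.0%} of capacity")
    seen = protocols_with_traffic(status)
    findings.append("protocols inspected so far: " + (", ".join(seen) if seen else "none"))
    return findings


if __name__ == "__main__":
    for line in assess(parse_ips_session_status(SAMPLE_STATUS)):
        print(line)
```

Feed it the real output (e.g. saved from an SSH session) in place of SAMPLE_STATUS; on the sample it reports about 22% pool usage and UDP as the only protocol with a non-zero counter, which matches the reply's note that UDP is the protocol shown as enabled.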
Thanks for your reply.
I have collected the results for the said commands and tried to figure out the cause, but I am unable to understand the logs.
So could you please help to figure out what exactly is causing the problem in IPS?
Fortinet support/TAC has only asked me to change the firmware to the latest one; also they have not said anything about the IPS engine on the intra-LAN subnet traffic.
So please find attached the log file for the same.
You still haven't determined what policies have IPS protection and what rules you have enabled in the sensors. I would follow TAC and upgrade, BUT you also need to trim and police the IPS sensors. What are you trying to protect between internal---2---internal? (Application server, mail, web, etc....)
In your IPS details I see a lot of Client to Server with service 443. Are you also deploying SSL inspection?
And lastly, did you pull the latest FortiGate IPS guide and review the PDF? I would read this 1st:
http://docs.fortinet.com/uploaded/files/1082/fortigate-security_profiles-50.pdf
and then look at your IPS and determine if you need anomaly (aka DoS sensor) or signature-based protection. You can't just blindly enable these and NOT understand the results and impact. Also they need a careful eye that's ongoing to ensure you have the best protection vs performance.
You most likely will end up with exemptions, adjustments and thresholds set and continuously re-adjusted during the lifetime of the sensor deployment.
PCNSE
NSE
StrongSwan
Thanks again.
As per your thinking, I have applied IPS security profiles to the internal LAN policy? (Is that right?)
But I have not enabled the intrusion prevention feature on the FortiGate firewall (which is normally located at System > Config > Features),
and also I am not able to see the security profiles option while creating any new/old policy.
So how come the policy will have an IPS sensor attached without enabling it on the firewall itself?
Please let me know whether what I have written is correct or not, and if yes then how the IPS sensor is attached to the policy by default, and if no then how to disable the IPS sensor for intra-LAN traffic.
Also I don't want to protect any web, mail, etc. server in the intra-LAN traffic.
Please find the screenshot for the IPS feature disabled.
Did you check all policies from the CLI?
Another quick way to determine if you have IPS enabled:
diag ips signature status
or
diag ips anomaly status
Did you follow TAC's suggestion and upgrade?
FWIW: if you have ips_view and have your system crashing due to the IPS engine, then it's most likely due to your IPS being enabled regardless of what features you have checked in the GUI. That's just the features you have enabled per WebGUI.
Get back in touch with TAC and have them guide you on the problem and resolution if you still have issues.
PCNSE
NSE
StrongSwan
Hi,
If you disable the IPS feature from the GUI, it doesn't mean that you disable the IPS engine.
You should connect in the CLI and perform these commands:

    config firewall policy
        edit <policy ID>
            show full-configuration

If you don't mind, post it.
Otherwise, search for the ips-sensor field... it should be blank. If it's not blank, do this: unset ips-sensor.
Regards,
Radu
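Radu's advice (check each policy's full configuration for a non-blank ips-sensor field and unset it where it is not wanted) and emmnx's earlier point (find which policy IDs reference a sensor) both come down to auditing the firewall policy table. As an added example, not code from the thread or from Fortinet, the Python below reads text in the shape of show full-configuration firewall policy output, lists the policies carrying an ips-sensor, flags the ones whose source and destination interfaces are both internal (the intra-LAN case the original poster asks about), and emits the corresponding unset ips-sensor CLI. The config text, the interface names (internal1..3, wan1), the policy IDs and the sensor name are all constructed, and which interfaces count as internal is an assumption you set in INTERNAL_IFACES.

```python
import shlex

# Constructed sample in the shape of "show full-configuration firewall policy"
# output; interface names, policy IDs and the sensor name are made up for this example.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set srcintf "internal1"
        set dstintf "internal2"
        set action accept
        set service "ALL"
        set utm-status enable
        set ips-sensor "default"
    next
    edit 2
        set srcintf "internal1"
        set dstintf "wan1"
        set action accept
        set service "ALL"
        set nat enable
        set utm-status enable
        set ips-sensor "default"
    next
    edit 3
        set srcintf "internal2"
        set dstintf "internal3"
        set action accept
        set service "ALL"
    next
end
"""

# Assumption: these interface names are the LAN-side ports; adjust for your unit.
INTERNAL_IFACES = {"internal1", "internal2", "internal3"}


def parse_policies(text):
    """Return {policy_id: {key: [values]}} from FortiOS-style 'edit ... next' blocks."""
    policies, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("edit "):
            current = line.split(None, 1)[1]
            policies[current] = {}
        elif line == "next":
            current = None
        elif line.startswith("set ") and current is not None:
            parts = shlex.split(line[4:])       # handles the quoted values
            policies[current][parts[0]] = parts[1:]
    return policies


def policies_with_ips(policies):
    """IDs of policies whose ips-sensor field is non-blank (in config order)."""
    return [pid for pid, cfg in policies.items() if cfg.get("ips-sensor")]


def intra_lan_ips_policies(policies, internal_ifaces):
    """Subset of the above where both srcintf and dstintf are internal interfaces."""
    hits = []
    for pid in policies_with_ips(policies):
        cfg = policies[pid]
        src, dst = set(cfg.get("srcintf", [])), set(cfg.get("dstintf", []))
        if src and dst and src <= internal_ifaces and dst <= internal_ifaces:
            hits.append(pid)
    return hits


def unset_commands(policy_ids):
    """CLI lines that clear the sensor on the given policies, as Radu describes."""
    lines = ["config firewall policy"]
    for pid in policy_ids:
        lines += [f"    edit {pid}", "        unset ips-sensor", "    next"]
    lines.append("end")
    return lines


if __name__ == "__main__":
    pol = parse_policies(SAMPLE_CONFIG)
    print("policies with an IPS sensor:", policies_with_ips(pol))
    lan = intra_lan_ips_policies(pol, INTERNAL_IFACES)
    print("of which intra-LAN:", lan)
    print("\n".join(unset_commands(lan)))
```

Paste the real show full-configuration firewall policy output into SAMPLE_CONFIG (or read it from a file) and review the generated commands before applying them; the script only reports and prints, it does not talk to the unit.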