IPS
Our network is under attack, but the log message includes this. It does not include IPS. Why can't IPS detect it?
Message meets Alert condition
date=2022-06-07 time=16:46:07 devname=xxxx devid=xxxxxxxxxxx logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1654609567005375688 tz="+0300" srcip=176.193.227.224 srcport=41898 srcintf="wan1" srcintfrole="wan" dstip=xxxxxxxx dstport=3389 dstintf="lan" dstintfrole="lan" sessionid=110258904 proto=6 action="deny" policyid=0 policytype="policy" service="RDP" dstcountry="Turkey" srccountry="Russian Federation" trandisp="dnat" tranip=10.10.10.52 tranport=3389 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
Labels: FortiGate
I think maybe it affected the packet flow, but in a similar case IPS detected it.
IPS inspection is triggered as a result of a firewall policy being matched.
Packet arrives -> find a matching policy -> apply UTM profiles from that policy (including IPS)
Your traffic didn't match any policy, and so it was simply dropped. ("implicit deny")
... action="deny" policyid=0 policytype="policy" ...
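As an added example (not from this thread or from Fortinet), here is a small Python helper that parses FortiGate key=value traffic log lines and flags the implicit-deny case explained above, so the absence of an IPS log can be recognised as expected rather than as a detection gap. The sample lines, addresses and device ids are constructed placeholders.

```python
import shlex

# Constructed sample lines modelled on the log quoted in this thread.
# Addresses and device ids are placeholders, not real indicators.
SAMPLE_LOGS = [
    'date=2022-06-07 time=16:46:07 devname=fw01 devid=FGT-PLACEHOLDER logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" srcip=192.0.2.10 srcport=41898 '
    'srcintf="wan1" dstip=198.51.100.5 dstport=3389 dstintf="lan" proto=6 action="deny" '
    'policyid=0 policytype="policy" service="RDP" crscore=30 crlevel="high"',
    'date=2022-06-07 time=16:47:01 devname=fw01 devid=FGT-PLACEHOLDER logid="0000000013" '
    'type="traffic" subtype="forward" level="notice" srcip=192.0.2.11 srcport=50512 '
    'srcintf="wan1" dstip=198.51.100.5 dstport=443 dstintf="lan" proto=6 action="accept" '
    'policyid=12 policytype="policy" service="HTTPS"',
]


def parse_fortigate_log(line):
    """Parse a FortiGate key=value log line into a dict (quoted values are unquoted)."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def classify_inspection(fields):
    """Say whether UTM profiles (IPS included) could have been applied to this session.

    policyid=0 together with action="deny" is the implicit deny: no firewall policy
    matched, so no profile attached to any policy was ever evaluated. Only traffic
    accepted by a numbered policy reaches the UTM profiles of that policy.
    """
    policy_id = int(fields.get("policyid", "0"))
    action = fields.get("action", "")
    if policy_id == 0 and action == "deny":
        return "implicit-deny"    # dropped before UTM; no IPS log is expected
    if action == "accept":
        return "policy-matched"   # profiles on this policy may inspect the flow
    return "explicit-deny"        # a numbered deny policy; also no inspection


def audit(lines):
    """Return (policyid, classification) for each log line."""
    parsed = [parse_fortigate_log(line) for line in lines]
    return [(f.get("policyid"), classify_inspection(f)) for f in parsed]


if __name__ == "__main__":
    for policy_id, verdict in audit(SAMPLE_LOGS):
        print(f"policyid={policy_id}: {verdict}")
```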
Thank you for the reply. In addition, I found this article in old mails.
Here's a more up-to-date version of that document - https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/466137/...