Our network on attack but log message include this. Not include IPS. why can not detect ips?
Message meets Alert condition
date=2022-06-07 time=16:46:07 devname=xxxx devid=xxxxxxxxxxx logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1654609567005375688 tz="+0300" srcip=176.193.227.224 srcport=41898 srcintf="wan1" srcintfrole="wan" dstip=xxxxxxxx dstport=3389 dstintf="lan" dstintfrole="lan" sessionid=110258904 proto=6 action="deny" policyid=0 policytype="policy" service="RDP" dstcountry="Turkey" srccountry="Russian Federation" trandisp="dnat" tranip=10.10.10.52 tranport=3389 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
i think, maybe affacted packet flow but in similar case IPS detected
IPS inspection is triggered as a result of a firewall policy being matched.
Packet arrives -> find a matching policy -> apply UTM profiles from that policy (including IPS)
Your traffic didn't match any policy, and so it was simply dropped. ("implicit deny")
... action="deny" policyid=0 policytype="policy" ...
thank you for reply. in addition i found this article in old mails.
Here's a more up-to-date version of that document - https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/466137/...
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.