Support Forum
ahmetyilmaz2050
New Contributor II

IPS

Our network is under attack, but the log message includes this. It does not include IPS. Why can it not detect IPS?


Message meets Alert condition

date=2022-06-07 time=16:46:07 devname=xxxx devid=xxxxxxxxxxx logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" eventtime=1654609567005375688 tz="+0300" srcip=176.193.227.224 srcport=41898 srcintf="wan1" srcintfrole="wan" dstip=xxxxxxxx dstport=3389 dstintf="lan" dstintfrole="lan" sessionid=110258904 proto=6 action="deny" policyid=0 policytype="policy" service="RDP" dstcountry="Turkey" srccountry="Russian Federation" trandisp="dnat" tranip=10.10.10.52 tranport=3389 duration=0 sentbyte=0 rcvdbyte=0 sentpkt=0 appcat="unscanned" crscore=30 craction=131072 crlevel="high"

ahmetyilmaz2050
New Contributor II

I think maybe it affected the packet flow, but in a similar case IPS detected it.

pminarik
Staff

IPS inspection is triggered as a result of a firewall policy being matched.

Packet arrives -> find a matching policy -> apply UTM profiles from that policy (including IPS)


Your traffic didn't match any policy, and so it was simply dropped. ("implicit deny")


... action="deny" policyid=0 policytype="policy" ...

[ corrections always welcome ]
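As an added illustration (example code written for this thread, not from the poster above or from Fortinet), the policy-first ordering described in that reply can be turned into a small triage check: parse the space-separated key=value format of a FortiGate traffic log and read policyid and action to tell whether a session ever reached the security-profile stage where IPS would run. The two log lines are constructed for the example (documentation addresses, made-up device ids); the field meanings follow the thread, with policyid=0 and action=deny being the implicit deny, and the helper names are my own.

```python
import re
from typing import Dict, Tuple

# FortiGate traffic logs are space-separated key=value pairs; values that may
# contain spaces are double-quoted. Try a quoted value first, else a bare token.
_KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Constructed sample lines (addresses from RFC 5737 ranges, ids made up):
# one shaped like the implicit-deny line in the thread, one accepted by a real policy.
IMPLICIT_DENY_LOG = (
    'date=2022-06-07 time=16:46:07 devname="fgt-example" devid="FG000000000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=203.0.113.10 srcport=41898 srcintf="wan1" dstip=198.51.100.5 dstport=3389 '
    'dstintf="lan" proto=6 action="deny" policyid=0 policytype="policy" service="RDP" '
    'trandisp="dnat" tranip=10.10.10.52 tranport=3389 appcat="unscanned"'
)
ACCEPTED_LOG = (
    'date=2022-06-07 time=16:50:00 devname="fgt-example" devid="FG000000000000" '
    'logid="0000000013" type="traffic" subtype="forward" level="notice" vd="root" '
    'srcip=203.0.113.10 srcport=41900 srcintf="wan1" dstip=198.51.100.5 dstport=3389 '
    'dstintf="lan" proto=6 action="accept" policyid=12 policytype="policy" service="RDP"'
)


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Parse one FortiGate key=value log line into a dict (surrounding quotes stripped)."""
    fields: Dict[str, str] = {}
    for key, value in _KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def ips_could_have_run(fields: Dict[str, str]) -> Tuple[bool, str]:
    """Decide from a traffic log whether the session reached the security-profile stage.

    Order, as in the reply: packet -> matching firewall policy -> that policy's
    security profiles (IPS included). No matching policy means no profiles at all.
    """
    if fields.get("type") != "traffic":
        return False, "not a traffic log; IPS verdicts are logged as type=utm subtype=ips"
    try:
        policyid = int(fields.get("policyid", "0"))
    except ValueError:
        return False, "policyid is not numeric; cannot tell which policy matched"
    if policyid == 0:
        return False, ("policyid=0: the session matched no firewall policy (implicit deny), "
                       "so no policy security profile, IPS included, was ever applied")
    if fields.get("action") == "deny":
        return False, f"policy {policyid} is a deny policy; deny policies carry no security profiles"
    return True, (f"policy {policyid} accepted the session; IPS ran only if that policy has an "
                  "IPS sensor attached, and a signature hit would be a separate utm/ips log")


def triage(line: str) -> Tuple[bool, str]:
    """Parse a raw line and explain whether IPS could have seen the session."""
    return ips_could_have_run(parse_fortigate_log(line))


if __name__ == "__main__":
    for sample in (IMPLICIT_DENY_LOG, ACCEPTED_LOG):
        reached, why = triage(sample)
        print(f"reached security-profile stage: {reached} -- {why}")
```

Run against the thread's own line, the check lands on the policyid=0 branch, which is exactly the reply's point: the session never matched an accept policy, so there was no IPS sensor to fire and the only record is the traffic log's deny. When hunting for IPS events, look for type="utm" subtype="ips" lines rather than expecting the verdict inside a traffic log.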
ahmetyilmaz2050

Thank you for the reply. In addition, I found this article in old mails.


https://help.fortinet.com/fos50hlp/52data/Content/FortiOS/fortigate-life-of-packet-52/LoP-packet-flo...


pminarik

Here's a more up-to-date version of that document - https://docs.fortinet.com/document/fortigate/6.4.0/parallel-path-processing-life-of-a-packet/466137/...

[ corrections always welcome ]