I received the following alert on my Fortigate. How do I tell that this was dropped? Or if there is still something else I need to do on my Fortigate?
The following intrusion was observed: Apache.Tomcat.Arbitrary.JSP.file.Upload.
date=2019-05-03 time=06:02:20 devname=FGT01 devid=FG101E4Q17000329 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=high srcip=60.216.17.66 srccountry="China" dstip=xxx.xxx.xxx.xxx srcintf="wan1" dstintf="lan" policyid=7 sessionid=57982235 action=dropped proto=6 service="HTTPS" attack="Apache.Tomcat.Arbitrary.JSP.file.Upload" srcport=31951 dstport=443 hostname="xxx.xxx.xxx.xxx:xxx" direction=outgoing attackid=44543 profile="protect_http_server" ref="http://www.fortinet.com/ids/VID44543" incidentserialno=1972817245 msg="web_server: Apache.Tomcat.Arbitrary.JSP.file.Upload," crscore=30 crlevel=high
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
action=droppedIPS cuts off the session if a pattern matches, that's why it's called "dropped". This one was detected and the connection was dropped after some time/bytes. It wouldn't hurt if you checked your server though.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1732 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.