Help
Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Millibhu
New Contributor

Created on ‎08-24-2015 12:03 AM

Intrusion Protection Log show heartbeat information attack

Hi,

 

Is anyone know that what is this log mean

 

 

I'm encounter with this log in my fortigate 100D , I already enable IPS, AV, Web filtering. Is this attack need to worried ?

What should I do with me fortigate 100D

 

Thanks

Millibhu

Preview file
67 KB
11013
0 Kudos
14 REPLIES 14
gschmitt
Valued Contributor

Created on ‎08-24-2015 01:31 AM

Blurring out the source public IPs of an external "attacker" is not really a good idea (since it doesn't reveal any information about you it is safe)

 

Chances are if you try to access http://TheIpShownAsSource it will show you a page like this:

Hello, we are a project to reveal heartbleed vulnerability and do checks throughout the net. If you are bothered by this click here to get on our block list.

 

Basically there are multiple sites out there which scan the whole web for the heartbleed bug for fun.

4543
0 Kudos
Millibhu
New Contributor

Created on ‎08-24-2015 01:54 AM

Hi gschmit

 

the source is my internal ip address (client), but the destination it go to linkedin

 

Is this attack already block by Fortigate ? , because the status show only 'detected'

BTW I used firmware 5.0 patch 5 Fortigate 100D

 

Thanks

 

Preview file
59 KB
4543
0 Kudos
gschmitt
Valued Contributor
In response to Millibhu

Created on ‎08-24-2015 02:01 AM

Millibhu wrote:

the source is my internal ip address (client), but the destination it go to linkedin

Really? That's odd.

 

Go check your interal > wan policy (the one which applies to this traffic) and check the name of the IPS profile

 

Now to to Security Profiles > Intrusion Protection and make sure the correct profile is selected in the drop down menu top right corner (if you do not have a drop down menu enable Multiple Profiles at System > Config > Features)

 

At Pattern Based Signatures and Filter whatis the Action set to? Default or Monitor all?

4565
0 Kudos
Millibhu
New Contributor
In response to Millibhu

Created on ‎08-24-2015 02:06 AM

Hi,

 

I follow your instruction and I'm using "Default" profile, should I check the signature inside this profile ?

 

Thanks

Millibhu

4565
0 Kudos
gschmitt
Valued Contributor
In response to Millibhu

Created on ‎08-24-2015 02:08 AM

Yes

4565
0 Kudos
vjoshi_FTNT
Staff
Staff
In response to Millibhu

Created on ‎08-24-2015 02:08 AM

Hello Millibhu,

 

Status 'detected' doesn't mean it is blocked. I see that the 'default' IPS sensor is applied on the Firewall policy. If you check under Security Profile > Intrusion Protection > Choose the default IPS sensor > View IPS signatures > Then search the signature name, any signature for that matter.

-  I believe, the default action is PASS.

 

 

Millibhu wrote:

Hi gschmit

 

the source is my internal ip address (client), but the destination it go to linkedin

[attachImg]https://forum.fortinet.com/download.axd?file=0;127233&where=message&f=heartbleed.jpg[/attachImg]

 

Is this attack already block by Fortigate ? , because the status show only 'detected'

BTW I used firmware 5.0 patch 5 Fortigate 100D

 

Thanks

 

4565
0 Kudos
vjoshi_FTNT
Staff
Staff

Created on ‎08-24-2015 02:11 AM

Just to clarify, in my earlier update, when I say  "any signature for that matter." I mean to say, you can use the same technique to find the action set on each signature which you think is not being blocked or you want to change the action.

4565
0 Kudos
Millibhu
New Contributor
In response to vjoshi_FTNT

Created on ‎08-24-2015 02:46 AM

Hi,

 

I follow your instruction and found that both signature

OpenSSL.TLS.Heartbeat.Information.Disclosure OpenSSL.ChangeCipherSpec.Injection

 

default action is "pass" , how can I modify the action to be block please advice

 

Thanks

Millibhu

4565
0 Kudos
vjoshi_FTNT
Staff
Staff
In response to Millibhu

Created on ‎08-24-2015 03:12 AM

Hello Millibhu,

 

To make sure you are doing it right, create a new sensor as below:

 

Click on Intrusion Protection > Click on '+' sign at right corner of the screen > Name it > Ok > Create New > OK > Create New > This time, select "Specify Signatures" for "Sensor type" > Type 'opens ' and you will see all the relevant signatures > Select all the signatures needed (you can use the 'Ctrl' key on the keyboard to select multiple signatures) > Then click on 'Block All' at the bottom > Click OK.

 

Now, Drag/Move the specific signature filter above the existing default filter

 

Hope that helps

 

Millibhu wrote:

Hi,

 

I follow your instruction and found that both signature

OpenSSL.TLS.Heartbeat.Information.Disclosure OpenSSL.ChangeCipherSpec.Injection

 

default action is "pass" , how can I modify the action to be block please advice

 

Thanks

Millibhu

4565
0 Kudos
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors
View all
Broad. Integrated. Automated.

The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.

Social Media
Security Research
Company
News & Articles
Contact Us

Copyright 2024 Fortinet, Inc. All Rights Reserved.