Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Millibhu
New Contributor

Intrusion Protection Log show heartbeat information attack

Hi,

 

Is anyone know that what is this log mean

 

 

I'm encounter with this log in my fortigate 100D , I already enable IPS, AV, Web filtering. Is this attack need to worried ?

What should I do with me fortigate 100D

 

Thanks

Millibhu

14 REPLIES 14
gschmitt
Valued Contributor

Blurring out the source public IPs of an external "attacker" is not really a good idea (since it doesn't reveal any information about you it is safe)

 

Chances are if you try to access http://TheIpShownAsSource it will show you a page like this:

Hello, we are a project to reveal heartbleed vulnerability and do checks throughout the net. If you are bothered by this click here to get on our block list.

 

Basically there are multiple sites out there which scan the whole web for the heartbleed bug for fun.

Millibhu
New Contributor

Hi gschmit

 

the source is my internal ip address (client), but the destination it go to linkedin

 

Is this attack already block by Fortigate ? , because the status show only 'detected'

BTW I used firmware 5.0 patch 5 Fortigate 100D

 

Thanks

 

gschmitt
Valued Contributor

Millibhu wrote:

the source is my internal ip address (client), but the destination it go to linkedin

Really? That's odd.

 

Go check your interal > wan policy (the one which applies to this traffic) and check the name of the IPS profile

 

Now to to Security Profiles > Intrusion Protection and make sure the correct profile is selected in the drop down menu top right corner (if you do not have a drop down menu enable Multiple Profiles at System > Config > Features)

 

At Pattern Based Signatures and Filter whatis the Action set to? Default or Monitor all?

Millibhu

Hi,

 

I follow your instruction and I'm using "Default" profile, should I check the signature inside this profile ?

 

Thanks

Millibhu

gschmitt
Valued Contributor

Yes

vjoshi_FTNT

Hello Millibhu,

 

Status 'detected' doesn't mean it is blocked. I see that the 'default' IPS sensor is applied on the Firewall policy. If you check under Security Profile > Intrusion Protection > Choose the default IPS sensor > View IPS signatures > Then search the signature name, any signature for that matter.

-  I believe, the default action is PASS.

 

 

Millibhu wrote:

Hi gschmit

 

the source is my internal ip address (client), but the destination it go to linkedin

[attachImg]https://forum.fortinet.com/download.axd?file=0;127233&where=message&f=heartbleed.jpg[/attachImg]

 

Is this attack already block by Fortigate ? , because the status show only 'detected'

BTW I used firmware 5.0 patch 5 Fortigate 100D

 

Thanks

 

vjoshi_FTNT
Staff
Staff

Just to clarify, in my earlier update, when I say  "any signature for that matter." I mean to say, you can use the same technique to find the action set on each signature which you think is not being blocked or you want to change the action.

Millibhu

Hi,

 

I follow your instruction and found that both signature

OpenSSL.TLS.Heartbeat.Information.Disclosure OpenSSL.ChangeCipherSpec.Injection

 

default action is "pass" , how can I modify the action to be block please advice

 

Thanks

Millibhu

vjoshi_FTNT

Hello Millibhu,

 

To make sure you are doing it right, create a new sensor as below:

 

Click on Intrusion Protection > Click on '+' sign at right corner of the screen > Name it > Ok > Create New > OK > Create New > This time, select "Specify Signatures" for "Sensor type" > Type 'opens ' and you will see all the relevant signatures > Select all the signatures needed (you can use the 'Ctrl' key on the keyboard to select multiple signatures) > Then click on 'Block All' at the bottom > Click OK.

 

Now, Drag/Move the specific signature filter above the existing default filter

 

Hope that helps

 

Millibhu wrote:

Hi,

 

I follow your instruction and found that both signature

OpenSSL.TLS.Heartbeat.Information.Disclosure OpenSSL.ChangeCipherSpec.Injection

 

default action is "pass" , how can I modify the action to be block please advice

 

Thanks

Millibhu

Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors