Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
Marian
New Contributor

Message meets Alert condition - intrusion

Hi, I have got this message two times in the last two days in two different internal destinations and I am worried about it: Message meets Alert condition The following intrusion was observed: . date=2013-05-28 time=10:07:47 devname=FGT110C device_id=FG100C3xxxxxx log_id=xxxxx type=ips subtype=signature pri=alert severity=high carrier_ep=" N/A" profilegroup=" N/A" profiletype=" N/A" profile=" N/A" src=2.22.178.116 dst=192.xxx.xxx.xxx src_int=" port1" dst_int=" wan1" policyid=1 intf_policyid=N/A identidx=0 serial=xxxxx status=detected proto=6 service=49576/tcp vd=" root" count=1 src_port=80 dst_port=49576 attack_id=13448 sensor=" protect_client" ref=" http://www.fortinet.com/ids/VID13448" user=" N/A" group=" N/A" incident_serialno=1322911253 msg=" web_client: Mozilla.Firefox.Chrome.Page.Loading.Restriction.Bypass" I have read the information in the link and it is supposed to be an exploit in Mozilla Firefox but in the early versions and the users has updated versions of that browser so as I am concern about this issue I would like to deny the traffic for that public IP and I would appreciate if somebody could help me to do it. Thanks and regards
8 REPLIES 8
Carl_Wallmark
Valued Contributor

Hi, Create an IPS profile with the sensor set to BLOCK. Put that profile on the outgoing firewall rule.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
Marian
New Contributor

Hi, Thanks for your reply. I have never create an IPS Profile before and I am not sure the I am doing it right. I have created an IPS Sensor and now I am creating a Filter, but in the filter I don' t see were to put the public IP to block and also don' t know what to fill in several options. I would appreciate if you could tell me where could I find a manual to do this. Thanks
Marian
New Contributor

Hi all, I woudl appreciate if somebody could help me with this problem. Thanks!
Carl_Wallmark
Valued Contributor

Hi Marian, Sorry for late answer, Create a IPS sensor with the signature and set it to block. Then create a firewall policy with the public IP as destination: Source IF:Internal -> source addr:all -> Destination IF:wan1 -> Destination addr:PublicIP -> Service: HTTP Then put your IPS profile on this rule. And place the rule above your common HTTP rule.

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
ede_pfau
SuperUser
SuperUser

Or you could just create a new policy source: your LAN dest: public IP to block service: HTTP, HTTPS action: DENY logging: enabled and see if you get hits in the Traffic log. Move this policy to the top of all policies in this section (int->wan) to make it work. This will block ANY HTTP(S) traffic to this destination so be aware of the consequences.
Ede Kernel panic: Aiee, killing interrupt handler!
Ede Kernel panic: Aiee, killing interrupt handler!
Marian
New Contributor

Hi Selective, Sorry for asking again, when I create an IPS Sensor, I create also a Filter, and I don' t know how should I configure it, with everything set to " All" ? And also, I don' t see where to configure the sensor to " block" . Thanks again for your help
Carl_Wallmark
Valued Contributor

Like this:

FCNSA, FCNSP
---
FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30B
FortiAnalyzer 100B, 100C
FortiMail 100,100C
FortiManager VM
FortiAuthenticator VM
FortiToken
FortiAP 220B/221B, 11C

FCNSA, FCNSP---FortiGate 200A/B, 224B, 110C, 100A/D, 80C/CM/Voice, 60B/C/CX/D, 50B, 40C, 30BFortiAnalyzer 100B, 100CFortiMail 100,100CFortiManager VMFortiAuthenticator VMFortiTokenFortiAP 220B/221B, 11C
Marian
New Contributor

I don' t have the same options, I don' t see where to fill " matches signatures" . Could I have a different version? : Thanks!
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors