Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

TCP.Split.Handshake type alert

Message meets Alert condition

The following intrusion was observed: TCP.Split.Handshake.

date=2018-10-23 time=18:00:56 devname=FG200D3916815028 devid=FG200D3916815028 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=root severity=medium srcip= srccountry="United States" dstip= srcintf="wan1" dstintf="port16" policyid=13 sessionid=71453405 action=detected proto=6 service="ca.vsign.in_http" attack="TCP.Split.Handshake" srcport=13633 dstport=8999 direction=outgoing attackid=26339 profile="all_default" ref="" incidentserialno=257015217 msg="a-ipdf: TCP.Split.Handshake, TCP split handshake at state: ESTABLISHED" crscore=10 crlevel=medium  

Valued Contributor II

What's your question? 


Per the link, this is a protocol anomaly often used as an attack or for recon.

Per the log you posted you have it set to detect but not block. 



You may want to update your IPS Security Profile to block anomalies like this.  

Top Kudoed Authors