Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
New Contributor

alert message about intrustion

i got this by email (this is one, i have many more) Message meets Alert condition The following intrusion was observed: "Linksys.Routers.Administrative.Console.Authentication.Bypass". date=2017-10-13 time=15:07:31 devname=XXX devid=XXXX logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="XXX" logtime=1507896450 severity="high" srcip= srccountry="Brazil" dstip= srcintf="XXXX" srcintfrole="wan" dstintf="TestingLAN-2037" dstintfrole="lan" policyid=96 sessionid=17583157 action="detected" proto=6 service="HTTP" attack="Linksys.Routers.Administrative.Console.Authentication.Bypass" srcport=36532 dstport=80 hostname="XXXX" direction="outgoing" attackid=44582 profile="default" ref="" incidentserialno=848384263 msg="backdoor: Linksys.Routers.Administrative.Console.Authentication.Bypass," crscore=30 crlevel="high"  i have 2 questions for it 1. does this mean that the threat was just "spotted" or is it blocked? this policy is attached with "high security" ips profile that states this severity as blocked by default 2. as you can see, the source country is brazil


this is my first firewall rule :

set name "Blocked Countries"
        set uuid 58cfcbac-9bfd-51e7-91c5-d54383633417
        set srcintf "any"
        set dstintf "any"
        set srcaddr "Blocked Countries" "Blocked Addresses"
        set dstaddr "all"
        set schedule "always"
        set service "ALL"
        set logtraffic all


first rule in sequence 

am i missing something? how can this traffic been spotted on this alert when it was supposed to be stopped by the first firewall policy? brazil is one of the countries of "blocked countries" group


thank you


It looks like an alert. If you have any inbound VIPs add the set match-vip enable command. Without it it won't block anything to your vips.
Top Kudoed Authors