i got this by email (this is one, i have many more) Message meets Alert condition The following intrusion was observed: "Linksys.Routers.Administrative.Console.Authentication.Bypass". date=2017-10-13 time=15:07:31 devname=XXX devid=XXXX logid="0419016384" type="utm" subtype="ips" eventtype="signature" level="alert" vd="XXX" logtime=1507896450 severity="high" srcip=191.180.88.52 srccountry="Brazil" dstip=192.168.100.171 srcintf="XXXX" srcintfrole="wan" dstintf="TestingLAN-2037" dstintfrole="lan" policyid=96 sessionid=17583157 action="detected" proto=6 service="HTTP" attack="Linksys.Routers.Administrative.Console.Authentication.Bypass" srcport=36532 dstport=80 hostname="XXXX" direction="outgoing" attackid=44582 profile="default" ref="http://www.fortinet.com/ids/VID44582" incidentserialno=848384263 msg="backdoor: Linksys.Routers.Administrative.Console.Authentication.Bypass," crscore=30 crlevel="high" i have 2 questions for it 1. does this mean that the threat was just "spotted" or is it blocked? this policy is attached with "high security" ips profile that states this severity as blocked by default 2. as you can see, the source country is brazil
this is my first firewall rule :
set name "Blocked Countries"
set uuid 58cfcbac-9bfd-51e7-91c5-d54383633417
set srcintf "any"
set dstintf "any"
set srcaddr "Blocked Countries" "Blocked Addresses"
set dstaddr "all"
set schedule "always"
set service "ALL"
set logtraffic all
next
first rule in sequence
am i missing something? how can this traffic been spotted on this alert when it was supposed to be stopped by the first firewall policy? brazil is one of the countries of "blocked countries" group
thank you
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1712 | |
1093 | |
752 | |
447 | |
231 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.