Good morning friends, I have created a report in the fortianalyzer about which countries access or try to access my publications that I have created in the firewall.
In the report I have noticed the following information (image):
When you say "reserved" what does it mean?
Reviewing the logs, I see that the source IP is the private IP of my LAN network (users) and that the signature has LOW criticality with the signature "traceroute" and others have the signature "IP.LAND". It is worth mentioning that the IPS profile detects it.
Do you recommend blocking the IP.LAND signature?
Solved! Go to Solution.
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @unknown1020,
Source Country = Reserved means the source IP is a private IP address. Private IP addresses are not in the Geo database.
The IP Land attack is a denial-of-service attack. An attacker can send an IP packet to the target host where the source IP address of the packet has been spoofed to be that of the host itself.
Regards,
Hi
If source address is spoofed like this then I guess the firewall will block it with RPF check (this is basic firewall protection), so you don't need to block that signature with IPS.
Just check the logs again and confirm that these packets are already blocked by the firewall.
Hi @unknown1020,
Source Country = Reserved means the source IP is a private IP address. Private IP addresses are not in the Geo database.
The IP Land attack is a denial-of-service attack. An attacker can send an IP packet to the target host where the source IP address of the packet has been spoofed to be that of the host itself.
Regards,
Hi, thanks for your comments. Regarding that signature "IP.LAND", I see in the logs that the source IP is a private IP of the company's LAN network towards the publication (WAN to LAN policy). So would it be recommended to block that signature?
Since it is a "low" category signature, would it be considered a false positive?
Hi
If source address is spoofed like this then I guess the firewall will block it with RPF check (this is basic firewall protection), so you don't need to block that signature with IPS.
Just check the logs again and confirm that these packets are already blocked by the firewall.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1733 | |
1106 | |
752 | |
447 | |
240 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.