Good morning friends, I have created a report in the FortiAnalyzer about which countries access or try to access my publications that I have created in the firewall.
In the report I have noticed the following information (image):
When you say "reserved" what does it mean?
Reviewing the logs, I see that the source IP is the private IP of my LAN network (users) and that the signature has LOW criticality with the signature "traceroute" and others have the signature "IP.LAND". It is worth mentioning that the IPS profile detects it.
Do you recommend blocking the IP.LAND signature?
Hi @unknown1020,
Source Country = Reserved means the source IP is a private IP address. Private IP addresses are not in the Geo database.
The IP Land attack is a denial-of-service attack. An attacker can send an IP packet to the target host where the source IP address of the packet has been spoofed to be that of the host itself.
Regards,
Hi
If the source address is spoofed like this, then I guess the firewall will block it with an RPF check (this is basic firewall protection), so you don't need to block that signature with IPS.
Just check the logs again and confirm that these packets are already blocked by the firewall.
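The checks discussed in the two replies above (a private source showing as "Reserved", the LAND condition where the source equals the target host, and confirming that the packets were already blocked), as an added Python example that is not part of the original thread and not Fortinet code. The key=value log layout, the field names and the action values are assumptions, and the sample lines are constructed.

```python
import ipaddress
import shlex

# Constructed sample lines, not taken from the thread. The key=value layout,
# field names and action values are assumptions made for this example.
SAMPLE_LOGS = [
    'srcip=192.168.10.25 dstip=192.168.10.25 attack="IP.LAND" action=dropped',
    'srcip=192.168.10.40 dstip=192.168.10.25 attack="traceroute" action=detected',
    'srcip=8.8.8.8 dstip=192.168.10.25 attack="traceroute" action=detected',
    'srcip=10.0.0.5 dstip=10.0.0.5 attack="IP.LAND" action=detected',
]

BLOCKING_ACTIONS = {"dropped", "blocked", "reset"}  # assumed values


def parse_line(line):
    """Split a key=value log line into a dict, honouring quoted values."""
    return dict(tok.split("=", 1) for tok in shlex.split(line) if "=" in tok)


def triage(line):
    """Classify one log line for the three questions raised in the thread."""
    rec = parse_line(line)
    src = ipaddress.ip_address(rec["srcip"])
    dst = ipaddress.ip_address(rec["dstip"])
    return {
        # Non-global sources (RFC 1918, loopback, link-local, ...) have no
        # country in a geo database, hence the "Reserved" label.
        "geo": "Reserved" if not src.is_global else "lookup",
        # LAND condition as described above: source equals the target host.
        "land": src == dst,
        # True only when the device already stopped the packet.
        "blocked": rec.get("action", "").lower() in BLOCKING_ACTIONS,
    }


def needs_review(lines):
    """Return LAND-shaped lines that were logged but not blocked."""
    return [l for l in lines if (t := triage(l))["land"] and not t["blocked"]]


if __name__ == "__main__":
    for line in SAMPLE_LOGS:
        print(triage(line), "<-", line)
    print("review:", needs_review(SAMPLE_LOGS))
```

Lines returned by `needs_review` are the ones where the log shows detection only, which is the case the second reply asks to rule out before deciding whether the IPS signature needs a block action.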
Hi, thanks for your comments. Regarding that signature "IP.LAND", I see in the logs that the source IP is a private IP of the company's LAN network towards the publication (WAN to LAN policy). So would it be recommended to block that signature?
Since it is a "low" category signature, would it be considered a false positive?