Support Forum
The Forums are a place to find answers on a range of Fortinet products from peers and product experts.
unknown1020
New Contributor III

events Source Country "Reserved" in Fortigate

Good morning friends, I have created a report in the fortianalyzer about which countries access or try to access my publications that I have created in the firewall.
In the report I have noticed the following information (image):

 

Screenshot_1.jpg

 

When you say "reserved" what does it mean?
Reviewing the logs, I see that the source IP is the private IP of my LAN network (users) and that the signature has LOW criticality with the signature "traceroute" and others have the signature "IP.LAND". It is worth mentioning that the IPS profile detects it.

 

Do you recommend blocking the IP.LAND signature?

2 Solutions
hbac
Staff
Staff

Hi @unknown1020,

 

Source Country = Reserved means the source IP is a private IP address. Private IP addresses are not in the Geo database. 

 

The IP Land attack is a denial-of-service attack. An attacker can send an IP packet to the target host where the source IP address of the packet has been spoofed to be that of the host itself.

 

Regards, 

View solution in original post

AEK

Hi

If source address is spoofed like this then I guess the firewall will block it with RPF check (this is basic firewall protection), so you don't need to block that signature with IPS.

Just check the logs again and confirm that these packets are already blocked by the firewall.

AEK

View solution in original post

AEK
3 REPLIES 3
hbac
Staff
Staff

Hi @unknown1020,

 

Source Country = Reserved means the source IP is a private IP address. Private IP addresses are not in the Geo database. 

 

The IP Land attack is a denial-of-service attack. An attacker can send an IP packet to the target host where the source IP address of the packet has been spoofed to be that of the host itself.

 

Regards, 

unknown1020
New Contributor III

Hi, thanks for your comments. Regarding that signature "IP.LAND", I see in the logs that the source IP is a private IP of the company's LAN network towards the publication (WAN to LAN policy). So would it be recommended to block that signature?

 

Since it is a "low" category signature, would it be considered a false positive?

AEK

Hi

If source address is spoofed like this then I guess the firewall will block it with RPF check (this is basic firewall protection), so you don't need to block that signature with IPS.

Just check the logs again and confirm that these packets are already blocked by the firewall.

AEK
AEK
Announcements

Select Forum Responses to become Knowledge Articles!

Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.

Labels
Top Kudoed Authors