hi all,
I happened to find there are compromised host under Security tab of dashboard, why are they here? Are they attacked?
And the host are dynamically displayed. 2 days ago, it displays 2 host, now it displays only 1 host. What are the criteria for this?
How can I remove them from here (to really solve the problem).
Thanks!
Nominating a forum post submits a request to create a new Knowledge Article based on the forum post topic. Please ensure your nomination includes a solution within the reply.
Hi @sean3 ,
This is a list of hosts that are analyzed to be compromised by the security fabric.
More information can be found here - https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/110327/viewing-session-infor...
You could look at all the sessions and the security actions taken based on the inspection to understand what traffic was blocked.
There are also configurable threat weights - https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/250999/log-settings-and-targ... - and these are used to calculate an overall threat score that is then used to mark an endpoint as compromised.
thanks mpapisetty for the advice.
so, it does not require to take any specific action, right?
It depends on the 13 sessions that got blocked. What sort of sessions are these? If they look expected (for example, someone was testing a virus download to test firewall efficacy etc), you can ignore the alert. If not, you will have to look at the host to see if something is indeed compromised and take corrective action.
Select Forum Responses to become Knowledge Articles!
Select the “Nominate to Knowledge Base” button to recommend a forum post to become a knowledge article.
User | Count |
---|---|
1662 | |
1077 | |
752 | |
446 | |
220 |
The Fortinet Security Fabric brings together the concepts of convergence and consolidation to provide comprehensive cybersecurity protection for all users, devices, and applications and across all network edges.
Copyright 2024 Fortinet, Inc. All Rights Reserved.