what is compromised host by verdict
Hi all,
I happened to find there are compromised hosts under the Security tab of the dashboard. Why are they here? Are they attacked?
And the hosts are dynamically displayed. 2 days ago, it displayed 2 hosts, now it displays only 1 host. What are the criteria for this?
How can I remove them from here (to really solve the problem)?
Thanks!
Hi @sean3,
This is a list of hosts that are analyzed to be compromised by the security fabric.
More information can be found here - https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/110327/viewing-session-infor...
You could look at all the sessions and the security actions taken based on the inspection to understand what traffic was blocked.
There are also configurable threat weights - https://docs.fortinet.com/document/fortigate/7.4.4/administration-guide/250999/log-settings-and-targ... - and these are used to calculate an overall threat score that is then used to mark an endpoint as compromised.
Manoj Papisetty
Thanks mpapisetty for the advice.
So, it does not require taking any specific action, right?
It depends on the 13 sessions that got blocked. What sort of sessions are these? If they look expected (for example, someone was testing a virus download to test firewall efficacy, etc.), you can ignore the alert. If not, you will have to look at the host to see if something is indeed compromised and take corrective action.
Manoj Papisetty
