MarcusLeung
New Contributor

IPS engine blocked the attack but "Allowed" & Action "TCP reset from client" in Traffic log

Recently the FortiGate received an attack from 114.34.160.41 and IPS successfully blocked the attack, but it then caused a false alarm on the SIEM.

As the FortiGate sent an “Allowed – session reset” log message to the SIEM, the SIEM triggered a high-alert message; the keyword “allowed” caused confusion that the firewall had let the attack through.


Any suggestion to prevent that? Thanks.

[screenshots of the traffic and IPS logs]

1 Solution
amouawad
Staff

Are you sure the IPS blocked this?

The default action for this signature is to allow:

[screenshot of the signature's default action]

From the IPS log it looks like you're using the default IPS profile, which has the action set to default (which means do whatever the individual signature's default action is, which in this case is allow):

[screenshot of the IPS profile]

Could you confirm what the action was in the IPS log you had above? Your picture didn't show the full log.

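A SIEM-side triage rule that follows from the answer above, as an added example that is not part of the thread or of Fortinet's documentation: it correlates the UTM/IPS event with its traffic log by session instead of keying on the word "allowed". Field names and values (type, subtype, action, utmaction, sessionid, attack) are assumed to follow FortiGate's key=value log format; the sample log lines, IPs and signature name are constructed.

```python
# Added example (not from the thread or Fortinet): decide whether an IPS event was
# actually blocked by correlating the UTM/IPS log with its traffic log instead of
# keying on the word "allowed". Field names (type, subtype, action, utmaction,
# sessionid, attack) are assumed to follow FortiGate's key=value log format; the
# sample lines, IPs and signature name below are constructed.
import re

KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

def parse_fortigate(line: str) -> dict:
    """Parse one key=value log line, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def classify(traffic: dict, ips: dict) -> str:
    """Return 'blocked', 'passed' or 'no-ips-event' for one session.
    The traffic log action (accept/close/client-rst) only says how the TCP
    session ended; whether IPS blocked is in the IPS log action (dropped vs
    detected), mirrored in the traffic log's utmaction (block vs allow)."""
    if not ips:
        return "no-ips-event"
    if ips.get("action") == "dropped" or traffic.get("utmaction") == "block":
        return "blocked"
    return "passed"  # signature action was pass: logged, not blocked

def triage(lines) -> dict:
    """Group log lines by sessionid and classify each session."""
    sessions = {}
    for line in lines:
        rec = parse_fortigate(line)
        sess = sessions.setdefault(rec.get("sessionid"), {})
        if rec.get("type") == "traffic":
            sess["traffic"] = rec
        elif rec.get("type") == "utm" and rec.get("subtype") == "ips":
            sess["ips"] = rec
    return {sid: classify(s.get("traffic", {}), s.get("ips", {}))
            for sid, s in sessions.items()}

# Constructed sample: session 1001 mirrors the thread (default profile, signature
# default action pass); session 1002 is the same signature under a blocking profile.
SAMPLE = [
    'type=utm subtype=ips srcip=198.51.100.7 sessionid=1001 action=detected attack="Example.Sig"',
    'type=traffic subtype=forward srcip=198.51.100.7 sessionid=1001 action=client-rst utmaction=allow',
    'type=utm subtype=ips srcip=198.51.100.8 sessionid=1002 action=dropped attack="Example.Sig"',
    'type=traffic subtype=forward srcip=198.51.100.8 sessionid=1002 action=close utmaction=block',
]

if __name__ == "__main__":
    for sid, verdict in triage(SAMPLE).items():
        print(sid, verdict)
```

Session 1001 comes out as "passed" even though its traffic log says the session was reset, which is the alert the SIEM should raise; only "blocked" verdicts can be safely downgraded.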

2 Replies

MarcusLeung

Hi amouawad,

Thanks for your reply! The policy is using the default IPS profile, which should be the reason why the action shows "Allowed" in the traffic log.

But why do some CVE signatures have Action "Pass" as the default setting?