FortiGate
Article Id 193205


Description

This article explains why antivirus and intrusion detection logs appear to report the source and destination IP addresses reversed.
Components

FortiGate v2.50 and v2.80.

Steps or Commands

The source and destination information that the FortiGate unit logs (for example, via syslog) for antivirus or intrusion detection events can be misleading.


The logged src and dst fields may appear to indicate the opposite direction from the one in which the virus or exploit actually travelled.


For example, the log entry below was generated when a client PC on the internal network accessed the Internet and downloaded the file eicar.com over HTTP.

The infected file was travelling from the Internet, in through the FortiGate unit's external interface, to the client PC on the internal interface. The log entry below appears to show the opposite: src is the internal client and dst is the external server.


2004-02-27 15:12:25 Local7.Warning 192.168.171.249 date=2004-02-27 time=15:11:51 device_id=APS3012803000000 log_id=0201060100 type=virus subtype=filename pri=warning src=192.168.171.132 dst=82.149.70.98 src_int=internal dst_int=external service=http status=blocked msg="The file eicar.com is blocked."

Below are two more log entries concerning an internal FTP client that first attempts to download the eicar.com test file from the Internet and then attempts to upload it.

The file was blocked both times; however, the two log entries do not differentiate between the two directions. Both show src=192.168.171.132, src_int=internal and dst_int=external, whether the client was receiving or sending the file.


2004-02-27 16:43:51 Local7.Warning 192.168.171.249 date=2004-02-27 time=16:43:17 device_id=APS3012803000000 log_id=0200060101 type=virus subtype=infected pri=warning src=192.168.171.132 dst=205.252.48.161 src_int=internal dst_int=external service=ftp status=blocked msg="The file eicar.com is infected with EICAR_TEST_FILE."

2004-02-27 16:44:23 Local7.Warning 192.168.171.249 date=2004-02-27 time=16:43:49 device_id=APS3012803000000 log_id=0200060101 type=virus subtype=infected pri=warning src=192.168.171.132 dst=65.39.139.194 src_int=internal dst_int=external service=ftp status=blocked msg="The file eicar.txt is infected with EICAR_TEST_FILE."


The logging appears reversed because the session was matched by the Internal -> External firewall policy and was established in that direction: the internal client initiated the connection to the external server.

The FortiGate unit therefore logs src and dst as the session's initiator and responder, in the Internal -> External form, even when the file itself was flowing in the opposite direction. When triaging these events, read src/dst as the session direction, not as the direction of the detected content; the direction of the file transfer is not recorded in the entry.
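The following parser, added here as an example and not part of the original article or of any Fortinet tool, shows how to consume these syslog-wrapped records without misreading them. It splits the syslog header from the key=value body (the quoted msg="..." value contains spaces, so a plain split on whitespace would break it), then re-labels src/dst as session initiator and responder and explicitly reports the file direction as unknown rather than inferring it from src/dst. The sample lines are constructed to match the shape of the entries above; the interface names "internal" and "external" and the "The file X is ..." message format are taken from those entries and are assumptions for any other firmware.

```python
import re
import shlex

# Constructed sample records in the shape of the article's syslog output
# (syslog header, then the FortiGate key=value body). Not real traffic.
SAMPLE_LOGS = [
    '2004-02-27 15:12:25 Local7.Warning 192.168.171.249 date=2004-02-27 time=15:11:51 '
    'device_id=APS3012803000000 log_id=0201060100 type=virus subtype=filename pri=warning '
    'src=192.168.171.132 dst=82.149.70.98 src_int=internal dst_int=external service=http '
    'status=blocked msg="The file eicar.com is blocked."',
    '2004-02-27 16:43:51 Local7.Warning 192.168.171.249 date=2004-02-27 time=16:43:17 '
    'device_id=APS3012803000000 log_id=0200060101 type=virus subtype=infected pri=warning '
    'src=192.168.171.132 dst=205.252.48.161 src_int=internal dst_int=external service=ftp '
    'status=blocked msg="The file eicar.com is infected with EICAR_TEST_FILE."',
]

# Syslog relay header: received date, received time, facility.severity, relay IP, body.
SYSLOG_HEADER = re.compile(
    r"^(?P<recv_date>\S+) (?P<recv_time>\S+) (?P<facility>\S+) (?P<relay>\S+) (?P<body>.*)$"
)
# Assumed message format, taken from the entries in the article.
FILE_IN_MSG = re.compile(r"The file (\S+) is ")


def parse_fortigate_syslog(line):
    """Strip the syslog header and parse the key=value body into a dict.

    shlex.split respects the quotes around msg="...", so the message survives
    as one value instead of being split at every space.
    """
    m = SYSLOG_HEADER.match(line.strip())
    if not m:
        raise ValueError("not a syslog-wrapped FortiGate record")
    fields = {"_relay": m.group("relay"), "_facility": m.group("facility")}
    for token in shlex.split(m.group("body")):
        key, sep, value = token.partition("=")
        if not sep:
            raise ValueError(f"bad token {token!r}")
        fields[key] = value
    return fields


def session_view(fields):
    """Re-label src/dst as what they are in these entries: the initiator and
    responder of the inspected session. The direction the file travelled is
    not recorded, so it is reported as unknown instead of being guessed.
    """
    m = FILE_IN_MSG.search(fields.get("msg", ""))
    # Assumption: the interface facing the Internet is named "external".
    if fields["dst_int"] == "external":
        internal_host, external_peer = fields["src"], fields["dst"]
    else:
        internal_host, external_peer = fields["dst"], fields["src"]
    return {
        "session": f"{fields['src_int']}->{fields['dst_int']}",
        "initiator": fields["src"],
        "responder": fields["dst"],
        "internal_host": internal_host,
        "external_peer": external_peer,
        "service": fields["service"],
        "file": m.group(1) if m else None,
        "verdict": fields.get("status"),
        # The entry records which side opened the session, not which side sent the file.
        "file_direction": "unknown",
    }


def summarize(lines):
    """Parse and re-label every record in the list."""
    return [session_view(parse_fortigate_syslog(line)) for line in lines]


if __name__ == "__main__":
    for view in summarize(SAMPLE_LOGS):
        print(view)
```

Because both the download and the upload produce identical src/dst/src_int/dst_int values, anything downstream (a SIEM correlation rule, a hunt for the host that served the file) has to treat the external peer as a candidate source, not a confirmed one, and confirm the transfer direction from another source such as the proxy or FTP server logs.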

