Created on 08-09-2007 12:00 AM
Description: How a FortiGate unit handles IPS logging aggregation.
Components: (not specified)
Steps or Commands:

IPS aggregates attack logs so that an attacker cannot overload the FortiGate unit by generating a flood of attacks. When the IPS engine detects an attack, it first checks whether the same attack has been detected within the last 5 seconds. If not, the attack is logged right away. If the attack is detected continuously, it is logged only once every 60 seconds. The aggregated log entry reports the IP/port information of the last detection and the number of detections it covers.

If a signature is triggered very often, the network may be under heavy attack, or the signature may be generating false alerts. If you suspect the logs are false positives, contact Fortinet so that the IPS service team can improve the signature.

Some signatures only indicate suspicious behaviour rather than a confirmed attack; these are normally set to low severity. Such behaviour may be very common on one customer's network at one time and rare on another. If required, you can turn the signature off.
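The aggregation described above, as an added simulation that is not Fortinet's code: a Python model of a per-signature aggregator that applies the 5-second and 60-second thresholds from the article to a constructed stream of detections. The class and function names, the sample signature names and addresses, the behaviour of flushing leftover detections when a burst ends or the stream is closed, and the 50-detection threshold used by noisy_signatures are all assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Timing values come from the article; everything else is an illustrative model.
BURST_GAP_SECONDS = 5     # a repeat within 5 s of the last hit is "continuous"
AGGREGATE_INTERVAL = 60   # continuous hits are logged once per 60 s


@dataclass
class Detection:
    ts: float             # seconds; constructed values, no real clock needed
    signature: str
    src: Tuple[str, int]  # (IP, port)
    dst: Tuple[str, int]


@dataclass
class LogEntry:
    ts: float
    signature: str
    src: Tuple[str, int]  # IP/port of the LAST detection the entry covers
    dst: Tuple[str, int]
    count: int            # number of detections aggregated into this entry


@dataclass
class _State:
    last_seen: float
    last_logged: float
    last: Detection
    pending: int = 0      # detections seen but not yet written to a log entry


class IpsLogAggregator:
    """Model of the aggregation behaviour; hypothetical, not FortiOS code."""

    def __init__(self) -> None:
        self._state: Dict[str, _State] = {}
        self.entries: List[LogEntry] = []

    def _emit(self, ts: float, det: Detection, count: int) -> LogEntry:
        entry = LogEntry(ts, det.signature, det.src, det.dst, count)
        self.entries.append(entry)
        return entry

    def on_detection(self, det: Detection) -> Optional[LogEntry]:
        st = self._state.get(det.signature)
        if st is None or det.ts - st.last_seen > BURST_GAP_SECONDS:
            # Not seen in the last 5 s: log immediately. Assumption: detections
            # left over from a burst that has ended are flushed first.
            if st is not None and st.pending:
                self._emit(st.last_seen, st.last, st.pending)
            self._state[det.signature] = _State(det.ts, det.ts, det)
            return self._emit(det.ts, det, 1)
        # Continuous attack: count it, and write one entry per 60 s.
        st.pending += 1
        st.last_seen, st.last = det.ts, det
        if det.ts - st.last_logged >= AGGREGATE_INTERVAL:
            entry = self._emit(det.ts, det, st.pending)
            st.last_logged, st.pending = det.ts, 0
            return entry
        return None

    def flush(self) -> List[LogEntry]:
        """Write out whatever is still pending (assumed end-of-stream behaviour)."""
        out = []
        for st in self._state.values():
            if st.pending:
                out.append(self._emit(st.last_seen, st.last, st.pending))
                st.pending = 0
        return out


def build_sample_stream() -> List[Detection]:
    """Constructed input: one signature hit every second for 130 s (a flood),
    plus a second signature hit only twice, 90 s apart."""
    dst = ("192.0.2.10", 80)
    flood = [Detection(float(i), "Example.Flood.Sig", ("203.0.113.5", 40000 + i), dst)
             for i in range(130)]
    sparse = [Detection(10.0, "Example.Sparse.Sig", ("198.51.100.7", 51000), dst),
              Detection(100.0, "Example.Sparse.Sig", ("198.51.100.7", 51001), dst)]
    return sorted(flood + sparse, key=lambda d: d.ts)


def run_sample() -> List[LogEntry]:
    agg = IpsLogAggregator()
    for det in build_sample_stream():
        agg.on_detection(det)
    agg.flush()
    return agg.entries


def summarize(entries: List[LogEntry]) -> Dict[str, Tuple[int, int]]:
    """signature -> (log entries written, detections they represent)."""
    out: Dict[str, Tuple[int, int]] = {}
    for e in entries:
        n, total = out.get(e.signature, (0, 0))
        out[e.signature] = (n + 1, total + e.count)
    return out


def noisy_signatures(entries: List[LogEntry], max_per_entry: int = 50) -> List[str]:
    """Signatures with large aggregate counts: either a real flood or a
    false-positive candidate to report. The threshold is an assumption."""
    return sorted({e.signature for e in entries if e.count > max_per_entry})


if __name__ == "__main__":
    for e in run_sample():
        print(f"t={e.ts:6.1f} {e.signature:20} last_src={e.src[0]}:{e.src[1]} count={e.count}")
    print("noisy:", noisy_signatures(run_sample()))
```

Running the script prints one line per log entry. The 130 hits of the flood signature collapse into four entries (the immediate first hit, two 60-second aggregates, and the end-of-stream flush), each carrying the source port of the last detection it covers, while the sparse signature, never seen twice within 5 seconds, is logged on every hit.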
Copyright 2024 Fortinet, Inc. All Rights Reserved.