Wednesday, November 24, 2021

How to troubleshoot the IPS issues in fortigate firewalls

 How do you find the cause of an IPS problem on a FortiGate firewall?


In our case the symptom is high memory utilization on the devices, so the first thing to do is capture what is using the memory.

1st step

#diagnose hardware sysinfo memory     (overall memory figures)

#diagnose sys top                     (per-process CPU and memory; the listing below is the output of this command)

Run Time:  41 days, 16 hours and 7 minutes

4U, 0N, 1S, 94I, 0WA, 0HI, 1SI, 0ST; 3615T, 764F     (CPU: 4% user, 0% nice, 1% system, 94% idle; memory: 3615 MB total, 764 MB free, so roughly 79% in use)

The process columns are: name, PID, state, CPU %, memory %.

       ipsengine    23181      S <    12.7     3.6   ( Four ipsengine processes sit near the top of the list, at 3.6-3.7% of memory each, about 14.7% between them, with the busiest one also on 12.7% CPU)

       ipsengine    23183      S <     4.9     3.7

       ipsengine    23180      S <     4.9     3.7

       scanunitd     3505      S <     4.9     0.6

       ipsengine    23179      S <     2.9     3.7

         miglogd      262      S       0.9     1.9


2nd step

# diag debug crashlog read          >>>> Nothing related to ipsengine in the crash log, so this is not the engine crashing and restarting; the memory use is steady-state

 
3rd step

n0_fw (global) # get sys fortiguard-service status

NAME                           VERSION   LAST UPDATE          METHOD     EXPIRE

AV Engine                      6.149     2020-05-29 21:34:00  manual     2025-08-11 23:59:59

Virus Definitions              89.7121   2021-11-23 10:04:37  scheduled  2025-08-11 23:59:59

Extended set                   89.7121   2021-11-23 10:04:37  scheduled  2025-08-11 23:59:59

Flow-based Virus Definitions   89.7121   2021-11-23 10:04:37  scheduled  2025-08-11 23:59:59

Attack Definitions             6.741     2015-12-01 02:30:00  manual     2025-08-11 23:59:59   <<< outdated

Attack Extended Definitions    18.200    2021-11-22 20:05:11  scheduled  2025-08-11 23:59:59

IPS Malicious URL Database     3.195     2021-11-22 20:05:11  scheduled  2025-08-11 23:59:59

IPS/FlowAV Engine              6.071     2021-02-17 20:28:04  scheduled  2025-08-11 23:59:59

IPS Config Script              1.009     2019-06-06 14:02:00  manual     2025-08-11 23:59:59

Application Definitions        18.199    2021-11-18 20:07:31  scheduled  2025-08-11 23:59:59

Industrial Attack Definitions  6.741     2015-12-01 02:30:00  manual     n/a

The Attack Definitions package (the IPS signature database) is the one to look at: version 6.741 dates from 2015-12-01 and its METHOD is manual, meaning it has only ever been loaded by hand and the scheduled FortiGuard update has not refreshed it, while the scheduled packages around it are a day or two old. The Industrial Attack Definitions entry shows the same 2015 version.

  

4th step

Solution: update the IPS definitions from the CLI with the command below (on a VDOM-enabled unit run it from global mode):

#execute update-ips

Afterwards re-run "get sys fortiguard-service status" and confirm that the VERSION and LAST UPDATE of Attack Definitions have changed. If the package goes stale again, check that the scheduled FortiGuard update is enabled (config system autoupdate schedule).

Note: Updating the IPS engine restarts it, and the restart terminates the TCP sessions passing through the firewall, so the update is service-affecting. Schedule this activity in a maintenance window.
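The checks in steps 1 and 3 can be done offline against saved CLI output. The script below is an added example for this post, not FortiGate code and not the post author's tooling: it parses the "diagnose sys top" listing and the "get sys fortiguard-service status" table, sums CPU and memory per process name (so the four ipsengine processes are seen as one consumer), and flags packages whose LAST UPDATE is older than a threshold. Both sample outputs are copied from this post and embedded so the script runs without a device; the thresholds DEFINITION_MAX_AGE_DAYS and ENGINE_MAX_AGE_DAYS are this script's own assumptions, not FortiGate settings.

```python
"""Offline triage of two FortiGate CLI outputs: the 'diagnose sys top'
process listing and the 'get system fortiguard-service status' table.

Added example for this post, not FortiGate code. The samples below are
copied from the post; the age thresholds are this script's own choices.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: the 'diagnose sys top' listing from step 1.
SYS_TOP = """\
Run Time:  41 days, 16 hours and 7 minutes
4U, 0N, 1S, 94I, 0WA, 0HI, 1SI, 0ST; 3615T, 764F
       ipsengine    23181      S <    12.7     3.6
       ipsengine    23183      S <     4.9     3.7
       ipsengine    23180      S <     4.9     3.7
       scanunitd     3505      S <     4.9     0.6
       ipsengine    23179      S <     2.9     3.7
         miglogd      262      S       0.9     1.9
"""

# Constructed sample: the FortiGuard package table from step 3.
FORTIGUARD_STATUS = """\
NAME               VERSION LAST UPDATE          METHOD    EXPIRE
AV Engine           6.149  2020-05-29 21:34:00  manual    2025-08-11 23:59:59
Virus Definitions   89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59
Extended set        89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59
Flow-based Virus Definitions  89.7121  2021-11-23 10:04:37  scheduled 2025-08-11 23:59:59
Attack Definitions  6.741  2015-12-01 02:30:00  manual    2025-08-11 23:59:59
Attack Extended Definitions  18.200  2021-11-22 20:05:11  scheduled 2025-08-11 23:59:59
IPS Malicious URL Database  3.195  2021-11-22 20:05:11  scheduled 2025-08-11 23:59:59
IPS/FlowAV Engine   6.071  2021-02-17 20:28:04  scheduled 2025-08-11 23:59:59
IPS Config Script   1.009  2019-06-06 14:02:00  manual    2025-08-11 23:59:59
Application Definitions  18.199  2021-11-18 20:07:31  scheduled 2025-08-11 23:59:59
Industrial Attack Definitions  6.741  2015-12-01 02:30:00  manual    n/a
"""

# Process rows of 'diagnose sys top': name, pid, state, optional '<', CPU %, memory %.
PROC_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+([A-Z])\s*<?\s+([\d.]+)\s+([\d.]+)\s*$")
# Memory summary at the end of the CPU line: '<total>T, <free>F' in MB.
MEM_RE = re.compile(r";\s*(\d+)T,\s*(\d+)F")
# Package rows: name (may contain spaces), version, timestamp, method, expiry.
PKG_RE = re.compile(
    r"^(.+?)\s+(\d+\.\d+)\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+(\w+)\s+(.+?)\s*$")

# Script's own thresholds (assumption): signature packages should move every
# few days, engines and config scripts far less often.
DEFINITION_MAX_AGE_DAYS = 30
ENGINE_MAX_AGE_DAYS = 365


def parse_sys_top(text):
    """Return (total_mb, free_mb, {name: {'cpu': %, 'mem': %, 'count': n}})."""
    total = free = None
    procs = defaultdict(lambda: {"cpu": 0.0, "mem": 0.0, "count": 0})
    for line in text.splitlines():
        m = MEM_RE.search(line)
        if m:
            total, free = int(m.group(1)), int(m.group(2))
            continue
        m = PROC_RE.match(line)
        if m:
            name = m.group(1)
            procs[name]["cpu"] += float(m.group(4))
            procs[name]["mem"] += float(m.group(5))
            procs[name]["count"] += 1
    return total, free, dict(procs)


def parse_fortiguard_status(text):
    """Return one dict per package row; the header line does not match PKG_RE."""
    rows = []
    for line in text.splitlines():
        m = PKG_RE.match(line)
        if m:
            name, version, updated, method, expire = m.groups()
            rows.append({"name": name, "version": version,
                         "updated": datetime.strptime(updated, "%Y-%m-%d %H:%M:%S"),
                         "method": method, "expire": expire})
    return rows


def stale_packages(rows, now):
    """Names of packages whose last update is older than the threshold for their kind."""
    stale = []
    for r in rows:
        is_definitions = "Definitions" in r["name"] or "Database" in r["name"]
        limit = DEFINITION_MAX_AGE_DAYS if is_definitions else ENGINE_MAX_AGE_DAYS
        if now - r["updated"] > timedelta(days=limit):
            stale.append(r["name"])
    return sorted(stale)


def triage(sys_top_text, fortiguard_text, now_date="2021-11-24"):
    """Combine both outputs into one summary; now_date defaults to the post's date."""
    now = datetime.strptime(now_date, "%Y-%m-%d")
    total, free, procs = parse_sys_top(sys_top_text)
    ranked = sorted(procs.items(), key=lambda kv: kv[1]["mem"], reverse=True)
    rows = parse_fortiguard_status(fortiguard_text)
    return {
        "mem_used_pct": round(100.0 * (total - free) / total, 1),
        "top_mem_process": ranked[0][0],
        "top_mem_pct": round(ranked[0][1]["mem"], 1),
        "top_mem_count": ranked[0][1]["count"],
        "stale": stale_packages(rows, now),
        "manual": sorted(r["name"] for r in rows if r["method"] == "manual"),
    }


if __name__ == "__main__":
    s = triage(SYS_TOP, FORTIGUARD_STATUS)
    print(f"memory in use: {s['mem_used_pct']}%")
    print(f"largest memory consumer: {s['top_mem_process']} "
          f"({s['top_mem_count']} processes, {s['top_mem_pct']}% total)")
    print("stale packages:", ", ".join(s["stale"]))
    print("last updated manually:", ", ".join(s["manual"]))
```

Run against the post's output it reports ipsengine as the largest consumer (4 processes, 14.7% of memory) and lists Attack Definitions and Industrial Attack Definitions among the stale packages, which is exactly what step 3 concluded by eye; on a real unit, paste the two command outputs into the constants or read them from files.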

 A few more commands for troubleshooting the IPS engine

diagnose test application ipsmonitor 5     (toggles IPS bypass, so traffic skips the engine while you watch whether memory and CPU recover; it is a toggle, run it a second time to switch inspection back on)

diagnose test application ipsmonitor 13    (lists the sessions held by each ipsengine process; sample output below)

diagnose test application ipsmonitor 99    (restarts all IPS engines and the monitor; this is the soft restart, and like the update above it is service-affecting)

diagnose ips packet status                 (IPS packet counters, to confirm traffic is actually reaching the engine)

diagnose ips session list                  (per-session view of what the engine is inspecting; sample output below)

diagnose ips session performance           (per-stage packet counters for the engine; sample output below)

diagnose ips signature status              (state of the loaded signature set)

n0_fwl_i (global) # dia ips session list     (C- is the client side of each session, S- the server side)

Total TCP sessions: 165

SESSION id:105637489 serial:754130096 proto:6 group:0 age:6 idle:6 flag:0x200027

        feature:0x202 encap:0 ignore:1,0 ignore_after:0,204800

  C-212.224.76.233:44882, S-94.154.20.19:80

  state: C-ESTABLISHED/731/0/0/0/0, S-ESTABLISHED/0/0/0/0/0 pause:0, paws:0

  expire: 24

  app: unknown:0 last:0 unknown-size:0

  cnfm: http

  set: http sip rtsp

  asm: http

n0_fwl1_i (global) # dia test application ipsmonitor 13     (one list per ipsengine process; pid 23179 is one of the four seen in diagnose sys top above)

Session List: pid=23179

vf=4 proto=6 194.154.20.10:49770->92.168.217.1:3306

vf=4 proto=6 82.4.241.19:39352->94.154.20.7:443

Total session :26660


n0_fwl1_i (global) # diag ips session performance


PERFORMANCE STATISTICS

name           :       sess |       pkts   cycles |       pkts   cycles

decoder        :          0 | 1007720701        0 |          0        0

session        :          0 | 1007720701        0 |          0        0

protocol       :          0 |  969665012        0 |          0        0

application    :          0 | 1544856777        0 |   63603439        0

detect         :          0 |          0        0 |          0        0

match          :          0 | 2096202687        0 |          0        0

NC match       :          0 | 2931515123        0 |          0        0

Cross Tag      :          0 |  107154002        0 |          0        0

-------------------------------------------------------------------------
