How to find problem with IPS in fortigate firewall?
In our case issues is High memory utilization in the devices so start
the capture memory process first.
1st step
#diagnose hardware sysinfo memory
Run Time: 41 days, 16 hours and 7
minutes
4U, 0N, 1S, 94I, 0WA, 0HI, 1SI,
0ST; 3615T, 764F
ipsengine
23181 S < 12.7
3.6 ( Noticed that the IPS engine
is taking lot of memory)
ipsengine 23183 S <
4.9 3.7
ipsengine 23180 S <
4.9 3.7
scanunitd 3505
S < 4.9 0.6
ipsengine
23179 S < 2.9
3.7
miglogd 262 S 0.9 1.9
2d step
# diag debug crashlog read
>>>>Not able to find anything related to ips engine
n0_fw (global) # get sys
fortiguard-service status
NAME VERSION LAST UPDATE METHOD EXPIRE
AV Engine 6.149 2020-05-29 21:34:00 manual
2025-08-11 23:59:59
Virus Definitions 89.7121
2021-11-23 10:04:37 scheduled
2025-08-11 23:59:59
Extended set 89.7121
2021-11-23 10:04:37 scheduled
2025-08-11 23:59:59
Flow-based Virus Definitions 89.7121
2021-11-23 10:04:37 scheduled
2025-08-11 23:59:59
Attack Definitions
6.741 2015-12-01 02:30:00 manual
2025-08-11 23:59:59 Find this
outdated
Attack Extended Definitions 18.200
2021-11-22 20:05:11 scheduled
2025-08-11 23:59:59
IPS Malicious URL Database 3.195
2021-11-22 20:05:11 scheduled
2025-08-11 23:59:59
IPS/FlowAV Engine 6.071
2021-02-17 20:28:04 scheduled
2025-08-11 23:59:59
IPS Config Script 1.009
2019-06-06 14:02:00 manual 2025-08-11 23:59:59
Application Definitions 18.199 2021-11-18 20:07:31 scheduled 2025-08-11 23:59:59
Industrial Attack Definitions 6.741
2015-12-01 02:30:00 manual n/a
4th
step
(Solution for this we need update the IPS from cli using below command)
#execute
update-ips (In global mode)
Note: Performing the activity of upgrading IPS engine will terminate all TCP
sessions. This will have impact to firewall. Make sure that you schedule this activity
diagnose test application ipsmonitor 5 (This command will help us to bypass the IPS for monitoring)
diagnose ips packet status (This will help to check ips packet counters/monitor the traffic for ips)
dia test application ipsmonitor 13 > This will soft restart the ips
diagnose ips packet status
diag ips session performance
diag ips session performance
diag ips signature status
diag ips packet status
n0_fwl_i (global) # dia ips session list
Total TCP sessions: 165
SESSION id:105637489 serial:754130096 proto:6 group:0 age:6 idle:6 flag:0x200027
feature:0x202 encap:0 ignore:1,0 ignore_after:0,204800
C-212.224.76.233:44882, S-94.154.20.19:80
state: C-ESTABLISHED/731/0/0/0/0, S-ESTABLISHED/0/0/0/0/0 pause:0, paws:0
expire: 24
app: unknown:0 last:0 unknown-size:0
cnfm: http
set: http sip rtsp
asm: http
n0_fwl1_i (global) # dia test application ipsmonitor 13
Session List: pid=23179
vf=4 proto=6 194.154.20.10:49770->92.168.217.1:3306
vf=4 proto=6 82.4.241.19:39352->94.154.20.7:443
Total session :26660
n0_fwl1_i (global) # diag ips session performance
PERFORMANCE STATISTICS
name : sess | pkts cycles | pkts cycles
decoder : 0 | 1007720701 0 | 0 0
session : 0 | 1007720701 0 | 0 0
protocol : 0 | 969665012 0 | 0 0
application : 0 | 1544856777 0 | 63603439 0
detect : 0 | 0 0 | 0 0
match : 0 | 2096202687 0 | 0 0
NC match : 0 | 2931515123 0 | 0 0
Cross Tag : 0 | 107154002 0 | 0 0
-------------------------------------------------------------------------
No comments:
Post a Comment