Meraki Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Received our first ever IDS Alert - Fortinet FortiOS and FortiProxy authentication bypass attempt

Solved
MVDEVILDOG
Conversationalist
‎Jun 20 2023 2:12 PM
‎Jun 20 2023 2:12 PM

Received our first ever IDS Alert - Fortinet FortiOS and FortiProxy authentication bypass attempt

Have any members seen this one.  We don't utilize Fortinet products.  Is this coming from someone who uses this equipment or have they been compromised.  Thanks in advance for any responses!

 

MVDEVILDOG_0-1687295431323.png

 

0 Kudos
Subscribe
1 Accepted Solution
MVDEVILDOG
Conversationalist
‎Jun 21 2023 7:07 AM
‎Jun 21 2023 7:07 AM

Here was Meraki supports response:  

 

It appears the attempt was blocked by Snort but it doesn't look like this is a known issue but it appears similar enough to something that is known hence it was blocked by Snort.

Meraki Support isn't actually able to make changes to the existing security policies as they are provided by a 3rd party.  We can, however, bring it to their attention and they are constantly providing security updates.  Unfortunately we have to wait for a Meraki Firmware update as the changes are baked into the firmware etc.

View solution in original post

0 Kudos
Subscribe
6 Replies 6
alemabrahao
Kind of a big deal
Kind of a big deal
‎Jun 20 2023 2:46 PM
‎Jun 20 2023 2:46 PM

Have you tried checking the source and destination?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Subscribe
MVDEVILDOG
Conversationalist
‎Jun 20 2023 2:49 PM
‎Jun 20 2023 2:49 PM

Yes.  Source is an IP in the Netherlands.  Destination is my front facing IP.  

0 Kudos
Subscribe
BlakeRichardson
Kind of a big deal
Kind of a big deal
‎Jun 20 2023 3:14 PM
‎Jun 20 2023 3:14 PM

Sounds like a false positive to me, if you don't use Fortinet products then I am not sure why you would see this. Perhaps you should contact support and query it. 

btr.net.nz
Subscribe
In response to BlakeRichardson
MVDEVILDOG
Conversationalist
‎Jun 20 2023 3:21 PM
‎Jun 20 2023 3:21 PM

I will.  Thanks Blake!  

0 Kudos
Subscribe
Brash
Kind of a big deal
Kind of a big deal
‎Jun 20 2023 3:35 PM
‎Jun 20 2023 3:35 PM

It could be a correct detection. I've had similar detections on a firewall that is also non-Fortinet and non-Meraki).

 

The detection is based on network traffic and connection details. 
There will be bad actors on the internet spraying CVE attacks at any available targets, even if they don't know the firewall vendor.

Subscribe
MVDEVILDOG
Conversationalist
‎Jun 21 2023 7:07 AM
‎Jun 21 2023 7:07 AM

Here was Meraki supports response:  

 

It appears the attempt was blocked by Snort but it doesn't look like this is a known issue but it appears similar enough to something that is known hence it was blocked by Snort.

Meraki Support isn't actually able to make changes to the existing security policies as they are provided by a 3rd party.  We can, however, bring it to their attention and they are constantly providing security updates.  Unfortunately we have to wait for a Meraki Firmware update as the changes are baked into the firmware etc.

0 Kudos
Subscribe
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.
Labels
© 2024 Cisco Systems, Inc.