Received our first ever IDS Alert - Fortinet FortiOS and FortiProxy authentication bypass attempt

Solved
MVDEVILDOG
Conversationalist

Have any members seen this one? We don't utilize Fortinet products. Is this coming from someone who uses this equipment, or have they been compromised? Thanks in advance for any responses!

1 Accepted Solution
MVDEVILDOG
Conversationalist

Here was Meraki support's response:

It appears the attempt was blocked by Snort, but it doesn't look like this is a known issue; it appears similar enough to something that is known, hence it was blocked by Snort.

Meraki Support isn't actually able to make changes to the existing security policies, as they are provided by a 3rd party. We can, however, bring it to their attention, and they are constantly providing security updates. Unfortunately, we have to wait for a Meraki firmware update, as the changes are baked into the firmware.


6 Replies
alemabrahao
Kind of a big deal

Have you tried checking the source and destination?

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.
MVDEVILDOG
Conversationalist

Yes. Source is an IP in the Netherlands. Destination is my front-facing IP.

BlakeRichardson
Kind of a big deal

Sounds like a false positive to me; if you don't use Fortinet products, then I am not sure why you would see this. Perhaps you should contact support and query it.

MVDEVILDOG
Conversationalist

I will.  Thanks Blake!  

Brash
Kind of a big deal

It could be a correct detection. I've had similar detections on a firewall that is also non-Fortinet (and non-Meraki).

 

The detection is based on network traffic and connection details. 
There will be bad actors on the internet spraying CVE attacks at any available targets, even if they don't know the firewall vendor.
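The triage the replies above describe (check source and destination, then ask whether the signature's target product even exists at that address, and whether the same source is spraying several different CVE signatures) can be scripted against exported security events. The script below is an added example, not code from the thread or from Cisco Meraki. The event layout, the `action=` field, the signature IDs (in Snort's local-rule range, 1000000 and up) and the addresses are all assumptions made for the example; the `ASSET_VENDOR` inventory is hypothetical, and the Fortinet entry is there only to show what the verdict looks like at a site that does run one.

```python
import re
from collections import defaultdict

# Constructed sample events in a Meraki-style syslog layout.  The layout,
# action field, signature IDs and addresses are assumptions for this example,
# not records taken from the thread or from Meraki documentation.
SAMPLE_EVENTS = """\
1687295431.123 MX68 security_event ids_alerted signature=1:1000001:1 priority=1 direction=ingress protocol=tcp/ip action=blocked src=203.0.113.7:51234 dst=198.51.100.10:443 message: SERVER-WEBAPP Fortinet FortiOS and FortiProxy authentication bypass attempt
1687295440.501 MX68 security_event ids_alerted signature=1:1000002:1 priority=1 direction=ingress protocol=tcp/ip action=blocked src=203.0.113.7:51290 dst=198.51.100.10:443 message: SERVER-WEBAPP Citrix ADC remote code execution attempt
1687295512.020 MX68 security_event ids_alerted signature=1:1000001:1 priority=1 direction=ingress protocol=tcp/ip action=blocked src=198.18.0.44:40022 dst=198.51.100.12:443 message: SERVER-WEBAPP Fortinet FortiOS and FortiProxy authentication bypass attempt
1687295600.777 MX68 security_event ids_alerted signature=1:1000003:1 priority=2 direction=ingress protocol=tcp/ip action=alerted src=192.0.2.5:60000 dst=198.51.100.99:22 message: INDICATOR-SCAN SSH brute force login attempt
"""

# Hypothetical inventory: what each public-facing address actually runs.
# The thread only says the original poster has no Fortinet products; the
# Fortinet entry is here to show the other branch of the verdict.
ASSET_VENDOR = {
    "198.51.100.10": "meraki",
    "198.51.100.12": "fortinet",
}

# Product names that commonly appear in IDS signature messages.
VENDOR_KEYWORDS = ("fortinet", "citrix", "cisco", "meraki", "palo alto")

EVENT_RE = re.compile(
    r"signature=(?P<sig>\S+).*?action=(?P<action>\S+)\s+"
    r"src=(?P<src>[^:\s]+):\d+\s+dst=(?P<dst>[^:\s]+):\d+\s+"
    r"message:\s*(?P<msg>.*)$"
)


def parse_events(text):
    """Turn raw event lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            events.append(m.groupdict())
    return events


def vendor_named_in(msg):
    """Return the first vendor keyword found in the signature message, if any."""
    lowered = msg.lower()
    for vendor in VENDOR_KEYWORDS:
        if vendor in lowered:
            return vendor
    return None


def triage(event):
    """Classify one alert by comparing the signature's target product with
    what the destination address actually runs."""
    vendor = vendor_named_in(event["msg"])
    if vendor is None:
        return "review"            # signature names no product; look at it by hand
    asset = ASSET_VENDOR.get(event["dst"])
    if asset is None:
        return "unknown-asset"     # inventory gap: fix the inventory first
    if asset != vendor:
        return "not-applicable"    # exploit for a product that is not there
    return "investigate"           # the targeted product is exposed here


def spraying_sources(events, min_signatures=2):
    """Sources that triggered several distinct signatures are scanning
    opportunistically rather than targeting a known product."""
    sigs_by_src = defaultdict(set)
    for e in events:
        sigs_by_src[e["src"]].add(e["sig"])
    return sorted(src for src, sigs in sigs_by_src.items() if len(sigs) >= min_signatures)


def report(text):
    """Per-event verdicts plus the list of spraying sources."""
    events = parse_events(text)
    verdicts = [
        {"src": e["src"], "dst": e["dst"], "action": e["action"], "verdict": triage(e)}
        for e in events
    ]
    return {"verdicts": verdicts, "spraying": spraying_sources(events)}


if __name__ == "__main__":
    for v in report(SAMPLE_EVENTS)["verdicts"]:
        print(f'{v["src"]:>14} -> {v["dst"]:<14} {v["action"]:<8} {v["verdict"]}')
    print("spraying sources:", report(SAMPLE_EVENTS)["spraying"])
```

In the constructed data the Fortinet alert against the Meraki address comes out `not-applicable` and `blocked`, and its source also fired a Citrix signature, which is the "spraying CVE attacks at any available target" pattern; the same signature against the hypothetical Fortinet address comes out `investigate`. The verdicts depend entirely on the inventory being right, so an `unknown-asset` result is a prompt to fix the inventory, not to close the alert.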

