One-Arm IDS

One-Arm IDS

Interface-based policy only defines what and how IPS functions are applied to the packets transmitted by the interface. It works no matter if the port is used in a forwarding path or used as an One-Arm device.

To enable One-Arm IDS, the user should first enable sniff-mode on the interface, config system interface

edit port2 set ips-sniffer-mode enable

next

end

Once sniff-mode is turned on, both incoming and outgoing packets will be dropped after IPS inspections. The port can be connected to a hub or a switch’s SPAN port. Any packet picked up by the interface will still follow the interface policy so different IPS and DoS anomaly checks can be applied.


Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!

This entry was posted in Administration Guides, FortiGate on by .

About Mike

Michael Pruett, CISSP has a wide range of cyber-security and network engineering expertise. The plethora of vendors that resell hardware but have zero engineering knowledge resulting in the wrong hardware or configuration being deployed is a major pet peeve of Michael's. This site was started in an effort to spread information while providing the option of quality consulting services at a much lower price than Fortinet Professional Services. Owns PacketLlama.Com (Fortinet Hardware Sales) and Office Of The CISO, LLC (Cybersecurity consulting firm).

2 thoughts on “One-Arm IDS

  1. Asif Majeed

    can you please advise if i am receiving below log and i have configured 200B as IDS using sniffing session so i can get IPS functionality? as in IDS mode device isnt supposed to take any action.

    Message meets Alert condition
    The following intrusion was observed: Bash.Function.Definitions.Remote.Code.Execution.
    date=2019-01-29 time=01:26:55 devname=Forti-IDS-200B devid=FG200B3 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd=”root” severity=critical srcip=10.80.10.68 dstip=172.18.88.2 srcintf=”port13″ dstintf=”port13″ sessionid=104227912 action=dropped proto=6 service=tcp/22528 attack=”Bash.Function.Definitions.Remote.Code.Execution” srcport=44429 dstport=88

    Reply
    1. Mike Post author

      If you have it in one arm mode then all it is doing is watching traffic and reporting what it sees. This is the functionality you are shooting for correct?

      Reply

Leave a Reply to Asif Majeed Cancel reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.