One-Arm IDS
Interface-based policy defines only which IPS functions are applied to the packets seen on the interface, and how. It works whether the port sits in a forwarding path or is used as a one-arm device.
To enable One-Arm IDS, first enable sniffer mode on the interface:

config system interface
    edit port2
        set ips-sniffer-mode enable
    next
end
Once sniffer mode is turned on, both incoming and outgoing packets are dropped after IPS inspection. The port can be connected to a hub or to a switch's SPAN port. Any packet picked up by the interface still follows the interface policy, so different IPS and DoS anomaly checks can be applied.
Having trouble configuring your Fortinet hardware or have some questions you need answered? Check Out The Fortinet Guru Youtube Channel! Want someone else to deal with it for you? Get some consulting from Fortinet GURU!
Can you please advise if I am receiving the below log and I have configured a 200B as IDS using a sniffing session so I can get IPS functionality? As in IDS mode the device isn't supposed to take any action.
Message meets Alert condition
The following intrusion was observed: Bash.Function.Definitions.Remote.Code.Execution.
date=2019-01-29 time=01:26:55 devname=Forti-IDS-200B devid=FG200B3 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd="root" severity=critical srcip=10.80.10.68 dstip=172.18.88.2 srcintf="port13" dstintf="port13" sessionid=104227912 action=dropped proto=6 service=tcp/22528 attack="Bash.Function.Definitions.Remote.Code.Execution" srcport=44429 dstport=88
If you have it in one-arm mode then all it is doing is watching traffic and reporting what it sees. This is the functionality you are shooting for, correct?
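As an added example (not code from the original page, from Fortinet, or from either commenter), here is a small Python parser for the FortiGate key=value IPS log shown above. It normalizes the `action` field for a one-arm sensor: because a sniffer-mode interface drops every packet after inspection, `action=dropped` on such an interface records a detection only, not an inline block, which is the point the reply makes. The `SNIFFER_INTERFACES` set is an assumption (an operator would populate it from the interfaces carrying `set ips-sniffer-mode enable`), and the second, inline-mode sample log line is constructed for contrast; the first sample line is the log from the comment above.

```python
import re
from typing import Dict, Optional

# FortiOS logs are space-separated key=value pairs; quoted values may contain
# spaces, so the quoted alternative is tried first.
KV_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Assumption: interfaces configured with "set ips-sniffer-mode enable".
# In the sample log below srcintf and dstintf are both port13, which is
# consistent with a one-arm sensor hanging off a SPAN port.
SNIFFER_INTERFACES = {"port13"}

# Log line quoted from the comment above (straight quotes).
SAMPLE_SNIFFER_LOG = (
    'date=2019-01-29 time=01:26:55 devname=Forti-IDS-200B devid=FG200B3 '
    'logid=0419016384 type=utm subtype=ips eventtype=signature level=alert '
    'vd="root" severity=critical srcip=10.80.10.68 dstip=172.18.88.2 '
    'srcintf="port13" dstintf="port13" sessionid=104227912 action=dropped '
    'proto=6 service=tcp/22528 '
    'attack="Bash.Function.Definitions.Remote.Code.Execution" '
    'srcport=44429 dstport=88'
)

# Constructed sample: the same signature on an inline (forwarding-path)
# firewall, where a drop really does block the session.
SAMPLE_INLINE_LOG = (
    'date=2019-01-29 time=01:27:10 devname=fw-inline-EXAMPLE '
    'logid=0419016384 type=utm subtype=ips eventtype=signature level=alert '
    'vd="root" severity=critical srcip=192.0.2.10 dstip=198.51.100.20 '
    'srcintf="port1" dstintf="port2" sessionid=1 action=dropped proto=6 '
    'service=HTTP attack="Bash.Function.Definitions.Remote.Code.Execution" '
    'srcport=51000 dstport=80'
)


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one FortiOS log line into a dict, stripping surrounding quotes."""
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(line):
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def classify_ips_event(fields: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Normalize an IPS event; returns None for non-IPS records."""
    if fields.get("type") != "utm" or fields.get("subtype") != "ips":
        return None
    iface = fields.get("srcintf")
    sniffer = iface in SNIFFER_INTERFACES
    logged_action = fields.get("action", "unknown")
    if sniffer:
        # One-arm: the packet never sat on the forwarding path, so the sensor's
        # post-inspection drop is reporting only, not enforcement.
        effective = "detected-only"
    elif logged_action == "dropped":
        effective = "blocked"
    else:
        effective = logged_action
    return {
        "attack": fields.get("attack"),
        "severity": fields.get("severity"),
        "src": f'{fields.get("srcip")}:{fields.get("srcport")}',
        "dst": f'{fields.get("dstip")}:{fields.get("dstport")}',
        "interface": iface,
        "sniffer_mode": sniffer,
        "logged_action": logged_action,
        "effective_action": effective,
    }


if __name__ == "__main__":
    for line in (SAMPLE_SNIFFER_LOG, SAMPLE_INLINE_LOG):
        print(classify_ips_event(parse_fortigate_log(line)))
```

Feeding the sensor's interface list into the classifier, rather than trusting `action` alone, keeps a SIEM from counting one-arm detections as blocked attacks while the traffic actually reached the destination.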