Tuesday, January 23, 2018

IPS error initiated by Fortigate firewall

In this case, we had a user who had no internet access and got this screen when web browsing.


We found that the Fortigate 60D we had was causing this. The cause seems to have been multiple invalid DNS lookups: we did not find any log entries that confirmed it, but that is what this IPS block is typically caused by. In the end we fixed it by changing the user's LAN IP address, but we could also have viewed the blocked IP addresses with these commands from the CLI:

OS 5.0:
get user ban list

OS 5.2:
diagnose firewall ip_host list

To delete an entry, you'd enter this command:
diagnose firewall ip_host delete src4/src6

Example:
diagnose firewall ip_host delete src4 10.10.10.21
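As an added example (not from the original post or from Fortinet), here is a small Python helper for the step above: feed it the text you copied from `diagnose firewall ip_host list` plus the user's IP, and it tells you whether that address is in the block list and builds the matching delete command, choosing `src4` or `src6` by address family. The exact layout of the list output is not shown on this page, so the helper does not depend on it: it only pulls out IP literals from the text. The sample output in the block is constructed, not captured from a real firewall.

```python
import ipaddress
import re

# Constructed sample output (NOT captured from a real FortiGate). The real
# layout of `diagnose firewall ip_host list` is not shown on the page, so the
# extractor below ignores layout and simply pulls out IP literals.
SAMPLE_OUTPUT = """\
list ip_host (constructed sample)
src4 10.10.10.21 expires 2018-01-23
src4 192.0.2.55 expires 2018-01-23
src6 2001:db8::1f expires 2018-01-23
"""

# Candidate tokens: runs of hex digits, dots and colons. Anything that is not a
# real IPv4/IPv6 literal is rejected by ipaddress.ip_address below.
_ADDR_RE = re.compile(r"[0-9A-Fa-f:.]{7,}")


def extract_addresses(cli_output):
    """Return the set of IP addresses (ipaddress objects) found in the CLI text."""
    found = set()
    for token in _ADDR_RE.findall(cli_output):
        try:
            found.add(ipaddress.ip_address(token))
        except ValueError:
            continue  # dates, hex strings and similar are not addresses
    return found


def delete_command(cli_output, user_ip):
    """If user_ip appears in the list output, return the CLI command that
    removes it (src4 for IPv4, src6 for IPv6); otherwise return None."""
    addr = ipaddress.ip_address(user_ip)
    if addr not in extract_addresses(cli_output):
        return None
    family = "src4" if addr.version == 4 else "src6"
    return f"diagnose firewall ip_host delete {family} {addr}"


if __name__ == "__main__":
    for ip in ("10.10.10.21", "2001:db8::1f", "10.10.10.22"):
        cmd = delete_command(SAMPLE_OUTPUT, ip)
        print(f"{ip}: {cmd if cmd else 'not in block list'}")
```

Paste the real list output into `SAMPLE_OUTPUT` (or read it from a file) and run the script; it prints the delete command only for addresses that are actually present, which avoids typing a `src4`/`src6` mismatch by hand.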

The information from this page came from here:
http://kb.fortinet.com/kb/documentLink.do?externalID=FD36211