One-Arm IDS
Interface-based policy only defines what and how IPS functions are applied to the packets transmitted by the interface. It works no matter if the port is used in a forwarding path or used as a One-Arm device.
To enable One-Arm IDS, the user should first enable sniff-mode on the interface:

config system interface
    edit port2
        set ips-sniffer-mode enable
    next
end
Once sniff-mode is turned on, both incoming and outgoing packets will be dropped after IPS inspections. The port can be connected to a hub or a switch’s SPAN port. Any packet picked up by the interface will still follow the interface policy so different IPS and DoS anomaly checks can be applied.
Can you please advise, if I am receiving the below log and I have configured 200B as IDS using a sniffing session, so I can get IPS functionality? As in IDS mode the device isn't supposed to take any action.
Message meets Alert condition
The following intrusion was observed: Bash.Function.Definitions.Remote.Code.Execution.
date=2019-01-29 time=01:26:55 devname=Forti-IDS-200B devid=FG200B3 logid=0419016384 type=utm subtype=ips eventtype=signature level=alert vd="root" severity=critical srcip=10.80.10.68 dstip=172.18.88.2 srcintf="port13" dstintf="port13" sessionid=104227912 action=dropped proto=6 service=tcp/22528 attack="Bash.Function.Definitions.Remote.Code.Execution" srcport=44429 dstport=88
If you have it in one arm mode then all it is doing is watching traffic and reporting what it sees. This is the functionality you are shooting for correct?
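As an added example that is not part of this thread or of any Fortinet tooling, here is a small Python parser for the key=value log format of the IPS alert quoted in the question. It pulls out the fields an analyst reads first (attack, action, flow) and notes that srcintf and dstintf are the same port, which is consistent with a single sniffer port fed from a SPAN port or hub as described above. The sample line is a constructed copy of the question's log with straight quotes.

```python
import re
from typing import Dict

# Constructed sample: the IPS log line quoted in the question above,
# re-typed with straight double quotes.
SAMPLE_LOG = (
    'date=2019-01-29 time=01:26:55 devname=Forti-IDS-200B devid=FG200B3 '
    'logid=0419016384 type=utm subtype=ips eventtype=signature level=alert '
    'vd="root" severity=critical srcip=10.80.10.68 dstip=172.18.88.2 '
    'srcintf="port13" dstintf="port13" sessionid=104227912 action=dropped '
    'proto=6 service=tcp/22528 '
    'attack="Bash.Function.Definitions.Remote.Code.Execution" '
    'srcport=44429 dstport=88'
)

# key=value pairs: the value is either double-quoted (may contain spaces)
# or a bare run of non-whitespace characters.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_fortigate_log(line: str) -> Dict[str, str]:
    """Split one FortiGate key=value log line into a field -> value dict."""
    fields: Dict[str, str] = {}
    for m in _KV.finditer(line):
        key, quoted, bare = m.groups()
        fields[key] = quoted if quoted is not None else bare
    return fields


def summarize_ips_event(fields: Dict[str, str]) -> Dict[str, object]:
    """Reduce a parsed IPS alert to what a reviewer looks at first."""
    return {
        "device": fields.get("devname"),
        "attack": fields.get("attack"),
        "severity": fields.get("severity"),
        "action": fields.get("action"),
        "flow": f'{fields.get("srcip")}:{fields.get("srcport")} -> '
                f'{fields.get("dstip")}:{fields.get("dstport")}',
        # True when the packet was seen entering and leaving on the same
        # interface, as expected for a one-arm sniffer port.
        "single_port": fields.get("srcintf") == fields.get("dstintf"),
    }


if __name__ == "__main__":
    for k, v in summarize_ips_event(parse_fortigate_log(SAMPLE_LOG)).items():
        print(f"{k:12} {v}")
```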