IPS SIGNATURE DETECTED

Document ID : KB000096828
Last Modified Date : 17/05/2018
Show Technical Document Details
Question:
After discovering a Fortinet device via SNMPv3, we are seeing a lot of minor alarms titled "IPS SIGNATURE DETECTED". What are these alarms, and why are we getting them?
Answer:
These are trap based alarms. Nothing that Spectrum is polling for.

The trap is a Fortinet specific trap, fnTrapIpsAnomaly (1.3.6.1.4.1.12356.0.504).

Looking at the vendor MIB there really isn't much to go on here. The Trap description reads "An IPS anomaly has been detected". It passes the following variables:
  • fnSysSerial (1.3.6.1.4.1.12356.1.2)
  • sysName (1.3.6.1.2.1.1.5)
  • fnIpsTrapSigId (1.3.6.1.4.1.12356.16.1)
  • fnIpsTrapSrcIp (1.3.6.1.4.1.12356.16.2 )
I suspect the variables "fnIpsTrapSigId" and "fnIpsTrapSrcIp" are the key to understanding the issue.

It is recommend you giving this over to the Network Admin and let them determine the cause and address the issue.