[AF] IPS policy is set to deny, but the brute-force ("blasting") log shows success

Problem Description

The local IPS policy is set to deny. A brute-force attack is detected and the action in the logs is also deny, but the brute-force result shows that the attack was successful.

Warning Info

Effective troubleshooting steps

  1. Check that the action of the corresponding policy is indeed set to deny.
  2. Check the interception type in the log for medium- and low-frequency brute force. Medium- and low-frequency brute-force detection is post-detection, and deny is the resulting action: the source IP is added to IP Blocking. The attack is reported as successful because a successful-login indicator was found during the process.

Root cause

Medium- and low-frequency brute-force detection is post-detection. Deny is the resulting action, and the source IP is added to the linkage IP Blocking. The attack is reported as successful because a successful-login indicator was found during the process.
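The following added example (a simplified model, not Sangfor's detection code) replays a constructed login stream through a post-detection counter to show how one log entry can carry both a deny action and a successful result. The window, the threshold, the field names and the sample IP addresses are assumptions made for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 300   # assumed observation window
THRESHOLD = 5          # assumed number of login attempts that triggers detection

def replay(events):
    """Replay (timestamp, src_ip, login_ok) tuples through a post-detection model.

    Returns (forwarded, logs, blocked): events that reached the server,
    detection log entries, and the resulting IP block list.
    """
    recent = defaultdict(deque)   # src_ip -> (timestamp, login_ok) inside the window
    blocked, forwarded, logs = set(), [], []
    for ts, src, ok in events:
        if src in blocked:
            continue                      # deny is enforced only from here on
        forwarded.append((ts, src, ok))   # attempt has already reached the server
        window = recent[src]
        window.append((ts, ok))
        while window and ts - window[0][0] > WINDOW_SECONDS:
            window.popleft()
        if len(window) >= THRESHOLD:      # detection fires after the fact
            blocked.add(src)
            logs.append({
                "src": src,
                "action": "deny",
                "result": "success" if any(o for _, o in window) else "attempt",
            })
    return forwarded, logs, blocked

# Constructed sample: four failed logins, a fifth that succeeds, then more traffic.
SAMPLE = [
    (0, "198.51.100.7", False),
    (40, "198.51.100.7", False),
    (80, "198.51.100.7", False),
    (120, "198.51.100.7", False),
    (160, "198.51.100.7", True),    # successful login seen before detection fires
    (200, "198.51.100.7", False),   # dropped: source is now on the block list
    (210, "203.0.113.9", False),    # unrelated source, below the threshold
]

if __name__ == "__main__":
    forwarded, logs, blocked = replay(SAMPLE)
    print(logs)
    print(sorted(blocked))
```

In this model the successful login at t=160 is forwarded before the counter reaches the threshold, so the entry logged at that moment records the deny action together with the success that had already occurred.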

Solution

Explain to the customer how medium- and low-frequency brute force is identified and handled.

Operation Impact Scope

No operation is required, but the brute-force detection will block the source IP.

Original Link

https://support.sangfor.com.cn/cases/list?product_id=13&type=1&category_id=1596&isOpen=true