IPS SIGNATURE DETECTED alarms in Spectrum

Article ID: 96828

Updated On:

Products

CA Spectrum

Issue/Introduction

After discovering a Fortinet device via SNMPv3, we are seeing a lot of minor alarms titled "IPS SIGNATURE DETECTED". What are these alarms, and why are we getting them?

Environment

Release: Any
Component: SPCAEM

Resolution

These are trap-based alarms from the device.

The trap is a Fortinet-specific trap, fnTrapIpsAnomaly (1.3.6.1.4.1.12356.0.504).

The vendor MIB does not offer much detail. The trap description reads "An IPS anomaly has been detected". It passes the following variables:
  • fnSysSerial (1.3.6.1.4.1.12356.1.2)
  • sysName (1.3.6.1.2.1.1.5)
  • fnIpsTrapSigId (1.3.6.1.4.1.12356.16.1)
  • fnIpsTrapSrcIp (1.3.6.1.4.1.12356.16.2)
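
For triage, the varbinds listed above can be pulled out of received traps and counted per source IP and signature ID. The Python below is an added example, not part of the original article or of Spectrum; the "OID = value" text format, the ".0" instance suffixes and all sample values are assumptions constructed for illustration.

```python
import re
from collections import Counter

SNMP_TRAP_OID = "1.3.6.1.6.3.1.1.4.1.0"   # standard snmpTrapOID.0 varbind
IPS_ANOMALY = "1.3.6.1.4.1.12356.0.504"   # fnTrapIpsAnomaly (from the article)
VARBINDS = {  # base OIDs from the article; an instance suffix may follow
    "1.3.6.1.4.1.12356.1.2": "fnSysSerial",
    "1.3.6.1.2.1.1.5": "sysName",
    "1.3.6.1.4.1.12356.16.1": "fnIpsTrapSigId",
    "1.3.6.1.4.1.12356.16.2": "fnIpsTrapSrcIp",
}
# Assumed input: one "<numeric OID> = [TYPE: ]value" line per varbind,
# with a blank line between traps. All values below are constructed.
LINE = re.compile(r'^\.?([0-9.]+?)\s*=\s*(?:[A-Za-z]+:\s*)?"?(.*?)"?\s*$')
SAMPLE = """\
1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.12356.0.504
1.3.6.1.4.1.12356.1.2.0 = STRING: "FGT-EXAMPLE-0001"
1.3.6.1.2.1.1.5.0 = STRING: "fw-edge-01"
1.3.6.1.4.1.12356.16.1.0 = INTEGER: 40001
1.3.6.1.4.1.12356.16.2.0 = IpAddress: 192.0.2.10

1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.6.3.1.1.5.3

1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.12356.0.504
1.3.6.1.4.1.12356.16.1.0 = INTEGER: 40001
1.3.6.1.4.1.12356.16.2.0 = IpAddress: 192.0.2.10

1.3.6.1.6.3.1.1.4.1.0 = OID: .1.3.6.1.4.1.12356.0.504
1.3.6.1.4.1.12356.16.1.0 = INTEGER: 40002
1.3.6.1.4.1.12356.16.2.0 = IpAddress: 198.51.100.7
"""

def parse_ips_traps(text):
    """Return one dict of named varbinds per fnTrapIpsAnomaly trap."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields, trap_oid = {}, None
        for m in filter(None, map(LINE.match, block.splitlines())):
            oid, value = m.groups()
            if oid == SNMP_TRAP_OID:
                trap_oid = value.lstrip(".")
            for base, name in VARBINDS.items():
                if oid == base or oid.startswith(base + "."):
                    fields[name] = value
        if trap_oid == IPS_ANOMALY:   # ignore unrelated traps such as linkDown
            events.append(fields)
    return events

def summarize(events):  # alarm count per (source IP, signature ID)
    return Counter((e.get("fnIpsTrapSrcIp"), e.get("fnIpsTrapSigId")) for e in events)

print(summarize(parse_ips_traps(SAMPLE)).most_common())
```

A source IP and signature ID pair that dominates the count is the first thing to check against the IPS logs on the device itself.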

This trap is mapped out of the box in Spectrum. The Probable Cause associated with this alarm states the following:

IPS SIGNATURE DETECTED

SYMPTOMS:

An 'fnTrapIpsAnomaly' trap was received from the device.

PROBABLE CAUSES:

An IPS anomaly has been detected.

RECOMMENDED ACTIONS:

1) Refer to the Event Message associated with this alarm for additional details that the device may have provided about the cause of this condition.

2) Review the Events associated with this model that occurred in the same time frame as this alarm in order to gain insight into the device's state. These can be viewed from the Events tab in OneClick.


It is recommended that you hand this over to the network administrator and let them determine the cause and address the issue.